From 014056f686a117e1eb7159e46467aa489b24d815 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 18 Oct 2018 21:02:40 +0200
Subject: [PATCH] detect/analyzer: add detection for sigs that could use http keywords
---
 src/detect-engine-analyzer.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 648540fe3a..545b53ba1a 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -497,7 +497,7 @@ AnalyzerNote(RuleAnalyzer *ctx, char *fmt, ...)
 if (ctx->js_notes)
 json_array_append_new(ctx->js_notes, json_string(str));
 }
-#if 0
+
 static void __attribute__ ((format (printf, 2, 3)))
 AnalyzerWarning(RuleAnalyzer *ctx, char *fmt, ...)
 {
@@ -513,7 +513,25 @@ AnalyzerWarning(RuleAnalyzer *ctx, char *fmt, ...)
 if (ctx->js_warnings)
 json_array_append_new(ctx->js_warnings, json_string(str));
 }
-#endif
+
+#define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
+
+static bool LooksLikeHTTPMethod(const uint8_t *buf, uint16_t len)
+{
+ CHECK("GET /");
+ CHECK("POST /");
+ CHECK("HEAD /");
+ CHECK("PUT /");
+ return false;
+}
+
+static bool LooksLikeHTTPUA(const uint8_t *buf, uint16_t len)
+{
+ CHECK("User-Agent: ");
+ CHECK("\nUser-Agent: ");
+ return false;
+}
+
 static void DumpMatches(RuleAnalyzer *ctx, json_t *js, const SigMatchData *smd)
 {
 json_t *js_matches = json_array();
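Review bot: In the `CHECK` macro, `MIN(len, strlen((pat)))` is dead once the guard `strlen((pat)) <= len` holds — it always yields `strlen((pat))` — so `strlen` runs twice per probe and the bound that actually keeps `memcmp` inside `buf` (correctly `len`, since `cd->content` is not NUL-terminated) is harder to see than it should be. The macro also takes the generic name `CHECK`, is never `#undef`'d after `LooksLikeHTTPUA`, and silently relies on locals called `buf` and `len`; a small `static` helper carries the bound explicitly and removes all three issues. Separately, the heuristic is exact-case and prefix-only: it recognises `"\nUser-Agent: "` but not `"\r\nUser-Agent: "` (the `|0d 0a|User-Agent` form rules commonly use), and whether `cd->content` is already case-folded for `nocase` rules is not visible here, so adding the `\r\n` variant is the safe minimum and a case-insensitive compare is worth confirming against how content is stored.
```c
/* true when buf begins with pat; reads at most strlen(pat) <= len bytes of buf */
static bool StartsWith(const uint8_t *buf, uint16_t len, const char *pat)
{
    size_t plen = strlen(pat);
    return plen <= len && memcmp(buf, pat, plen) == 0;
}

static bool LooksLikeHTTPMethod(const uint8_t *buf, uint16_t len)
{
    return StartsWith(buf, len, "GET /") || StartsWith(buf, len, "POST /") ||
           StartsWith(buf, len, "HEAD /") || StartsWith(buf, len, "PUT /");
}

static bool LooksLikeHTTPUA(const uint8_t *buf, uint16_t len)
{
    return StartsWith(buf, len, "User-Agent: ") || StartsWith(buf, len, "\nUser-Agent: ") ||
           StartsWith(buf, len, "\r\nUser-Agent: ");
}
```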
@@ -565,6 +583,14 @@ static void DumpMatches(RuleAnalyzer *ctx, json_t *js, const SigMatchData *smd)
 json_object_set_new(js_match, "content", js_match_content);
 }
+
+ if (LooksLikeHTTPMethod(cd->content, cd->content_len)) {
+ AnalyzerWarning(ctx, (char *)"pattern looks like it inspects HTTP, use http_request_line or http_method and http_uri instead for improved performance");
+ }
+ if (LooksLikeHTTPUA(cd->content, cd->content_len)) {
+ AnalyzerWarning(ctx, (char *)"pattern looks like it inspects HTTP, use http_user_agent or http_header for improved performance");
+ }
+
 SCFree(pat);
 break;
 }
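Review bot: The new checks run inside `DumpMatches`, which receives only the `SigMatchData` list and nothing saying which buffer that list inspects, so as far as this hunk shows a content such as `"GET /"` draws the "use http_request_line" warning even when the rule already places it on an HTTP sticky buffer (`http_request_line`, `http_client_body`, ...), producing a misleading warning on exactly the rules that are already written correctly. If the caller knows the list type, gate the checks on the packet/payload lists (pass a flag or the list id into `DumpMatches`), or at least qualify the message, e.g. `"... for improved performance (unless the content is already on an HTTP buffer)"`. The `(char *)` casts on the literals exist only because `AnalyzerWarning` is declared with `char *fmt`; changing that signature (outside this hunk) to `const char *fmt` lets these calls pass the literals directly. `DumpMatches` begins outside the hunk.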