3 Rules from [Ruleset Update Summary - 2024/08/28 - v10676] are causing errors on Suricata version 7 due to http_content_type misplacement.
sid:2055541
sid:2055542
sid:2055543
The sids (2055541, 2055542, 2055543) were internally validated against suricata-7.0.3 and they did not cause Suricata 7 syntax errors.
In your query, the provided rule (2055541) appears to use Suricata 4 syntax and not Suricata 7. For example, Suricata 4 and older uses sticky buffers with underscores (http_content_type). Suricata 5 and above uses dots (http.content_type).
If you try running Suricata 4 rules against a Suricata 7 engine, errors are expected for not only (2055541, 2055542, 2055543) but for all Suricata 4 rules provided.
As an initial troubleshooting step, could you please check which ruleset version was used against your Suricata 7 engine? If it’s Suricata 4, then the errors were caused by a ruleset mismatch. Else, we can dig into this a bit more.
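The ruleset-mismatch check described above (Suricata 4 underscore buffers such as http_content_type versus the dotted Suricata 5+ form http.content_type) can be automated before a ruleset is loaded. The linter below is an added example, not Proofpoint/ET tooling; its keyword mapping is constructed and covers only a few common HTTP buffers, and the sample rules and sids are placeholders.

```python
import re

# Legacy underscore buffer keywords (Suricata 4 and older) and the dotted sticky-buffer names
# Suricata 5+ uses. Constructed for this example and limited to a few common HTTP buffers.
LEGACY_TO_MODERN = {
    "http_content_type": "http.content_type",
    "http_uri": "http.uri",
    "http_host": "http.host",
    "http_user_agent": "http.user_agent",
}

QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')                 # content:"..." strings may contain keyword-like text
KEYWORD_RE = re.compile(r"(?<![\w.])(http[._][a-z_]+)\s*;")  # bare buffer keyword terminated by ';'
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def classify_rule(rule: str) -> dict:
    """Report which HTTP buffer syntax one rule uses: 'suricata4', 'suricata5+', 'mixed' or 'none'."""
    start, end = rule.find("("), rule.rfind(")")
    options = QUOTED_RE.sub('""', rule[start + 1:end]) if 0 <= start < end else ""
    keywords = KEYWORD_RE.findall(options)
    legacy = [k for k in keywords if k in LEGACY_TO_MODERN]
    modern = [k for k in keywords if k.startswith("http.")]
    generation = ("mixed" if legacy and modern else "suricata4" if legacy
                  else "suricata5+" if modern else "none")
    sid = SID_RE.search(options)
    return {
        "sid": sid.group(1) if sid else None,
        "generation": generation,
        "suggestions": {k: LEGACY_TO_MODERN[k] for k in legacy},  # legacy -> dotted replacement
    }

def rules_mismatching_engine(ruleset: str, engine_major: int) -> list:
    """Return sids of rules whose buffer syntax does not match the engine generation (4 vs 5+)."""
    wanted = "suricata4" if engine_major < 5 else "suricata5+"
    flagged = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = classify_rule(line)
        if info["generation"] not in ("none", wanted):
            flagged.append(info["sid"])
    return flagged

# Constructed sample ruleset with placeholder sids: one Suricata 4 style rule, one Suricata 5+ style rule.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE legacy syntax"; flow:established,to_server; http_content_type; content:"application/octet-stream"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE modern syntax"; flow:established,to_server; http.content_type; content:"application/octet-stream"; sid:9000002; rev:1;)
"""
```

Running `rules_mismatching_engine(SAMPLE_RULES, 7)` flags only the legacy-syntax rule, which is the situation the reply above describes when a Suricata 4 ruleset is loaded on a Suricata 7 engine.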
Just to add, we are testing the signatures in 4 Suricata versions:
9/9/2024 – 12:26:25 - - This is Suricata version 4.0.7 RELEASE
9/9/2024 – 12:27:30 - - This is Suricata version 5.0.3 RELEASE running in USER mode
9/9/2024 – 12:28:08 - - This is Suricata version 6.0.18 RELEASE running in USER mode
[290] Notice: suricata: This is Suricata version 7.0.5 RELEASE running in USER mode
The rule you shared appears to be a Suricata 4.0 formatted rule. This rule and other Suricata 4.0 rules are expected to error against Suricata 5+ engines.
Could you try downloading the suricata-7.0.3/ ruleset and see if your errors resolve?