detect/analyzer: use note instead of warning
authorShivani Bhardwaj <shivani@oisf.net>
Thu, 29 May 2025 09:04:57 +0000 (14:34 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 30 May 2025 19:13:48 +0000 (21:13 +0200)
It is invalid to issue a warning based purely on pattern matching
between the matched content and certain http methods. Without a check
for which keyword exists in the rule, it makes more sense to issue this
as a general note.

Bug 5177

src/detect-engine-analyzer.c

index ecc25a903cf973356ae0138cadbe28bc1c35c0ad..4536b6d4654677a6196efd07c7942e5d128f17f8 100644 (file)
@@ -744,12 +744,12 @@ static void DumpMatches(RuleAnalyzer *ctx, SCJsonBuilder *js, const SigMatchData
                                               "is interpreted as regular 'fast_pattern'");
                 }
                 if (LooksLikeHTTPMethod(cd->content, cd->content_len)) {
-                    AnalyzerWarning(ctx,
+                    AnalyzerNote(ctx,
                             (char *)"pattern looks like it inspects HTTP, use http.request_line or "
                                     "http.method and http.uri instead for improved performance");
                 }
                 if (LooksLikeHTTPUA(cd->content, cd->content_len)) {
-                    AnalyzerWarning(ctx,
+                    AnalyzerNote(ctx,
                             (char *)"pattern looks like it inspects HTTP, use http.user_agent "
                                     "or http.header for improved performance");
                 }
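Review bot: The two `AnalyzerNote` calls under `LooksLikeHTTPMethod` and `LooksLikeHTTPUA` have no comment explaining why they are notes rather than warnings, so the reasoning lives only in the commit message and a later edit could flip them back. Both checks are handed only `cd->content` and `cd->content_len`, not the keyword the content belongs to, so a match is a hint about the rule and not a finding. I would add above the first check `/* Heuristic on raw content bytes only; the rule's keyword is not checked, so report a note, not a warning. */`. Any tooling that reads the analyzer output and keys on warnings will presumably stop seeing these two messages, which deserves a line in the changelog or rule-analysis docs. DumpMatches begins and ends outside the hunk.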