From 9046f30731063a08346eb8f8daf23d1d69254419 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Thu, 29 May 2025 14:34:57 +0530
Subject: [PATCH] detect/analyzer: use note instead of warning

It is invalid to issue a warning based purely on pattern matching between the matched content and certain http methods. Without a check for which keyword exists in the rule, it makes more sense to issue this as a general note.

Bug 5177
---
 src/detect-engine-analyzer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index ecc25a903c..4536b6d465 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -744,12 +744,12 @@ static void DumpMatches(RuleAnalyzer *ctx, SCJsonBuilder *js, const SigMatchData
 "is interpreted as regular 'fast_pattern'");
 }
 if (LooksLikeHTTPMethod(cd->content, cd->content_len)) {
- AnalyzerWarning(ctx,
+ AnalyzerNote(ctx,
 (char *)"pattern looks like it inspects HTTP, use http.request_line or "
 "http.method and http.uri instead for improved performance");
 }
 if (LooksLikeHTTPUA(cd->content, cd->content_len)) {
- AnalyzerWarning(ctx,
+ AnalyzerNote(ctx,
 (char *)"pattern looks like it inspects HTTP, use http.user_agent "
 "or http.header for improved performance");
 }
-- 
2.47.2
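Review bot: The `LooksLikeHTTPMethod` and `LooksLikeHTTPUA` branches still decide on the content bytes alone, so a rule whose content already sits under an HTTP keyword would presumably still be told to "use http.method ... instead". The commit lowers the severity but leaves the missing keyword check that its own message describes. Until that check exists, a comment above the first branch would record why this is only a note, e.g. `/* heuristic on content bytes only; the rule's keywords are not checked here, hence a note rather than a warning (Bug 5177) */`. If rule-review tooling counts analyzer warnings, these two messages will likely drop out of that count, which is worth stating in the release notes. DumpMatches begins and ends outside the hunk.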