[Oisf-devel] http_host & http_raw_host

Victor Julien victor at inliniac.net
Tue Mar 19 10:53:17 UTC 2013


In the new http_host, which host is selected if we have:

GET http://one/ HTTP/1.0
Host: two

One or two?

I know

alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)

will fire in this case, but I assume the http_host
keyword will fire on something as well.

Also, what does http_raw_host match on specifically?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------


