[Oisf-devel] http_host & http_raw_host

Anoop Saldanha anoopsaldanha at gmail.com
Tue Mar 19 11:03:15 UTC 2013


On Tue, Mar 19, 2013 at 4:23 PM, Victor Julien <victor at inliniac.net> wrote:
> In the new http_host, which host is selected if we have:
>
> GET http://one/ HTTP/1.0
> Host: two
>
> One or two?

One.  The uri value gets priority over the header value.

>
> I know "alert http any any -> any any (msg:"SURICATA HTTP Host header
> ambiguous"; flow:established,to_server;
> app-layer-event:http.host_header_ambiguous;
> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
> sid:2221015; rev:1;)" will fire in this case, but I assume the http_host
> keyword will fire on something as well.
>
> Also, what does http_raw_host match on specifically?
>

Same logic as above.

-- 
Anoop Saldanha
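
The selection order described in the reply above, as an added example (not part of the original message, and not Suricata or libhtp code). The names `select_host` and `_hostname` are hypothetical; ignoring the port and comparing hostnames case-insensitively when deciding ambiguity are assumptions of this sketch.

```python
from urllib.parse import urlsplit


def _hostname(authority):
    """Strip userinfo and port from an authority string; keep the case as seen."""
    authority = authority.rsplit("@", 1)[-1].strip()
    if authority.startswith("["):            # IPv6 literal such as [::1]:80
        return authority[: authority.find("]") + 1] or None
    return authority.split(":", 1)[0] or None


def select_host(raw_request):
    """Return (selected_host, ambiguous) for one HTTP request head (bytes)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    target = parts[1] if len(parts) > 1 else ""

    # Hostname from an absolute-form target, e.g. "GET http://one/ HTTP/1.0".
    uri_host = _hostname(urlsplit(target).netloc) if "://" in target else None

    # Hostname from the first Host header, if any.
    hdr_host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hdr_host = _hostname(value)
            break

    # Assumption: "ambiguous" means both are present and name different hosts.
    ambiguous = bool(uri_host and hdr_host
                     and uri_host.lower() != hdr_host.lower())

    # The URI value gets priority over the header value.
    return (uri_host or hdr_host), ambiguous


if __name__ == "__main__":
    # Constructed sample: the request quoted in the thread.
    sample = b"GET http://one/ HTTP/1.0\r\nHost: two\r\n\r\n"
    print(select_host(sample))
```
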


