Hi,<br><br>If you try:<br><font size="4"><code>alert <u><b>http</b></u> any any -> any any (msg:"User-Agent abc http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)</code></font><br><br>
would it behave as expected?<br><br>Thank you<br><br><div class="gmail_quote">On Tue, Oct 23, 2012 at 7:15 PM, Michael <span dir="ltr"><<a href="mailto:hoffrath@gmx.de" target="_blank">hoffrath@gmx.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hello,<div><br></div><div>Information:</div><div>Host: Ubuntu 12.04 64-bit running on ESXi 4.1</div>
<div>Version: Suricata 1.3.2</div><div>Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW </div><div>I insert Suricata with iptables, which redirects all traffic to nfqueue 0.</div>
<div><br></div><div>I have the problem that I could not match any packets while using http_uri or other HTTP options. </div><div>My rule is: "drop tcp any any -> any any (msg:"index";flow:established,to_server;content:"/index.html";nocase;http_uri;sid:2;rev:2;)". Even trying to use this rule from <a href="http://planet.suricata-ids.org" target="_blank">planet.suricata-ids.org</a>, "<span style="font-family:monospace">alert tcp any any -> any any (msg:"User-Agent abc http_user_agent"; content:"Mozilla"; http_user_agent; sid:2; rev:1;)</span>", it fails.</div>
<div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">I have absolutely no clue why this happens; maybe someone could give me a clue?</span></div><div><span style="font-family:monospace"><br>
</span></div><div><span style="font-family:monospace">Regards</span></div><span class="HOEnZb"><font color="#888888"><div><span style="font-family:monospace">Michael</span></div><div><span style="font-family:monospace"><br>
</span></div></font></span></div><br>_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
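A small rule-header check, added here as an illustration and not code from the thread or from Suricata: it parses the rule lines quoted above and lists those that use http_* keywords without the http protocol in the header, so the variation Peter suggests can be tried across a whole ruleset instead of one rule at a time. The keyword list and header pattern are my assumptions, not Suricata's own tables.

```python
import re

# Keywords that depend on Suricata's HTTP parser (illustrative list from this
# thread plus common siblings; an assumption, not Suricata's own table).
HTTP_KEYWORDS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                 "http_user_agent", "http_cookie", "http_method", "http_host",
                 "http_client_body", "http_server_body", "http_stat_code"}

# Header layout: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)"
                       r"\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")

def split_options(opts):
    # Split on ';' only outside "...": the msg text in this thread literally
    # contains 'http_user_agent', so a naive split would misclassify it.
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_rule(line):
    # Return action, proto, sid and the HTTP keywords used, or None on no match.
    m = HEADER_RE.match(line)
    if not m:
        return None
    pairs = [p.partition(":") for p in split_options(m.group("opts"))]
    keys = [k.strip() for k, _, _ in pairs]
    values = {k.strip(): v.strip() for k, _, v in pairs}
    return {"action": m.group("action"), "proto": m.group("proto"),
            "sid": values.get("sid"),
            "http_keywords": [k for k in keys if k in HTTP_KEYWORDS]}

def audit(lines):
    # Rules that use HTTP keywords but whose header protocol is not 'http'.
    return [r for r in map(parse_rule, lines)
            if r and r["http_keywords"] and r["proto"] != "http"]

# Constructed sample: the two rules quoted in the thread plus a non-HTTP one.
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"User-Agent abc http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)',
    'drop tcp any any -> any any (msg:"index";flow:established,to_server;content:"/index.html";nocase;http_uri;sid:2;rev:2;)',
    'alert tcp any any -> any 22 (msg:"ssh banner"; content:"SSH-"; sid:3; rev:1;)',
]
```

Running `audit(SAMPLE_RULES)` flags only Michael's drop rule (sid 2, proto tcp, http_uri); the http-header rule and the SSH rule pass.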