
<html>

  <head>

    <meta content="text/html; charset=ISO-8859-1"

      http-equiv="Content-Type">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <div class="moz-cite-prefix">I would find that useful, especially if

      it increases efficiency in the same way as http_user_agent.  Among

      other things, I use Suricata to match blacklists of known bad

      URLs, and all those rules include a content match for the HTTP

      Host.<br>

      <br>

      <pre class="moz-signature" cols="72">Matt</pre>

      On 1/24/2013 3:13 AM, Peter Manev wrote:<br>

    </div>

    <blockquote

cite="mid:CAMhe82+91vEbJtCYoQSQE+CJfB_-GoZPwmeBFhA+VZe0piSH9A@mail.gmail.com"

      type="cite"><br>

      <br>

      <div class="gmail_quote">On Thu, Jan 24, 2013 at 9:11 AM, Anoop

        Saldanha <span dir="ltr"><<a moz-do-not-send="true"

            href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span>

        wrote:<br>

        <blockquote class="gmail_quote" style="margin:0 0 0

          .8ex;border-left:1px #ccc solid;padding-left:1ex">

          <div class="HOEnZb">

            <div class="h5">On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev

              <<a moz-do-not-send="true"

                href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>

              wrote:<br>

              ><br>

              >> However, any of the techniques mentioned above

              isn't a foolproof way<br>

              >> to match on the host header.  The right way would

              be to provide a new<br>

              >> keyword called "http_host".<br>

              >><br>

              > Anoop or Vincent would you please put in feature

              request for that?<br>

              ><br>

              <br>

            </div>

          </div>

          We should probably consult users/rule-writers if such a

          keyword would<br>

          be useful to them?<br>

          <span class="HOEnZb"><font color="#888888"><br>

              --<br>

              Anoop Saldanha<br>

            </font></span></blockquote>

      </div>

      sure<br>

      <br clear="all">

      <br>

      -- <br>

      <div>Regards,</div>

      <div>Peter Manev</div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>

Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>

List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

OISF: <a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a></pre>

    </blockquote>

    <br>

  </body>

</html>