<div dir="ltr">Here's the new results, I will run the tests again to see if it's consistent but using the wireshark filter<div><br></div><div>http contains "<a href="http://businessweek.com">businessweek.com</a>"</div>
<div><br></div><div>there were 75 matches</div><div><br></div><div>and in the fast.log there were 138 total alerts from the two new rules you specified</div><div>grep -c "http header" fast.log -> 69 lines</div>
<div>grep -c "pcre version" fast.log -> 69 lines</div><div><br></div><div>so they're both the same. Ran suricata in offline mode and the results were the same so that's good since they're consistent.</div>
<div><br></div><div>Here's a copy of the two rules</div><div><br></div><div><div>alert ip $HOME_NET any -> any any (msg:"pcre version rule fired"; pcre:"/\s.*?\.<a href="http://businessweek.com/H">businessweek.com/H</a>"; sid:1;)</div>
<div><br></div><div>alert ip $HOME_NET any -> any any (msg:"http header rule fired"; content:".<a href="http://businessweek.com">businessweek.com</a>"; http_header; sid:2;)</div></div><div><br></div>
<div>In the next few runs I also plan to change the protocol to http instead of ip, and I technically should get the same numbers yes?</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sound good. Will open a feature request for "http_host" keyword;<br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Jan 24, 2013 at 7:45 PM, Matt <<a href="mailto:matt@somedamn.com">matt@somedamn.com</a>> wrote:<br>
> I would find that useful, especially if it increases efficiency in the same<br>
> way as http_user_agent. Among other things, I use Suricata to match<br>
> blacklists of known bad URLs, and all those rules include a content match<br>
> for the HTTP Host.<br>
><br>
> Matt<br>
><br>
> On 1/24/2013 3:13 AM, Peter Manev wrote:<br>
><br>
><br>
><br>
> On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha <<a href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>><br>
> wrote:<br>
>><br>
>> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
>> ><br>
>> >> However, any of the techniques mentioned above isn't a foolproof way<br>
>> >> to match on the host header. The right way would be to provide a new<br>
>> >> keyword called "http_host".<br>
>> >><br>
>> > Anoop or Vincent would you please put in feature request for that?<br>
>> ><br>
>><br>
>> We should probably consult users/rule-writers if such a keyword would<br>
>> be useful to them?<br>
>><br>
>> --<br>
>> Anoop Saldanha<br>
><br>
> sure<br>
><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Anoop Saldanha<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>