<div dir="ltr">Ahhh, referrer is in http_header. I had it in http_host, will add it to header now as well. Thanks!</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 4, 2017 at 12:49 PM, Jack Mott <span dir="ltr"><<a href="mailto:jmott@emergingthreats.net" target="_blank">jmott@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Erik,<div><br></div><div>Referer is in the http_header; buffer. If you're referring to rule syntax, you can negate this domain by placing these into the rules: 'content:!"Referer|3a 20|<a href="https://accounts.google.com" target="_blank">https://accounts.google.com</a><wbr>"; http_header;' and 'content:!"<a href="http://accounts.google.com" target="_blank">accounts.google.com</a><wbr>"; http_host;' into your rule.</div><div><br></div><div>Obviously, check to ensure the host/referer is accurate (maybe check to ensure http(s)/www is or isn't there).</div><div><br></div><div>Best,</div><div><br></div><div>Jack</div></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Tue, Apr 4, 2017 at 7:15 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><div dir="ltr">Is the referrer in the http header? I am trying to ignore events where the referrer or host is <a href="http://accounts.google.com" target="_blank">accounts.google.com</a>. Thanks!</div>
<br></span>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>