<div dir="ltr"><div>Hi Amin - <br></div><div><br></div><div>We are moving our community discussions to Discourse.</div><div><br></div><div>Would you please post your question here - <a href="https://forum.suricata.io/">https://forum.suricata.io/</a> - so our developers and community see it?</div><div><br></div><div>Thanks,</div><div>the OISF Team<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 26, 2020 at 12:26 AM Amin Saba <<a href="mailto:amn.brhm.sb@gmail.com">amn.brhm.sb@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">Sorry, the second rule should be:</span></div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px"><br></span></div><span style="font-family:sans-serif;font-size:12.8px">alert ip any any -> any any (msg:"delete detected"; content:"delete"; nocase; sid:1; rev:1)</span></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 26, 2020, 08:53 Amin Saba <<a href="mailto:amn.brhm.sb@gmail.com" target="_blank">amn.brhm.sb@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto">We want to detect a GET request like this:</div><div dir="auto"><br></div><div dir="auto"><a href="http://domain-name/delete" rel="noreferrer" target="_blank">http://domain-name/delete</a></div><div dir="auto"><br></div>The following rule does not match packets that are forwarded on the box running Suricata:<div dir="auto"><br></div><div dir="auto">alert http any any -> any any (msg:"delete detected"; content:"delete"; http_uri; nocase; sid:1; rev:1)</div><div dir="auto"><br></div><div dir="auto">However, it does match packets that have a source or destination address in common with the box. (Tested on both Linux Suricata 3.2.2 and FreeBSD Suricata 4.0.0 and 5.0.1)<div dir="auto"><br></div><div dir="auto">However, as soon as the http protocol detection module gets out of the way, it starts to work as expected:</div><div dir="auto"><br></div><div dir="auto">alert http any any -> any any (msg:"delete detected"; content:"delete"; http_uri; nocase; sid:1; rev:1)<br></div><div dir="auto"><br></div><div dir="auto">This rule matches forwarded packets, too.</div><div dir="auto"><br></div><div dir="auto">Can you please let me know if I am missing something?</div><div dir="auto"><br></div><div dir="auto">Thanks in advance for your help.</div></div></div>
</blockquote></div>
_______________________________________________<br>
NOTE: this list will soon be closed. New topics should be brought to: <a href="https://forum.suricata.io" rel="noreferrer" target="_blank">https://forum.suricata.io</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="1" color="#0000ff"><b>Kelley Misata, Ph.D.</b></font><div><font size="1" color="#0000ff"><b>Executive Director</b></font></div><div><font size="1" color="#0000ff"><b><a href="mailto:kmisata@oisf.net" target="_blank">kmisata@oisf.net</a></b></font></div><div><font size="1" color="#0000ff"><b>twitter:@OISFoundation</b></font></div><div><font size="1" color="#0000ff"><b><a href="http://www.oisf.net" target="_blank">www.oisf.net</a></b></font></div><div><br></div></div></div></div></div></div></div>