[Oisf-users] HTTP detections without full stream?
Matt
matt at somedamn.com
Wed Nov 7 22:17:26 UTC 2012
Hi, is it possible to use http detection rules in an environment where
Suricata only sees the http request packets? E.g. there's no TCP
handshake. I tried just removing the flow keywords, but that doesn't
appear to work. Here's an example test rule:
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test Detection"; uricontent:"jpg"; nocase; classtype:trojan-activity; sid:1111111; rev:1;)
TCP and UDP alerts work, so I know I have my net variables correct.
Thanks,
- Matt
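The situation described above (only request packets, no TCP handshake) is governed by Suricata's stream engine, which decides whether a session that starts mid-connection or is visible from one side only gets tracked at all; the http keywords depend on the app-layer parser, which only runs on tracked streams. The fragment below is an added illustration, not part of Matt's message or an answer from the list, and the values are assumptions for a sensor that sees one direction of traffic.

```yaml
# Added example (not from the thread): stream-engine settings in suricata.yaml
# that affect flows seen without a handshake. Values are illustrative.
stream:
  # Let the stream engine pick up sessions whose TCP handshake was not seen.
  # When this is false, such flows are not tracked and the HTTP app-layer
  # parser never starts for them, so http rules cannot match.
  midstream: true
  # Track flows when only one direction is visible to the sensor,
  # e.g. only the client's request packets arrive.
  async-oneside: true
```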