[Oisf-users] HTTP detections without full stream?

Victor Julien lists at inliniac.net
Thu Nov 8 08:49:36 UTC 2012


On 11/07/2012 11:17 PM, Matt wrote:
> Hi, is it possible to use http detection rules in an environment where
> Suricata only sees the http request packets?  E.g. there's no TCP
> handshake.  I tried just removing the flow keywords, but that doesn't
> appear to work.  Here's an example test rule:
> 
> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test
> Detection"; uricontent:"jpg"; nocase; classtype:trojan-activity;
> sid:1111111; rev:1;)
> 
> tcp and udp alerts work, so I know I have my net variables correct.

Our HTTP engine is stateful and runs on top of the stream tracking and
reassembly engine, so this will be difficult. You could try enabling
"midstream" in your stream config, but I haven't tried this so it may
not work.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
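For anyone trying Victor's suggestion, the option he refers to lives in the stream section of suricata.yaml. The fragment below is an added illustration, not part of the original thread or of the Suricata project's shipped config: the memcap and reassembly values are placeholder defaults, and async-oneside is an assumption about the neighbouring option that matters for one-direction traffic, which the thread itself does not mention.

```yaml
# Added example (not from the thread): stream section of suricata.yaml
# with midstream session pickup enabled. Memcap/depth values are
# illustrative placeholders, not recommendations.
stream:
  memcap: 32mb
  checksum-validation: yes
  inline: auto
  # Let the TCP tracker pick up a session it never saw the 3-way handshake
  # for, so the stateful HTTP parser still gets fed from mid-stream data.
  midstream: true
  # Assumed relevant for captures that only carry one side of the flow
  # (request packets only); the original reply only mentions midstream.
  async-oneside: true
  reassembly:
    memcap: 64mb
    depth: 1mb
```

After changing it, replay the one-sided capture with `suricata -r <pcap>` and check whether the test signature appears in fast.log; without the handshake the tracker has no agreed sequence base, so treat reassembly in this mode as best-effort and confirm detections against a known sample before relying on them.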