[Oisf-users] HTTP detections without full stream?

Matt Carothers matt at somedamn.com
Thu Nov 8 16:47:37 UTC 2012


On 11/8/2012 3:49 AM, Victor Julien wrote:
> On 11/07/2012 11:17 PM, Matt wrote:
>> Hi, is it possible to use http detection rules in an environment where
>> Suricata only sees the http request packets?  E.g. there's no TCP
>> handshake.  I tried just removing the flow keywords, but that doesn't
>> appear to work.  Here's an example test rule:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test
>> Detection"; uricontent:"jpg"; nocase; classtype:trojan-activity;
>> sid:1111111; rev:1;)
>>
>> tcp and udp alerts work, so I know I have my net variables correct.
> Our HTTP engine is stateful and runs on top of the stream tracking and
> reassembly engine, so this will be difficult. You could try enabling
> "midstream" in your stream config, but I haven't tried this so it may
> not work.

Excellent.  That worked.  Thank you.

- Matt
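As an added example (not part of the thread, and not the Suricata project's own config file), here is the `stream` section of suricata.yaml with the `midstream` option Victor refers to turned on. The HTTP app-layer parser only sees data the TCP stream engine has reassembled, and by default the stream engine only creates a session when it sees the SYN/SYN-ACK/ACK handshake, so request packets captured on their own never reach an `alert http` rule. `async-oneside` is a further stream setting (assumed relevant here, since Matt's sensor sees only the request direction) that lets reassembly proceed without ACKs from the other side; the other values shown are illustrative defaults.

```yaml
# Added example: stream section of suricata.yaml for a sensor that sees
# HTTP requests but no TCP handshake. Not from the thread or the project.
stream:
  memcap: 32mb
  checksum-validation: yes
  # Default is false: a flow is only tracked after a full 3-way handshake,
  # so packets arriving without one are never handed to the HTTP parser.
  midstream: true
  # Assumption: only one direction of the conversation is captured, so
  # reassembly must not wait for ACKs from the unseen side.
  async-oneside: true
  reassembly:
    memcap: 64mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
```

Two practitioner caveats. With `midstream` on, Suricata has to infer the direction of a picked-up flow from the first packet it sees, so a rule written as `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` depends on that inference being right. It also means any stray TCP segment can start a tracked session, so expect higher stream memory use and watch `memcap` on a busy sensor.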
