[Oisf-users] Inline problems with http_uri

Peter Manev petermanev at gmail.com
Tue Oct 23 20:09:07 UTC 2012


Hi,

if you try:
alert *http* any any -> any any (msg:"User-Agent abc http_user_agent";
content:"zilla"; http_user_agent; sid:2; rev:1;)

would it behave as expected?

thank you

On Tue, Oct 23, 2012 at 7:15 PM, Michael <hoffrath at gmx.de> wrote:

> Hello,
>
> information:
> Host: Ubuntu 12.04 64-bit running on ESXi 4.1
> Version: Suricata 1.3.2
> Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
> HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> I insert suricata with iptables which redirects all traffic to nfqueue 0.
>
> I have the problem that I could not match any packets while using http_uri
> or other http options.
> My rule is: "drop tcp any any -> any any
> (msg:"index";flow:established,to_server;content:"/index.html";nocase;http_uri;sid:2;rev:2;)"
> Even trying to use this rule from planet.suricata-ids.org "alert tcp any
> any -> any any (msg:"User-Agent abc http_user_agent"; content:"Mozilla";
> http_user_agent; sid:2; rev:1;)" it fails.
>
> I have absolutely no clue why this happens, maybe someone could give me a
> clue?
>
> Regards
> Michael
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>


-- 
Regards,
Peter Manev
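As an added example that is not part of this thread, the following Python rule linter checks the things the exchange above turns on: an HTTP content modifier such as http_uri or http_user_agent must follow a content keyword, drop only takes effect when Suricata runs inline, two rules sharing a sid will not both load, and (Peter's suggestion) an HTTP-buffer rule keyed on proto tcp can be tried with proto http instead. The buffer names are Suricata's own rule keywords; the severity labels, messages and the helper names are this example's. The sample ruleset is constructed from the rules quoted in the thread, with the sids of the last two rules renumbered so that only Michael's pair collides.

```python
import re
from collections import Counter

# Suricata content modifiers that bind the preceding content: to an HTTP buffer,
# grouped by which side of the transaction they inspect.
REQUEST_BUFFERS = {"http_uri", "http_raw_uri", "http_method", "http_user_agent",
                   "http_host", "http_raw_host", "http_client_body"}
RESPONSE_BUFFERS = {"http_stat_code", "http_stat_msg", "http_server_body"}
EITHER_BUFFERS = {"http_header", "http_raw_header", "http_cookie"}
HTTP_BUFFERS = REQUEST_BUFFERS | RESPONSE_BUFFERS | EITHER_BUFFERS

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$", re.S)


def split_options(opts):
    """Split the option body on ';' while honouring double quotes and
    backslash escapes, so a ';' inside a quoted value does not end an option."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ";" and not quoted:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(text):
    """Parse one rule (possibly wrapped over several lines) into header fields
    plus an ordered (keyword, value) list; keyword order matters for modifiers."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = [tuple(p.strip() for p in item.partition(":")[::2])
                       for item in split_options(rule.pop("opts"))]
    return rule


def lint_rule(rule, inline=False):
    """Return (severity, message) findings for a single parsed rule."""
    findings, have_content = [], False
    opts = dict(rule["options"])
    flow = opts.get("flow", "")
    for kw, _ in rule["options"]:
        if kw == "content":
            have_content = True
        elif kw in HTTP_BUFFERS:
            if not have_content:
                findings.append(("error", "%s is a content modifier but no content: precedes it" % kw))
            if kw in REQUEST_BUFFERS and ("to_client" in flow or "from_server" in flow):
                findings.append(("error", "%s inspects the request but flow is %s" % (kw, flow)))
            if kw in RESPONSE_BUFFERS and ("to_server" in flow or "from_client" in flow):
                findings.append(("error", "%s inspects the response but flow is %s" % (kw, flow)))
    if any(kw in HTTP_BUFFERS for kw, _ in rule["options"]) and rule["proto"] == "tcp":
        findings.append(("note", "HTTP buffers with proto tcp; try proto http as suggested in the thread"))
    if rule["action"] == "drop" and not inline:
        findings.append(("warning", "drop only takes effect when Suricata runs inline (e.g. NFQ)"))
    if "sid" not in opts:
        findings.append(("error", "missing sid"))
    return findings


def lint_ruleset(rules, inline=False):
    """Lint each rule and flag sids reused across rules (Suricata keeps only one)."""
    parsed = [parse_rule(r) for r in rules]
    report = {i: lint_rule(p, inline) for i, p in enumerate(parsed)}
    sids = Counter(dict(p["options"]).get("sid") for p in parsed)
    for i, p in enumerate(parsed):
        sid = dict(p["options"]).get("sid")
        if sid is not None and sids[sid] > 1:
            report[i].append(("error", "sid %s is shared by %d rules; only one will load" % (sid, sids[sid])))
    return report


# Constructed sample set: Michael's two rules as posted (both sid:2), Peter's
# variant renumbered to sid:3, and a deliberately broken rule (modifier first).
SAMPLE_RULES = [
    'drop tcp any any -> any any (msg:"index"; flow:established,to_server; '
    'content:"/index.html"; nocase; http_uri; sid:2; rev:2;)',
    'alert tcp any any -> any any (msg:"User-Agent abc http_user_agent"; '
    'content:"Mozilla"; http_user_agent; sid:2; rev:1;)',
    'alert http any any -> any any (msg:"User-Agent abc http_user_agent"; '
    'content:"zilla"; http_user_agent; sid:3; rev:1;)',
    'alert http any any -> any any (msg:"broken"; http_uri; content:"/admin"; sid:4; rev:1;)',
]

if __name__ == "__main__":
    for idx, findings in lint_ruleset(SAMPLE_RULES, inline=True).items():
        for severity, message in findings:
            print("rule %d [%s]: %s" % (idx, severity, message))
```

Run with inline=True, as in Michael's NFQ setup, the drop warning goes away and what remains for his rules is the shared sid and the proto note; the rule with http_uri ahead of any content keyword is the only hard syntax error in the set.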