[Oisf-users] Inline problems with http_uri

Michael hoffrath at gmx.de
Wed Oct 24 11:07:34 UTC 2012


Hello Peter,

thanks for your reply.

No, this does not work.

My Useragent: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4 
The rule: alert http any any -> any any (msg:"User-Agent abc http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)

What I forgot to mention: Suricata does not see the whole traffic. Only the incoming requests run through Suricata.
The response of the host goes directly to the client requesting the files (I think this is called direct server return).

So the packets flow like this:
- incoming: router -> suricata -> server
- outgoing: server -> router

There is no way around this as suricata should not be the default gateway for the server.

Regards
Michael


On 23.10.2012 at 22:09, Peter Manev wrote:

> alert http any any -> any any (msg:"User-Agent abc http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)
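Added configuration example, not part of Michael's or Peter's messages: the `stream` section of suricata.yaml as it relates to a sensor that only ever sees the client-to-server direction, which is the packet flow described above. Suricata's stream engine tracks the TCP handshake from both sides before it reassembles a session and hands the payload to the HTTP parser; if the SYN/ACK and all server data take the direct-server-return path around the sensor, the session is never treated as established, the `http_user_agent` buffer is never populated, and a `content` match on it cannot fire. The keys `async-oneside` and `midstream` are Suricata's own options; every other value here is an illustrative default, and which keys a particular Suricata release supports should be checked against the suricata.yaml shipped with that release.

```yaml
# Added example (not from the thread). Two variants of the stream section:
# the first is the usual shape in which one-sided traffic is never tracked,
# the second enables one-sided tracking for a direct-server-return setup.
# Values other than async-oneside and midstream are illustrative.

# Variant 1: only-one-direction flows stay unestablished, so no HTTP parsing.
stream:
  memcap: 32mb
  checksum-validation: yes
  inline: auto
  # Both off (commented out = default): a session whose reply direction
  # bypasses the sensor never completes its handshake in the tracker.
  #midstream: false
  #async-oneside: false
  reassembly:
    memcap: 64mb
    depth: 1mb
---
# Variant 2: accept flows for which only one direction is visible.
stream:
  memcap: 32mb
  checksum-validation: yes
  inline: auto
  # Track sessions even though the server->client direction never arrives;
  # this is the case when the response goes server -> router directly.
  async-oneside: true
  # Also pick up sessions whose handshake was missed entirely (for example
  # connections that were already open when Suricata started).
  midstream: true
  reassembly:
    memcap: 64mb
    depth: 1mb
```

With one-sided tracking the engine cannot confirm that the server acknowledged the request bytes, so reassembly is less strict than with both directions; that is the accepted trade-off for a sensor placed only on the request path. Note also that in this topology an inline rule can only ever act on the request direction, since the response never passes the sensor at all.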
