[Oisf-users] Inline problems with http_uri
Victor Julien
lists at inliniac.net
Wed Oct 24 13:24:57 UTC 2012
On 10/24/2012 01:07 PM, Michael wrote:
> Hello Peter,
>
> thanks for your reply.
>
> No this does not work.
>
> My Useragent: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)
> AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
> The rule: alert http any any -> any any (msg:"User-Agent abc
> http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)
>
> What I forgot to mention, suricata does not see the whole traffic. Only
> the incoming requests run through suricata.
> The response of the host goes directly to the client requesting the
> files (I think this is called direct server return).
>
> So the packets flow like this:
> - incoming: router -> suricata -> server
> - outgoing: server -> router
>
> There is no way around this as suricata should not be the default
> gateway for the server.
This will not work, I think. You may try enabling the "midstream" option
in the stream settings, but I doubt it will work with the http stream
properly.
You may want to try enabling "midstream" and write the rule without the
http specifics, like:
content:"User-Agent|3a|"; content:"zilla"; distance:0;
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
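Added example, not code from this thread or from Suricata itself: a small Python emulation of how the raw-content rule suggested above (two content matches chained with distance:0) is evaluated against a single request, independent of the HTTP parser. The request bytes are constructed here from the User-Agent quoted in the thread; Suricata's real matcher is far more involved.

```python
import re

# |..| sections in a Suricata content string are hex bytes, e.g. |3a| is ':'.
PIPE_RE = re.compile(rb"\|([0-9A-Fa-f ]+)\|")

def content_to_bytes(spec: str) -> bytes:
    """Turn a content string such as 'User-Agent|3a|' into the raw bytes it
    matches: pipe-delimited hex is decoded, everything else is literal."""
    raw = spec.encode()
    out = bytearray()
    pos = 0
    for m in PIPE_RE.finditer(raw):
        out += raw[pos:m.start()]
        out += bytes.fromhex(m.group(1).decode())
        pos = m.end()
    out += raw[pos:]
    return bytes(out)

def match_chain(payload: bytes, chain) -> bool:
    """chain is a list of (content_spec, distance) pairs. distance=None means
    the content may match anywhere; distance=N means it must start at least
    N bytes after the end of the previous match (Suricata's 'distance:N'
    with no 'within', so the search runs to the end of the payload).
    Matching is case-sensitive, as content is without 'nocase'."""
    prev_end = 0
    for spec, distance in chain:
        needle = content_to_bytes(spec)
        start = 0 if distance is None else prev_end + distance
        idx = payload.find(needle, start)
        if idx < 0:
            return False
        prev_end = idx + len(needle)
    return True

# Constructed sample request carrying the User-Agent quoted in the thread.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) "
           b"AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 "
           b"Safari/537.4\r\n\r\n")

# content:"User-Agent|3a|"; content:"zilla"; distance:0;
RULE_CHAIN = [("User-Agent|3a|", None), ("zilla", 0)]

if __name__ == "__main__":
    print("match" if match_chain(REQUEST, RULE_CHAIN) else "no match")
```

Because the second content is anchored after the first, "zilla" appearing only in the request line (before the User-Agent header) does not trigger a match.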