[Oisf-users] Inline problems with http_uri

Victor Julien lists at inliniac.net
Wed Oct 24 13:24:57 UTC 2012

On 10/24/2012 01:07 PM, Michael wrote:
> Hello Peter,
> thanks for your reply.
> No this does not work. 
> My Useragent: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)
> AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4 
> The rule: alert http any any -> any any (msg:"User-Agent abc
> http_user_agent"; content:"zilla"; http_user_agent; sid:2; rev:1;)
> What i forgot to mention, suricata does not see the whole traffic. only
> the incoming requests runs through suricata. 
> The response of the host goes directly to the client requesting the
> files (i think this is called direct server return).
> so the pakets flows like this:
> - incoming: router -> suricata -> server
> - outgoing: server -> router
> There is no way around this as suricata should not be the default
> gateway for the server.

This will not work I think. You may try enabling the "midstream" option
in the stream settings, but I doubt it will work with the http stream

You may want to try enabling "midstream" and write the rule without the
http specifics, like:

content:"User-Agent|3a|"; content:"zilla"; distance:0;

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list