[Oisf-users] Inline problems with http_uri

Michael hoffrath at gmx.de
Wed Oct 24 16:49:22 UTC 2012


after playing around a bit with the options i noticed that "midstream" prevented my "secured" server from using commands like "apt-get update" and others. 
After disabling this everything works fine again on the server.

I noticed another "problem" running this setup:

rule: drop ip any any -> any any (msg:"flood"; threshold: type both, track by_src, seconds 1, count 200;sid:2; rev:1;)

i ran an simple udp flood on the target suricata logs that this rule hast triggered but the packets does not get dropped, the full flood hits the target.

Someone any suggestions?


Am 24.10.2012 um 15:38 schrieb Michael:

> Hello Victor,
> thanks for your suggestion. I've enabled midstream and ran the test again, no success. 
> Matching without the http stuff works, but that already worked without the midstream option.
> This is ok, but i was not sure if i just made an mistake or missonfiguration, thats the reason why i asked this question.
> Regards
> Michael
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list