[Oisf-users] HTTP keywords not matching
Paul Apostolescu
apbogdan at gmail.com
Sun Dec 14 03:43:15 UTC 2014
Hi,
I'm having trouble getting rules using http keywords to work. This is the
behavior I'm seeing:
- an alert looking for http and content works:
  alert http any any -> any any (msg:"get"; content:"GET"; sid...)
- anything else using the keywords fails, like this one for example:
  alert http any any -> any any (msg:"get method"; content:"GET"; http_method; sid...)
I've turned on eve logging but I cannot see any http activity, only dns (I
have disabled all other loggers).
I'm using 2.0.5 on CentOS 6.5 in a VM (Fusion on Mac) and running in pcap
live mode "suricata -i eth1 -c ...."
Any ideas what might be wrong?
Thanks.
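A quick triage of the eve.json symptom described above (dns events present, no http events), as an added example that is not part of the original post or of Suricata itself. The EVE lines are constructed; the keys used (event_type, alert.signature_id) are standard Suricata EVE fields.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines reproducing the reported
# symptom: DNS is logged, a plain content rule alerts, but no "http"
# event_type ever appears.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-12-13T22:10:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2014-12-13T22:10:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dns":{"type":"answer","rrname":"example.com"}}',
    '{"timestamp":"2014-12-13T22:10:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"get"}}',
]


def summarize_eve(lines):
    """Count event_type values and collect alerting signature ids."""
    types = Counter()
    sids = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            types["malformed"] += 1
            continue
        et = ev.get("event_type", "unknown")
        types[et] += 1
        if et == "alert":
            sids.add(ev.get("alert", {}).get("signature_id"))
    return types, sids


def diagnose(lines):
    """Map the observed event mix to the likely cause of http_* keywords not matching."""
    types, sids = summarize_eve(lines)
    findings = []
    if types.get("http", 0) == 0:
        findings.append("no http events: the HTTP app-layer parser or the eve "
                        "http output is not active, so http_* keywords have "
                        "no parsed HTTP state to inspect")
    if types.get("alert", 0) > 0 and types.get("http", 0) == 0:
        findings.append("content-only alerts fire without http events: rules "
                        "match raw payload, not parsed HTTP")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_EVE_LINES):
        print(finding)
```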