[Oisf-users] HTTP keywords not matching

Paul Apostolescu apbogdan at gmail.com
Sun Dec 14 03:43:15 UTC 2014


I'm having troubles getting rules using http keywords to work, this is the
behavior I'm seeing:

- an alert looking for http and content works:
      alert *http* any any -> any any (msg:"get"; *content*:"GET";sid...)

- anything else using the keywords fails like this one for example
      alert *http* any any -> any any (msg:"get method"; *content*:"GET";

I've turned on eve logging but I cannot see any http activity only dns (I
have disabled all other loggers).

I'm using 2.0.5 on CentOS 6.5 in a VM (Fusion on Mac) and running in pcap
live mode "suricata -i eth1 -c ...."

Any ideas what might be wrong ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141213/e54cec9b/attachment.html>

More information about the Oisf-users mailing list