[Oisf-users] RE : HTTP keywords not matching

Paul Apostolescu apbogdan at gmail.com
Sun Dec 14 14:16:15 UTC 2014


That did it, with setting "checksum-validation: no" the app layer is processed.

Is there a place where I can find all options that need to be on/off for
the card to disable offloading? I've already switched off gso and lro.

Thanks.

On Sun, Dec 14, 2014 at 5:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>
> Hi Paul,
>
> Could you try disabling cksum verification in suricata.yaml please?
>
> Regards
> @Rmkml
>
>
>
> -------- Original message --------
> From: Paul Apostolescu <apbogdan at gmail.com>
> Date: 14/12/2014 04:43 (GMT+01:00)
> To: oisf-users at lists.openinfosecfoundation.org
> Cc:
> Subject: [Oisf-users] HTTP keywords not matching
>
> Hi,
>
> I'm having trouble getting rules using http keywords to work; this is the
> behavior I'm seeing:
>
> - an alert looking for http and content works:
>       alert http any any -> any any (msg:"get"; content:"GET";sid...)
>
> - anything else using the keywords fails like this one for example
>       alert http any any -> any any (msg:"get method"; content:"GET"; http_method;sid...)
>
> I've turned on eve logging but I cannot see any http activity, only dns (I
> have disabled all other loggers).
>
> I'm using 2.0.5 on CentOS 6.5 in a VM (Fusion on Mac) and running in pcap
> live mode "suricata -i eth1 -c ...."
>
> Any ideas what might be wrong?
>
> Thanks.
>
>
>