[Oisf-users] RE: HTTP keywords not matching
rmkml
rmkml at yahoo.fr
Sun Dec 14 15:56:13 UTC 2014
Thanks Paul,
You could check disabling offloading on this URL please:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
Could you share a pcap, your sig and your suricata.yaml, please?
Regards
@Rmkml
On Sun, 14 Dec 2014, Paul Apostolescu wrote:
> That did it, with "checksum-validation: no" set, app layer is processed.
> Is there a place where I can find all options that need to be on/off for the card to disable offloading? I've already switched off gso and lro.
>
> Thanks.
>
> On Sun, Dec 14, 2014 at 5:53 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Paul,
>
> Could you try disabling cksum verification in suricata.yaml please?
>
> Regards
> @Rmkml
>
>
>
> -------- Original Message --------
> From: Paul Apostolescu <apbogdan at gmail.com>
> Date: 14/12/2014 04:43 (GMT+01:00)
> To: oisf-users at lists.openinfosecfoundation.org
> Cc:
> Subject: [Oisf-users] HTTP keywords not matching
>
> Hi,
> I'm having trouble getting rules using http keywords to work; this is the behavior I'm seeing:
>
> - an alert looking for http and content works:
> alert http any any -> any any (msg:"get"; content:"GET";sid...)
>
> - anything else using the keywords fails, like this one for example:
> alert http any any -> any any (msg:"get method"; content:"GET";http_method;sid...)
>
> I've turned on eve logging but I cannot see any http activity, only dns (I have disabled all other loggers).
>
> I'm using 2.0.5 on CentOS 6.5 in a VM (Fusion on Mac) and running in pcap live mode "suricata -i eth1 -c ...."
>
> Any ideas what might be wrong?
>
> Thanks.
>
>
>
>
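The thread comes down to two checks on a Suricata capture box: which NIC offload features are still enabled (Paul had turned off gso and lro but not the rest) and whether `checksum-validation` is set to `no` in suricata.yaml. The script below is an added example, not code from the thread or from the Suricata project. It parses the output format of `ethtool -k` for the offload features that commonly interfere with capture and reports those still on; the interface name `eth1` is taken from Paul's command line, and the sample `ethtool -k` listing embedded in the script is constructed for offline testing.

```bash
#!/bin/sh
# Offload features that should be off on a Suricata capture interface.
# (Names as printed by `ethtool -k`; with `ethtool -K` they are
# rx, tx, sg, tso, gso, gro and lro respectively.)
OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload"

# offloads_still_on TEXT
#   TEXT is the output of `ethtool -k <iface>`. Prints, one per line,
#   each feature from OFFLOADS whose state is "on" (including "on [fixed]",
#   which the driver will not let you change).
offloads_still_on() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *": on"*)
                name=${line%%:*}                        # text before the colon
                name=$(printf '%s' "$name" | tr -d ' \t')
                for f in $OFFLOADS; do
                    [ "$f" = "$name" ] && printf '%s\n' "$name"
                done
                ;;
        esac
    done
    return 0
}

# check_iface IFACE
#   Live use: run ethtool on a real interface and list what is still on.
#   Each name printed corresponds to an `ethtool -K IFACE <flag> off` call.
check_iface() {
    offloads_still_on "$(ethtool -k "$1")"
}

# Constructed sample of `ethtool -k eth1` output for a box where only
# gso and lro have been switched off (the situation in the thread).
SAMPLE='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Suricata side of the same fix, for reference (suricata.yaml, stream section):
#   stream:
#     checksum-validation: no
# Offloading can hand Suricata segments with unfinished checksums, which
# checksum validation then discards before the app layer ever sees them.

if [ "${1:-}" = "--sample" ]; then
    offloads_still_on "$SAMPLE"
elif [ -n "${1:-}" ]; then
    check_iface "$1"
fi
```

Run it as `sh check_offload.sh eth1` on the capture host, or with `--sample` to see the parser act on the embedded listing; every feature it prints is one more `ethtool -K eth1 <flag> off` to issue before the checksum setting in suricata.yaml is relied on.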