[Oisf-users] Pass rule for host name not working as expected
Jay MJ
jskier at gmail.com
Fri May 15 17:07:54 UTC 2015
Greetings,
I'm trying to use a pass rule with http_host, and I can't seem to get
it to work (which is odd, my other http_host pass rules work fine).
Alerts are firing on a local rule for zip files, which I don't want to
happen. I have confirmed the order in the configuration is correct
(pass rules first), and am running Archlinux with suricata 2.1beta4-1
(behavior was also present in 2.1beta3).
The pass rule:
pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud";
content:"ccmdl.adobe.com"; http_host; sid:8000068;)
Eve log alert metadata:
hostname: ccmdl.adobe.com
src_ip: <several external>
src_port: 80
dest_ip: 192.168.0.1
dest_port: <various>
I have tried to be more forgiving with the rule parameters (ie using
any instead of external var, any port instead of 80), however the
problem still persists.
I am willing to provide an obfuscated pcap if someone is interested in
having a greater look.
Thanks in advance for any help,
--
Jeremy MJ
More information about the Oisf-users
mailing list