[Oisf-users] Pass rule for host name not working as expected

Jay MJ jskier at gmail.com
Fri May 15 17:07:54 UTC 2015


I'm trying to use a pass rule with http_host, and I can't seem to get
it to work (which is odd, my other http_host pass rules work fine).
Alerts are firing on a local rule for zip files, which I don't want to
happen. I have confirmed the order in the configuration is correct
(pass rules first), and am running Arch Linux with suricata 2.1beta4-1
(the behavior was also present in 2.1beta3).

The pass rule:
pass http $EXTERNAL_NET 80 -> any (msg:"Pass Adobe cloud";
content:"ccmdl.adobe.com"; http_host; sid:8000068;)

Eve log alert metadata:
hostname: ccmdl.adobe.com
src_ip: <several external>
src_port: 80
dest_port: <various>

I have tried to be more forgiving with the rule parameters (i.e. using
any instead of the external var, any port instead of 80), however the
problem still persists.

I am willing to provide an obfuscated pcap if someone is interested in
having a greater look.

Thanks in advance for any help,

Jeremy MJ
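The rule header and option layout the post above depends on, as an added example that is not part of the original post and not Suricata's own parser: a small Python linter for Suricata rule text. It checks that the header carries all seven fields (action, protocol, source address, source port, direction, destination address, destination port), that a `content` modified by `http_host` is lowercase (Suricata normalizes the host buffer to lowercase and rejects uppercase content there), and that a rule using request-side buffers such as `http_host` has a header describing the client-to-server direction rather than the server's reply. The set of request-side keywords and the list of server ports are constructed for this example; the sample rules are built from the one in the post.

```python
"""Minimal Suricata rule-text linter (added example, not Suricata code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Keywords that inspect data present only in the HTTP request (client -> server).
# Constructed for this example from the keywords' documented meaning.
REQUEST_SIDE_KEYWORDS = {"http_host", "http_raw_host", "http_uri", "http_raw_uri",
                         "http_method", "http_client_body", "http_user_agent"}
# Ports that identify the HTTP server side of a flow (constructed list).
SERVER_PORTS = {"80", "443", "$HTTP_PORTS"}
HEADER_FIELDS = 7  # action proto src_ip src_port direction dst_ip dst_port


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: List[str] = field(default_factory=list)


def split_options(opts: str) -> List[str]:
    """Split the option block on ';' while respecting quotes and escapes."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and i + 1 < len(opts):  # keep escaped character verbatim
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            tok = "".join(cur).strip()
            if tok:
                out.append(tok)
            cur = []
        else:
            cur.append(c)
        i += 1
    tok = "".join(cur).strip()
    if tok:
        out.append(tok)
    return out


def parse_rule(text: str) -> Rule:
    """Parse one rule into header fields and a list of option tokens."""
    text = " ".join(text.split())  # join lines wrapped by an e-mail client
    m = re.match(r"^(.*?)\s*\((.*)\)\s*$", text)
    if not m:
        raise ValueError("rule has no option block in parentheses")
    fields = m.group(1).split()
    if len(fields) != HEADER_FIELDS:
        raise ValueError(f"header has {len(fields)} fields, expected {HEADER_FIELDS} "
                         "(action proto src_ip src_port direction dst_ip dst_port)")
    return Rule(*fields, options=split_options(m.group(2)))


def lint(text: str) -> List[str]:
    """Return a list of problems found in the rule; an empty list means clean."""
    try:
        rule = parse_rule(text)
    except ValueError as err:
        return [str(err)]
    problems: List[str] = []
    keywords = set()
    last_content: Optional[str] = None
    for opt in rule.options:
        key, _, val = opt.partition(":")
        key = key.strip()
        keywords.add(key)
        if key == "content":
            last_content = val.strip().strip('"')
        elif key == "http_host" and last_content is not None \
                and last_content != last_content.lower():
            problems.append("http_host content must be lowercase: " + last_content)
    if keywords & REQUEST_SIDE_KEYWORDS and rule.direction == "->" \
            and rule.src_port in SERVER_PORTS and rule.dst_port not in SERVER_PORTS:
        problems.append("request-side buffer used, but header source port "
                        f"{rule.src_port} describes the server reply; expected "
                        "client -> server (e.g. $HOME_NET any -> $EXTERNAL_NET 80)")
    return problems


if __name__ == "__main__":
    for problem in lint('pass http $EXTERNAL_NET 80 -> any (msg:"Pass Adobe cloud"; '
                        'content:"ccmdl.adobe.com"; http_host; sid:8000068;)'):
        print("problem:", problem)
```

Run against the rule from the post, the linter first reports the header field count; after a destination port is supplied it points out that the header is written for the reply direction while `http_host` inspects the request.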

