[Oisf-users] Pass rule for host name not working as expected

Victor Julien lists at inliniac.net
Tue May 19 07:27:29 UTC 2015

On 05/15/2015 07:07 PM, Jay MJ wrote:
> Greetings,
> I'm trying to use a pass rule with http_host, and I can't seem to get
> it to work (which is odd, my other http_host pass rules work fine).
> Alerts are firing on a local rule for zip files, which I don't want to
> happen. I have confirmed the order in the configuration is correct
> (pass rules first), and am running Archlinux with suricata 2.1beta4-1
> (behavior was also present in 2.1beta3).
> The pass rule:
> pass http $EXTERNAL_NET 80 -> any (msg:"Pass Adobe cloud";
> content:"ccmdl.adobe.com"; http_host; sid:8000068;)
> Eve log alert metadata:
> hostname: ccmdl.adobe.com
> src_ip: <several external>
> src_port: 80
> dest_ip:
> dest_port: <various>
> I have tried to be more forgiving with the rule parameters (ie using
> any instead of external var, any port instead of 80), however the
> problem still persists.
> I am willing to provide an obfuscated pcap if someone is interested in
> having a greater look.

The http_host keyword matches against request properties: the parsed
hostname (either from URL or Host header). Port and IP's in your rule
suggest you're matching on the response. Try flipping the address/port part.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list