[Oisf-users] Pass rule for host name not working as expected

Victor Julien lists at inliniac.net
Tue May 19 07:27:29 UTC 2015


On 05/15/2015 07:07 PM, Jay MJ wrote:
> Greetings,
> 
> I'm trying to use a pass rule with http_host, and I can't seem to get
> it to work (which is odd, my other http_host pass rules work fine).
> Alerts are firing on a local rule for zip files, which I don't want to
> happen. I have confirmed the order in the configuration is correct
> (pass rules first), and am running Archlinux with suricata 2.1beta4-1
> (behavior was also present in 2.1beta3).
> 
> The pass rule:
> pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud";
> content:"ccmdl.adobe.com"; http_host; sid:8000068;)
> 
> Eve log alert metadata:
> hostname: ccmdl.adobe.com
> src_ip: <several external>
> src_port: 80
> dest_ip: 192.168.0.1
> dest_port: <various>
> 
> I have tried to be more forgiving with the rule parameters (i.e. using
> any instead of the external var, any port instead of 80), however the
> problem still persists.
> 
> I am willing to provide an obfuscated pcap if someone is interested in
> having a greater look.

The http_host keyword matches against request properties: the parsed
hostname (either from the URL or the Host header). The ports and IPs in your rule
suggest you're matching on the response. Try flipping the address/port part.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
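As an added illustration of the point in the reply above (this is example code written for this page, not code from the thread or from the Suricata project): a small Python lint that parses a rule header, flags request-side HTTP buffers used with a header whose source port is the HTTP server port (i.e. a header written for the server-to-client direction), and emits the rule with the address/port part flipped. The set of request-only buffers, the HTTP server port set (80 and $HTTP_PORTS), and the simple `;`-split option parser are assumptions of this lint, not Suricata's own parser. The first rule is the one from the post; the zip rule is constructed as a sample of a response-side rule that should not be flagged.

```python
import re

# Assumed subset of Suricata content modifiers / sticky buffers that only
# exist on the HTTP request side.  http_cookie is deliberately left out:
# Suricata also matches it against the response Set-Cookie header.
REQUEST_ONLY_BUFFERS = {
    "http_host", "http_raw_host", "http_uri", "http_raw_uri",
    "http_method", "http_user_agent", "http_client_body",
}

# Assumed: ports that denote the HTTP *server* side of a flow.
HTTP_SERVER_PORTS = {"80", "$HTTP_PORTS"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def parse_rule(rule):
    """Split a rule into header fields plus an ordered list of (key, value) options.

    Simplification: options are split on ';'.  Rules that embed a literal ';'
    inside a content string (normally written as |3b|) are not handled here.
    """
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    parsed = m.groupdict()
    opts = []
    for raw in parsed.pop("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        opts.append((key.strip(), val.strip()))
    parsed["opts"] = opts
    return parsed


def request_buffers(parsed):
    """Names of request-only buffers the rule's options refer to."""
    return [k for k, _ in parsed["opts"] if k in REQUEST_ONLY_BUFFERS]


def looks_like_response_header(parsed):
    """True when the header describes server->client traffic: the *source*
    port is the HTTP server port while the destination port is not."""
    return (parsed["dir"] == "->"
            and parsed["sport"] in HTTP_SERVER_PORTS
            and parsed["dport"] not in HTTP_SERVER_PORTS)


def lint_rule(rule):
    """Return a list of findings; an empty list means nothing to report."""
    p = parse_rule(rule)
    bufs = request_buffers(p)
    if bufs and looks_like_response_header(p):
        return [
            "%s matches the HTTP request, but the header '%s %s -> %s %s' "
            "describes the response direction; flip the address/port part"
            % (", ".join(bufs), p["src"], p["sport"], p["dst"], p["dport"])
        ]
    return []


def flip_direction(rule):
    """Swap src/sport with dst/dport, keeping action, proto, direction and options."""
    p = parse_rule(rule)
    opts = "; ".join(k if v == "" else "%s:%s" % (k, v) for k, v in p["opts"])
    return "%s %s %s %s %s %s %s (%s;)" % (
        p["action"], p["proto"], p["dst"], p["dport"], p["dir"],
        p["src"], p["sport"], opts)


# The rule as posted in the thread.
ORIGINAL_RULE = ('pass http $EXTERNAL_NET 80 -> 192.168.0.1 any '
                 '(msg:"Pass Adobe cloud"; content:"ccmdl.adobe.com"; '
                 'http_host; sid:8000068;)')

# The same rule with the address/port part flipped to the request direction.
FIXED_RULE = ('pass http 192.168.0.1 any -> $EXTERNAL_NET 80 '
              '(msg:"Pass Adobe cloud"; content:"ccmdl.adobe.com"; '
              'http_host; sid:8000068;)')

# Constructed sample: a response-side rule (file_data is not request-only),
# so the lint must stay quiet about it.
ZIP_RULE = ('alert http $EXTERNAL_NET 80 -> $HOME_NET any '
            '(msg:"ZIP file download"; file_data; content:"PK"; sid:8000001;)')

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("zip", ZIP_RULE)):
        for finding in lint_rule(rule):
            print("%s: %s" % (name, finding))
    print(flip_direction(ORIGINAL_RULE))
```

The lint is deliberately narrow: it only reports when a request-only buffer is combined with a header whose source port is the server port, which is exactly the mismatch described in the reply. A rule with the right direction but a wrong port variable, or a `<>` bidirectional header, is passed through untouched.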
