[Oisf-users] Pass rule for host name not working as expected

Jeremy MJ jskier at gmail.com
Tue May 19 16:01:58 UTC 2015


Thanks Victor. I think I tried getting more broad on this before, but
I'll see if this works:
pass http any any <> any any (content:"ccmdl.adobe.com"; http_host;
sid:8000068;)

--
Jeremy MJ

On Tue, May 19, 2015 at 2:27 AM, Victor Julien <lists at inliniac.net> wrote:
>
> On 05/15/2015 07:07 PM, Jay MJ wrote:
> > Greetings,
> >
> > I'm trying to use a pass rule with http_host, and I can't seem to get
> > it to work (which is odd, my other http_host pass rules work fine).
> > Alerts are firing on a local rule for zip files, which I don't want to
> > happen. I have confirmed the order in the configuration is correct
> > (pass rules first), and am running Archlinux with suricata 2.1beta4-1
> > (behavior was also present in 2.1beta3).
> >
> > The pass rule:
> > pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud";
> > content:"ccmdl.adobe.com"; http_host; sid:8000068;)
> >
> > Eve log alert metadata:
> > hostname: ccmdl.adobe.com
> > src_ip: <several external>
> > src_port: 80
> > dest_ip: 192.168.0.1
> > dest_port: <various>
> >
> > I have tried to be more forgiving with the rule parameters (i.e. using
> > any instead of external var, any port instead of 80), however the
> > problem still persists.
> >
> > I am willing to provide an obfuscated pcap if someone is interested in
> > having a greater look.
>
> The http_host keyword matches against request properties: the parsed
> hostname (either from URL or Host header). Port and IPs in your rule
> suggest you're matching on the response. Try flipping the address/port part.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
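A worked illustration of Victor's point, added here as an example and not taken from the thread or from Suricata's own code. It is a small Python simulation of how an `http` rule's address/port header interacts with a request-side sticky buffer such as `http_host`: the rule can only see the parsed hostname on the to-server (request) side of the transaction, so a header written as "server 80 -> client any" describes the response and never reaches the buffer. The `$HOME_NET` value, the documentation address 203.0.113.10 standing in for the obfuscated external IPs, the client port, and the simplified matching model are all assumptions of the example; the three rules are the original one from the thread, the flipped header Victor suggested, and Jeremy's bidirectional `any any <> any any` variant.

```python
"""Simulation of Suricata rule-header direction vs. the http_host buffer.

Added example (not code from the thread or from the Suricata project).
Model (an assumption, simplified from real Suricata matching): keywords that
inspect the HTTP request are evaluated on the to-server side of the flow, so
a rule using them must have a header that describes client -> server.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address-variable value for the simulation; the thread does not
# show the poster's suricata.yaml.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# Keywords that inspect the HTTP request only (to-server direction).
REQUEST_BUFFERS = {"http_host", "http_raw_host", "http_uri", "http_raw_uri",
                   "http_method", "http_user_agent", "http_client_body"}

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class HttpTransaction:
    """One request/response pair as Suricata reconstructs it."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    host: str  # parsed Host header, i.e. what http_host inspects


def addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return any(addr in net for net in HOME_NET)
    if spec == "$EXTERNAL_NET":
        return not any(addr in net for net in HOME_NET)
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_rule(text: str) -> dict:
    """Split header and options; naive ';' split is enough for these rules."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = [o.strip() for o in rule["opts"].split(";") if o.strip()]
    rule["keywords"] = {o.split(":", 1)[0] for o in opts}
    # A content followed by http_host is matched against the hostname buffer.
    rule["host_content"] = None
    for i, o in enumerate(opts):
        if o.startswith("content:") and i + 1 < len(opts) and opts[i + 1] == "http_host":
            rule["host_content"] = o.split(":", 1)[1].strip('"')
    return rule


def header_covers_request(rule: dict, tx: HttpTransaction) -> bool:
    """True if the header matches the request packet (client -> server)."""
    forward = (addr_matches(rule["src"], tx.client_ip)
               and port_matches(rule["sport"], tx.client_port)
               and addr_matches(rule["dst"], tx.server_ip)
               and port_matches(rule["dport"], tx.server_port))
    if rule["dir"] == "->":
        return forward
    # '<>' also accepts the header written from the server's point of view.
    reverse = (addr_matches(rule["src"], tx.server_ip)
               and port_matches(rule["sport"], tx.server_port)
               and addr_matches(rule["dst"], tx.client_ip)
               and port_matches(rule["dport"], tx.client_port))
    return forward or reverse


def rule_matches(rule_text: str, tx: HttpTransaction) -> bool:
    rule = parse_rule(rule_text)
    if rule["keywords"] & REQUEST_BUFFERS and not header_covers_request(rule, tx):
        return False  # request buffers are never inspected in the response direction
    if rule["host_content"] is not None:
        # http_host holds the normalized (lowercase) hostname.
        return rule["host_content"] in tx.host.lower()
    return True


# Constructed transaction mirroring the EVE alert quoted in the thread: the
# alerting packet went external:80 -> 192.168.0.1, so it was the response;
# the client is therefore 192.168.0.1 and the server is the external host.
TX = HttpTransaction("192.168.0.1", 51234, "203.0.113.10", 80, "ccmdl.adobe.com")

ORIGINAL = ('pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud"; '
            'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
FLIPPED = ('pass http 192.168.0.1 any -> $EXTERNAL_NET 80 (msg:"Pass Adobe cloud"; '
           'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
BIDIR = 'pass http any any <> any any (content:"ccmdl.adobe.com"; http_host; sid:8000068;)'

if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("flipped", FLIPPED), ("bidirectional", BIDIR)):
        print(f"{label:14s} sees the request: {rule_matches(rule, TX)}")
```

Running it shows the original header never matches the request, while both the flipped header and the bidirectional form do. The bidirectional form is the broader of the two: it also passes traffic if the same hostname is ever served from a port other than 80, so prefer the flipped, explicit header if that is not intended.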
