[Oisf-users] Pass rule for host name not working as expected

Victor Julien lists at inliniac.net
Tue May 19 16:15:27 UTC 2015


On 05/19/2015 06:01 PM, Jeremy MJ wrote:
> Thanks Victor. I think I tried getting more broad on this before, but
> I'll see if this works:
> pass http any any <> any any (content:"ccmdl.adobe.com"; http_host;
> sid:8000068;)

Just using -> instead of <> should have the same effect here, especially if you
use: any any <> any any.

> 
> --
> Jeremy MJ
> 
> On Tue, May 19, 2015 at 2:27 AM, Victor Julien <lists at inliniac.net> wrote:
>>
>> On 05/15/2015 07:07 PM, Jay MJ wrote:
>>> Greetings,
>>>
>>> I'm trying to use a pass rule with http_host, and I can't seem to get
>>> it to work (which is odd, my other http_host pass rules work fine).
>>> Alerts are firing on a local rule for zip files, which I don't want to
>>> happen. I have confirmed the order in the configuration is correct
>>> (pass rules first), and am running Archlinux with suricata 2.1beta4-1
>>> (behavior was also present in 2.1beta3).
>>>
>>> The pass rule:
>>> pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud";
>>> content:"ccmdl.adobe.com"; http_host; sid:8000068;)
>>>
>>> Eve log alert metadata:
>>> hostname: ccmdl.adobe.com
>>> src_ip: <several external>
>>> src_port: 80
>>> dest_ip: 192.168.0.1
>>> dest_port: <various>
>>>
>>> I have tried to be more forgiving with the rule parameters (i.e. using
>>> any instead of external var, any port instead of 80), however the
>>> problem still persists.
>>>
>>> I am willing to provide an obfuscated pcap if someone is interested in
>>> having a greater look.
>>
>> The http_host keyword matches against request properties: the parsed
>> hostname (either from URL or Host header). Port and IPs in your rule
>> suggest you're matching on the response. Try flipping the address/port part.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
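The direction problem discussed in this thread is easy to catch before a rule is loaded. Below is an added example (not from the thread, not Suricata's own code) of a small lint that parses a rule header and its options, and flags rules that use request-side buffers such as http_host while the header describes the response direction (server port as source, or $EXTERNAL_NET -> private address). The keyword list and the server-port set are assumptions for illustration, not Suricata's full tables; the "flipped" rule is constructed from Victor's suggestion to swap the address/port part, and the `<>` rule is the one from the reply above.

```python
import ipaddress
import re

# Keywords that inspect HTTP *request* buffers only (the hostname comes from the
# request URL or Host header, as the thread explains). Illustrative subset: an
# assumption for this example, not Suricata's complete keyword table.
REQUEST_SIDE_KEYWORDS = {
    "http_host", "http_raw_host", "http_uri", "http_raw_uri", "http_method",
    "http_user_agent", "http_cookie", "http_client_body",
}

# Assumed set of ports/variables that denote the HTTP server side of a flow.
SERVER_PORTS = {"80", "443", "8080", "$HTTP_PORTS"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option string on ';' while respecting quotes and backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule):
    """Return the header fields plus the set of option keyword names used in a rule."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule header: %r" % rule)
    fields = m.groupdict()
    opts = split_options(fields.pop("opts"))
    fields["keywords"] = {o.split(":", 1)[0].strip() for o in opts}
    return fields


def _is_private_ip(token):
    try:
        return ipaddress.ip_network(token, strict=False).is_private
    except ValueError:
        return False  # a variable such as $EXTERNAL_NET, or 'any'


def lint_direction(rule):
    """Report header/keyword direction mismatches; an empty list means nothing to flag."""
    r = parse_rule(rule)
    req_kw = sorted(r["keywords"] & REQUEST_SIDE_KEYWORDS)
    if not req_kw or r["dir"] == "<>":
        return []  # no request-side buffers, or '<>' already covers the request direction
    findings = []
    if r["sport"] in SERVER_PORTS:
        findings.append(
            "source port %s is a server port, but %s inspect the request "
            "(client -> server): flip the address/port part" % (r["sport"], req_kw))
    if r["src"] == "$EXTERNAL_NET" and _is_private_ip(r["dst"]):
        findings.append(
            "external source -> private destination reads as response traffic, "
            "but %s only match on requests" % req_kw)
    return findings


# Constructed inputs: the rule as posted, the flipped form Victor suggested, and the '<>' form.
RULE_AS_POSTED = ('pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud"; '
                  'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
RULE_FLIPPED = ('pass http 192.168.0.1 any -> $EXTERNAL_NET 80 (msg:"Pass Adobe cloud"; '
                'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
RULE_BIDIR = 'pass http any any <> any any (content:"ccmdl.adobe.com"; http_host; sid:8000068;)'

if __name__ == "__main__":
    for rule in (RULE_AS_POSTED, RULE_FLIPPED, RULE_BIDIR):
        print(rule)
        for line in lint_direction(rule) or ["ok"]:
            print("  " + line)
```

Run it as a script to see the posted rule flagged twice (server port as source, external -> private) while the flipped rule and the `<>` rule pass clean; the same lint can be pointed at a whole local.rules file by feeding it one rule per line.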