[Oisf-users] Pass rule for host name not working as expected

Jeremy MJ jskier at gmail.com
Wed May 20 20:11:38 UTC 2015


Your suggestions worked just fine, thanks!

--
Jeremy MJ


On Tue, May 19, 2015 at 11:15 AM, Victor Julien <lists at inliniac.net> wrote:
> On 05/19/2015 06:01 PM, Jeremy MJ wrote:
>> Thanks Victor. I think I tried getting more broad on this before, but
>> I'll see if this works:
>> pass http any any <> any any (content:"ccmdl.adobe.com"; http_host;
>> sid:8000068;)
>
> Just using -> instead of <> should have the same effect here, esp if you
> use: any any <> any any.
>
>>
>> --
>> Jeremy MJ
>>
>> On Tue, May 19, 2015 at 2:27 AM, Victor Julien <lists at inliniac.net> wrote:
>>>
>>> On 05/15/2015 07:07 PM, Jay MJ wrote:
>>>> Greetings,
>>>>
>>>> I'm trying to use a pass rule with http_host, and I can't seem to get
>>>> it to work (which is odd, my other http_host pass rules work fine).
>>>> Alerts are firing on a local rule for zip files, which I don't want to
>>>> happen. I have confirmed the order in the configuration is correct
>>>> (pass rules first), and am running Archlinux with suricata 2.1beta4-1
>>>> (behavior was also present in 2.1beta3).
>>>>
>>>> The pass rule:
>>>> pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud";
>>>> content:"ccmdl.adobe.com"; http_host; sid:8000068;)
>>>>
>>>> Eve log alert metadata:
>>>> hostname: ccmdl.adobe.com
>>>> src_ip: <several external>
>>>> src_port: 80
>>>> dest_ip: 192.168.0.1
>>>> dest_port: <various>
>>>>
>>>> I have tried to be more forgiving with the rule parameters (i.e. using
>>>> any instead of external var, any port instead of 80), however the
>>>> problem still persists.
>>>>
>>>> I am willing to provide an obfuscated pcap if someone is interested in
>>>> having a greater look.
>>>
>>> The http_host keyword matches against request properties: the parsed
>>> hostname (either from URL or Host header). Port and IPs in your rule
>>> suggest you're matching on the response. Try flipping the address/port part.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
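Added illustration, not part of the thread and not Suricata's own code: a small Python model of how a rule header (source, port, direction, destination) is evaluated against an HTTP transaction, to show Victor's point that http_host inspects the request buffer, so the header must describe the client-to-server direction. The alert metadata in the original post (src_port 80, dest_ip 192.168.0.1) describes the response packet that tripped the zip-file rule, which is why the pass rule written from it never matched. The transaction below is constructed; 203.0.113.10 is a placeholder server address, $EXTERNAL_NET is modelled as "not in 192.168.0.0/24", and the option parsing only handles the content/http_host pair used in the thread.

```python
"""Toy model of rule-header evaluation for an http_host pass rule.

Assumptions (not Suricata behaviour, just this illustration):
  - $HOME_NET is 192.168.0.0/24 and $EXTERNAL_NET is everything else.
  - The only option inspected is content:"..."; http_host; (substring match).
"""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed for the example


@dataclass
class HttpTx:
    """One HTTP request/response pair as the engine would track it."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    host: str  # parsed Host header, i.e. what http_host inspects


def addr_matches(spec: str, ip: str) -> bool:
    """Match a rule address field (any, $VAR or CIDR/IP) against an address."""
    if spec == "any":
        return True
    if spec == "$EXTERNAL_NET":
        return ipaddress.ip_address(ip) not in HOME_NET
    if spec == "$HOME_NET":
        return ipaddress.ip_address(ip) in HOME_NET
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_header(rule: str):
    """Split 'pass http SRC SPORT DIR DST DPORT (...)' into its header fields."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    if action != "pass" or proto != "http":
        raise ValueError("example only models 'pass http' rules")
    return src, sport, direction, dst, dport


def parse_host_content(rule: str):
    """Return the content string attached to http_host, or None."""
    opts = rule.split("(", 1)[1].rsplit(")", 1)[0]
    m = re.search(r'content:"([^"]+)";\s*http_host;', opts)
    return m.group(1) if m else None


def rule_matches_request(rule: str, tx: HttpTx) -> bool:
    """http_host lives in the request, so the header is checked against the
    request 5-tuple: source = client, destination = server. With '<>' the
    reversed tuple is accepted as well."""
    src, sport, direction, dst, dport = parse_header(rule)
    want = parse_host_content(rule)
    if want is None or want not in tx.host:
        return False
    forward = (addr_matches(src, tx.client_ip) and port_matches(sport, tx.client_port)
               and addr_matches(dst, tx.server_ip) and port_matches(dport, tx.server_port))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (addr_matches(src, tx.server_ip) and port_matches(sport, tx.server_port)
                   and addr_matches(dst, tx.client_ip) and port_matches(dport, tx.client_port))
        return forward or reverse
    raise ValueError(f"unknown direction {direction!r}")


# Constructed transaction: internal client fetching from a placeholder Adobe server.
SAMPLE_TX = HttpTx("192.168.0.1", 51234, "203.0.113.10", 80, "ccmdl.adobe.com")

# The three rule variants discussed in the thread.
ORIGINAL = ('pass http $EXTERNAL_NET 80 -> 192.168.0.1 any (msg:"Pass Adobe cloud"; '
            'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
FLIPPED = ('pass http 192.168.0.1 any -> $EXTERNAL_NET 80 (msg:"Pass Adobe cloud"; '
           'content:"ccmdl.adobe.com"; http_host; sid:8000068;)')
BIDIR = 'pass http any any <> any any (content:"ccmdl.adobe.com"; http_host; sid:8000068;)'

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("flipped", FLIPPED), ("bidirectional", BIDIR)):
        print(f"{name:14s} matches request: {rule_matches_request(rule, SAMPLE_TX)}")
```

Running it shows the original header (written from the response-side alert fields) never matching the request, while the flipped header and the `any any <> any any` form both do; the `->` form with the flipped addresses is the tighter of the two, as Victor notes.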


