[Oisf-users] Would it be possible to run a query per http request?

Andreas Herz andi at geekosphere.org
Sun Nov 27 22:45:07 UTC 2016


Hi,

On 25/11/16 at 14:35, Eliezer Croitoru wrote:
> Hey,
> 
> I am working with proxies for quite some time and I was wondering if it
> would be possible to use Suricata the next way:
> - Inspect http request
> - Verify against a DB the request URL
> - Deny or Allow the http request

If you can get the DB converted into rules or embedded via lua scripts
that should work. Matching on http traffic and within that on specific
requests isn't that difficult.

> I think that Suricata have an advantage over a proxy for plain http since
> it can be less "invasive".

Why less invasive?

> Would it be possible? If so what are the recommendations?

You could try to run it with NFQ or AF_PACKET ips mode, add some
signatures that use the http keyword and match on requests to specific
URLs and test it with traffic.

I just think using Squid with something like urlfilterdb might be suited
better for that purpose but it might be worth testing with Suricata.

-- 
Andreas Herz
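As an added illustration of the "get the DB converted into rules" approach from the reply above (this is example code, not part of the thread and not Suricata's own tooling): a small generator that turns an exported allow/deny list into Suricata signatures using the classic `http_host` / `http_uri` content modifiers, which exist in Suricata 3.x and later. The entry format `(action, host, path_prefix)`, the rule messages and the sample entries are all constructed assumptions.

```python
"""Generate Suricata pass/drop rules from a URL allow/deny list.

Added example (not from the original mailing-list thread). Assumes the URL
database has been exported as (action, host, path_prefix) tuples and that
the sensor runs in IPS mode (NFQ or AF_PACKET), so "drop" actually blocks.
"""

# Characters Suricata requires to be backslash-escaped inside content:"..."
# (backslash listed first so later escapes are not doubled).
_CONTENT_ESCAPES = ("\\", '"', ";", "|")


def escape_content(value: str) -> str:
    """Escape a literal for use inside a Suricata content:"..." keyword."""
    out = value
    for ch in _CONTENT_ESCAPES:
        out = out.replace(ch, "\\" + ch)
    return out


def make_rule(action: str, host: str, path_prefix: str, sid: int) -> str:
    """Build one signature matching an HTTP request to host[path_prefix...]."""
    if action not in ("pass", "drop"):
        raise ValueError(f"unsupported action: {action}")
    # The http_host buffer is normalised to lowercase and rejects 'nocase',
    # so normalise the pattern ourselves.
    host = host.lower()
    options = [
        f'msg:"URLDB {action} {host}{path_prefix}"',
        "flow:established,to_server",
        f'content:"{escape_content(host)}"',
        "http_host",
        # Anchor at the start of the buffer and require nothing after it,
        # so "ads.example" does not also match "notads.example".
        f"depth:{len(host)}",
        "isdataat:!1,relative",
    ]
    if path_prefix:
        options += [
            f'content:"{escape_content(path_prefix)}"',
            "http_uri",
            # depth equal to the prefix length pins it to the start of the URI.
            f"depth:{len(path_prefix)}",
        ]
    options += ["classtype:policy-violation", f"sid:{sid}", "rev:1"]
    return f"{action} http $HOME_NET any -> any any ({'; '.join(options)};)"


def generate_rules(entries, base_sid=1000000, default_deny=True):
    """Emit one rule per entry plus, optionally, a catch-all drop.

    Suricata's default action order evaluates 'pass' before 'drop', so the
    allow entries win regardless of their position in the rules file.
    """
    rules = [
        make_rule(action, host, path, base_sid + offset)
        for offset, (action, host, path) in enumerate(entries)
    ]
    if default_deny:
        sid = base_sid + len(entries)
        rules.append(
            "drop http $HOME_NET any -> any any "
            f'(msg:"URLDB default deny"; flow:established,to_server; '
            f"classtype:policy-violation; sid:{sid}; rev:1;)"
        )
    return rules


# Constructed sample export; the last entry exercises the escaping rules.
SAMPLE_ENTRIES = [
    ("pass", "intranet.example", ""),
    ("pass", "updates.example", "/repo/"),
    ("drop", "ads.example", ""),
    ("drop", "Mixed.Example", '/track;id="x"'),
]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_ENTRIES):
        print(rule)
```

Write the output to a `.rules` file referenced from `suricata.yaml`, run `suricata -T` to validate it, and replay captured HTTP traffic against the sensor before switching the deployment to drop. Hosts in the exported list are matched exactly (the `depth` plus `isdataat:!1,relative` pair), while paths are matched as prefixes of the normalised URI; `pass` rules short-circuit further inspection for that flow, so keep the allow list tight.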


