[Oisf-users] http_referrer
Jack Mott
jmott at emergingthreats.net
Tue Apr 4 16:49:06 UTC 2017
Hi Erik,
Referer is in the http_header; buffer. If you're referring to rule syntax,
you can negate this domain by placing these into the rules:
'content:!"Referer|3a 20|https://accounts.google.com"; http_header;' and
'content:!"accounts.google.com"; http_host;' into your rule.
Obviously, check to ensure the host/referer is accurate (maybe check to
ensure http(s)/www is or isn't there).
Best,
Jack
On Tue, Apr 4, 2017 at 7:15 AM, erik clark <philosnef at gmail.com> wrote:
> Is the referrer in the http header? I am trying to ignore events where the
> referrer or host is accounts.google.com. Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170404/44866f29/attachment-0002.html>
More information about the Oisf-users
mailing list