[Oisf-users] http_referrer

Jack Mott jmott at emergingthreats.net
Tue Apr 4 16:49:06 UTC 2017


Hi Erik,

Referer is in the http_header buffer. If you're referring to rule syntax,
you can negate this domain by placing these into your rule:
'content:!"Referer|3a 20|https://accounts.google.com"; http_header;' and
'content:!"accounts.google.com"; http_host;'.

Obviously, check to ensure the host/referer is accurate (maybe check to
ensure http(s)/www is or isn't there).

Best,

Jack

On Tue, Apr 4, 2017 at 7:15 AM, erik clark <philosnef at gmail.com> wrote:

> Is the referrer in the http header? I am trying to ignore events where the
> referrer or host is accounts.google.com. Thanks!
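An added example, not part of the original message and not Suricata code: a simplified Python model of the two negated content matches from the reply, run over constructed requests to show which ones the exclusions suppress. The buffer construction is an assumption: `http_header` is modelled as `Name: value` lines and `http_host` as the lowercased Host value.

```python
# Simplified model (assumption) of the two negated content matches in the reply.
# |3a 20| in the rule is the byte pair ": ", so the pattern is spelled out here.
RULE_MATCHES = [
    # (buffer, pattern, negated)
    ("http_header", b"Referer: https://accounts.google.com", True),
    ("http_host", b"accounts.google.com", True),
]

def buffers(headers):
    """Build the two inspection buffers from a list of (name, value) pairs."""
    raw = b"".join(n.encode() + b": " + v.encode() + b"\r\n" for n, v in headers)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    # http_host is matched against a lowercased hostname; http_header is not.
    return {"http_header": raw, "http_host": host.lower().encode()}

def rule_still_eligible(headers):
    """True when every content condition passes, i.e. the event is NOT ignored."""
    bufs = buffers(headers)
    for buf, pattern, negated in RULE_MATCHES:
        found = pattern in bufs[buf]
        if found == negated:  # a negated pattern was found, or a plain one was not
            return False
    return True

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "host_is_google": [("Host", "accounts.google.com"),
                       ("Referer", "https://example.org/")],
    "referer_is_google": [("Host", "app.example.org"),
                          ("Referer", "https://accounts.google.com/signin")],
    "unrelated": [("Host", "app.example.org"),
                  ("Referer", "https://example.org/")],
    # Same referring site over http: the https pattern does not cover it.
    "http_referer": [("Host", "app.example.org"),
                     ("Referer", "http://accounts.google.com/signin")],
    "mixed_case_host": [("Host", "Accounts.Google.com")],
}

def evaluate():
    """Map each sample name to whether the rule could still alert on it."""
    return {name: rule_still_eligible(h) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, eligible in evaluate().items():
        print(f"{name:18} {'rule can alert' if eligible else 'ignored'}")
```

The `http_referer` sample is the case the reply's last paragraph points at: the exclusion only applies when the scheme and hostname in the pattern match what is actually sent.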