[Oisf-users] http_referrer

erik clark philosnef at gmail.com
Tue Apr 4 16:51:27 UTC 2017


Ahhh, referrer is in http_header. I had it in http_host, will add it to
header now as well. Thanks!

On Tue, Apr 4, 2017 at 12:49 PM, Jack Mott <jmott at emergingthreats.net>
wrote:

> Hi Erik,
>
> Referer is in the http_header; buffer. If you're referring to rule syntax,
> you can negate this domain by placing these into the rules:
> 'content:!"Referer|3a 20|https://accounts.google.com"; http_header;' and
> 'content:!"accounts.google.com"; http_host;' into your rule.
>
> Obviously, check to ensure the host/referer is accurate (maybe check to
> ensure http(s)/www is or isn't there).
>
> Best,
>
> Jack
>
> On Tue, Apr 4, 2017 at 7:15 AM, erik clark <philosnef at gmail.com> wrote:
>
>> Is the referrer in the http header? I am trying to ignore events where
>> the referrer or host is accounts.google.com. Thanks!
>>
>
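An added example (not part of the thread and not Suricata code) that models the two negated matches from the reply as case-sensitive substring tests, to show the http(s) check it mentions. The helper names, the simplified buffer layout and the `shop.example` host are assumptions made for illustration.

```python
# Added illustration, not Suricata code: models the two negated content matches
# from the reply as case-sensitive substring tests on constructed buffers.

def decode_content(pattern: str) -> bytes:
    """Expand Suricata content notation: bytes between a pair of pipes are hex."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered segments sit between pipes, e.g. "3a 20" -> b": ".
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

# (buffer, pattern) pairs copied from the reply.
NEGATED = [
    ("http_header", "Referer|3a 20|https://accounts.google.com"),
    ("http_host", "accounts.google.com"),
]

def make_request(host: str, referer: str = "") -> dict:
    """Build simplified stand-ins for the two buffers (assumed layout)."""
    header = f"Host: {host}\r\n"
    if referer:
        header += f"Referer: {referer}\r\n"
    # http_host is lower-cased here; the header block is kept as sent.
    return {"http_header": header.encode("latin-1"),
            "http_host": host.lower().encode("latin-1")}

def negations_hold(request: dict) -> bool:
    """True when neither pattern is present, so the rule is not excluded."""
    return all(decode_content(p) not in request[buf] for buf, p in NEGATED)

# Constructed sample traffic; shop.example is a placeholder host.
SAMPLES = {
    "host is accounts.google.com": make_request("accounts.google.com"),
    "https referer": make_request("shop.example", "https://accounts.google.com/signin"),
    "http referer": make_request("shop.example", "http://accounts.google.com/signin"),
    "unrelated": make_request("shop.example", "https://shop.example/cart"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:30} negations hold: {negations_hold(req)}")
```

The `http://` referer sample still satisfies both negations, so an event with that referer would not be ignored; that is the scheme mismatch the reply says to check for.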