[Oisf-users] http_referrer

Peter Manev petermanev at gmail.com
Mon Apr 10 22:48:05 UTC 2017


On Tue, Apr 4, 2017 at 6:51 PM, erik clark <philosnef at gmail.com> wrote:
> Ahhh, referrer is in http_header. I had it in http_host, will add it to
> header now as well. Thanks!

To that note - some upcoming goodies -
https://github.com/inliniac/suricata/pull/2650
Feedback is welcome!

>
> On Tue, Apr 4, 2017 at 12:49 PM, Jack Mott <jmott at emergingthreats.net>
> wrote:
>>
>> Hi Erik,
>>
>> Referer is in the http_header; buffer. If you're referring to rule syntax,
>> you can negate this domain by placing these into the rules:
>> 'content:!"Referer|3a 20|https://accounts.google.com"; http_header;' and
>> 'content:!"accounts.google.com"; http_host;' into your rule.
>>
>> Obviously, check to ensure the host/referer is accurate (maybe check to
>> ensure http(s)/www is or isn't there).
>>
>> Best,
>>
>> Jack
>>
>> On Tue, Apr 4, 2017 at 7:15 AM, erik clark <philosnef at gmail.com> wrote:
>>>
>>> Is the referrer in the http header? I am trying to ignore events where
>>> the referrer or host is accounts.google.com. Thanks!
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>
>



-- 
Regards,
Peter Manev
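
Added example (not part of the original thread, and not Suricata code): a simplified Python model of how the two negated content matches Jack suggests combine, run over constructed requests. The buffer approximations and all function names are assumptions; it shows that a request is ignored when either pattern is present, and why the http(s) check he mentions matters.

```python
# Simplified model (an assumption, not Suricata code) of how the two negated
# content matches from the thread combine. All requests are constructed samples.

NEG_HEADER = b"Referer: https://accounts.google.com"  # "|3a 20|" is ": "
NEG_HOST = b"accounts.google.com"


def http_header_buffer(headers):
    """Join headers as 'Name: value\\r\\n', approximating the http_header buffer."""
    return b"".join(name + b": " + value + b"\r\n" for name, value in headers)


def http_host_buffer(headers):
    """Host header value, lowercased, approximating the http_host buffer."""
    for name, value in headers:
        if name.lower() == b"host":
            return value.lower()
    return b""


def negations_pass(headers):
    """True when both content:! conditions hold, i.e. the rule can still fire.

    Keywords in a rule are ANDed, so a request is ignored as soon as either
    the Referer pattern or the host pattern is present.
    """
    header_ok = NEG_HEADER not in http_header_buffer(headers)
    host_ok = NEG_HOST not in http_host_buffer(headers)
    return header_ok and host_ok


SAMPLES = {
    "host is accounts.google.com": [(b"Host", b"accounts.google.com")],
    "https referer": [(b"Host", b"example.com"),
                      (b"Referer", b"https://accounts.google.com/signin")],
    "http referer (scheme differs)": [(b"Host", b"example.com"),
                                      (b"Referer", b"http://accounts.google.com/signin")],
    "unrelated": [(b"Host", b"example.com"),
                  (b"Referer", b"https://example.org/")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        state = "not ignored" if negations_pass(headers) else "ignored"
        print(f"{label:32} -> {state}")
```

The "http referer" sample is not ignored because the negated pattern spells out https://, which is the accuracy check Jack recommends doing against real traffic.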


