[Oisf-users] http url block or inject in sniffer mode for suricata (tap mode or mirror mode, no inline)

Ayhan ARDA ayhanardaistanbul at gmail.com
Wed Nov 6 20:33:05 UTC 2019


I have one question about Suricata. I'm going crazy. I have to explain this
situation to the best CEO of the company :)

*Is it possible to block, reset or reject an HTTP URL in sniff mode?*

(like Snort's react rule) *no inline traffic* (mirror mode, tap mode or
SPAN port mode)

For example: a client accesses http://*xxx*.com or any.url/*yyy*, and Suricata
sniffs the traffic via a switch port mirror and sends a TCP reset or redirects
the client with HTTP injection? (no inline traffic)

(While in this mode, TCP rules are working and I can send the TCP RST flag, but
HTTP is not. For example, I can reset an RDP connection on a non-default port;
it works well.)


