[Oisf-users] Suricata http protocol detection/parser not working on forwarded packets

Amin Saba amn.brhm.sb at gmail.com
Wed Aug 26 04:23:10 UTC 2020


We want to detect a GET request like this:

http://domain-name/delete

The following rule does not match with packets that are forwarded on the
box running suricata:

alert http any any -> any any (msg:"delete detected"; content:"delete";
http_uri; nocase; sid:1; rev:1)

However, it does match with packets that have a source or destination
address in common with the box. (Tested on both Linux Suricata 3.2.2 and
FreeBSD Suricata 4.0.0 and 5.0.1)

However, as soon as the http protocol detection module gets out of the way,
it starts to work as expected:

alert http any any -> any any (msg:"delete detected"; content:"delete";
http_uri; nocase; sid:1; rev:1)

This rule matches with forwarded packets, too.

Can you please let me know if I am missing something?

Thanks in advance for your help.
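One way to narrow a report like the one above is to separate "the rule did not match" from "the HTTP parser never engaged on that flow". The script below is an added triage example, not code from the post or from the Suricata project: it reads Suricata EVE JSON (one object per line, as written to eve.json) and, per flow, records the application protocol the engine detected and which signature ids alerted. The sample lines are constructed for illustration and are not a real capture; the bucket names (parsed_and_alerted, parsed_no_alert, not_parsed) are this script's own.

```python
"""Triage helper: did Suricata's HTTP app-layer parser engage on each flow?

Reads EVE JSON lines, groups them by 5-tuple, and reports for each flow the
detected app_proto and the signature ids that alerted. A flow whose request
should match the rule but whose app_proto is not "http" points at protocol
detection (or what the engine saw of the flow), not at the rule itself.
"""
import json
from collections import defaultdict

# Constructed sample EVE lines (not a real capture). Field names follow the
# EVE output format: event_type, src_ip/src_port/dest_ip/dest_port/proto,
# app_proto on flow and alert events, alert.signature_id on alert events.
SAMPLE_EVE = r'''
{"event_type":"flow","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":80,"proto":"TCP","app_proto":"http"}
{"event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"signature_id":1,"signature":"delete detected"}}
{"event_type":"flow","src_ip":"10.0.0.6","src_port":40001,"dest_ip":"10.0.0.1","dest_port":80,"proto":"TCP","app_proto":"http"}
{"event_type":"flow","src_ip":"192.168.1.7","src_port":41000,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","app_proto":"failed"}
{"event_type":"flow","src_ip":"192.168.1.8","src_port":41001,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP"}
'''


def flow_key(ev):
    """5-tuple used to join flow and alert events belonging to one flow."""
    return (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])


def summarize(eve_lines):
    """Return {5-tuple: {"app_proto": str | None, "alerts": [sid, ...]}}."""
    flows = defaultdict(lambda: {"app_proto": None, "alerts": []})
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rec = flows[flow_key(ev)]
        # Flow and alert events both carry app_proto when detection ran.
        if "app_proto" in ev:
            rec["app_proto"] = ev["app_proto"]
        if ev.get("event_type") == "alert":
            rec["alerts"].append(ev["alert"]["signature_id"])
    return dict(flows)


def classify(flows):
    """Bucket flows so the two failure modes are visible at a glance."""
    buckets = {"parsed_and_alerted": [], "parsed_no_alert": [], "not_parsed": []}
    for key, rec in flows.items():
        if rec["app_proto"] == "http":
            bucket = "parsed_and_alerted" if rec["alerts"] else "parsed_no_alert"
        else:
            # app_proto "failed", another protocol, or missing entirely:
            # http_uri rules cannot fire here whatever their content.
            bucket = "not_parsed"
        buckets[bucket].append(key)
    return buckets


def report(eve_lines):
    """Human-readable summary; returns the buckets for further checks."""
    buckets = classify(summarize(eve_lines))
    for name, keys in buckets.items():
        print(f"{name}: {len(keys)} flow(s)")
        for src, sport, dst, dport, proto in keys:
            print(f"  {proto} {src}:{sport} -> {dst}:{dport}")
    return buckets


if __name__ == "__main__":
    report(SAMPLE_EVE.splitlines())
```

Run it against a real eve.json with `report(open("eve.json"))`. If the forwarded flows end up in not_parsed while flows to or from the box itself are parsed, the rule is not what to debug; look at what the app-layer is given for those flows. One setting worth confirming in that situation is Suricata's checksum validation (stream.checksum-validation in suricata.yaml, or `-k none` when replaying a pcap), since packets carrying offloaded, not-yet-computed checksums are ignored by the engine before any parser sees them.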

