[Oisf-users] Suricata http protocol detection/parser not working on forwarded packets

Amin Saba amn.brhm.sb at gmail.com
Wed Aug 26 04:26:24 UTC 2020


Sorry the second rule should be:

alert ip any any -> any any (msg:"delete detected"; content:"delete";
nocase; sid:1; rev:1)

On Wed, Aug 26, 2020, 08:53 Amin Saba <amn.brhm.sb at gmail.com> wrote:

> We want to detect a GET request like this:
>
> http://domain-name/delete
>
> The following rule, does not match with packets that are forwarded on the
> box running suricata:
>
> alert http any any -> any any (msg:"delete detected"; content:"delete";
> http_uri; nocase; sid:1; rev:1)
>
> However, it does match with packets that have a source or destination
> address in common with the box. (Tested on both Linux Suricata 3.2.2 and
> FreeBSD Suricata 4.0.0 and 5.0.1)
>
> However, as soon as the http protocol detection module gets out of the
> way, it starts to work as expected:
>
> alert http any any -> any any (msg:"delete detected"; content:"delete";
> http_uri; nocase; sid:1; rev:1)
>
> This rule matches with forwarded packets, too.
>
> Can you please let me know if I am missing something?
>
> Thanks in advance for your help.
>
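The two rules in the thread differ in which buffer the `content` match is run against: an `alert ip` rule with a bare `content` searches the raw packet payload, while an `alert http` rule with `http_uri` only has a buffer to match once Suricata's app-layer detection has classified the flow as HTTP and the parser has produced a request URI. The following Python model, added here as an illustration and not code from the thread or from the Suricata project, contrasts the two behaviours on constructed payloads. It deliberately simplifies Suricata (no flow tracking, no stream reassembly, a one-line request parser) so the difference is visible: a payload whose request line was never seen, or a payload that is not HTTP at all, still satisfies the raw match but never the `http_uri` match.

```python
"""Model of raw-payload matching vs http_uri matching (added example, not Suricata code)."""

import re

# Constructed sample payloads, not captured traffic.
REQUEST = b"GET /delete HTTP/1.1\r\nHost: domain-name\r\n\r\n"
# Same request with its first bytes missing, as when a sensor only sees the
# middle of a flow: the request line is incomplete, so detection never succeeds.
MIDSTREAM_SEGMENT = b"/delete HTTP/1.1\r\nHost: domain-name\r\n\r\n"
# A response body that contains the word but no request URI at all.
RESPONSE_BODY = b"HTTP/1.1 200 OK\r\nContent-Length: 23\r\n\r\n<p>DELETE succeeded</p>"
# Non-HTTP payload that happens to carry the string.
OTHER_PROTOCOL = b"\x01\x02delete\x03"

# A minimal HTTP/1.x request-line grammar: METHOD SP request-target SP version CRLF.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def raw_content_match(payload, pattern):
    """Model of `alert ip ... content:"delete"; nocase;`.
    A case-insensitive byte search over the whole payload, with no idea what
    protocol the bytes belong to."""
    return pattern.lower() in payload.lower()


def detect_http_request(payload):
    """Model of app-layer detection plus request parsing.
    Only a payload that begins with a well-formed request line is recognised
    as an HTTP request; anything else yields no parsed request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    return {"method": m.group(1), "uri": m.group(2)}


def http_uri_match(payload, pattern):
    """Model of `alert http ... content:"delete"; http_uri; nocase;`.
    The match runs only against the parsed URI buffer, which exists only
    when detection and parsing succeeded for this payload."""
    req = detect_http_request(payload)
    if req is None:
        return False
    return pattern.lower() in req["uri"].lower()


def evaluate(payload, pattern=b"delete"):
    """Apply both rule models to one payload and report which would fire."""
    return {
        "ip_rule": raw_content_match(payload, pattern),
        "http_uri_rule": http_uri_match(payload, pattern),
    }


if __name__ == "__main__":
    for name, payload in [
        ("full request", REQUEST),
        ("midstream segment", MIDSTREAM_SEGMENT),
        ("response body", RESPONSE_BODY),
        ("other protocol", OTHER_PROTOCOL),
    ]:
        print(f"{name:18s} {evaluate(payload)}")
```

Running the script shows the trade-off behind the thread's workaround: the `ip` model fires on all four payloads, including the response body and the non-HTTP bytes, while the `http_uri` model fires only on the complete request. Switching to the `ip` rule therefore recovers the missed alerts on forwarded traffic at the cost of matching the string anywhere in any payload, so the real fix is to find out why app-layer detection is not happening for forwarded flows rather than to give up protocol-aware matching.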