[Oisf-users] Suricata http protocol detection/parser not working on forwarded packets
Kelley Misata
kmisata at oisf.net
Mon Aug 31 17:48:14 UTC 2020
Hi Amin -
We are moving our community discussions to Discourse.
Would you please post your question here - https://forum.suricata.io/ - so
our developers and community see it?
Thanks,
the OISF Team
On Wed, Aug 26, 2020 at 12:26 AM Amin Saba <amn.brhm.sb at gmail.com> wrote:
> Sorry the second rule should be:
>
> alert ip any any -> any any (msg:"delete detected"; content:"delete";
> nocase; sid:1; rev:1)
>
> On Wed, Aug 26, 2020, 08:53 Amin Saba <amn.brhm.sb at gmail.com> wrote:
>
>> We want to detect a GET request like this:
>>
>> http://domain-name/delete
>>
>> The following rule does not match packets that are forwarded on the
>> box running suricata:
>>
>> alert http any any -> any any (msg:"delete detected"; content:"delete";
>> http_uri; nocase; sid:1; rev:1)
>>
>> However, it does match with packets that have a source or destination
>> address in common with the box. (Tested on both Linux Suricata 3.2.2 and
>> FreeBSD Suricata 4.0.0 and 5.0.1)
>>
>> However, as soon as the http protocol detection module gets out of the
>> way, it starts to work as expected:
>>
>> alert http any any -> any any (msg:"delete detected"; content:"delete";
>> http_uri; nocase; sid:1; rev:1)
>>
>> This rule matches with forwarded packets, too.
>>
>> Can you please let me know if I am missing something?
>>
>> Thanks in advance for your help.
>>
> _______________________________________________
> NOTE: this list will soon be closed. New topics should be brought to:
> https://forum.suricata.io
>
--
*Kelley Misata, Ph.D.*
*Executive Director*
*kmisata at oisf.net*
*twitter:@OISFoundation*
*www.oisf.net*