Alert based on custom http header with suricata rule


i would like to ask help with a rule. i would like to alert based on a custom http header.
when i do a curl request to with -H with the custom header i would like that suricata alert me.

i’ve tried with this but it’s not working:
alert http any any → any any (msg:“Custom Header XXX Detected”; http.header; content:“XXX”; sid:11;)

note XXX can be anything here it’s just to give an example.

Thank you all

Hi there, welcome to the Suricata forum ^^

Have you checked if you can see http events in the eve.log file? This could help you understand what is Suri seeing on the traffic.
If you create a simpler http rule, does that one alert?
Do you see other alerts? - it’s always a good sanity check to ensure that Suri is generating alerts, if we are getting started with using it, or with writing rules.

I’m thinking that maybe the Suricata Language Server could help you with your task. It was created to ease the rule-writing process: GitHub - StamusNetworks/suricata-language-server: Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.

Good luck! :slight_smile:

Hi Ju,

thank you for your reply, i’m using AWS network firewall with suricata rules so i can’t check this files…
what i would like ti confirm is that if suricata is able to log the value of a costumer header or not ?

thank you so much in advance

Hi Anas,

Ok, so just to be extra clear: the answer to your first question is yes, the rule you created should work, under normal circumstances.

About logging custom headers, if what you want is listed here - 16.1.1. Eve JSON Output — Suricata 6.0.13 documentation then you can enable it under custom headers in the config file.
If not, you should be able to see all HTTP headers in raw format if you configure http.dump-all-headers (and 11.1. Suricata.yaml — Suricata 6.0.13 documentation ).

Unfortunately, I don’t know how to configure these in the AWS network firewall. A quick search didn’t show a lot of flexibility for what one can see in the logs there…