Catching HTTP traffic on loopback

Evgenij · May 19, 2024, 8:26am

Suricata version: 7.0.3

Operating system and/or Linux distribution: MacOS

How you installed Suricata (from source, packages, something else): Got from brew

Hello. I am trying to catch HTTP traffic from my local server using Suricata.
I use this rule: alert http any any → any any (http.method; content: “GET”; msg:“http from lo0”; sid:5000000;)
The command I run: suricata -c suricata.yaml -i lo0 --pcap=lo0
However there are no packets in fast.log or log.pcap. The rule definitely works if I use my ethernet interface, but for loopback it doesn’t work.

jmtaylor90 · May 20, 2024, 11:33am

How are you initiating the traffic across the lo0 interface (via curl/wget/etc)?

Are you able to see the traffic in wireshark or tcpdump if you run those in parallel to suricata?

JT

Evgenij · May 22, 2024, 8:13am

I start my server and send get request via form. In Wireshark I can see all the packets on lo0.

If I write rules for tcp, I can see all the packets in fast.log. But for http it doesn’t work.

jmtaylor90 · May 22, 2024, 12:29pm

Are you able to share the pcap?

Evgenij · May 23, 2024, 9:27am

log.pcap (6.0 KB)

Philippe_Antoine · May 24, 2024, 8:38am

Did you try with -k none to ignore checksums ?

Evgenij · May 28, 2024, 2:37pm

Sorry for late answer.
Yes, now it works. Thank you!

Topic		Replies	Views
Suricata cant capture Loopback Interface Help	2	596	June 15, 2023
Rule(s) to monitor HTTP traffic Help	1	97	November 20, 2024
Http traffic is not detected after updating to Suricata 7 Help	17	729	February 13, 2024
Suricata http traffic parse exception in mirror traffic Help	5	931	January 25, 2022
Filtering pcap logs Help ips , rules , suricata	2	41	January 27, 2025

Catching HTTP traffic on loopback

Related topics