Please include the following information with your help request:
- Suricata version 7.0.8
- Ubuntu 24.04.1 LTS
- Suricata installed from source
Hi all,
I am trying to log HTTP/1.0 and HTTP/1.1 traffic separately using Suricata, but I am encountering some issues. I’ve written custom Suricata rules to detect and log HTTP/1.0 and HTTP/1.1 traffic separately. Below are the rules I created:
HTTP 1, 2 : 1000-1099
request
#alert http any any <> any any (msg:"HTTP istegi gecti"; flow:established,to_server; flowbits:set,gecsin; tag:session; sid:1000;)
alert http any any -> any any (msg:"HTTP/1.1 Traffic"; content:"HTTP/1.1"; flow:established,to_server; flowbits:set,gecsin; tag:session; sid:1002;)
alert http any any -> any any (msg:"HTTP/1.0 Traffic"; content:"HTTP/1.0"; flow:established,to_server; flowbits:set,gecsin; tag:session; sid:1003;)
response
alert http any any -> any any (msg:"HTTP cevabi gecti"; flow:established,to_client; flowbits:set,gecsin; sid:1050;)
pass ip any any -> any any (msg:"TANIMLI TRAFIK GECTI"; flowbits:isset,gecsin; flowbits:noalert; sid:9999980;)
drop ip any any -> any any (msg:"TANIMSIZ TRAFIK ENGELLENDI"; flowbits:isnotset,gecsin; sid:9999999;)
I configured Suricata to log the captured traffic into PCAP files and use the tag feature to separate HTTP/1.0 and HTTP/1.1 traffic. My intention was to log the traffic separately, ideally saving each HTTP version’s traffic into different files or directories.
I try to curl with -0 and with the default so as to create two separate pcap files, but for example when I curl -0 it creates a pcap, yet it does not create another one for HTTP/1.1. The situation is the same the other way around as well. So my question is: how can I create separate pcap files by looking into the content?
Thanks
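Added example, not code from the post above or from the Suricata project: a standard-library Python script that takes the single tagged-session pcap Suricata writes (assuming pcap-log with `conditional: tag`, so every packet of a flow tagged by the rules above ends up in one file) and splits it into `http10.pcap`, `http11.pcap` and `other.pcap`, one complete pcap per HTTP version. Flows are keyed direction-independently so request and response land in the same output, handshake packets seen before the request line are held back and flushed once the flow is classified, and classification uses only the request line, because servers routinely answer an HTTP/1.0 request with an `HTTP/1.1 200 OK` status line. The sample pcap built by `build_sample_pcap()` is constructed inline (zero checksums, Ethernet/IPv4 only) so the script runs offline; pass a real file path as the first argument to split that instead.

```python
"""Split a tagged-session pcap into per-HTTP-version pcaps (classic libpcap, Ethernet/IPv4)."""
import socket
import struct
from collections import defaultdict

GLOBAL_HDR = 24          # classic pcap global header length
RECORD_HDR = 16          # per-packet record header length
LINKTYPE_ETHERNET = 1


def iter_records(pcap: bytes):
    """Yield each record (16-byte header + packet bytes); endianness from the magic number."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        end = off + RECORD_HDR + incl_len
        yield pcap[off:end]
        off = end


def tcp_flow_and_payload(record: bytes):
    """Return (direction-independent flow key, TCP payload) or None for non-IPv4/TCP packets."""
    pkt = record[RECORD_HDR:]
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ip = pkt[14:]
    ip = ip[:struct.unpack_from("!H", ip, 2)[0]]        # drop Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    return frozenset(((src, sport), (dst, dport))), payload


def request_line_version(payload: bytes):
    """Classify on the request line only; a status line says nothing about the client's version."""
    line = payload.splitlines()[0] if payload else b""
    if line.endswith(b" HTTP/1.0"):
        return "http10"
    if line.endswith(b" HTTP/1.1"):
        return "http11"
    return None


def split_by_http_version(pcap: bytes):
    """Return {"http10": ..., "http11": ..., "other": ...}, each a complete pcap file body."""
    header = pcap[:GLOBAL_HDR]
    buckets = {"http10": [], "http11": [], "other": []}
    pending = defaultdict(list)       # packets seen before their flow's request line
    flow_class = {}
    for rec in iter_records(pcap):
        info = tcp_flow_and_payload(rec)
        if info is None:
            buckets["other"].append(rec)
            continue
        key, payload = info
        cls = flow_class.get(key)
        if cls is None:
            cls = request_line_version(payload)
            if cls is None:                # e.g. SYN/SYN-ACK: hold until we know the version
                pending[key].append(rec)
                continue
            flow_class[key] = cls
            buckets[cls].extend(pending.pop(key, []))
        buckets[cls].append(rec)
    for recs in pending.values():          # flows that never carried a request line
        buckets["other"].extend(recs)
    return {name: header + b"".join(recs) for name, recs in buckets.items()}


def count_records(pcap: bytes) -> int:
    return sum(1 for _ in iter_records(pcap))


def _frame(src, sport, dst, dport, payload=b"", proto=6):
    """Constructed Ethernet/IPv4 frame with a TCP (proto 6) or UDP header; checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def build_sample_pcap() -> bytes:
    """Constructed input: one HTTP/1.0 flow, one HTTP/1.1 flow (both answered with HTTP/1.1), one UDP packet."""
    frames = [
        _frame("10.0.0.1", 40000, "10.0.0.2", 80),                                   # SYN
        _frame("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"),
        _frame("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        _frame("10.0.0.1", 40001, "10.0.0.2", 80),                                   # SYN
        _frame("10.0.0.1", 40001, "10.0.0.2", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        _frame("10.0.0.2", 80, "10.0.0.1", 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        _frame("10.0.0.1", 5353, "10.0.0.3", 53, b"\x00" * 12, proto=17),            # not TCP
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for name, part in split_by_http_version(data).items():
        with open(f"{name}.pcap", "wb") as fh:
            fh.write(part)
        print(name, count_records(part), "packets")
```

Run it with no arguments to exercise the constructed sample, or `python3 split_http.py /var/log/suricata/log.pcap` against a real tagged capture; anything that is not IPv4/TCP, or a TCP flow whose request line never appeared (for example a capture started mid-session), goes to `other.pcap` rather than being guessed.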