In IPS mode for Suricata, I can reject an HTTP session with the reject action.
But how can I do something like what some routers or firewalls do: if a bad URL or other things match in plain-text HTTP, return a 302/301 redirect to the client to show them a notice page, not only reset TCP or drop the whole session?
I read the documents and saw something such as “replace” in the keywords. How can I make it work with “flowbits” or some other keywords to do this?
This doesn’t work. The replace keyword was not created for such a purpose. That would be a feature request, but I am also not sure if one would want to integrate it into Suricata.