Hi everyone! For a rule that includes http host and http url, how does Suricata work? It intercepts the HTTP host and URL through libhtp, but how does it determine if two restrictions are met simultaneously? Sure, some rules contain multiple restrictions. How did Suricata solve this?
If I understand correctly, you want to combine multiple keywords in one rule. You can do that by just adding them both in the rule, e.g.:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Host and URL Example"; flow:established,to_server; http.host; content:"suricata.io"; http.uri; content:"/index.html"; sid:123; rev:1;)
would alert on HTTP traffic with HTTP Host suricata.io and HTTP URI /index.html.
Thank you, but I want to know how Suricata implements the function of matching combination rules, e.g.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Host and URL Example111"; flow:established,to_server; http.host; content:"suricata.io"; http.uri; content:"/index.html"; sid:123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Host and URL Example222"; flow:established,to_server; http.host; content:"suricata.github.io"; sid:124; rev:1;)
Traverse all rules, or other methods, after extracting fields?
Suricata uses multi pattern matching to run the content only once through all the rules.
Use multi pattern matching (such as AC or Hyperscan) on fields (e.g. http_url, http_host) after extracting fields, then check if the rule is a combination rule? Is that correct?
Use multi pattern matching (such as AC or Hyperscan) on fields (e.g. http_url, http_host) after extracting fields,
Yes
If the rule has multiple conditions, after a first prefilter, Suricata evaluates the conditions one by one…
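A small model of the two-stage evaluation described in this thread (one multi-pattern prefilter pass per extracted buffer, then condition-by-condition checks for the candidate rules only). This is an added illustration, not Suricata's code: the rule set, the request buffers and the plain substring scan standing in for AC/Hyperscan are all constructed for the example.

```python
# Simplified model of Suricata's two-stage evaluation: a multi-pattern
# prefilter over extracted HTTP buffers, then per-rule condition checks.
# Constructed example; not Suricata's own implementation.
from collections import defaultdict

# Constructed rule set mirroring the two rules in the thread. Each rule is a
# list of (buffer, content) conditions; all must match (logical AND).
RULES = {
    123: [("http.host", b"suricata.io"), ("http.uri", b"/index.html")],
    124: [("http.host", b"suricata.github.io")],
}

def fast_patterns(rules):
    """Pick one 'fast pattern' per rule (longest content, as Suricata does
    by default) and group them per buffer for the prefilter stage."""
    index = defaultdict(dict)          # buffer -> {content: set(sid)}
    for sid, conds in rules.items():
        buf, content = max(conds, key=lambda c: len(c[1]))
        index[buf].setdefault(content, set()).add(sid)
    return index

def prefilter(index, buffers):
    """Stage 1: one multi-pattern pass per buffer. A real engine uses
    Aho-Corasick or Hyperscan; here a plain substring scan stands in."""
    candidates = set()
    for buf, patterns in index.items():
        data = buffers.get(buf, b"")
        for content, sids in patterns.items():
            if content in data:
                candidates |= sids
    return candidates

def evaluate(rules, buffers):
    """Stage 2: for candidate rules only, check every condition in order."""
    index = fast_patterns(rules)
    alerts = []
    for sid in sorted(prefilter(index, buffers)):
        if all(content in buffers.get(buf, b"") for buf, content in rules[sid]):
            alerts.append(sid)
    return alerts

# Constructed HTTP request buffers, as libhtp would hand them to the engine.
REQ_A = {"http.host": b"suricata.io", "http.uri": b"/index.html"}
REQ_B = {"http.host": b"suricata.io", "http.uri": b"/about.html"}
REQ_C = {"http.host": b"suricata.github.io", "http.uri": b"/index.html"}

if __name__ == "__main__":
    for name, req in (("A", REQ_A), ("B", REQ_B), ("C", REQ_C)):
        print(name, evaluate(RULES, req))
```

Request B shows why the second stage is needed: the prefilter nominates sid 123 on the host match alone, and only the full condition check rejects it because the URI differs.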
Thank you for your answer.