We want to detect HTTP requests containing specific keywords, for example the word "delete":
The following rule does not match packets that are forwarded by the box running Suricata:
alert http any any -> any any (msg:"delete detected"; content:"delete"; http_uri; nocase; sid:1; rev:1;)
However, it does match packets that originate from or are targeted at the box itself. (Tested on both Linux Suricata 3.2.2 and FreeBSD Suricata 4.0.0 and 5.0.1.) I tested this in both netmap and libpcap capture modes.
However, as soon as the HTTP protocol detection module gets out of the way, it starts to work as expected:
alert ip any any -> any any (msg:"delete detected"; content:"delete"; nocase; sid:1; rev:1;)
This rule does match forwarded packets.
Can you please let me know if I am missing something?
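A reproduction harness, added here and not part of the original post, that isolates one thing the two rules differ on: a content match under http_uri is only evaluated once Suricata's stream engine has a fully established TCP session and the HTTP parser has run over the reassembled data, whereas the ip rule inspects each packet's raw payload on its own. The script builds, with nothing but the Python standard library, one pcap with a complete three-way handshake around a GET whose URI contains "delete", and a second pcap holding only that GET packet (what a capture that missed the handshake, or only sees one direction of the flow, looks like to Suricata). The addresses, MACs, ports, sequence numbers and the HTTP request/response are constructed test data; the suricata command-line flags (-S, -l, -r) are the real ones.

```python
"""Two pcaps to test whether the http_uri rule depends on Suricata seeing the
whole TCP session.  Added example; hosts, MACs, ports, request are constructed."""
import os
import socket
import struct

CLIENT_IP, SERVER_IP = "10.0.0.2", "10.0.0.3"          # constructed
CLIENT_MAC = bytes.fromhex("0200000000aa")             # constructed
SERVER_MAC = bytes.fromhex("0200000000bb")             # constructed
CLIENT_PORT, SERVER_PORT = 40000, 80

REQUEST = b"GET /api/delete?id=7 HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

SYN, PSH, ACK = 0x02, 0x08, 0x10

# The two rules from the post, with the trailing ';' Suricata requires.
RULES = (
    'alert http any any -> any any (msg:"delete detected (http_uri)"; '
    'content:"delete"; http_uri; nocase; sid:1; rev:1;)\n'
    'alert ip any any -> any any (msg:"delete detected (raw payload)"; '
    'content:"delete"; nocase; sid:2; rev:1;)\n'
)


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; odd-length input is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with correct IP and TCP checksums, no options."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = SERVER_MAC + CLIENT_MAC if src_ip == CLIENT_IP else CLIENT_MAC + SERVER_MAC
    return eth + b"\x08\x00" + ip + tcp + payload


def checksums_ok(frame: bytes) -> bool:
    """Re-verify both checksums of a frame built by tcp_frame()."""
    ip = frame[14:34]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(frame) - 34)
    return checksum(ip) == 0 and checksum(pseudo + frame[34:]) == 0


def c2s(seq, ack, flags, payload=b""):
    return tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, seq, ack, flags, payload)


def s2c(seq, ack, flags, payload=b""):
    return tcp_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, seq, ack, flags, payload)


def full_session():
    """Handshake, request, response, final ACK: what the stream engine wants."""
    cs, ss = 1000, 5000                      # constructed initial sequence numbers
    return [
        c2s(cs, 0, SYN),
        s2c(ss, cs + 1, SYN | ACK),
        c2s(cs + 1, ss + 1, ACK),
        c2s(cs + 1, ss + 1, PSH | ACK, REQUEST),
        s2c(ss + 1, cs + 1 + len(REQUEST), PSH | ACK, RESPONSE),
        c2s(cs + 1 + len(REQUEST), ss + 1 + len(RESPONSE), ACK),
    ]


def midstream_only():
    """Only the request packet: a capture that missed the handshake."""
    return [full_session()[3]]


def pcap_bytes(frames):
    """Classic libpcap file (magic a1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def write_case(name, frames):
    """Write <name>.pcap and its log directory; return the suricata command."""
    with open(name + ".pcap", "wb") as f:
        f.write(pcap_bytes(frames))
    os.makedirs("out_" + name, exist_ok=True)
    return "suricata -S delete.rules -l out_%s -r %s.pcap" % (name, name)


if __name__ == "__main__":
    with open("delete.rules", "w") as f:
        f.write(RULES)
    print(write_case("full", full_session()))
    print(write_case("midstream", midstream_only()))
```

Run the two printed commands and compare fast.log under out_full and out_midstream. If sid 1 fires only for full.pcap while sid 2 fires for both, the forwarded traffic is reaching Suricata without a complete or symmetric TCP session, so the HTTP parser never gets a URI to inspect; in that case look at whether the sniffed interface sees both directions of the forwarded flows, and at stream.midstream in suricata.yaml. Rerunning with -k none (checksum checks off) separates that from a checksum-offload problem, which is the other usual reason locally generated and forwarded packets behave differently.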