I have a Suricata running on an AWS EC2 with VPC Mirroring.
Testing some rules, I see that those of the type "alert tcp" work and those of the type "alert http" do not:
alert tcp any any -> any any (content:"passwd"; msg:"Testing 1 - tcp"; sid:1; rev:1;)
alert http any any -> any any (content:"password"; msg:"Testing 2 - http"; sid:2; rev:1;)
Actually, I care that HTTP works because I need to get the XFF header to display the actual IP.
If there is another way to capture this header in the TCP payload, I would love to know.
I hope for some help!
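An added example, not from the original post: once Suricata's eve-log `xff` option (mode `extra-data`) is enabled, HTTP alerts in eve.json carry an `xff` field, and a small consumer can prefer it over `src_ip` to show the original client. The eve.json lines below are constructed to match the EVE format as I understand it, and the field names are assumptions, not output from the poster's sensor.

```python
import json

# Constructed sample eve.json lines: one HTTP alert carrying the "xff" field
# that the eve-log xff option adds, one HTTP alert without it, one non-HTTP alert.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.1.5","dest_ip":"10.0.2.9","proto":"TCP","alert":{"signature_id":2,"signature":"Testing 2 - http"},"app_proto":"http","http":{"hostname":"example.test","url":"/login"},"xff":"203.0.113.7, 10.0.0.2"}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.1.6","dest_ip":"10.0.2.9","proto":"TCP","alert":{"signature_id":2,"signature":"Testing 2 - http"},"app_proto":"http","http":{"hostname":"example.test","url":"/"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.1.7","dest_ip":"10.0.2.9","proto":"TCP","alert":{"signature_id":1,"signature":"Testing 1 - tcp"}}
"""


def client_ip(event):
    """Return (ip, source): the XFF client when present, else the packet's src_ip.

    XFF is only trustworthy when a load balancer you control sets it; the
    left-most entry is the original client in a well-formed chain.
    """
    xff = event.get("xff")
    if xff:
        return xff.split(",")[0].strip(), "xff"
    return event["src_ip"], "src_ip"


def summarize_alerts(lines):
    """Parse eve.json lines and return one row per alert with the chosen client IP."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ip, source = client_ip(ev)
        rows.append({
            "sid": ev["alert"]["signature_id"],
            "client_ip": ip,
            "ip_source": source,
            "is_http": ev.get("app_proto") == "http",
        })
    return rows


if __name__ == "__main__":
    for row in summarize_alerts(SAMPLE_EVE.splitlines()):
        print(row)
```

Alerts from plain `alert tcp` rules have no `app_proto`/`xff` fields, so they always fall back to `src_ip`; only alerts on parsed HTTP transactions can carry the header.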