HTTP rules not working - Suricata + EC2 + VPC Mirroring

Juan_Pablo_Lopez_Yac · October 15, 2021, 7:08pm

Hello Team,

I have a suritcata running on an AWS EC2 with VPC Mirroring.

Testing some rules I see that those that are of the type “alert tcp” work and those that “alert http” do not

Example :

alert tcp any any → any any (content: “passwd”; msg: “Testing 1 - tcp”; sid: 1; rev: 1;)

alert http any any → any any (content: “password”; msg: “Testing 2 - http”; sid: 2; rev: 1;)

Actually I care that HTTP works because I need to get the XFF header to display the actual IP.

IF there is another way to capture this header in the TCP payload I would love to know

I hope a help!

Regards

Andreas_Herz · November 1, 2021, 10:05pm

What version are you running and how does the config look like?
Can you share an example pcap that does not trigger but should?

waf_ruler · September 17, 2022, 2:55pm

maybe when you request,the request data is encode by ‘urlencode’,so use you rule could’t check on http

waf_ruler · September 17, 2022, 2:56pm

My some rules with wrote "base_decode or url_decode ",then “alert http…” is ok

Topic		Replies	Views
Suricata HTTP rules not working Rules	4	575	February 17, 2023
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	672	June 8, 2023
Alert triggered but nothing in the pcap Rules rules , suricata	2	327	September 19, 2022
Some match bypass? Rules rules	27	1757	September 17, 2021
SURICATA HTTP unable to match response to request Rules	1	2877	November 1, 2021