HTTP rules not working - Suricata + EC2 + VPC Mirroring

Hello Team,

I have a Suricata running on an AWS EC2 with VPC Mirroring.

Testing some rules, I see that those of the type "alert tcp" work and those that are "alert http" do not.

Example:

alert tcp any any -> any any (content:"passwd"; msg:"Testing 1 - tcp"; sid:1; rev:1;)

alert http any any -> any any (content:"password"; msg:"Testing 2 - http"; sid:2; rev:1;)

Actually I care that HTTP works because I need to get the XFF header to display the actual IP.

If there is another way to capture this header in the TCP payload I would love to know.

I hope for some help!

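Added example rules (not the original poster's rules and not a diagnosis of the sensor above): they show the same "password" match written against Suricata's HTTP buffers, plus two checks that fire only when the HTTP parser is actually producing header buffers on the sensor, which is a quick way to tell whether the problem is the rule or whether the flow is never being classified as HTTP. The sids are placeholders.

```suricata
# Added example rules, not from the original thread; sids are placeholders.
# Match "password" in the HTTP request body, with explicit direction and
# state so the match only runs once the HTTP parser has seen the request.
alert http any any -> any any (msg:"Testing 2 - http request body"; flow:to_server,established; http.request_body; content:"password"; nocase; sid:1000002; rev:1;)

# Fire when a request carries an X-Forwarded-For header at all. If this never
# alerts on traffic that clearly has the header, the HTTP buffers are not being
# populated for that flow and no "alert http" rule will match.
alert http any any -> any any (msg:"Request carries X-Forwarded-For"; flow:to_server,established; http.header_names; content:"X-Forwarded-For"; nocase; sid:1000003; rev:1;)

# Same check on the full header buffer, which also contains the header value.
alert http any any -> any any (msg:"X-Forwarded-For header seen"; flow:to_server,established; http.header; content:"X-Forwarded-For|3a 20|"; nocase; sid:1000004; rev:1;)
```

Validate the file with `suricata -T -c suricata.yaml -S added.rules` before loading it. Two things worth keeping in mind when comparing against the "alert tcp" rule: a raw-payload `content` match needs no protocol detection at all, whereas the `http.*` buffers exist only after Suricata has classified the flow as HTTP, which depends on the stream engine seeing the flow properly (stream settings such as midstream handling matter here). For getting the client IP itself into the alert output, a rule is not the mechanism; the EVE logger's `xff` section in suricata.yaml (`enabled`, `mode: extra-data` or `overwrite`, `deployment: reverse` or `forward`, `header: X-Forwarded-For`) makes Suricata read the header and either add an `xff` field to the alert record or overwrite the source IP with it.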

What version are you running and what does the config look like?
Can you share an example pcap that does not trigger but should?