# sid below is a placeholder in the local range; Suricata refuses to load a rule without one
alert http any any -> any any (
msg:"Website content alert";
http.method; content:"GET";
http.host; content:"examplel.com";
http.uri; content:"blog"; nocase;
sid:1000001; rev:1;
)
Hi Hamza,
Using the alert action in a signature will do just that: generate an alert. There are other actions you can specify (reference: 8.1. Rules Format — Suricata 7.0.3-dev documentation).
In your example signature there would be an alert generated for any GET request (http.method sticky buffer content match), with a URI containing the word "blog" (case-insensitive http.uri sticky buffer content match) at a domain containing examplel.com (http.host sticky buffer content match).
reference: 8.13. HTTP Keywords — Suricata 7.0.3-dev documentation
In addition to the signature(s), your Suricata instance would need to be configured to allow traffic to be dropped.
reference: 12.1. Suricata.yaml — Suricata 7.0.3-dev documentation
HTH,
JT
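The evaluation JT describes, written out as an added Python model (not code from the thread or from Suricata): each sticky buffer is a separate substring check and the rule only fires when all three hold; the action then decides whether a hit is merely logged or also blocked. The HttpRequest samples are constructed for illustration, and the lowercase handling of http.host is an assumption about Suricata's buffer normalization.

```python
# Added example: a small model of the three sticky-buffer content matches in the
# posted signature. Request samples are constructed, not captured traffic.
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    host: str
    uri: str


# One content pattern per sticky buffer, taken from the signature in the thread.
METHOD_PATTERN = "GET"          # http.method; content:"GET";
HOST_PATTERN = "examplel.com"   # http.host;   content:"examplel.com";
URI_PATTERN = "blog"            # http.uri;    content:"blog"; nocase;


def matches(req: HttpRequest) -> dict:
    """Return the per-buffer result of each content match.

    content is a substring test on the buffer. http.method holds only the method
    token, so a pattern with a trailing space ("GET ") would never match it.
    Assumption: http.host is compared lowercase (Suricata normalizes that buffer);
    http.uri is lowered here only because the signature uses nocase.
    """
    return {
        "http.method": METHOD_PATTERN in req.method,
        "http.host": HOST_PATTERN in req.host.lower(),
        "http.uri": URI_PATTERN in req.uri.lower(),
    }


def evaluate(req: HttpRequest, action: str = "alert") -> str:
    """Apply the rule action: 'alert' logs, 'drop' logs and blocks (inline mode
    only), anything that does not match the whole signature passes through."""
    return action if all(matches(req).values()) else "pass"


# Constructed samples: one hit, then one miss per buffer.
SAMPLES = [
    HttpRequest("GET", "www.examplel.com", "/Blog/2024/post"),  # all three match
    HttpRequest("POST", "www.examplel.com", "/blog/"),          # method differs
    HttpRequest("GET", "www.example.com", "/blog/"),            # host differs
    HttpRequest("GET", "examplel.com", "/news/"),               # uri lacks "blog"
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r, matches(r), "alert->", evaluate(r), "drop->", evaluate(r, "drop"))
```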