Rule to search for a word in the entire header

ilmoi · February 18, 2021, 6:59pm

I’m new to Suricata and am trying to create a rule that would detect a word in the header of a packet.

So far the best I’ve managed to come up with is:

drop tcp any any -> any any (content:"bad_word"; nocase; sid:1;)

This works, but my understanding is that this is searching across the entire packet, including the body (effectively doin DPI).

Is that correct? If so, how do I modify the rule to only search for the word in the header?

Thank you!

vjulien · February 18, 2021, 7:23pm

This only inspects the payloads, in fact by default in the reassembled stream. In Suricata 6 you can use the tcp.hdr sticky buffer, so you’d write your content match as:

tcp.hdr; content:"bad_word"; nocase;

Topic		Replies	Views
Suricata Rules HTTP Header not working Rules	3	667	October 31, 2023
Most simple rule with "content" keyword doesn't work Rules rules , suricata	1	101	July 31, 2024
Content filtering does not seem to work without other payload keywords Rules rules , suricata	3	210	April 4, 2024
Rules with sticky buffers and content modifiers Rules	4	3896	June 4, 2020
Http protocol detection/parser not working on forwarded packts Help	6	1146	May 8, 2021

Rule to search for a word in the entire header

Related topics