Running Suricata 6.0.3 as an IPS gateway.
NFQueue support: yes
iptables -A FORWARD -j NFQUEUE
starting suricata using:
/usr/bin/suricata -v -q 0 -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
Generating the request using curl: curl http://myubd1.test75.com/page1
I've read through the similar topics but could not correct the problem.
I'm trying to understand when I can use http in the rule, or whether my setup is incorrect.
Is http only for IDS? The suricata.yaml shows:
libhtp:
  default-config:
    personality: IDS
I stripped the rule down to the bare basics:
alert http any any -> any any (msg:"Rule 2"; rev:10; sid:2;) - does not alert
alert tcp any any -> any any (msg:"Rule 2"; rev:10; sid:2;) - alerts
01/13/2022-16:54:57.051779 [**] [1:2:10] Rule 2 [**] [Classification: (null)] [Priority: 3] {TCP} 10.12.1.2.1.75:80
I also tried using the tcp protocol with an http keyword:
alert tcp any any -> any any (msg:"Rule 2"; content:"myubd1.test75.com/page1"; http_uri; rev:10; sid:2;) - does not alert
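An added example, not part of the original post and not Suricata's own code: a small Python lint for rule lines that can be run offline, without Suricata, to catch one specific mismatch visible in the last rule above. In Suricata the `http_uri` / `http.uri` buffer holds only the normalized request URI (for the curl request in the post, `/page1`); the Host header is a separate buffer, `http_host` / `http.host`, so a content string that begins with a hostname can never match in the URI buffer. The lint flags that case and rewrites the rule into the sticky-buffer form Suricata 5+ documents (`http.host; content:...; http.uri; content:...;`). The regex parser, the heuristic (dotted label before the first `/` in a `content` that is followed by `http_uri`) and the function names are the example's own; the two rule strings are the ones quoted in the post. Separately, `libhtp: default-config: personality: IDS` selects an HTTP parsing profile (how libhtp interprets ambiguous HTTP), not IDS versus IPS operation, so that setting by itself does not disable http rules in NFQUEUE mode. The example says nothing about why the plain `alert http` rule did not alert; that needs the engine's own logs.

```python
"""Lint Suricata rule lines for a hostname placed in the http_uri buffer.

Added example; not code from the forum post or from the Suricata project.
Assumptions are marked inline.
"""
import re

# Rules quoted in the post (ASCII quotes and arrows).
RULE_HTTP = 'alert http any any -> any any (msg:"Rule 2"; rev:10; sid:2;)'
RULE_TCP_URI = ('alert tcp any any -> any any (msg:"Rule 2"; '
                'content:"myubd1.test75.com/page1"; http_uri; rev:10; sid:2;)')

# Minimal header grammar: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')

# Legacy content modifiers that bind the preceding content to the URI buffer.
LEGACY_URI_MODIFIERS = {"http_uri", "http_raw_uri"}


def split_options(body):
    """Split 'k:v; k; ...' into (keyword, value) pairs; ';' inside quotes is kept."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(cur).strip()
            if token:
                key, sep, val = token.partition(":")
                opts.append((key.strip(), val.strip().strip('"') if sep else None))
            cur = []
        else:
            cur.append(ch)
    return opts


def parse_rule(line):
    """Parse one rule line into a dict of header fields plus an 'options' list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule line: " + line)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    return rule


def _host_in_uri_content(val, following):
    # Heuristic (assumption): a content bound to http_uri that does not start
    # with '/' and whose first path segment is a dotted label is a hostname.
    return (following in LEGACY_URI_MODIFIERS and val is not None
            and "/" in val and not val.startswith("/")
            and "." in val.split("/", 1)[0])


def lint_rule(line):
    """Return a list of findings for one rule; an empty list means nothing flagged."""
    opts = parse_rule(line)["options"]
    findings = []
    for i, (key, val) in enumerate(opts):
        following = opts[i + 1][0] if i + 1 < len(opts) else None
        if key == "content" and _host_in_uri_content(val, following):
            findings.append(
                f"content {val!r} is matched against {following}, which holds only "
                "the request path (e.g. '/page1'); the host belongs in http.host")
    return findings


def suggest_host_path_rule(line):
    """Rewrite 'content:"host/path"; http_uri;' into sticky-buffer form.

    Rules without that pattern are re-emitted unchanged (proto forced to http,
    since matching an HTTP buffer needs the HTTP parser anyway).
    """
    rule = parse_rule(line)
    opts, new_opts, i = rule["options"], [], 0
    while i < len(opts):
        key, val = opts[i]
        following = opts[i + 1][0] if i + 1 < len(opts) else None
        if key == "content" and _host_in_uri_content(val, following):
            host, path = val.split("/", 1)
            new_opts += [("http.host", None), ("content", host),
                         ("http.uri", None), ("content", "/" + path)]
            i += 2  # skip the legacy modifier we just replaced
            continue
        new_opts.append((key, val))
        i += 1
    body = " ".join(
        f'{k}:"{v}";' if k in ("content", "msg")
        else (f"{k}:{v};" if v is not None else f"{k};")
        for k, v in new_opts)
    return (f'{rule["action"]} http {rule["src"]} {rule["sport"]} {rule["dir"]} '
            f'{rule["dst"]} {rule["dport"]} ({body})')


if __name__ == "__main__":
    for r in (RULE_HTTP, RULE_TCP_URI):
        print(r)
        for f in lint_rule(r):
            print("  finding:", f)
            print("  suggest:", suggest_host_path_rule(r))
```

The rewritten rule can then be checked against a real Suricata install with `suricata -T -c /etc/suricata/suricata.yaml -S <rules file>`, which validates rule syntax without processing traffic.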