Rule using http does not matching get request

enag11 · January 13, 2022, 9:31pm

Running Suricata 6.0.3 as an IPS gateway.
NFQueue support: yes
iptables -A FORWARD -j NFQUEUE
starting suricata using:
/usr/bin/suricata -v -q 0 -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid

Generating the request using curl: curl http://myubd1.test75.com/page1

I’ve read through the similar topics but could not correct the problem

Trying to understand when I can use http in the rule or if my setup is incorrect.
Is http only for IDS? The suricata.yaml shows
libhtp:
default-config:
personality: IDS

I striped the rule to the bare basic
alert http any any → any any (msg:“Rule 2”; rev:10; sid:2;) does not alert

alert tcp any any → any any (msg:“Rule 2”; rev:10; sid:2;) alerts
01/13/2022-16:54:57.051779 [] [1:2:10] Rule 2 [] [Classification: (null)] [Priority: 3] {TCP} 10.12.1.2.1.75:80

Also tried using tcp protocol with an http keyword
alert tcp any any → any any (msg:“Rule 2”; content:“myubd1.test75.com/page1”; http_uri; rev:10; sid:2;) - does not alert

Jungho · January 14, 2022, 11:54am

You must distinguish between Host and URI in the address.

alert tcp any any → any any (msg:“Rule 2”; content:“myubd1.test75.com”; http_host; content:“/page1”; http_uri; rev:10; sid:2; )

enag11 · January 18, 2022, 4:38pm

Thanks for the response. I tried the suggested rule change and still do not get the alert

Topic		Replies	Views
Ssh and http protocol rule not work Help suricata	1	101	April 7, 2024
Suricata don`t mutch http post request with my rule Help rules	7	641	November 5, 2021
Suricata Rules HTTP Header not working Rules	3	375	October 31, 2023
Rate_limiter is not matching with the rule Help ips , rules , suricata	2	475	September 1, 2022
How can I write some rules in IPS not just reset http connections Rules ips , rules , suricata	1	471	February 28, 2022

Rule using http does not matching get request

Related Topics