Rules with http.host keyword and DNS resolution?

jaredchandler · March 21, 2023, 3:14pm

I was experimenting with some rules, and I noticed that a rule will not trigger if a http.host isn’t resolvable.

For example:

alert http any any -> any any ( msg: "test"; http.host; content: "2288.org"; ) will not trigger while
alert http any any -> any any ( msg: "test"; http.host; content: "eff.org"; ) will.

Is there someplace I can disable this behavior so that when I provide a PCAP for analysis it won’t require the domain (2288.org for example) to be resolvable?

Thank you and sorry to be the newb.

ish · March 21, 2023, 4:20pm

Hi Jared,

Suricata does not do any DNS resolution itself. With those rules above, Suricata is parsing out the “Host” header from the HTTP traffic in the PCAP file and matches the content on that. No network activity is created by this process and could be done completely offline.

Hope that helps.

jaredchandler · March 21, 2023, 4:36pm

Thank you.

The PCAPs i was evaluating had HTTP.Requests using just LineFeeds, not CarriageReturn LineFeeds as HTTP specifies.

Topic		Replies	Views
Cannot get alerts from pcaps Help	6	2465	July 2, 2020
HTTP rules not working - Suricata + EC2 + VPC Mirroring Help aws	3	682	September 17, 2022
Most simple rule with "content" keyword doesn't work Rules rules , suricata	1	101	July 31, 2024
SURICATA HTTP unable to match response to request Rules	1	3238	November 1, 2021
Suricata HTTP rules not working Rules	4	740	February 17, 2023

Rules with http.host keyword and DNS resolution?

Related topics