Rules with http.host keyword and DNS resolution?

I was experimenting with some rules, and I noticed that a rule will not trigger if a http.host isn’t resolvable.

For example:

alert http any any -> any any ( msg: "test"; http.host; content: "2288.org"; ) will not trigger while
alert http any any -> any any ( msg: "test"; http.host; content: "eff.org"; ) will.

Is there someplace I can disable this behavior so that when I provide a PCAP for analysis it won’t require the domain (2288.org for example) to be resolvable?

Thank you and sorry to be the newb.

Hi Jared,

Suricata does not do any DNS resolution itself. With those rules above, Suricata is parsing out the “Host” header from the HTTP traffic in the PCAP file and matches the content on that. No network activity is created by this process, and it could be done completely offline.

Hope that helps.


Thank you.

The PCAPs I was evaluating had HTTP requests using just line feeds, not carriage return line feeds as HTTP specifies.
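The thread ends on the actual cause: the rule was fine, but the captured requests did not look like HTTP to the parser because their header lines ended in bare LF instead of CRLF. The following Python checker is an added example (not code from the thread, from Suricata or from libhtp) for triaging that failure mode before blaming a rule: it reports which line terminators a raw request head uses, parses the Host header either strictly (CRLF only, as RFC 9112 specifies) or leniently (bare LF accepted), and emulates a substring match the way an `http.host; content:"…";` rule would. The sample request heads are constructed, and the strict/lenient split is an illustration of the difference, not a claim about the engine's exact parsing policy.

```python
import re
from typing import Optional

# Constructed sample request heads (not taken from the thread's PCAPs).
REQUEST_CRLF = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.2288.org\r\n"
    b"User-Agent: pcap-check\r\n"
    b"\r\n"
)
REQUEST_LF = (
    b"GET /index.html HTTP/1.1\n"
    b"Host: www.2288.org\n"
    b"User-Agent: pcap-check\n"
    b"\n"
)


def line_terminators(raw: bytes) -> str:
    """Report which line terminators a raw request head uses: 'crlf', 'lf', 'mixed' or 'none'."""
    crlf = raw.count(b"\r\n")
    bare_lf = raw.count(b"\n") - crlf
    if crlf and bare_lf:
        return "mixed"
    if crlf:
        return "crlf"
    if bare_lf:
        return "lf"
    return "none"


def parse_head(raw: bytes, strict: bool = True) -> Optional[dict]:
    """Parse the request line and headers of a raw HTTP request head.

    strict=True accepts only CRLF line terminators (RFC 9112).
    strict=False also accepts bare LF. Returns None when the head cannot be parsed.
    """
    if strict:
        end = raw.find(b"\r\n\r\n")
        if end < 0:
            return None
        lines = raw[:end].split(b"\r\n")
        if any(b"\n" in line for line in lines):  # bare LF inside a "line": malformed
            return None
    else:
        m = re.search(rb"\r?\n\r?\n", raw)
        if m is None:
            return None
        lines = re.split(rb"\r?\n", raw[: m.start()])

    request_line, *header_lines = lines
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return {
        "method": parts[0].decode("ascii", "replace"),
        "target": parts[1].decode("ascii", "replace"),
        "version": parts[2].decode("ascii", "replace"),
        "headers": headers,
    }


def host_matches(raw: bytes, needle: str, strict: bool = True) -> bool:
    """Rough emulation of `http.host; content:"needle";`: substring match on the parsed Host header.

    This only lower-cases both sides; it does not reproduce the engine's full buffer normalisation.
    """
    head = parse_head(raw, strict)
    if head is None:
        return False
    host = head["headers"].get("host")
    return host is not None and needle.lower() in host.lower()


def diagnose(raw: bytes, needle: str) -> str:
    """Explain whether a Host-based rule had a chance to match on this request head."""
    term = line_terminators(raw)
    if host_matches(raw, needle):
        return f"match ({term} terminators)"
    if host_matches(raw, needle, strict=False):
        return f"no strict match: head uses {term} terminators; lenient parse finds Host containing {needle!r}"
    return f"no match: Host header absent or does not contain {needle!r}"


if __name__ == "__main__":
    for label, req in (("CRLF request", REQUEST_CRLF), ("LF-only request", REQUEST_LF)):
        print(f"{label}: {diagnose(req, '2288.org')}")
```

Running the block prints a match for the CRLF request and a "no strict match" explanation for the LF-only one, which is the signal to look at the capture's line endings rather than at DNS or at the rule itself.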