Hello,
I’m testing Suricata 7.0.5 and trying to block HTTP traffic based on a keyword inside the file body. I created this rule:
    drop http any any -> any any (msg:"Block Doyle Hound book based on content match"; file_data; content:"wimped"; sid:2300402; rev:1;)
To test, I fetch a text file with wget:
    wget --tries=1 --no-check-certificate --bind-address=141.64.201.1 http://www.textfiles.com/computers/weird2_1.txt
Problem:
- The file downloads completely.
- No alert or log is generated in eve.json.
- The keyword (wimped) is present near the end of the file.
Config details:
My Suricata config has:
    stream:
      depth: 0
      midstream: true
      drop-invalid: no
      midstream-policy: auto

    http:
      enabled: true
      libhtp:
        default-config:
          request-body-limit: 0
          response-body-limit: 0
          request-body-minimal-inspect-size: 500kb
          response-body-minimal-inspect-size: 500kb
          request-body-inspect-window: 4mb
          response-body-inspect-window: 4mb
          http-body-inline: yes
Questions:
- With these settings, shouldn’t Suricata scan the entire HTTP response body?
- Is there a limitation where file_data stops scanning before the end of the file if it’s large?
- Do I need to tweak response-body-inspect-window or use filemagic/filestore to handle this case?
- How can I debug if Suricata actually sees the keyword in the response body?
Environment:
- Suricata version: 7.0.5
- Using default config except for the above rule and body limits.
Thanks for any insights!
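One way to check whether the rule fired at all is to pull the alert events for sid 2300402 out of eve.json and look at their action field, which Suricata sets to "blocked" only when the drop was actually enforced and to "allowed" when the engine was merely alerting. The script below is an added example for that check, not code from the post or from the Suricata project; the eve.json lines in it are constructed to mimic Suricata 7 EVE output, and the IPs, timestamps and flow IDs are made up.

```python
"""Filter Suricata eve.json output for alerts on one signature ID.

Added example, not part of the forum post. The EVE lines below are
constructed to resemble Suricata 7 output for the poster's rule
(sid 2300402); IPs, timestamps and flow_ids are invented.
"""
import json
from typing import Iterable

SAMPLE_EVE_LINES = [
    # http event for the download (constructed)
    '{"timestamp":"2024-06-01T10:00:00.000000+0000","flow_id":1,"event_type":"http",'
    '"src_ip":"141.64.201.1","dest_ip":"198.51.100.7","http":{"hostname":"www.textfiles.com",'
    '"url":"/computers/weird2_1.txt","http_method":"GET","status":200,"length":43210}}',
    # alert raised by the file_data rule; action "allowed" means the engine
    # alerted but did not enforce the drop (e.g. IDS mode) (constructed)
    '{"timestamp":"2024-06-01T10:00:00.100000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"198.51.100.7","dest_ip":"141.64.201.1","alert":{"action":"allowed",'
    '"signature_id":2300402,"rev":1,"signature":"Block Doyle Hound book based on content match"}}',
    # unrelated alert that must be filtered out (constructed)
    '{"timestamp":"2024-06-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert",'
    '"alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"other rule"}}',
    '',  # blank line, as found at the end of a log file
]


def alerts_for_sid(lines: Iterable[str], sid: int) -> list:
    """Return the alert events whose alert.signature_id equals sid."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated line (e.g. log still being written)
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("signature_id") == sid:
            hits.append(event)
    return hits


def summarize(hits: list) -> list:
    """Reduce each alert to (timestamp, action, flow_id) for a quick read."""
    return [(h["timestamp"], h["alert"]["action"], h["flow_id"]) for h in hits]


if __name__ == "__main__":
    for row in summarize(alerts_for_sid(SAMPLE_EVE_LINES, 2300402)):
        print(row)
```

Point the script at a real log with `open("/var/log/suricata/eve.json")` in place of SAMPLE_EVE_LINES; no rows at all means the signature never matched, while rows with action "allowed" mean it matched but was not dropped.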