I writed this rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP POST packet flood"; http.method; content:"POST"; detection_filter: track by_dst, count 3, seconds 10;)
but Suricata don`t mutch post packets and dont log it. Help please
Hi, can you help us with some info about:
- what command are you using to run Suricata
- which version are you using
- do you see any errors when Suricata starts?
Thanks!
1 Like
I use this command for start:
sudo suricata -i enp0s3
I use 6.0.3 version
No, I dont have any errors
I`m generating POST request by ab:
ab -T application/x-www-form-urlencoded -p /tmp/body -n 1000 http://192.168.1.104/
in suricata.log I see, what packets arrived at the server
It would be good to know:
- Are you sure Suricata is capturing/receiving that specific traffic?
- If yes, how? pcap, nfqueue, ipfw divert?
- Is there a test rule to make sure the detection is working fine?
- How is your suricata.yaml configured? (HOME_NET)
Iβve replicated your scenario with the test rule below:
alert http $EXTERNAL_NET any -> 192.168.1.147 80 (msg:"HTTP packet"; http.method; content: "POST"; detection_filter: track by_dst, count 3, seconds 10;)
1 Like
how did you generate post request?
-
Post request gerenated with ab (same parameters).
-
To make sure a rule is matching try to simplify the rule options at a time. In your case, start with matching just post request and test the rule if it works and each time add more options (trackβ¦).
3) Your HOME_NET range is wide, so be sure the host sending post resquest is not part of the home networks as the rule is matching requests from EXTERNAL_NET (out of your HOME_NET) to HOME_NET (internal networks).
A simple rule that can be used to check if Suricata is detecting things as expected could be:
alert icmp any any -> any any (msg: "ICMP Packet found"; sid: 1000002; rev: 1;)
Then you can try and use a ping command to trigger it.
1 Like