Suricata http rule to identify POST requests

Norfo4ik · October 25, 2021, 5:21pm

I can’t figure it out / understand. Need to write a rule that catches an HTTP POST request from one ip address more than three times in 10 seconds and logs it.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood "; flow:to_server; ..... count 3, seconds 10;)

What commands should you use instead of dots? Are there examples somewhere or an article describing the use of flags? I don’t understand at the docks on the official website.

lex · October 27, 2021, 1:00pm

With http.method it’s possible to match that request.

https://suricata.readthedocs.io/en/suricata-6.0.3/rules/http-keywords.html#http-method

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood "; flow:to_server; http.method; content:"POST"; count 3, seconds 10;)

Topic		Replies	Views
Suricata don`t mutch http post request with my rule Help rules	7	631	November 5, 2021
Detection rule for simple POST request Rules	5	1846	October 7, 2021
Rule using http does not matching get request Rules	2	1014	January 18, 2022
Wanna my suricata ips limit traffic Help ips	2	704	June 14, 2022
Rules - limiting traffic to a specific time Rules ips	7	3058	April 20, 2020

Suricata http rule to identify POST requests

Related Topics