Suricata HTTP rules not working

Hi,

I was able to create some http rules like this:

# Input http://79.124.59.134/j.ad
alert http any 80 -> any any (msg:"Malicious URL detected - Threatview";http.host;content:"79.124.59.134";http.uri;content:"j.ad";classtype:bad-url;sid:50000070;)

# Input http://81.69.96.149:8089/visit.js
alert http any 8089 -> any any (msg:"Malicious URL detected - Threatview";http.host;content:"81.69.96.149";http.uri;content:"visit.js";classtype:bad-url;sid:50000071;)

However, somehow these rules are not triggering when they are supposed to. Can someone help me figure out why, or maybe test whether they are really working?

Thank you!

You need to flip the http ports to the destination part of the rule, example:

alert http any any -> any 80 ...

This is because you are trying to detect the URL, which is in the HTTP request; in HTTP request packets the source port is normally random and the destination port is fixed (e.g. 80, 8080).

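The port-direction mistake above is easy to make in bulk-generated rules, so here is a small lint that catches it before the rules are loaded. This is an added example, not code from the thread or from the Suricata project: it parses the rule header, looks for request-side sticky buffers such as http.uri and http.host, and flags a rule whose only fixed port sits on the source side with "any" on the destination side, suggesting the header with the ports swapped. The buffer list, the parsing regex and the two sample rules (copied from the first post) are assumptions of this example, and the check only handles the simple "-> with one fixed port" case.

```python
import re

# Constructed sample input: the two rules from the first post, exactly as written there
# (request-side buffers, but the fixed port sits on the source side of the header).
SAMPLE_RULES = [
    'alert http any 80 -> any any (msg:"Malicious URL detected - Threatview";http.host;'
    'content:"79.124.59.134";http.uri;content:"j.ad";classtype:bad-url;sid:50000070;)',
    'alert http any 8089 -> any any (msg:"Malicious URL detected - Threatview";http.host;'
    'content:"81.69.96.149";http.uri;content:"visit.js";classtype:bad-url;sid:50000071;)',
]

# Sticky buffers that only ever match on the HTTP request (client -> server) side.
# Assumed subset for this example; extend as needed.
REQUEST_BUFFERS = {
    "http.uri", "http.uri.raw", "http.host", "http.host.raw", "http.method",
    "http.request_line", "http.user_agent", "http.request_body",
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Split a one-line rule into its header fields and raw option string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header: " + rule[:40])
    return m.groupdict()


def request_buffers_used(opts):
    """Return the request-side sticky buffers named in the option string."""
    # Blank out quoted strings first so content:"http.uri" is not mistaken for a keyword.
    no_quotes = re.sub(r'"[^"]*"', '""', opts)
    return {tok.strip() for tok in no_quotes.split(";") if tok.strip() in REQUEST_BUFFERS}


def check_direction(rule):
    """Return (problem, suggested_rule); problem is None when the header looks right."""
    h = parse_rule(rule)
    used = request_buffers_used(h["opts"])
    if not used or h["dir"] != "->":
        return None, rule
    # A request is client -> server: the source port is ephemeral, the server port is fixed.
    # A fixed source port with 'any' as destination port can therefore never match a request.
    if h["sport"] != "any" and h["dport"] == "any":
        sid = re.search(r"sid:\s*(\d+)", h["opts"])
        sid = sid.group(1) if sid else "?"
        fixed = (f'{h["action"]} {h["proto"]} {h["src"]} {h["dport"]} -> '
                 f'{h["dst"]} {h["sport"]} ({h["opts"]})')
        problem = (f"sid {sid}: request-side buffers {sorted(used)} but the fixed port "
                   f"{h['sport']} is on the source side; move it to the destination")
        return problem, fixed
    return None, rule


def lint(rules):
    """Run check_direction over a list of rules, returning the problems found."""
    return [check_direction(r) for r in rules if check_direction(r)[0] is not None]


if __name__ == "__main__":
    for problem, fixed in lint(SAMPLE_RULES):
        print(problem)
        print("  suggested:", fixed[:60], "...")
```

Run it on a rules file by reading one rule per line and passing the list to lint(); the suggested header keeps the addresses and only swaps the two port fields, which is exactly the change recommended in the reply above.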

Of course… I'm so dumb! Thank you!

Despite the change, the rules are still not triggering. Should a curl command trigger this type of rule?

Thanks.

Do you have a pcap with the traffic that’s not being alerted on?
