Suricata Rule to monitor all the HTTPS Request with dest port 443

Hi.

I am trying to create a rule to monitor all the HTTPS requests with destination port 443, including all the HTTP methods and all the possible information that could be obtained from the request.
None of the rules I have created have been able to generate detections.
Requesting your assistance to get the rule sorted.
Thanks

Please tell us more details; at least start with the rules and how you configured your setup.
Keep in mind that HTTPS is encrypted, so you won’t see too much unless you decrypt it prior to forwarding.

I am trying to monitor HTTPS requests from two specific IP addresses to a specific subnet.

alert tcp 10.x.x.x any -> 10.x.x.x/24 443 (msg:"http request dst 443"; flow:established,toserver; content:"18 21 22 0a 48 54 54 50 2f 31 2e 31|"; http.host; http.request_body; tcp.dport eq 443;)

Suricata is installed on a physical server, and the traffic is received from a SPAN port on the core switch.

If you just consume directly from the switch, you are not decrypting. In this case you can’t really look into the contents (or look for things like your content pattern here, in which the leading | is missing, BTW). All you get is a tls event that gives you TLS parameters, certificate metadata, and maybe an SNI (see 8.16. SSL/TLS Keywords in the Suricata 8.0.0-dev documentation). You won’t be able to use the http.* keywords because of the encryption, as you can’t even tell whether it’s HTTPS or some other TLS-secured protocol.
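As an added illustration of the reply above (these rules are not from the thread or from the Suricata project; they are written here as an example), the following rules match on the fields that remain in cleartext in a TLS session captured from a SPAN port: the session itself, the SNI in the ClientHello, and the certificate the server sends back. The addresses 10.0.0.10, 10.0.0.11 and 10.1.1.0/24, the hostname example.internal and the sid values are placeholders standing in for the poster’s 10.x.x.x values. Source/destination addresses and ports belong in the rule header (as the poster’s header already has them); there is no `tcp.dport eq` keyword in the rule body.

```suricata
# Added example, not from the thread. Placeholder addresses and sids.

# 1. Alert on every established TLS session from the two hosts to the
#    subnet on port 443. The "tls" protocol means the rule only fires once
#    Suricata has recognised a TLS handshake, not on arbitrary tcp/443.
alert tls [10.0.0.10,10.0.0.11] any -> 10.1.1.0/24 443 (msg:"TLS session to 443 from monitored hosts"; flow:established,to_server; sid:1000001; rev:1;)

# 2. Same selection, but only when the ClientHello carries a given SNI.
#    This is the closest unencrypted equivalent of matching http.host.
alert tls [10.0.0.10,10.0.0.11] any -> 10.1.1.0/24 443 (msg:"TLS to 443 with SNI example.internal"; flow:established,to_server; tls.sni; content:"example.internal"; nocase; sid:1000002; rev:1;)

# 3. Inspect the server certificate on the return direction: subject,
#    issuer and fingerprint are visible in TLS 1.2 and below, and in
#    TLS 1.3 the certificate is encrypted, so this rule will not match there.
alert tls 10.1.1.0/24 443 -> [10.0.0.10,10.0.0.11] any (msg:"Server certificate issued for example.internal"; flow:established,to_client; tls.cert_subject; content:"CN=example.internal"; sid:1000003; rev:1;)

# 4. Sessions from the monitored hosts with no SNI at all (e.g. clients
#    connecting by IP), which rule 2 can never see.
alert tls [10.0.0.10,10.0.0.11] any -> 10.1.1.0/24 443 (msg:"TLS to 443 without SNI"; flow:established,to_server; tls.sni; content:!"."; sid:1000004; rev:1;)
```

For the “all possible information” part of the question, alert rules are the wrong tool: enabling the tls type in the eve-log output (with `extended: yes`) records version, SNI, subject, issuer, fingerprint and validity dates for every TLS session regardless of any rule. The http.* keywords and an HTTP method match only become possible if the traffic is decrypted before it reaches Suricata, for example by feeding it the plaintext side of a TLS-terminating proxy instead of the SPAN feed.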