Project

General

Profile

Actions

Support #1980

closed

Suricata gateway not matching http protocol

Added by wo wo almost 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I have a test like this:

My env:

os:debian 8

A:172.20.0.1 (gateway  suricata v3.2 )
B:172.20.0.2  (App Server)
C:172.20.0.3  (Client)

My network:

client(C)  ----> gateway suricata A (ids)  -----> AppServer B

My suricata build info:

wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
cd suricata-3.2
git clone https://github.com/OISF/libhtp.git
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
make install-rules

And load only a test rule:

alert http any any -> any any (msg:"http test"; content:"GET";) #no.1
alert tcp any any -> any any (msg:"tcp test"; content:"GET";) #no.2
alert tcp any any -> any any (msg:"tcp http test"; content:"GET";http_method;) #no.3

A:172.20.0.1 (gateway suricata) OS info:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -F
iptables -A FORWARD -j ACCEPT

Client send a request as

'http://172.20.0.2/test'

tail the fast.log. Only the #no.2 rule is matched

I have try opened the nat with iptables like:

iptables -t nat -A POSTROUTING -j MASQUERADE

And this time the #no.1 #no.2 #no.3 rules matched

But, The nat was opened that the appserver didn`t get the right client ip

address.

And now , I want use the 7 layer protocol something parameters like
http_uri,http_method and so on. The nat must be closed.

I want the right way ~ ~ ~ Thanks!

Actions

Also available in: Atom PDF