Actions
Support #1980
closedSuricata gateway not matching http protocol
Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Description
I have a test like this:
My env:
os:debian 8
A:172.20.0.1 (gateway suricata v3.2 )
B:172.20.0.2 (App Server)
C:172.20.0.3 (Client)
My network:
client(C) ----> gateway suricata A (ids) -----> AppServer B
My suricata build info:
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip
unar suricata-3.2.zip
cd suricata-3.2
git clone https://github.com/OISF/libhtp.git
./configure --enable-nfqueue --enable-pfring --enable-hiredis --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
make install-rules
And load only a test rule:
alert http any any -> any any (msg:"http test"; content:"GET";) #no.1
alert tcp any any -> any any (msg:"tcp test"; content:"GET";) #no.2
alert tcp any any -> any any (msg:"tcp http test"; content:"GET";http_method;) #no.3
A:172.20.0.1 (gateway suricata) OS info:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -F
iptables -A FORWARD -j ACCEPT
Client send a request as
'http://172.20.0.2/test'
tail the fast.log. Only the #no.2 rule is matched
I have try opened the nat with iptables like:
iptables -t nat -A POSTROUTING -j MASQUERADE
And this time the #no.1 #no.2 #no.3 rules matched
But, The nat was opened that the appserver didn`t get the right client ip
address.
And now , I want use the 7 layer protocol something parameters like
http_uri,http_method and so on. The nat must be closed.
I want the right way ~ ~ ~ Thanks!
Actions