Support #4694

Is it possible for Suricata to detect an HTTP request when the HTTP traffic has not finished?

Added by Jiacheng Zhong over 2 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal

Description

I'm writing an Express server to show whether the current HTTP request will cause Suricata to issue an alert. The whole process is in real time.

The process is:

HTTP-malicious-request -> express -> read alert from eve.json -> send to client

But Suricata has no alert when the malicious HTTP request arrives at the Express server until the HTTP traffic finishes or the server responds to the client.
Is there some method available? Thanks :)

#1

Updated by Andreas Herz about 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Jiacheng Zhong

First of all I would upgrade to a more recent version of Suricata.

So you want the alert before the flow/connection is done?

#2

Updated by Victor Julien about 2 years ago

  • Status changed from Assigned to Feedback

#3

Updated by Philippe Antoine 11 months ago

  • Status changed from Feedback to Closed

Closing due to lack of feedback. Feel free to reopen with more info.

I also suggest you try IPS mode (stream.inline in the configuration).
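The setting named above, as an added suricata.yaml fragment; this is not from the issue and not the project's own documentation, and the memcap and depth values are illustrative. In IDS mode Suricata inspects reassembled TCP data only after the receiver has acknowledged it, so a request-side rule cannot fire before the Express server's ACK; with stream.inline the segment is inspected as soon as it is seen. The shipped default is `auto`, which enables inline inspection only when Suricata itself runs in IPS mode, so a plain IDS deployment needs it set explicitly.

```yaml
# Added example (not from the issue): stream engine section of suricata.yaml
stream:
  memcap: 64mb                 # illustrative value
  checksum-validation: yes
  inline: yes                  # default is "auto": inline only in IPS mode;
                               # "yes" forces inspection before the ACK arrives
  reassembly:
    memcap: 256mb              # illustrative value
    depth: 1mb                 # illustrative value; bytes inspected per direction
```

Restart Suricata after the change and confirm with `suricata --dump-config | grep stream.inline` that the running configuration shows the value you set.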
