I can’t figure it out / understand. I need to write a rule that catches an HTTP POST request from one IP address more than three times in 10 seconds and logs it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood "; flow:to_server; ..... count 3, seconds 10;)
What commands should I use instead of the dots? Are there examples somewhere or an article describing the use of flags? I don't understand the docs on the official website.
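
An added example, not part of the original post: two ways to express the rate condition asked about above, assuming the engine is Suricata 5 or later (the `http.method` sticky buffer). The `sid` values and the `established` flow option are constructed for illustration.

```suricata
# Variant 1: threshold.
# Alerts when a single source IP reaches 3 matching POST requests
# within a 10-second window.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP POST flood (threshold)"; flow:to_server,established; http.method; content:"POST"; threshold:type threshold, track by_src, count 3, seconds 10; sid:1000001; rev:1;)

# Variant 2: detection_filter.
# Stays silent until the count of 3 within 10 seconds has been reached
# for a source IP, then alerts on every further matching request.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP POST flood (detection_filter)"; flow:to_server,established; http.method; content:"POST"; detection_filter:track by_src, count 3, seconds 10; sid:1000002; rev:1;)
```

Both variants count per source address (`track by_src`); a rule carries either `threshold` or `detection_filter`, not both.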