0

I can’t figure it out / understand. Need to write a rule that catches an HTTP POST request from one ip address more than three times in 10 seconds and logs it.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood "; flow:to_server; ..... count 3, seconds 10;)

What commands should use instead of dots? Are there examples somewhere or an article describing the use of flags? I don't understand at the docks on the official website.

Norfo4ik
  • 1
  • 2

1 Answers1

0

With http.method it’s possible to match that request.

https://suricata.readthedocs.io/en/suricata-6.0.3/rules/http-keywords.html#http-method

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood "; flow:to_server; http.method; content:"POST"; count 3, seconds 10;)
Norfo4ik
  • 1
  • 2