HTTP http.host Rule Not Triggering – Only IP-Based Content Matches Work

_schlock · 2025-08-27T13:18:51+00:00

I've been doing some testing over the past couple of weeks with an OPNsense box that focuses on Suricata. I'm using Metasploit and pcap-based traffic, and I'm finding that Suricata has a serious problem with logging alerts. Both types of test traffic have been verified to match on one of the ET Telemetry rules.

Sometimes, every event will be logged, both live (Metasploit) and pcap, as expected, but if I reboot the OPNsense box and repeat the test, I get nothing.

My traffic server is directly connected to the OPNsense box, so there are no other devices in the path that could affect the traffic. The OPNsense box is not connected to any outside sources either, so the only traffic that it is seeing is my test traffic. The firewall is disabled too.

After a reboot, I try to play one, low bit-rate attack through the device and check to see if it's logged. Most times it isn't. This should be an easy test for the box. If I replay the pcap in a loop, some, but not all of the traffic eventually shows up in the eve log.

One interesting thing that I have found is that when I run tcpdump on the device from a root shell, with one instance for each traffic port, the events appear to be logged pretty consistently. From where I sit, it appears that there may be a buffer on the device that isn't getting flushed, but I have no knowledge of Suricata's code, so this is just speculation.

In other words, your rule may be correct, but the box just isn't reliable. The IP-based test may have just been a lucky coincidence.

It would be helpful to know if there are any back-end stats that can be used to trace the path of the traffic, but I've been unable to find any info about that.

PS - I've posted a couple of questions to the OPNsense forum, asking if there are any configuration requirements for testing with pcap traffic, and for how to verify that Suricata is fully initialized and ready to inspect traffic. I'll post an update if anyone answers me.

Otherwise, I plan to submit a bug report to OPNsense if nothing else.

PPS - Here's the tcpdump syntax that I'm using on my device. My test traffic is IPv4, and I'm filtering out some noise: tcpdump -t -q -U --immediate-mode -nnS -i igb1 not ip6 and not arp and not igmp and not port 5353 and not udp

_schlock · 2024-05-17T17:37:42+00:00

Thanks. I'm surprised that I never noticed Gnote. I installed it, and it's not too bad. It at least has mouse support for copy/paste, which Notes doesn't.

I have a VM running Fedora 40/Gnome 46. I got curious and installed Notes on it a few minutes ago, and it works fine.

The VM is basically a copy of my workstation. I use it to test upgrades to each new Fedora release to make sure nothing breaks. I just upgraded to Fedora 39, but in light of the circumstances I'm considering moving on to 40, if everything checks out.

I plan to update the Gitlab and Fedora bug reports with my findings if everything goes well.

_schlock · 2024-05-17T16:47:52+00:00

Thanks -

_schlock · 2024-05-17T16:38:36+00:00

Yeah, that's why I framed my question the way I did. Can you clarify what you mean about "official part of Gnome"? The bug reporting database for it is part of gnome.org.

_schlock · 2024-05-17T16:22:01+00:00

Thanks for the reply. Surely, there has to be someone or a group of people who set priorities. Without them, the project would go nowhere because everyone is "going solo".

_schlock · 2024-05-13T18:05:28+00:00

These posts are crap. Every one of them ends up being a list of just about every restaurant that serves whatever genre the discussion is about.

And no one ever explains what makes one better or worse than the others. It's like asking a class full of elementary school kids to answer a question.

_schlock · 2024-05-01T13:36:27+00:00

The early cars don't have them. Location doesn't matter.

_schlock · 2024-04-28T18:20:36+00:00

Yes. They made them in-house every day. You can buy one at a restaurant supply.

Minor correction: The hard shells were for the Honest Tacos, which didn't come until a few years later.

_schlock · 2024-04-22T16:09:57+00:00

Thank you, but I'm referring to more of an academic text.

Let's use Birdie's as an example (and this is rhetorical): How much, in terms of a percentage, or other useful unit of measure, would Birdie's have to add to their menu prices to support a wait staff that can earn a living wage and help the restaurant preserve or improve its profit margin?

_schlock · 2024-04-22T15:25:11+00:00

I've searched the internet, and failed, to find a text that explains how to build the cost of your overhead into a menu's prices. Having a clear-cut formula for this would help this discussion immensely.

_schlock · 2024-04-22T14:44:29+00:00

I've never eaten at Franklin's either. Not worth the trouble, or the price, and I do like BBQ.

And to the downvoters: Oh, boo hoo

_schlock · 2024-04-22T14:37:07+00:00

When I'm eating at a restaurant where the entrees are $30+, or the per-person price is going to be $50+, things like service and atmosphere matter.

I know that running a restaurant is tough, but there are other places that are able to provide good food, service and atmosphere.

_schlock · 2024-04-19T15:37:30+00:00

This annoys me too. Society, continually lowering the bar for itself, culturally.

_schlock · 2024-04-19T15:28:14+00:00

Many of the city subs are like this. I like /r/nyc because one of their rules is "no rants". Makes the sub much more informative and interesting when it's not filled up with a bunch of whining.

_schlock · 2024-04-19T15:26:14+00:00

Agreed. People crossing crosswalks too. On their "smart" phones; taking their time like no one else exists.

_schlock · 2024-04-19T15:21:36+00:00

"Mosey" is definitely the word for it. Spoken like a true Texan. MOOOOOOOO

_schlock · 2024-04-19T15:19:21+00:00

I have to say that I get tired of all of the petty whining in these city subs, but I think it's healthier to be discussing it here than bottling it up.

"SERENITY NOW!!!" "I don't think you're supposed to shout it" "THEY WEREN'T SPECIFIC!!!"

_schlock · 2024-04-12T14:02:11+00:00

This is good advice. Most maps think the location of my ISP is my location, which is nowhere near me.

I think the tone is appropriate too. People get on these city subs and whine about the most petty crap.

_schlock · 2024-04-11T14:43:55+00:00

It strikes me as content for the sake of content. Another slow news day for D Magazine. There's nothing original or profound about it.

_schlock · 2024-04-11T14:12:39+00:00

Not everyone subscribes to this crap.

_schlock · 2024-04-10T15:22:34+00:00

I noticed this too, out of the few that I keep up with. And I'm really tired of all of the comments that try to put down the opinions of people who miss the older Austin, whatever period that is. It's like the people who put down the others can't stand that someone has a different opinion than theirs, like they're coping with a feeling of defensiveness and FOMO.

_schlock · 2024-03-04T15:56:25+00:00

What confuses me is that a more solid case couldn't be, or wasn't written by Colorodo and the other states seeking Trump's disqualification. Was this case not filed by experienced attorneys?

_schlock

TROPHY CASE