Forum Discussion
hooleylist
Mar 04, 2008Cirrostratus
Hi,
Do you see any matches logged with the existing rule? Can you add logging to the rule to see if it's triggering when you expect it to?
If you modified the STREAM::expression can you post your exact expression?
Here is an example for added logging:
when HTTP_REQUEST
Added this event just to save the host/URI
set url [HTTP::host][HTTP::uri]
}
when HTTP_RESPONSE {
log local0. "Received response for $url"
Need to explicitly disable the stream profile by default so it doesn't stay
enabled for subsequent HTTP requests on the same TCP connection.
STREAM::disable
Apply stream profile against text responses from the application
if { [HTTP::header value Content-Type] contains "text" }{
log local0. "Enabled stream filter for $url, with content-type: [HTTP::header value Content-Type]"
Look for http:// and replace it with https://
STREAM::expression {@http://@https://@}
Enable the stream profile
STREAM::enable
}
}
This section is optional and only needs to be included if you want to log matches. It should be removed before using the rule in production.
when STREAM_MATCHED {
log local0. "Matched: [STREAM::match]"
}
Aaron