I have https://example.com behind my pfSense. In pfSense I configured HAProxy in TCP mode on both the backend and the frontend, with port 443 on the frontend. I can access my site with this configuration.
I want to use Snort/Suricata in pfSense too, to have a connection rate limit on some URL paths like /login; for example, more than 10 requests in 60 min should be blocked. When I create the following custom rules, the first one works but the second one does not! What is the problem?
This works and logs alerts:
alert tls any any -> any 443 (msg:"HTTPS traffic"; tls.sni; content:"example.com";log http_uri;sid:15000003; rev:1;)
The rule below does not work:
alert tls any any -> any 443 (msg:"HTTPS traffic"; tls.sni; content:"example.com"; nocase; pcre:"/login\b";sid:15000003; rev:1;)
What is the problem? Why can't I match traffic with a specific URI path?
I want to have something like this, but it does not work:
alert tls any any -> any 443 (msg:"HTTPS traffic"; tls.sni; content:"example.com"; nocase; pcre:"/login\b";rate: 10/1h;sid:15000003; rev:1;)