[Oisf-devel] request enhance Suricata v1.3.0beta1 for file_data and negate http_header
Victor Julien
victor at inliniac.net
Fri Apr 6 10:13:01 UTC 2012
On 04/06/2012 10:47 AM, rmkml wrote:
> Thx you Victor for reply,
> but it can break "api" with snort ?
> because snort allow file_data:.... and after http_header or other...
I think this make things confusing. We have a keyword "file_data" that
says "all content after file_data inspects file data". Except when it
doesn't. Logically having the http_header before file_data makes sense
too. Http headers come before file data.
> Im added distance:0 because it's more easy to understand sig: search
> content after distance since file_data...
On the contrary. It suggests that there is a relation with something
before it, that isn't there. Confuses things. In general, adding
unnecessary keywords is confusing.
file_data inspects a different buffer (Snort calls this a sticky buffer
these days), so any suggestion of it being relative to another buffer
is... confusing.
Cheers,
Victor
> Regards
> Rmkml
>
>
> On Fri, 6 Apr 2012, Victor Julien wrote:
>
>> On 04/05/2012 11:10 PM, eileen donlon wrote:
>>> Hi,
>>>
>>> Believe this rule will work if you put the http_header content first:
>>
>> Yes, this is because all contents after "file_data" are considered to be
>> part of file_data, so the http_header doesn't work with them.
>>
>>> alert tcp any 80 -> any any (msg:"negate content http_header";
>>> flow:to_client,established; content:!"def"; http_header; file_data;
>>> content:"abc"; distance:0; classtype:web-application-activity;
>>> sid:92891232; rev:1;)
>>>
>>> Don't think distance:0 does anything in this rule so it could be
>>> removed.
>>
>> Thats correct.
>>
>> Cheers,
>> Victor
>>
>>> Regards,
>>> Eileen
>>>
>>> On Thu, Apr 5, 2012 at 5:34 PM, rmkml <rmkml at yahoo.fr
>>> <mailto:rmkml at yahoo.fr>> wrote:
>>>
>>> Hi,
>>>
>>> Anyone check why this sig not work please?
>>> I request support it because first content are "linked" with
>>> file_data,
>>> and second negated content are linke with http_header:
>>>
>>> alert tcp any 80 -> any any (msg:"negate content http_header";
>>> flow:to_client,established; file_data; content:"abc"; distance:0;
>>> content:!"def"; http_header; classtype:web-application-activity;
>>> sid:92891232; rev:1;)
>>>
>>> Suricata error:
>>> 5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside
>>> the rule without a content context.
>>> Please use a "content" keyword before using the "http_header"
>>> keyword
>>> 5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>>> any 80 -> any any (msg:"negate content
>>> http_header"; flow:to_client,established; file_data; content:"abc";
>>> distance:0; content:!"def"; http_header;
>>> classtype:web-application-activity; sid:92891232; rev:1;)" from file
>>> test.rules at line 1
>>>
>>> If anyone confirm, Im open a new redmine ticket.
>>>
>>> Regards
>>> Rmkml
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> <mailto:Oisf-devel at openinfosecfoundation.org>
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list