[Oisf-devel] DNS/SMTP content modifier fields.
Victor Julien
lists at inliniac.net
Mon Apr 1 09:12:58 UTC 2019
Hi Aditya,
On 26-03-19 09:36, Puranik, Aditya wrote:
> We are trying to explore and add new content modifier fields for
> SMTP/DNS/ SMB protocols. Also we would like to expand this to other
> protocols based on our requirements.
>
> At present, Suricata has a very good coverage for HTTP protocol.
>
> https://suricata.readthedocs.io/en/suricata-4.1.2/rules/http-keywords.html
>
> HTTP content modifiers give us better control to write a new rule or to
> modify existing signatures.
>
> We are planning to have similar modifiers for protocols like SMTP, DNS,
> SMB.
>
> For example: SMTP packet exchange/flow contains a bunch of fields like
> mailfrom, rcptto, date, from, to, cc, reply_to, subject,
> x_originating_ip, user_agent et al.
>
> Something like: alert smtp $EXTERNAL_NET any -> $HOME_NET
> (content:"username@example.com"; mail_from; sid:1;)
We are doing all new keywords as 'sticky buffers', so:
'mail_from; content:abc;'
This is simpler to implement in Suricata and simpler from the rule
writer perspective as well.
> Similar requirements hold good for the other protocols mentioned.
>
> We are interested in knowing
>
> 1. What is the right approach to go about adding or modifying the
> rules with new content modifiers?
Rule modifications are usually done using suricata-update's modify.conf,
or a similar facility in other tools like pulledpork.
> 2. What is the placeholder in the code if we start adding these
> new modifiers in the rules?
I would suggest having a look at the detect-template-buffer.[ch] files.
In scripts/ we have setup scripts to instantiate them into your own keyword.
See:
https://github.com/OISF/suricata/blob/master/src/detect-template-buffer.c
https://github.com/OISF/suricata/blob/master/src/detect-template-rust-buffer.c
https://github.com/OISF/suricata/blob/master/scripts/setup-app-layer.py
> 3. If code changes are needed to implement this functionality what
> is the correct approach to accommodate these changes in existing
> Suricata design?
Code changes will certainly be needed. See the template I mentioned above.
Regards,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
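To make the difference between the two rule styles in this thread concrete, here is an added toy model (not Suricata's rule parser or any code from the project) that parses a rule's option string under either convention and evaluates the resulting checks against a constructed SMTP transaction. The buffer names `mail_from`, `rcpt_to` and `smtp_subject` and the sample transactions are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Buffer keywords known to this toy model (assumed names, not Suricata's
# real SMTP keyword set).
BUFFERS = {"mail_from", "rcpt_to", "smtp_subject"}

@dataclass
class Check:
    buffer: str        # protocol field the content is matched against
    pattern: str       # the content: value
    negate: bool = False

# One rule option: keyword, optional ':' value, terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*(!?)"?([^";]*)"?)?\s*;')

def parse_options(options: str, style: str = "sticky"):
    """Turn a rule option string into a list of Checks.

    style="sticky":   a buffer keyword ('mail_from;') selects the buffer for
                      every content: that FOLLOWS, until the next buffer keyword.
    style="modifier": legacy HTTP-style, where the buffer keyword FOLLOWS the
                      content: it modifies and applies to that content only.
    """
    checks, current = [], "payload"   # contents default to the raw payload
    for m in OPT_RE.finditer(options):
        kw, neg, val = m.group(1), m.group(2), m.group(3)
        if kw == "content":
            checks.append(Check(current, val, neg == "!"))
        elif kw in BUFFERS:
            if style == "sticky":
                current = kw
            elif checks:
                checks[-1].buffer = kw   # retro-apply to the preceding content
        # sid, msg and other keywords are ignored by this toy model
    return checks

def matches(checks, tx: dict) -> bool:
    """Evaluate every check against a transaction (dict of buffer -> text)."""
    for c in checks:
        hit = c.pattern in tx.get(c.buffer, "")
        if hit == c.negate:      # a plain miss, or a negated content that hit
            return False
    return True

# Constructed sample transaction used by the checks below.
SAMPLE_TX = {"mail_from": "sender@example.com",
             "rcpt_to": "victim@example.org", "smtp_subject": "invoice"}
```

Parsing `content:"x"; mail_from;` in sticky mode lands the content on the raw payload rather than the sender field, which is why the two conventions should not be mixed in one rule set.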