<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>First, if you are looking to create a pcap and test it against
Suricata, let me humbly suggest trying out Dalton --
<a class="moz-txt-link-freetext" href="https://github.com/secureworks/dalton">https://github.com/secureworks/dalton</a>. If you just want to craft
the pcap you can use Flowsynth
(<a class="moz-txt-link-freetext" href="https://github.com/secureworks/flowsynth/">https://github.com/secureworks/flowsynth/</a>) but Dalton includes a
Wizard/GUI for Flowsynth that makes it quite easy to create and
test the pcap against a custom rule (or other ruleset).</p>
<p>Second, if you want to make sure the HTTP Host header ends with
"paypal.com", you should do a negated isdataat and use '1' instead
of '0'; for the relative isdataat keyword, there is a difference
between how Snort and Suricata handle it (see
<a class="moz-txt-link-freetext" href="http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#isdataat-keyword">http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#isdataat-keyword</a>).
So do it like this:<br>
</p>
<p>content:"paypal.com"; http_host;
isdataat!:1,relative</p>
<p>Finally, to answer your question ... a relative isdataat after a
negated content match doesn't really make sense; it will apply to
the previous (non-negated) content match instead (or beginning of
inspection buffer if no previous content matches).<br>
</p>
<p>What exactly are you trying to do here?</p>
<p>Also, be aware of this issue -- "Negated http_* match returns
false if buffer not populated"
(<a class="moz-txt-link-freetext" href="https://redmine.openinfosecfoundation.org/issues/2224">https://redmine.openinfosecfoundation.org/issues/2224</a>).</p>
<p>Hope this helps,<br>
</p>
<p>-David Wharton</p>
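<p>As an added illustration (not code from the post or from Suricata), the following Python toy model walks an http_host buffer the way a content/isdataat-relative pair does, to show why isdataat!:1,relative means "the match is the last thing in the buffer" and why negating the content does not give "does not end with paypal.com". It assumes the engine retries later occurrences of the content when a following relative check fails, and models the negated-content case exactly as described above (the relative check falls back to the start of the buffer when there is no earlier positive match).</p>

```python
# Added example, not from the list post or the Suricata code base: a toy
# model of content:[!]"needle"; http_host; isdataat[!]:n,relative.
# ASSUMPTION: the engine tries every later occurrence of the content
# when a following relative keyword fails on the first one.

def _content_end_offsets(buf: bytes, needle: bytes):
    """Yield the end offset of every occurrence of needle in buf."""
    start = 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return
        yield idx + len(needle)
        start = idx + 1

def _isdataat_relative(buf: bytes, n: int, anchor: int, negated: bool) -> bool:
    """isdataat:n,relative -- true when at least n bytes follow the anchor."""
    hit = len(buf) - anchor >= n
    return hit != negated

def rule_matches(buf: bytes, needle: bytes, content_negated: bool,
                 isdataat_n: int, isdataat_negated: bool) -> bool:
    """Evaluate the two-keyword rule against one http_host buffer."""
    if content_negated:
        # A negated content produces no match position, so the relative
        # isdataat is anchored at the previous match or, here, offset 0.
        if needle in buf:
            return False
        return _isdataat_relative(buf, isdataat_n, 0, isdataat_negated)
    for end in _content_end_offsets(buf, needle):
        if _isdataat_relative(buf, isdataat_n, end, isdataat_negated):
            return True
    return False

def ends_with_paypal(host: bytes) -> bool:
    """Recommended form: content:"paypal.com"; http_host; isdataat!:1,relative"""
    return rule_matches(host, b"paypal.com", False, 1, True)

def negated_variant(host: bytes) -> bool:
    """Questioner's form: content:!"paypal.com"; http_host; isdataat:0,relative"""
    return rule_matches(host, b"paypal.com", True, 0, False)

if __name__ == "__main__":
    for h in (b"login.paypal.com", b"paypal.com.evil.example", b"evil.example"):
        print(h, ends_with_paypal(h), negated_variant(h))
```

In this model the negated variant reduces to "host does not contain paypal.com at all", and isdataat!:0,relative can never match because zero bytes always remain after a match, which is why the reply recommends 1.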
<div class="moz-cite-prefix">On 12/07/2017 08:31 AM, erik clark
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK6atxoydMQ6Xc1xm-iDnz+EVTiyUaaU4gR-1OtfaMqiZ8MaqQ@mail.gmail.com">
<div dir="ltr">So, I have a rule that has the following stub:
<div><br>
</div>
<div><br>
</div>
<div>content:"paypal.com";http_host;isdataat:0,relative</div>
<div><br>
</div>
<div>This checks to confirm the host IS somethingsomething.paypal.com,
and always ends in paypal.com.</div>
<div><br>
</div>
<div>My question is, and this is conjecture because I am having
a hard time procuring the right pcap, will negating the
content make this fire on anything that does NOT end in paypal.com?
Like so:</div>
<div><br>
</div>
<div>content:!"paypal.com";http_host;isdataat:0,relative</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>
</blockquote>
<br>
</body>
</html>