<div dir="ltr"><div><span style="font-size:12.8px"><br></span></div><span style="font-size:12.8px"><div><span style="font-size:12.8px">Victor, yes, I am doing !isdataat,0</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">The point is to look for ANY http_host that does not end in <a href="http://paypal.com">paypal.com</a>. </span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">So, </span><span style="font-size:12.8px">'content:"pattern"; isdataat:!1,relative;' finds me only things that end in <a href="http://paypal.com">paypal.com</a>. Great. But that is the opposite of what I want, which is anything that does not end in <a href="http://paypal.com">paypal.com</a>.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">We have ssl breakout, and our signatures fire erroneously for known good domains (because they fit the phish templates). Since I know all the http_hosts that are actually clean, I want to do a negative content match against isdataat:!0,relative (!1 doesn't seem to match http_host properly for some reason).</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">That is why I want the double negate.</span></div><div><span style="font-size:12.8px"><br></span></div></span><span style="font-size:12.8px"><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div>Date: Thu, 7 Dec 2017 16:06:44 +0100</span><br style="font-size:12.8px"><span style="font-size:12.8px">From: Victor Julien <</span><a href="mailto:lists@inliniac.net" style="font-size:12.8px">lists@inliniac.net</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">To: </span><a href="mailto:oisf-users@lists.openinfosecfoundation.org" style="font-size:12.8px">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br 
style="font-size:12.8px"><span style="font-size:12.8px">Subject: Re: [Oisf-users] negative content match</span><br style="font-size:12.8px"><span style="font-size:12.8px">Message-ID: <</span><a href="mailto:c5ba4cf6-59c1-d64e-7280-723d14698755@inliniac.net" style="font-size:12.8px">c5ba4cf6-59c1-d64e-7280-<wbr>723d14698755@inliniac.net</a><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">Content-Type: text/plain; charset=utf-8</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">On 07-12-17 14:31, erik clark wrote:</span><br style="font-size:12.8px"><span style="font-size:12.8px">> So, I have a rule that has the following stub:</span><br style="font-size:12.8px"><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">> content:"</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">paypal.com</a><span style="font-size:12.8px"> <</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://paypal.com</a><span style="font-size:12.8px">>";http_</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">host;isdataat:0,relative</span><br style="font-size:12.8px"><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">> This checks to confirm the host IS </span><a href="http://somethingsomething.paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">somethingsomething.paypal.com</a><br style="font-size:12.8px"><span style="font-size:12.8px">> <</span><a href="http://somethingsomething.paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://somethingsomething.<wbr>paypal.com</a><span style="font-size:12.8px">>, and always ends in </span><a href="http://paypal.com/" rel="noreferrer" target="_blank" 
style="font-size:12.8px">paypal.com</a><br style="font-size:12.8px"><span style="font-size:12.8px">> <</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://paypal.com</a><span style="font-size:12.8px">>.</span><br style="font-size:12.8px"><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">> My question is, and this is conjecture because I am having a hard time</span><br style="font-size:12.8px"><span style="font-size:12.8px">> procuring the right pcap, will negating the content make this fire on</span><br style="font-size:12.8px"><span style="font-size:12.8px">> anything that does NOT end in </span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">paypal.com</a><span style="font-size:12.8px"> <</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://paypal.com</a><span style="font-size:12.8px">>? Like so:</span><br style="font-size:12.8px"><span style="font-size:12.8px">></span><br style="font-size:12.8px"><span style="font-size:12.8px">> content:!"</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">paypal.com</a><span style="font-size:12.8px"> <</span><a href="http://paypal.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://paypal.com</a><span style="font-size:12.8px">>";http_</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">host;isdataat:0,relative</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">To check 'pattern' is the end of the buffer, use</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">'content:"pattern"; isdataat:!1,relative;'</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">To check that there is data after 'pattern', use</span><br style="font-size:12.8px"><br 
style="font-size:12.8px"><span style="font-size:12.8px">'content:"pattern"; isdataat:1,relative;'</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">--</span><br style="font-size:12.8px"><span style="font-size:12.8px">------------------------------</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">---------------</span><br style="font-size:12.8px"><span style="font-size:12.8px">Victor Julien</span><br style="font-size:12.8px"><a href="http://www.inliniac.net/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://www.inliniac.net/</a><br style="font-size:12.8px"><span style="font-size:12.8px">PGP: </span><a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank" style="font-size:12.8px">http://www.inliniac.net/<wbr>victorjulien.asc</a><br style="font-size:12.8px"><span style="font-size:12.8px">------------------------------</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">---------------</span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 7, 2017 at 12:00 PM, <span dir="ltr"><<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Oisf-users mailing list submissions to<br>
<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org">oisf-users-request@lists.<wbr>openinfosecfoundation.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:oisf-users-owner@lists.openinfosecfoundation.org">oisf-users-owner@lists.<wbr>openinfosecfoundation.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Oisf-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: negative content match (Victor Julien)<br>
2. Re: negative content match (David Wharton)<br>
3. unix_dgram unix_stream file options (Jesse Cloutier)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 2<br>
Date: Thu, 7 Dec 2017 10:12:41 -0500<br>
From: David Wharton <<a href="mailto:oisf@davidwharton.us">oisf@davidwharton.us</a>><br>
To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] negative content match<br>
Message-ID: <<a href="mailto:a7bebdb1-334d-80a3-8e28-81126ddcb369@davidwharton.us">a7bebdb1-334d-80a3-8e28-<wbr>81126ddcb369@davidwharton.us</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
First, if you are looking to create a pcap and test it against Suricata,<br>
let me humbly suggest trying out Dalton --<br>
<a href="https://github.com/secureworks/dalton" rel="noreferrer" target="_blank">https://github.com/<wbr>secureworks/dalton</a>. If you just want to craft the<br>
pcap you can use Flowsynth (<a href="https://github.com/secureworks/flowsynth/" rel="noreferrer" target="_blank">https://github.com/<wbr>secureworks/flowsynth/</a>)<br>
but Dalton includes a Wizard/GUI for Flowsynth that makes it quite easy<br>
to create and test the pcap against a custom rule (or other ruleset).<br>
<br>
Second, if you want to make sure the HTTP Host header ends with<br>
"<a href="http://paypal.com" rel="noreferrer" target="_blank">paypal.com</a>", you should do a negated isdataat and use '1' instead of<br>
'0'; for the relative isdataat keyword, there is a difference between<br>
how Snort and Suricata handle it (see<br>
<a href="http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#isdataat-keyword" rel="noreferrer" target="_blank">http://suricata.readthedocs.<wbr>io/en/latest/rules/<wbr>differences-from-snort.html#<wbr>isdataat-keyword</a>). <br>
So do it like this:<br>
<br>
content:"paypal.com"; http_host; isdataat:!1,relative<br>
<br>
Finally, to answer your question ... a relative isdataat after a negated<br>
content match doesn't really make sense; it will apply to the previous<br>
(non-negated) content match instead (or beginning of inspection buffer<br>
if no previous content matches).<br>
<br>
What exactly are you trying to do here?<br>
<br>
Also, be aware of this issue -- "Negated http_* match returns false if<br>
buffer not populated"<br>
(<a href="https://redmine.openinfosecfoundation.org/issues/2224" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/<wbr>issues/2224</a>).<br>
<br>
Hope this helps,<br>
<br>
-David Wharton<br>
<br>
On 12/07/2017 08:31 AM, erik clark wrote:<br>
> So, I have a rule that has the following stub:<br>
><br>
><br>
> content:"paypal.com";http_host;isdataat:0,relative<br>
><br>
> This checks to confirm the host IS <a href="http://somethingsomething.paypal.com" rel="noreferrer" target="_blank">somethingsomething.paypal.com</a>,<br>
> and always ends in <a href="http://paypal.com" rel="noreferrer" target="_blank">paypal.com</a>.<br>
><br>
> My question is, and this is conjecture because I am having a hard time<br>
> procuring the right pcap, will negating the content make this fire on<br>
> anything that does NOT end in <a href="http://paypal.com" rel="noreferrer" target="_blank">paypal.com</a>? Like so:<br>
><br>
> content:!"paypal.com";http_host;isdataat:0,relative<br>
><br>
> Thanks!<br>
><br>
><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 7 Dec 2017 10:18:57 -0500<br>
From: Jesse Cloutier <<a href="mailto:cloutier.jesse@gmail.com">cloutier.jesse@gmail.com</a>><br>
To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
Subject: [Oisf-users] unix_dgram unix_stream file options<br>
Message-ID: <<a href="mailto:92eecc8a-237d-abfc-ab37-4b38fb1a23a1@gmail.com">92eecc8a-237d-abfc-ab37-<wbr>4b38fb1a23a1@gmail.com</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
Hello Everyone,<br>
<br>
I was hoping someone could point me to some documentation as to how<br>
unix_dgram and unix_stream filetypes work. If enabled am I supposed to<br>
put the IP:PORT as a filename?<br>
<br>
Thanks<br>
<br>
<br>
<br>
------------------------------<br>
<br>
End of Oisf-users Digest, Vol 97, Issue 8<br>
******************************<wbr>***********<br>
</blockquote></div><br></div>
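<p>Added example, not code from the thread or from Suricata itself: a small Python model of how a chain of <code>content</code> / <code>isdataat</code> options is evaluated against the <code>http_host</code> buffer, using the semantics the replies describe (a positive content match moves the inspection pointer to the end of the match, a negated one does not, and <code>isdataat:N,relative</code> is true when N bytes remain after the pointer). The three rule stubs are the ones discussed in the thread; the Host values it is meant to be run against are constructed samples.</p>

```python
import re
from typing import List, Optional, Tuple

# Rule stubs from the thread; http_host only selects the inspected buffer.
END_OF_BUFFER = 'content:"paypal.com"; http_host; isdataat:!1,relative;'
DATA_AFTER = 'content:"paypal.com"; http_host; isdataat:1,relative;'
NEGATED_ATTEMPT = 'content:!"paypal.com"; http_host; isdataat:0,relative;'


def parse_options(rule: str) -> List[Tuple[str, bool, object]]:
    """Parse rule options into (keyword, negated, value); no ';' in patterns."""
    opts = []
    for raw in filter(None, (o.strip() for o in rule.split(";"))):
        name, _, value = raw.partition(":")
        if name == "content":
            m = re.fullmatch(r'(!?)\s*"(.*)"', value)
            if not m:
                raise ValueError("bad content option: " + raw)
            opts.append(("content", m.group(1) == "!", m.group(2).encode()))
        elif name == "isdataat":
            m = re.fullmatch(r"(!?)(\d+),relative", value)
            if not m:
                raise ValueError("only isdataat:N,relative is modelled: " + raw)
            opts.append(("isdataat", m.group(1) == "!", int(m.group(2))))
        # http_host and other buffer selectors carry no matching logic here
    return opts


def _match(opts, host: bytes, i: int, pos: int) -> bool:
    """Evaluate opts[i:] with the relative inspection pointer at pos."""
    if i == len(opts):
        return True
    keyword, negated, value = opts[i]
    if keyword == "content":
        if negated:
            # Negated content never moves the pointer, so a following relative
            # isdataat refers to the previous positive match (or buffer start).
            return host.find(value) == -1 and _match(opts, host, i + 1, pos)
        idx = host.find(value)
        while idx != -1:  # retry later occurrences if a relative check fails
            if _match(opts, host, i + 1, idx + len(value)):
                return True
            idx = host.find(value, idx + 1)
        return False
    # isdataat:N,relative holds when at least N bytes remain after pos, so
    # isdataat:0,relative is always true and isdataat:!1 means end of buffer.
    has_data = len(host) - pos >= value
    return has_data != negated and _match(opts, host, i + 1, pos)


def eval_rule(rule: str, host: Optional[bytes]) -> bool:
    """True when the option chain matches the http_host buffer (None = absent)."""
    if host is None:  # buffer not populated: nothing matches, which for a
        return False  # negated http_* match is the behaviour issue 2224 reports
    return _match(parse_options(rule), host, 0, 0)
```

<p>Against constructed hosts such as <code>www.paypal.com</code> and <code>paypal.com.example.test</code>, <code>END_OF_BUFFER</code> alerts only on the first, <code>DATA_AFTER</code> only on the second, and <code>NEGATED_ATTEMPT</code> on neither, because a negated content match only says the string appears nowhere in the buffer.</p>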