<div dir="ltr"><div>On Sat, Jan 20, 2018 at 10:30 AM, Charles Devoe <span dir="ltr"><<a href="mailto:Charles.Devoe@cisecurity.org" target="_blank">Charles.Devoe@cisecurity.org</a>></span> wrote:<br></div><div><br></div><div>Charles,</div><div><br></div><div>Good questions, responses inline.</div><div><br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_7822581212788697013WordSection1">
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Running Suricata 4.0.0 and 4.0.3, Linux 6.8 (red hat variant), Kernel 3.8.13-118.8.1 and 4.1.12-103.9.2<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">I have the following rule that is looking for a uri that contains abcde.py at the end. As I understand it, if I have 3 content fields these should be a logical AND, not a logical OR. That is,
in this case the packet should include the POST AND /abcde.py AND Content-Length|3a| 56|0d 0a|<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> </span></p></div></div></blockquote><div><br></div><div>Yes, there is no 'OR' (unless using PCRE)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a uri"; content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; content:"Content-Length|3a| 56|0d 0a|"; http_header;
classtype:malware; sid:123456; rev:4;)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> </span></p></div></div></blockquote><div><div><br></div><div>For this rule I would suggest writing as</div><div><span style="font-family:Arial,sans-serif"><br></span></div><div><p class="MsoNormal"><font face="Arial, sans-serif"><span style="font-size:12.8px">alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a uri"; <b>flow:established,to_server;</b> content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; <b>http_content_len; content:"56";</b> sid:123456; rev:<b>5</b>;)</span></font></p></div><div><br></div><div><span style="font-family:Arial,sans-serif">The class type of "malware" does not exist in the typical classification.config, you would need to add that manually if using. </span></div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">The rule is firing and giving me this stream data, the only match I see is “Content-Length: 56”; I do not see the POST nor the abcde.py.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">HTTP/1.1 200 OK<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Content-Type: text/plain<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Accept-Ranges: bytes<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">ETag: "4ccd5def5ce2cb1:0"<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Server: Microsoft-IIS/7.5<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">X-Powered-By: <a href="http://ASP.NET" target="_blank">ASP.NET</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Date: Fri, 03 Nov 2017 17:29:31 GMT<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Connection: close<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Content-Length: 56<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">User-agent: *<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Disallow: /downloads/<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Disallow: /videos/HTTP/1.1 200 OK<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Content-Type: text/plain<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Accept-Ranges: bytes<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">ETag: "4ccd5def5ce2cb1:0"<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Server: Microsoft-IIS/7.5<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">X-Powered-By: <a href="http://ASP.NET" target="_blank">ASP.NET</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Date: Fri, 03 Nov 2017 17:29:31 GMT<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Connection: close<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Content-Length: 56<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">User-agent: *<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Disallow: /downloads/<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Disallow: /videos/<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> </span></p></div></div></blockquote><div><br></div><div>This is traffic that is seen $EXTERNAL_NET -> $HOME_NET, your rule was written for $HOME_NET -> $EXTERNAL_NET, you may not be looking at the right traffic.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Questions<br>
1. I am not getting all of the data?<br>
<br></span></p></div></div></blockquote><div><br></div><div>Not entirely sure what you mean, feel free to share a pcap off list if you would like and we can see what is going on.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif">
2. Does it matter if there is a space between content: and “POST”; that is will content: “POST” and content:“POST” behave the same?<br>
<br></span></p></div></div></blockquote><div><br></div><div>It does not matter, but for readability we recommend the format of ----> content:"POST";</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif">
3. Other than the Suricata documentation, are there any other good resources for learning to write rules?</span></p></div></div></blockquote><div><br></div><div><a href="https://suricata.readthedocs.io">https://suricata.readthedocs.io</a> is a great reference for buffers and syntax. I recommend to check the rules out in the ET OPEN ruleset. You can also use the pcaps and write ups provided on <a href="https://malware-traffic-analysis.net">https://malware-traffic-analysis.net</a> and try to write some signatures on recent malware.<br></div><div><br></div><div>We (OISF) do live free 4 hour workshops, some materials can be found on last year's defcon workshops page. There is also the recent <a href="http://learnsuricata.com">learnsuricata.com</a> online training that was just launched. Both the workshop and online training cover rule writing basics. </div><div><br></div><div>For more in-depth rule writing training the OISF does live 2 day rule writing trainings, as well as private training events. The proceeds of which goes right back into the OISF for more suricata awesomeness.</div><div><br></div><div>HTH,</div><div><br></div><div>Jason</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_7822581212788697013WordSection1"><p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u><u></u></span></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br><br>. . . . .</div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div></div>