<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head><body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Jasaon, thanks for the good info. I’m still curious though about why the alert triggered for the content:”POST” when there is no POST in the session data.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b>Charles DeVoe Jr.</b><o:p></o:p></p>
<p class="MsoNormal">Manager of Engineering<o:p></o:p></p>
<p class="MsoNormal">Multi-State Information Sharing and Analysis Center (MS-ISAC) <o:p></o:p></p>
<p class="MsoNormal">31 Tech Valley Drive<o:p></o:p></p>
<p class="MsoNormal">East Greenbush, NY 12061<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><a href="mailto:charles.devoe@cisecurity.org"><span style="color:#0563C1">charles.devoe@cisecurity.org</span></a><o:p></o:p></p>
<p class="MsoNormal">(518) 266-3494<o:p></o:p></p>
<p class="MsoNormal">7x24 Security Operations Center<o:p></o:p></p>
<p class="MsoNormal"><a href="mailto:SOC@cisecurity.org"><span style="color:#0563C1">SOC@cisecurity.org</span></a> - 1-866-787-4722<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><img border="0" width="237" height="55" id="_x0000_i1029" src="cid:image001.png@01D3941F.B4CD5950" alt="id:image001.png@01D38B89.513EFFE0"><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <a href="https://www.facebook.com/CenterforIntSec"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1028" src="cid:image002.png@01D3941F.B4CD5950" alt="id:image002.png@01D38B89.513EFFE0"></span></a> <a href="https://twitter.com/CISecurity"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1027" src="cid:image003.png@01D3941F.B4CD5950" alt="id:image003.png@01D38B89.513EFFE0"></span></a> <a href="https://www.youtube.com/user/TheCISecurity"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1026" src="cid:image004.png@01D3941F.B4CD5950" alt="id:image004.png@01D38B89.513EFFE0"></span></a> <a href="https://www.linkedin.com/company/the-center-for-internet-security"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1025" src="cid:image005.png@01D3941F.B4CD5950" alt="id:image005.png@01D38B89.513EFFE0"></span></a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Jason Williams <jwilliams@emergingthreats.net><br>
<b>Date: </b>Monday, January 22, 2018 at 4:38 PM<br>
<b>To: </b>Charles Devoe <Charles.Devoe@cisecurity.org><br>
<b>Cc: </b>"oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org><br>
<b>Subject: </b>Re: [Oisf-users] Rule not alerting as expected<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On Sat, Jan 20, 2018 at 10:30 AM, Charles Devoe <<a href="mailto:Charles.Devoe@cisecurity.org" target="_blank">Charles.Devoe@cisecurity.org</a>> wrote:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Charles,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Good questions, responses inline.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Running Suricata 4.0.0 and 4.0.3, Linux 6.8 (red hat variant), Kernel 3.8.13-118.8.1 and 4.1.12-103.9.2</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">I have the following rule that is looking for a uri that contains
<a href="http://abcde.py">
abcde.py</a> at the end. As I understand it, if I have 3 content fields these should be a logical AND, not a logical OR. That is, in this case the packet should include the POST AND
<a href="http:///abcde.py">/abcde.py</a> AND Content-Length|3a| 56|0d 0a|</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Yes, there is no 'OR' (unless using PCRE)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a uri"; content:"POST"; http_method; content:"<a href="http:///abcde.py">/abcde.py</a>";
http_uri; urilen:9; content:"Content-Length|3a| 56|0d 0a|"; http_header; classtype:malware; sid:123456; rev:4;)</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For this rule I would suggest writing as<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.5pt;font-family:"Arial",sans-serif">alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a uri"; <b>flow:established,to_server;</b> content:"POST";
http_method; content:"<a href="http:///abcde.py">/abcde.py</a>"; http_uri; urilen:9; <b>http_content_len; content:"56";</b> sid:123456; rev:<b>5</b>;)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">The class type of "malware" does not exist in the typical classification.config, you would need to add that manually if using. </span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">The rule is firing and giving me this stream data, the only match I see is “Content-Length: 56”; I do not see the POST nor the
<a href="http://abcde.py">
abcde.py</a>.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">HTTP/1.1 200 OK</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Content-Type: text/plain</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Accept-Ranges: bytes</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">ETag: "4ccd5def5ce2cb1:0"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Server: Microsoft-IIS/7.5</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">X-Powered-By:
<a href="http://ASP.NET" target="_blank">
ASP.NET</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Date: Fri, 03 Nov 2017 17:29:31 GMT</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Connection: close</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Content-Length: 56</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">User-agent: *</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Disallow: /downloads/</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Disallow: /videos/HTTP/1.1 200 OK</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Content-Type: text/plain</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Accept-Ranges: bytes</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">ETag: "4ccd5def5ce2cb1:0"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Server: Microsoft-IIS/7.5</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">X-Powered-By:
<a href="http://ASP.NET" target="_blank">
ASP.NET</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Date: Fri, 03 Nov 2017 17:29:31 GMT</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Connection: close</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Content-Length: 56</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">User-agent: *</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Disallow: /downloads/</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">Disallow: /videos/</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is traffic that is seen $EXTERNAL_NET -> $HOME_NET, your rule was written for $HOME_NET -> $EXTERNAL_NET, you may not be looking at the right traffic.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-family:"Arial",sans-serif">Questions<br>
1. I am not getting all of the data?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Not entirely sure what you mean, feel free to share a pcap off list if you would like and we can see what is going on.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-family:"Arial",sans-serif">2. Does it matter if there is a space between content: and “POST”; that is will content: “POST” and content:“POST” behave the same?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It does not matter, but for readability we recommend the format of ----> content:"POST";<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif">3. Other than the Suricata documentation, are there any other good resources for learning to write rules?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://suricata.readthedocs.io">https://suricata.readthedocs.io</a> is a great reference for buffers and syntax. I recommend to check the rules out in the ET OPEN ruleset.
You can also use the pcaps and write ups provided on <a href="https://malware-traffic-analysis.net">
https://malware-traffic-analysis.net</a> and try to write some signatures on recent malware.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We (OISF) do live free 4 hour workshops, some materials can be found on last year's defcon workshops page. There is also the recent
<a href="http://learnsuricata.com">
learnsuricata.com</a> online training that was just launched. Both the workshop and online training cover rule writing basics. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For more in-depth rule writing training the OISF does live 2 day rule writing trainings, as well as private training events. The proceeds of which goes right back into the OISF for more suricata awesomeness.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">HTH,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Jason<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
Please notify the sender immediately and permanently delete the message and any attachments.
<br>
<br>
. . . . .<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">
http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">
http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" target="_blank">
https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank">
https://suricata-ids.org/training/</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
..... <br>
<br>
<o:p></o:p></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br /><br />. . . . .</body></html>