<div dir="ltr">Hello,<div><br></div><div>You can match anywhere in the content you want. If you want to match things at the end of the buffer, say something like</div><div><br></div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>content:"105,110,105))"; http_uri; isdataat:!1,relative;</div></blockquote>
<div><br></div><div>Or if you are using Suricata 4.1beta you can do</div><div><br></div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>content:"105,110,105))"; endswith;</div></blockquote>
<div><br></div><div>For your rule:</div><div><br></div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><i>alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; http_client_body; nocase; classtype:test; sid:203456189; rev:1;)</i></div></blockquote>
<div><br></div><div>You have an error here --> "http_uri; http_client_body;" - you must specify contents one per buffer.</div>
<div><br></div><div>You would also need to add classtype of 'test' to classifications.config or your rule will error.</div>
<div><br></div><div>This should work (but will probably give false positives and may not be very efficient):</div><div><br></div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; nocase; sid:203456189; rev:1;)</div></blockquote>
<div><br>Thanks,</div><div><br></div><div>Jason</div><div><br></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <span dir="ltr">&lt;<a href="mailto:hackking@126.com" target="_blank">hackking@126.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="color:#000;font-size:14px;font-family:arial"><div>Hi all:<br>    When I was using Suricata, I encountered the following problems. Using Google and Bing, I didn't find a solution. How can I solve this problem?<br>    1. How do I start a match from the reciprocal N bytes of a payload or buffer?<br>    e.g.:<br>        <a class="m_839772643549979634external" href="http://localhost/?id=1&test=-1" target="_blank">http://localhost/?id=1&page=-1</a> union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))</div><div>    <br></div><div>    The match starts at the end of the uri:"116,46,105,110,105"<br><br></div><div>    2. Cannot specify multiple HTTP keywords in the content?<br>    e.g.:<br>    alert http any any -> any any (msg:"---(1)-test union select";content:"load_file";http_uri;http_client_body;nocase;classtype:test;sid:203456189;rev:1;)<br>    It doesn't work!<br><br>    Need to check whether there are related features in multiple fields in HTTP, and how to present them in a rule?<br></div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
</blockquote></div><br></div></div>
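<div>The advice in the reply above, written out as a small rule set. This is an added example, not part of the original thread; the sids, msg strings and the classification description and priority are constructed. Content matches inside one rule are ANDed, so alerting when the string appears in the URI or in the request body takes one rule per buffer:</div>

```suricata
# classification.config must define the custom classtype before these load,
# for example (description and priority are constructed):
#   config classification: test,Test rule,3

# One buffer modifier per content: this rule inspects only the normalized URI.
alert http any any -> any any (msg:"TEST load_file in HTTP URI"; content:"load_file"; http_uri; nocase; classtype:test; sid:1000001; rev:1;)

# Same string, request body only. Together with the rule above this gives
# "URI or body"; each buffer alerts under its own sid.
alert http any any -> any any (msg:"TEST load_file in HTTP request body"; content:"load_file"; http_client_body; nocase; classtype:test; sid:1000002; rev:1;)

# Two contents in one rule are ANDed, and each carries its own modifier.
# Here both look at http_uri: "load_file" anywhere in the URI, and the char()
# tail from the question as the final bytes of the URI. isdataat:!1,relative
# requires that no byte follows the preceding content match.
alert http any any -> any any (msg:"TEST load_file with char() tail at end of URI"; content:"load_file"; http_uri; nocase; content:"105,110,105))"; http_uri; isdataat:!1,relative; classtype:test; sid:1000003; rev:1;)
```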