<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Calligraphy";
panose-1:3 1 1 1 1 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi Eric,<o:p></o:p></p>
<p class="MsoNormal">Thanks for testing the rules. I’m also using 4.1.2. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">pcap file attached<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ena<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>From:</b> Eric Urban &lt;eurban@umn.edu&gt; <br>
<b>Sent:</b> Tuesday, February 19, 2019 12:31 PM<br>
<b>To:</b> GORHAM JOHNSON, OZELINA &lt;og1939@att.com&gt;<br>
<b>Cc:</b> oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] rule using http protocol not working<br>
<b>Importance:</b> High<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hello Ena,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I was looking into something similar to what you reported so decided to test your scenario. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Both rules triggered an alert in my tests. I did modify the second rule, which is the one that works for you, to use "any" instead of "$HTTP_PORTS" due to my environment. Other than that I left them the same.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don't know that it should matter, but I am testing this on 4.1.2. It might be useful for you to provide a packet capture as it is possible there is something else going on.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">- Eric<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, Feb 18, 2019 at 10:06 AM GORHAM JOHNSON, OZELINA &lt;<a href="mailto:og1939@att.com">og1939@att.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Trying to create a signature using the http protocol with the keywords http_header and http_uri, but the signature does not match the packet:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">alert http any any -> any any (msg:"Test http headers"; content:"Host|3A| www.test1.url.com"; http_header; content:"page2"; http_uri; fast_pattern; classtype:bad-unknown; rev:10; sid:9902;)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">But if I use the tcp protocol, the signature matches:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; content:"Host|3A| www.test1.url.com"; content:"page2"; fast_pattern; classtype:bad-unknown; rev:10; sid:2;)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Sample Packet<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Raw packet data<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hypertext Transfer Protocol<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> GET /page2 HTTP/1.1\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Host: www.test1.url.com\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Connection: close\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Accept: */*\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Accept-Language: en-us\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Accept-Encoding: gzip, deflate, compress\r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> \r\n<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> [Full request URI: http://www.test1.url.com/page2]<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> [HTTP request 1/1]<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Would someone explain why the signature using the http protocol does not work?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Lucida Calligraphy"">Ena
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><o:p></o:p></p>
</blockquote>
</div>
</div>
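<p class="MsoNormal">Added example, not part of any of the posts above: a stand-alone Python script that writes the request quoted in the thread to a pcap so the two rules can be replayed offline, which is the reproduction Eric asked for. It puts a full TCP handshake in front of the GET because with stream.midstream left at its default of false Suricata does not reassemble an orphan data segment, so a capture of the single HTTP packet alone would never reach the http_header and http_uri buffers; the Host and User-Agent values are the thread's own, while the MAC addresses, IP addresses, ports and timestamps are constructed.<o:p></o:p></p>

```python
import socket
import struct
# Constructed capture (added example, not from the posts): the request is the one quoted
# in the thread; MAC addresses, IPs, ports and timestamps are made up.
REQUEST = (b"GET /page2 HTTP/1.1\r\nHost: www.test1.url.com\r\nConnection: close\r\n"
           b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n"
           b"Accept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate, compress\r\n\r\n")
CLIENT, SERVER = ("10.0.0.2", 40000), ("10.0.0.1", 80)
SYN, PSH, ACK = 0x02, 0x08, 0x10
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # dst MAC, src MAC, IPv4
def checksum(data):
    # RFC 1071 ones'-complement sum; over a header whose checksum field is already filled in it yields 0.
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def segment(src, dst, seq, ack, flags, payload=b""):
    # Ethernet/IPv4/TCP frame without TCP options; both checksums valid so the sensor does not discard it.
    sip, dip = socket.inet_aton(src[0]), socket.inet_aton(dst[0])
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ETH + ip + tcp

def build_flow():
    # Handshake first: with stream.midstream off (the default) an orphan data segment is never parsed as HTTP.
    c, s = 1000, 5000
    return [segment(CLIENT, SERVER, c, 0, SYN),
            segment(SERVER, CLIENT, s, c + 1, SYN | ACK),
            segment(CLIENT, SERVER, c + 1, s + 1, ACK),
            segment(CLIENT, SERVER, c + 1, s + 1, PSH | ACK, REQUEST)]

def checksums_ok(frame):  # independent re-check of a frame produced by segment()
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0
def pcap_bytes(frames):
    # Classic libpcap file: little-endian magic, v2.4, linktype 1 (Ethernet), one record per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1550000000 + i, 0, len(fr), len(fr)) + fr
    return out
if __name__ == "__main__":  # then: suricata -r test1-page2.pcap -S test.rules -l ./logs
    with open("test1-page2.pcap", "wb") as f:
        f.write(pcap_bytes(build_flow()))
```

<p class="MsoNormal">Put both rules from the thread into test.rules, run Suricata against the generated file with -r, and compare the sid 9902 and sid 2 entries in fast.log; if only sid 2 fires on this clean capture, the difference is in the HTTP parsing path rather than in the traffic.<o:p></o:p></p>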
</div>
</body>
</html>