[Discussion] Submitted Ideas

Victor Julien lists at inliniac.net
Thu Feb 5 18:59:51 UTC 2009


Frank Knobbe wrote:
> On Thu, 2009-02-05 at 07:25 +0100, Victor Julien wrote:
>> Same here, for all of them though, except the alert message substitution
>> and on the fly rule updates...
>>
>> It all sounds very interesting... if I only knew what it meant ;-)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GET request
> for $VAR1 detected."; content:"GET "; depth:4;
> assignvar:offset_4,depth_100,until_space,to_VAR1;)
> 
> Request "GET /sumthin" results in alert message: "GET request
> for /sumthin detected."
> 
> Or something like that... :)

I got that part; I meant to say I didn't get the points on the list
except this one and the rules reload one :)

In my prototype code I can already capture vars using pcre substring
capturing, although adding an additional way to do this outside of pcre
could be interesting too:

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP GET URI cap";
flow:to_server; content:"GET "; depth:4; pcre:"/^GET
(?P<pkt_http_uri>.*) HTTP\/\d\.\d\r\n/G"; noalert; sid:1;)

This captures the http uri into the var "pkt_http_uri", which is stored
in a packet context. Similarly, "flow_http_uri" stores it in a flow, so
other packets in the same flow can access it. I'm thinking about adding
the same for 'global', 'host', 'stream' and maybe more...

Wrt the alerting, I like this idea, it's pretty simple to implement too.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
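As an added illustration (not Victor's prototype code or anything from the project), here is a toy rule-engine fragment in Python showing how the proposed scheme could behave: the rule's pcre named captures are written to a packet context or a flow context according to the "pkt_"/"flow_" name prefix, and an alert msg with $name references (Frank's substitution idea) is expanded from those contexts. The context dictionaries, the prefix stripping and the $name fallback order are assumptions made for the example.

```python
import re

# Added example, not Victor's prototype: captures go to a per-packet or
# per-flow dict by name prefix; $name in the msg is expanded from them.

def compile_pcre(opt):
    """Turn a Suricata-style pcre value "/.../flags" into a Python regex.
    Only 'i' is mapped; other modifiers (e.g. 'G') are ignored here."""
    m = re.match(r'^/(.*)/([A-Za-z]*)$', opt, re.S)
    if not m:
        raise ValueError("malformed pcre option: %r" % opt)
    body, flags = m.groups()
    return re.compile(body, re.I if 'i' in flags else 0)

def apply_captures(regex, payload, pkt_ctx, flow_ctx):
    """Run the capture; pkt_ vars live only in this packet's context,
    flow_ vars are written to the flow so later packets can read them."""
    m = regex.search(payload)
    if not m:
        return False
    for name, value in m.groupdict().items():
        if value is None:
            continue
        if name.startswith("pkt_"):
            pkt_ctx[name[len("pkt_"):]] = value
        elif name.startswith("flow_"):
            flow_ctx[name[len("flow_"):]] = value
        # 'global', 'host', 'stream' scopes are not modelled here
    return True

def expand_msg(msg, pkt_ctx, flow_ctx):
    """Replace $name with the packet var, then the flow var; keep unknown refs."""
    def repl(mo):
        name = mo.group(1)
        return pkt_ctx.get(name, flow_ctx.get(name, mo.group(0)))
    return re.sub(r'\$(\w+)', repl, msg)

def demo():
    """Constructed request/response pair on one flow; returns both messages."""
    flow = {}
    req = "GET /sumthin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    # packet 1: capture the URI into the flow (the rule itself is 'noalert')
    pkt1 = {}
    apply_captures(compile_pcre(r'/^GET (?P<flow_http_uri>.*) HTTP\/\d\.\d\r\n/G'),
                   req, pkt1, flow)
    # packet 2: a response rule can reference the URI captured from packet 1
    pkt2 = {}
    apply_captures(compile_pcre(r'/^HTTP\/\d\.\d (?P<pkt_status>\d{3})/'), resp, pkt2, flow)
    return (expand_msg("GET request for $http_uri detected.", pkt1, flow),
            expand_msg("Status $status for $http_uri.", pkt2, flow))
```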