[Discussion] Content-based alert message substitution
Martin Fong
martin.fong at sri.com
Fri Feb 6 02:18:46 UTC 2009
Victor Julien wrote:
> Frank Knobbe wrote:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GET request
>> for $VAR1 detected."; content:"GET "; depth:4;
>> assignvar:offset_4,depth_100,until_space,to_VAR1;)
>>
>> Request "GET /sumthin" results in alert message: "GET request
>> for /sumthin detected."
>>
>> Or something like that... :)
>
> I got that part, I meant to say I didn't get the points on the list
> except this one and the rules reload one :)
>
> In my prototype code I can already capture vars using pcre substring
> capturing, although adding an additional way to do this outside of pcre
> could be interesting too:
>
> alert tcp any any -> any $HTTP_PORTS (msg:"HTTP GET URI cap";
> flow:to_server; content:"GET "; depth:4; pcre:"/^GET
> (?P<pkt_http_uri>.*) HTTP\/\d\.\d\r\n/G"; noalert; sid:1;)
>
> This captures the http uri into the var "pkt_http_uri", which is stored
> in a packet context. Similarly, "flow_http_uri" stores it in a flow, so
> other packets in the same flow can access it. I'm thinking about adding
> the same for 'global', 'host', 'stream' and maybe more...
>
> Wrt the alerting, I like this idea, it's pretty simple to implement too.
I've implemented a prototype as a patch and have included some notes
in this e-mail. The major problem is _where_ to stow derived data.
Cheers!
...Martin
------------------------------------------------------------------------
msg: (parser.c:ParseMessage (char *))
msg:"*"[, FieldSpecifier]*
FieldSpecifier ::= FieldFormatter '.' FieldName [':' FormatSpecifier]
decode.h:Packet
EtherHdr eh.ether_{dst,src,type}
WifiHdr wifih.{addr[1-4],frame_control,duration_id,seq_control}
EtherARP ah.ARPHdr ea_hdr.ar_op
IPHdr {iph,orig_iph}.ip_{verhl,tos,len,id,off,ttl,proto,csum,src,dst}
TCPHdr {tcph,orig_tcph}.th_{[sd]port,seq,ack,offx2,flags,win,sum,urp}
u_int8_t *tcp_options_data
UDPHdr {udph,orig_udph}.th_{[sd]port}
u_int16_t actual_ip_len
preprocessor bhsd_inbound_msg: \
"E1[bh] Detected %s %s scan by %s %s of %s IPs: %s", \
bhsd.in.ipsweep, \
bhsd.in.port_focus, \
bhsd.in.scanner_addr, \
bhsd.in.SMOI, \
bhsd.in.num_IPs, \
bhsd.in.addresses:ports
preprocessor bhsd_outbound_msg: \
"E%s[bh] Detected %s %s port scanning of %s IPs (%s /24s) %s: %s", \
bhsd.out.category_type, \
bhsd.out.ipsweep, \
bhsd.out.port_focus, \
bhsd.out.num_IPs, \
bhsd.out.num_class_C, \
bhsd.out.SMOI, \
bhsd.out.ports:counts
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET [135:139,445] ( \
msg:"My test rule with %s/%s: %s, %s (%s), %s", test.this.label, test.skip.other, 42, \
Packet.EtherHdr.ether_type:name, Packet.EtherHdr.ether_type, Packet.EtherHdr.ether_src; \
flow:established; content:"|3131313131313131313131313131313131313131313131|"; \
classtype:attempted-admin; \
reference:url,www.eeye.com/html/research/advisories/AD20040501.html; \
reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; \
sid:292000032; rev:99; )
11/14-11:29:45.167337 [**] [1:292000032:99] My test rule with this.label/other: 42, IP protocol (0x0800), 00:21:1C:EE:14:00 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 95.28.87.240:21460 -> 192.168.132.9:445
11/14-11:29:47.355986 [**] [1:292000032:99] My test rule with this.label/other: 42, IP protocol (0x0800), 00:21:1C:EE:14:00 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 95.28.87.240:21478 -> 192.168.135.80:445
------------------------------------------------------------------------
MessageFormat \
match:"(^My test.+\\)).*"; \
replace:"\\1, MAC: %s", Packet.EtherHdr.ether_src
MessageFormat \
match:"(^E1\\[bh\\].+ IPs):.*"; \
replace:"\\1: ANONYMIZED"
MessageFormat \
match:"^E[58].+"; \
replace:"\\&, MAC: %s", Packet.EtherHdr.ether_src
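As an added illustration (not part of this post, nor of the Snort/Suricata prototype patch), the following Python sketch models the msg field-specifier grammar and the MessageFormat match/replace stage from the notes above. The flat packet context, the ':name' lookup table, hex as the default integer format and literal passthrough for non-field arguments are all assumptions; the sanitize step is the check a defender wants before a captured var such as a URI is interpolated into a single-line alert, since CR/LF inside the capture would otherwise split or forge alert lines for downstream parsers.

```python
import re

# Constructed packet context keyed by the FieldSpecifier names used in the notes
# (an assumed lookup layer, not Snort's decode.h Packet struct itself).
SAMPLE_PACKET = {
    "Packet.EtherHdr.ether_type": 0x0800,
    "Packet.EtherHdr.ether_src": "00:21:1C:EE:14:00",
    "Packet.pkt_http_uri": "/sumthin\r\nX-Injected: yes",  # constructed hostile capture
}
ETHER_TYPE_NAMES = {0x0800: "IP protocol", 0x0806: "ARP"}  # assumed ':name' table

def format_field(value, fspec):
    """Apply the optional ':FormatSpecifier'; only ':name' is modelled, ints default to 0x%04x."""
    if fspec == "name":
        return ETHER_TYPE_NAMES.get(value, f"0x{value:04x}")
    if fspec is not None:
        raise ValueError(f"unknown format specifier {fspec!r}")
    return f"0x{value:04x}" if isinstance(value, int) else str(value)

def sanitize(text):
    """Escape control bytes so a captured var cannot split or forge an alert line."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: f"\\x{ord(m.group()):02x}", text)

def parse_msg(option):
    """Parse  msg:"fmt", Field[:FormatSpec], ...  into (fmt, [(field, fspec), ...])."""
    m = re.fullmatch(r'msg:"((?:[^"\\]|\\.)*)"(?:\s*,(.*))?', option.strip().rstrip(";"))
    if not m:
        raise ValueError("malformed msg option")
    fmt, rest = m.group(1), m.group(2) or ""
    fields = [(n, f or None) for n, _, f in
              (s.strip().partition(":") for s in rest.split(",") if s.strip())]
    if fmt.count("%s") != len(fields):  # reject at rule-load time, not at alert time
        raise ValueError(f"{fmt.count('%s')} placeholders for {len(fields)} fields")
    return fmt, fields

def render(option, ctx):
    """Substitute fields into the msg; names not in ctx (42, labels) pass through literally."""
    fmt, fields = parse_msg(option)
    vals = [sanitize(format_field(ctx[n], f)) if n in ctx else n for n, f in fields]
    parts = fmt.split("%s")
    return parts[0] + "".join(v + p for v, p in zip(vals, parts[1:]))

def apply_message_formats(msg, rules, ctx):
    """Post-process with MessageFormat (match, replace, fields) rules; '\\&' is the whole match."""
    for match, replace, fields in rules:
        m = re.search(match, msg)
        if m is None:
            continue
        # double backslashes so sanitized values survive template expansion untouched
        vals = [sanitize(format_field(ctx[n], f)).replace("\\", "\\\\") for n, f in fields]
        parts = replace.replace(r"\&", r"\g<0>").split("%s")
        template = parts[0] + "".join(v + p for v, p in zip(vals, parts[1:]))
        msg = msg[:m.start()] + m.expand(template) + msg[m.end():]
    return msg
```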