[Oisf-devel] http buffers

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Feb 17 13:24:07 UTC 2012


I definitely agree, it'd be great to have more header firlds directly exposed to rule options. 

I like the structure we're going for with the ssl stuff, which if I recall correctly is like:

ssl.client.cert.ou:"....

How about something similar for http, like:

http.host:"...

or http.useragent:"....";

I'd really like to avoid more modifier tags for content matches. That's getting out of hand. 

Matt

On Feb 14, 2012, at 12:35 PM, Will Metcalf wrote:

> +1 for being able to match on common named http headers.  In some
> cases this means we don't have to invoke the PCRE performance
> devil....
> 
> Regards,
> 
> Will
> 
> On Tue, Feb 14, 2012 at 11:29 AM, Anoop Saldanha
> <anoopsaldanha at gmail.com> wrote:
>> On Tue, Feb 14, 2012 at 7:11 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 02/14/2012 01:12 PM, Chris Wakelin wrote:
>>>> On 14/02/12 11:52, Victor Julien wrote:
>>>>> Noticed quite a few ET rules match completely in HTTP buffers (uri,
>>>>> headers, etc) except for the request and/or response protocol.
>>>>> 
>>>>> What about adding http_proto (http request proto) and http_stat_proto
>>>>> (http response proto) in Suricata? Any use for that?
>>>>> 
>>>>> They would contain "HTTP/1.1" or "HTTP/1.0".
>>>> 
>>>> Sounds useful!
>>>> 
>>>> What about other common headers such as "Host:" and "Referer:"? Would we
>>>> get a performance boost?
>>> 
>>> Preparing the buffer would require some cycles, we'd safe some on
>>> inspection. My guess is a minor speedup, but hard to predict.
>>> 
>>> Adding more buffers is certainly possible. User-agent would be a good
>>> candidate too I think.
>>> 
>>>> 
>>>>> The HTTP/0.9 case is interesting, as it commits this field. We could
>>>>> forge it, so you can match on "HTTP/0.9". Thoughts?
>>>> 
>>>> You mean "omits" rather than "commits" I think? Forging it makes sense,
>>>> I guess.
>>> 
>>> Ya omits indeed :)
>>> 
>>>> 
>>>> One thing I wondered about the HTTP engine is would it be possible to
>>>> have single rule check both request and response headers, or even
>>>> request headers and response body, or will we need to use flowbits?
>>> 
>>> Technically it's possible, and in some cases it may even already work.
>>> We've been enforcing adding a direction on some keywords though.
>>> 
>>> I think we never really made a decision on where to go with this. The
>>> rule language and current rule writers think in one direction I think.
>>> But bidirectional, especially for HTTP, is possible since we inspect the
>>> full HTTP state.
>>> 
>> 
>> We had a sorta discussion on this in one of our devel threads for
>> response headers.  I like the idea of inspection of http state across
>> both directions irrespective of sig direction.  More like the
>> direction for keywords overrides sig direction.  This way we don't
>> have to resort to flowbits to write such rules.
>> 
>>>> e.g. I have a couple of rules using flowbits that look for an executable
>>>> downloaded from "/" without a referrer.
>>> 
>>> Ya I can see the use. Have you tried a sig like this? I wonder about
>>> performance too.
>> 
>> --
>> Anoop Saldanha
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------




More information about the Oisf-devel mailing list