[Oisf-devel] DNS/SMTP content modifier fields.

Puranik, Aditya apuranik at visa.com
Mon Apr 1 12:07:17 UTC 2019


Hi Victor,
Thanks for the response on the query. I will go through the files you have mentioned and try to add this functionality.
Will reach out to you in case I need further details.

Regards,
Aditya 

-----Original Message-----
From: Victor Julien <lists at inliniac.net> 
Sent: Monday, April 1, 2019 2:43 PM
To: Puranik, Aditya <apuranik at visa.com>; oisf-devel at lists.openinfosecfoundation.org
Cc: Hossain, Mahmud <mahhossa at visa.com>; Samaroo, Joel <jsamaroo at visa.com>; Arabally, Gopal <garaball at visa.com>
Subject: Re: [Oisf-devel] DNS/SMTP content modifier fields.

Hi Aditya,

On 26-03-19 09:36, Puranik, Aditya wrote:
> We are trying to explore and add new content modifier fields for 
> SMTP/DNS/ SMB protocols. Also we would like to expand this to other 
> protocols based on our requirements.
> 
> At present, Suricata has a very good coverage for HTTP protocol.
> 
> https://suricata.readthedocs.io/en/suricata-4.1.2/rules/http-keywords.html
> 
> HTTP content modifiers gives us better control to write a new rule or 
> to modify existing signatures.
> 
>  
> 
> We are planning to have similar modifiers for protocols like SMTP, 
> DNS, SMB.
> 
> For example: SMTP packet exchange/flow contains a bunch of fields like 
> mailfrom, rcptto, date, from, to, cc, reply_to, subject, 
> x_originating_ip, user_agent et al.
> 
> Something like : alert smtp $EXTERNAL_NET any -> $HOME_NET 
> (content*/:"username at example.com"; mail_from/*; sid:1;)

We are doing all new keywords as 'sticky buffers', so:

'mail_from; content:abc;'

This is simpler to implement in Suricata and simpler from the rule writer perspective as well.


> Similar requirements hold good for the other protocols mentioned.
> 
>  
> 
> We are interested in knowing
> 
> 1. What is the right approach to go about adding or modifying 
> the rules with new content modifiers?

Rule modifications are usually done using suricata-update's modify.conf, or a similar facility in other tools like pulledpork.


> 2. What is the placeholder in the code if we start adding these 
> new modifiers in the rules?

I would suggest having a look at the detect-template-buffer.[ch] files.
In scripts/ we have setup scripts to instantiate them into your own keyword.

See:
https://github.com/OISF/suricata/blob/master/src/detect-template-buffer.c
https://github.com/OISF/suricata/blob/master/src/detect-template-rust-buffer.c
https://github.com/OISF/suricata/blob/master/scripts/setup-app-layer.py


> 3. If code changes are needed to implement this functionality 
> what is the correct approach to accommodate these changes in existing 
> Suricata design?

Code changes will certainly be needed. See the template I mentioned above.

Regards,
Victor


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
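The thread contrasts two rule-writing styles: the content-modifier form in Aditya's example (`content:"..."; mail_from;`) and the sticky-buffer form Victor recommends (`mail_from; content:"...";`). The small model below is an added example written for this page; it is not Suricata code and does not reproduce Suricata's detection engine. It uses a tiny option parser plus two matchers, one per semantics, over a constructed SMTP transaction, to show why the order of the keywords changes what a rule means: under sticky-buffer semantics the buffer keyword applies to every following `content` until the next buffer keyword, whereas a modifier rebinds only the single `content` before it. The buffer names (`mail_from`, `rcpt_to`, `subject`, `user_agent`) are taken from the field list in the thread and are hypothetical here; the real keyword names and behaviour are defined by Suricata itself.

```python
import re

# Constructed SMTP transaction (not captured traffic): the per-field buffers a
# hypothetical SMTP parser would expose, plus the raw payload used for any
# content match that is not bound to a buffer.
SAMPLE_SMTP_TX = {
    "payload": ("MAIL FROM:<alice@example.com>\r\n"
                "RCPT TO:<bob@example.net>\r\n"
                "Subject: Invoice attached\r\n"),
    "mail_from": "alice@example.com",
    "rcpt_to": "bob@example.net",
    "subject": "Invoice attached",
}

# Hypothetical buffer keyword names, following the fields listed in the thread.
SMTP_BUFFERS = {"mail_from", "rcpt_to", "subject", "user_agent"}

# One rule option: keyword, optionally ':' and either a quoted or a bare value, then ';'.
_OPTION_RE = re.compile(r'\s*([A-Za-z_.]+)\s*(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')


def parse_options(options: str):
    """Split a rule option string such as 'mail_from; content:"abc"; sid:1;'
    into (keyword, value) pairs; value is None for bare keywords."""
    options = options.strip()
    pairs, pos = [], 0
    while pos < len(options):
        m = _OPTION_RE.match(options, pos)
        if not m:
            raise ValueError(f"cannot parse options at offset {pos}: {options[pos:]!r}")
        keyword, quoted, bare = m.groups()
        value = quoted if quoted is not None else (bare.strip() if bare is not None else None)
        pairs.append((keyword, value))
        pos = m.end()
    return pairs


def match_sticky(options: str, tx: dict, buffers: set) -> bool:
    """Sticky-buffer semantics (the form Victor suggests): a bare buffer keyword
    selects the buffer, and every content keyword after it is matched against
    that buffer until another buffer keyword appears. Content before any
    buffer keyword is matched against the raw payload."""
    current = "payload"
    for keyword, value in parse_options(options):
        if keyword in buffers and value is None:
            current = keyword
        elif keyword == "content":
            if value not in tx.get(current, ""):
                return False
        # other keywords (sid, msg, ...) do not affect buffer selection here
    return True


def match_modifier(options: str, tx: dict, buffers: set) -> bool:
    """Content-modifier semantics (the form in Aditya's example): a buffer
    keyword placed after a content keyword rebinds that single content to the
    buffer; a content with no trailing modifier is matched against the payload."""
    pending = None  # content value whose buffer is not yet decided
    for keyword, value in parse_options(options):
        if keyword == "content":
            if pending is not None and pending not in tx.get("payload", ""):
                return False
            pending = value
        elif keyword in buffers and value is None:
            if pending is None:
                raise ValueError(f"modifier {keyword!r} has no preceding content")
            if pending not in tx.get(keyword, ""):
                return False
            pending = None
    return pending is None or pending in tx.get("payload", "")


if __name__ == "__main__":
    rule = 'content:"bob"; mail_from; sid:1;'
    # Read as a modifier this asks "does mail_from contain bob?" (False); read as a
    # sticky buffer the content is matched against the payload first (True).
    print("modifier:", match_modifier(rule, SAMPLE_SMTP_TX, SMTP_BUFFERS))
    print("sticky:  ", match_sticky(rule, SAMPLE_SMTP_TX, SMTP_BUFFERS))
```

The sticky-buffer form is the simpler one for the engine precisely because the buffer choice is decided before any content is seen: `match_sticky` needs no deferred state, while `match_modifier` has to hold each content back until it knows whether a modifier follows.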


