[Oisf-users] HTTP parsing events in Suricata

Victor Julien victor at inliniac.net
Wed Jan 11 19:20:01 UTC 2012


From my blog
http://www.inliniac.net/blog/2012/01/11/http-parsing-events-in-suricata.html:

"With the 1.2rc1 release you will notice no more HTTP errors on the
screen. Or SMTP errors. This output has been disabled finally. This was
a long-time annoyance.

As you may still be interested in the errors they are now available
through the rule language. In rules/http-events.rules and
rules/smtp-events.rules rules for all possible events/errors can be found.

Example:
app-layer-event:http.missing_host_header;

This will match on HTTP/1.1 requests without a Host header.

Some of these rules might be noisy (they are not in my local network),
but rather than disabling them I'd suggest suppressing them. The reason
is that for each time they hit a flowint will be incremented:

flowint:http.anomaly.count,+,1;

This will allow you to get alerts on streams with high anomaly counts:

alert http any any -> any any (msg:"LOCAL really poor HTTP session";
flowint:http.anomaly.count,>,5; sid:123; rev:1;)

This will give you an alert if there have been more than 5 anomalies
detected.

Blog spammers, malware and other unwanted HTTP users often use HTTP with
all kinds of issues, so this may be a helpful tool in detecting those."

I would be interested to hear experiences on busy networks with these
rules enabled!

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
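Putting the pieces from the post together, as an added example that is not from the original mail or from the Suricata project's own rules files: a small rule set in which the HTTP event rules only feed the shared per-flow counter, and one threshold rule raises the alert. The sid values are placeholders, http.host_header_ambiguous is assumed to exist in your version (check rules/http-events.rules for the exact event names), and the counter reset after alerting is an addition of this example.

```suricata
# Added example (not from the original post). Event rules count anomalies
# per flow; only the last rule alerts.

# Each parser event increments the shared flowint. "noalert" lets the rule
# run and update the counter without producing its own alert, which is the
# "suppress rather than disable" approach the post recommends.
alert http any any -> any any (msg:"LOCAL HTTP missing Host header"; app-layer-event:http.missing_host_header; flowint:http.anomaly.count,+,1; noalert; sid:1000001; rev:1;)

# Assumed event name; verify it in rules/http-events.rules for your version.
alert http any any -> any any (msg:"LOCAL HTTP ambiguous Host header"; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; noalert; sid:1000002; rev:1;)

# Alert once more than 5 anomalies were seen on the same flow. Resetting the
# counter afterwards avoids one alert per additional request in that flow;
# remove the reset if you want the alert repeated on every later anomaly.
alert http any any -> any any (msg:"LOCAL really poor HTTP session"; flowint:http.anomaly.count,>,5; flowint:http.anomaly.count,=,0; sid:1000003; rev:1;)
```

Alternatively, keep the stock event rules alerting and silence them in threshold.config with a suppress entry per sid; the flowint increment still runs either way.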