[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Vincent Fang vincent.y.fang at gmail.com
Mon Jan 14 22:00:15 UTC 2013


Since I cannot rely on external ip addresses, I've been testing out a new
rule that examines the http content, specifically the http header. Looking
at the http-keyword page on redmine, this is the new rule I created for
testing

alert http any any -> any any (msg:"rule fired"; content:"businessweek.com";
http_header;)

Looking at the example, it explains it would look at the http header for
any matching and create an alert if it matches. My one question is how
exactly does it do the matching?


For instance, the businessweek.com address can appear in two places based
on what I examined in the wireshark http packets

Host: www.businessweek.com\r\n

or

Referer: http://www.businessweek.com/\r\n

The examples shown in redmine only show it matching to the Host field but
would this same rule also match if the address showed up in the Referer
field? Right now I'm running into issues with Chrome caching which is
fuddling my results so I can't tell based on my testing, but I was
wondering if anyone had any experience and knows what Suricata is doing
with the content matching in the header field.

Also is it possible to specify a wildcard * in the content: "*
businessweek.com" for matching?

The end goal is for me to maybe specify that

content:"Host: *businessweek.com"; http_header;

so that Suricata would match all packets going to this address. I ran a
test with the modified rule

alert http any any -> any any (msg:"rule fired"; content:"*businessweek.com";
http_header;)

and fast.log isn't populating. I'm not sure if I'm doing it wrong or if
wildcards are not supported in Suricata rules.

Vince
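As an added illustration (not part of the original post and not Suricata project code): a small Python model of what a `content ...; http_header;` match sees. In Suricata the `http_header` buffer is the whole normalized request header block, not only the Host line, so a literal string is found wherever it occurs; `content` is a literal match in which `*` is just a byte, and restricting the hit to the Host line needs a regex (`pcre` with the `H` modifier) or a header-specific keyword. The two HTTP requests below are constructed sample data.

```python
import re

# Constructed sample requests: the domain once in Host, once only in Referer.
HOST_REQUEST = (
    "GET /news HTTP/1.1\r\n"
    "Host: www.businessweek.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
REFERER_REQUEST = (
    "GET /track.gif HTTP/1.1\r\n"
    "Host: ads.example.net\r\n"
    "Referer: http://www.businessweek.com/\r\n"
    "\r\n"
)


def header_buffer(request: str) -> str:
    """Approximate the http_header buffer: every header line after the
    request line, up to the blank line. (Suricata's real buffer also leaves
    out the Cookie header, which has its own keyword; not modelled here.)"""
    head, _, _ = request.partition("\r\n\r\n")
    _request_line, _, headers = head.partition("\r\n")
    return headers + "\r\n"


def content_matches(request: str, pattern: str) -> bool:
    """'content' is a literal substring match; '*' has no wildcard meaning."""
    return pattern in header_buffer(request)


def host_matches(request: str, domain_regex: str) -> bool:
    """Model of a regex anchored to the Host line (what pcre:/.../H can do)."""
    rx = re.compile(r"^Host:\s*[^\r\n]*" + domain_regex + r"\r\n", re.M)
    return rx.search(header_buffer(request)) is not None


def evaluate() -> dict:
    """Summarise how each rule style behaves against both sample requests."""
    return {
        "plain_hits_host_request": content_matches(HOST_REQUEST, "businessweek.com"),
        "plain_hits_referer_request": content_matches(REFERER_REQUEST, "businessweek.com"),
        "wildcard_hits_host_request": content_matches(HOST_REQUEST, "*businessweek.com"),
        "regex_hits_host_request": host_matches(HOST_REQUEST, r"businessweek\.com"),
        "regex_hits_referer_request": host_matches(REFERER_REQUEST, r"businessweek\.com"),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {hit}")
```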