[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Anoop Saldanha anoopsaldanha at gmail.com
Tue Jan 15 08:11:11 UTC 2013


On Tue, Jan 15, 2013 at 3:30 AM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> Since I cannot rely on external ip addresses, I've been testing out a new
> rule that examines the http content, specifically the http header. Looking
> at the http-keyword page on redmine, this is the new rule I created for
> testing
>
> alert http any any -> any any (msg:"rule fired"; content:"businessweek.com";
> http_header;)
>
> Looking at the example, it explains it would look at the http header for any
> matching and create an alert if it matches. My one question is how exactly
> does it do the matching?
>
>
> For instance, the businessweek.com address can appear in two places based on
> what I examined in the wireshark http packets
>
> Host: www.businessweek.com\r\n
>
> or
>
> Referer: http://www.businessweek.com/\r\n
>
> The examples shown in redmine only show it matching to the Host field but
> would this same rule also match if the address showed up in the Referer
> field? Right now I'm running into issues with Chrome caching which is
> fuddling my results so I can't tell based on my testing, but I was wondering
> if anyone had any experience and knows what Suricata is doing with the
> content matching in the header field.
>
> Also is it possible to specify a wildcard * in the content:
> "*businessweek.com" for matching?

No.

>
> The end goal is for me to maybe specify that
>
> content:"Host: *businessweek.com"; http_header;

This would work instead, although you are stuck with the subdomain -

content:"Host: www.businessweek.com"; http_header;

Contents can have fixed strings only.

If you'd want to use wildcards you can use pcre -

pcre:"/Host: .*businessweek\.com/H";

The option "H" refers to matching on the http header field.  We have
other such pcre options to match on different http fields/buffers.

>
> so that Suricata would match all packets going to this address. I ran a test
> with the modified rule
>
> alert http any any -> any any (msg:"rule fired";
> content:"*businessweek.com"; http_header;)
>
> and fast.log isn't populating. I'm not sure if I'm doing it wrong or if
> wildcards are not supported in Suricata rules.
>


-- 
Anoop Saldanha
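The behaviour discussed in the thread (a fixed-string content match runs over the whole header buffer, so it hits Host and Referer alike; "*" is not a wildcard; a pcre with the H modifier runs over the same buffer) can be shown with a small simulation. This is an added example written for this page, not code from Suricata or from either poster. It models the http_header buffer as the raw header lines after the request line, which is a simplification of what libhtp hands Suricata (no header normalisation is modelled), and the sample requests are constructed, not captured traffic.

```python
import re

# Constructed sample requests (not captured traffic). The first carries the
# domain in Host, the second only in Referer.
REQ_HOST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.businessweek.com\r\n"
    "User-Agent: example-agent/1.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
REQ_REFERER = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "Referer: http://www.businessweek.com/\r\n"
    "User-Agent: example-agent/1.0\r\n"
    "\r\n"
)


def http_header_buffer(raw_request):
    """Approximate the http_header buffer: every header line after the
    request line, up to the end of the headers. Assumption for this
    example: the request line itself is not part of the buffer."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return "\r\n".join(lines[1:]) + "\r\n"


def content_match(buf, needle, nocase=False):
    """content:"..."; http_header; is a plain substring search over the
    whole buffer. There are no wildcards: a '*' in the content is looked
    for literally, which is why content:"*businessweek.com" never fires."""
    if nocase:
        return needle.lower() in buf.lower()
    return needle in buf


def pcre_match(buf, pattern, flags=""):
    """pcre:"/.../H"; applies the regex to the same header buffer.
    Only the 'i' (case-insensitive) flag is modelled here."""
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.search(pattern, buf, re_flags) is not None


def evaluate_rules(raw_request):
    """Run the rules from the thread against one request and report
    which of them would alert."""
    buf = http_header_buffer(raw_request)
    return {
        # content:"businessweek.com"; http_header;
        "bare_domain": content_match(buf, "businessweek.com"),
        # content:"Host: www.businessweek.com"; http_header;
        "host_prefixed": content_match(buf, "Host: www.businessweek.com"),
        # content:"*businessweek.com"; http_header;  ('*' is literal)
        "literal_star": content_match(buf, "*businessweek.com"),
        # pcre:"/Host: .*businessweek\.com/H";  ('.' does not cross the
        # line break, so the Referer line cannot satisfy the Host pattern;
        # the dot in the domain is escaped so it matches only a literal '.')
        "pcre_host": pcre_match(buf, r"Host: .*businessweek\.com"),
    }


if __name__ == "__main__":
    for name, req in (("host", REQ_HOST), ("referer", REQ_REFERER)):
        print(name, evaluate_rules(req))
```

The bare-domain rule alerts on both requests because the Referer line also contains the string, the Host-prefixed rule and the pcre only on the first, and the rule with the literal "*" on neither. Note that content matching is case-sensitive unless nocase is added, and that an unescaped "." in the pcre would match any character, not just the dot in the domain.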


