[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Vincent Fang vincent.y.fang at gmail.com
Thu Jan 24 16:59:19 UTC 2013


Here are the new results; I will run the tests again to see if they're
consistent, but using the wireshark filter

http contains "businessweek.com"

there were 75 matches

and in the fast.log there were 138 total alerts from the two new rules you
specified
grep -c "http header" fast.log -> 69 lines
grep -c "pcre version" fast.log -> 69 lines

so they're both the same. Ran suricata in offline mode and the results were
the same so that's good since they're consistent.

Here's a copy of the two rules

alert ip $HOME_NET any -> any any (msg:"pcre version rule fired"; pcre:"/\s.*?\.businessweek.com/H"; sid:1;)

alert ip $HOME_NET any -> any any (msg:"http header rule fired"; content:".businessweek.com"; http_header; sid:2;)

In the next few runs I also plan to change the protocol to http instead of
ip, and I should technically get the same numbers, yes?


On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> Sound good.  Will open a feature request for "http_host" keyword;
>
> On Thu, Jan 24, 2013 at 7:45 PM, Matt <matt at somedamn.com> wrote:
> > I would find that useful, especially if it increases efficiency in the
> > same way as http_user_agent.  Among other things, I use Suricata to match
> > blacklists of known bad URLs, and all those rules include a content match
> > for the HTTP Host.
> >
> > Matt
> >
> > On 1/24/2013 3:13 AM, Peter Manev wrote:
> >
> >
> >
> > On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
> > wrote:
> >>
> >> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <petermanev at gmail.com> wrote:
> >> >
> >> >> However, any of the techniques mentioned above isn't a foolproof way
> >> >> to match on the host header.  The right way would be to provide a new
> >> >> keyword called "http_host".
> >> >>
> >> > Anoop or Vincent would you please put in feature request for that?
> >> >
> >>
> >> We should probably consult users/rule-writers if such a keyword would
> >> be useful to them?
> >>
> >> --
> >> Anoop Saldanha
> >
> > sure
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
>
> --
> Anoop Saldanha
>
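The thread compares three ways of matching a hostname: a `content` match in the `http_header` buffer, a `pcre` with the `/H` modifier over the same buffer, and the proposed `http_host` keyword that would look only at the Host header. The following Python model, added here as an illustration and not code from the thread or from Suricata itself, runs the two posted rules and an `http_host`-style check over a handful of constructed HTTP requests. It assumes a simplified header buffer (everything after the request line up to the blank line; Suricata's real normalization differs in details such as header folding) and shows why equal alert counts, like the 69/69 reported above, do not by themselves prove the two rules fired on the same traffic: a Referer header containing the domain satisfies both header-buffer rules while the Host header does not, and a bare `Host: businessweek.com` satisfies neither because of the leading dot in the patterns.

```python
import re

# Constructed sample requests (not captured traffic), as the raw bytes
# Suricata would parse before building its header buffer.
REQUESTS = {
    "host_match": (
        "GET / HTTP/1.1\r\n"
        "Host: www.businessweek.com\r\n"
        "User-Agent: test\r\n\r\n"
    ),
    "referer_only": (
        "GET /a HTTP/1.1\r\n"
        "Host: example.net\r\n"
        "Referer: http://www.businessweek.com/page\r\n\r\n"
    ),
    "no_match": (
        "GET /b HTTP/1.1\r\n"
        "Host: example.org\r\n\r\n"
    ),
    "bare_host": (
        "GET /c HTTP/1.1\r\n"
        "Host: businessweek.com\r\n\r\n"
    ),
}


def header_buffer(raw):
    """Approximate the http_header buffer: all header lines after the
    request line, up to the blank line. Assumption: a simplified model of
    Suricata's normalized buffer."""
    head, _, _ = raw.partition("\r\n\r\n")
    return head.split("\r\n", 1)[1] + "\r\n"


def content_http_header(raw, needle=".businessweek.com"):
    """Equivalent of: content:".businessweek.com"; http_header;"""
    return needle in header_buffer(raw)


# Equivalent of: pcre:"/\s.*?\.businessweek.com/H"
# Note the second '.' is unescaped in the posted regex, so it matches any
# character there; the pattern is reproduced as posted.
PCRE_H = re.compile(r"\s.*?\.businessweek.com")


def pcre_h(raw):
    return PCRE_H.search(header_buffer(raw)) is not None


def host_header(raw):
    """Return the value of the Host header, or None if absent."""
    for line in header_buffer(raw).split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def http_host_match(raw, domain="businessweek.com"):
    """What a dedicated http_host keyword would do: match the domain or any
    subdomain of it, in the Host header only (hypothetical semantics)."""
    host = host_header(raw)
    return host is not None and (host == domain or host.endswith("." + domain))


def evaluate(raw):
    """Which of the three rules would fire on one request."""
    return {
        "http_header": content_http_header(raw),
        "pcre_H": pcre_h(raw),
        "http_host": http_host_match(raw),
    }


def alert_counts(requests):
    """Per-rule totals, the equivalent of `grep -c` over fast.log."""
    counts = {"http_header": 0, "pcre_H": 0, "http_host": 0}
    for raw in requests.values():
        for rule, fired in evaluate(raw).items():
            counts[rule] += int(fired)
    return counts


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(name, evaluate(raw))
    print("totals", alert_counts(REQUESTS))
```

Over these four requests every rule fires exactly twice, so the totals agree just as the 69/69 counts in the thread do, yet `http_host` fires on a different pair of requests than the two header-buffer rules. When validating a rule rewrite, compare alerts per flow (for example by matching on the flow tuple or timestamp in fast.log) rather than only the totals.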