[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 25 03:17:20 UTC 2013


On Thu, Jan 24, 2013 at 10:29 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> Here are the new results; I will run the tests again to see if they're consistent,
> but using the Wireshark filter
>
> http contains "businessweek.com"
>
> there were 75 matches
>
> and in the fast.log there were 138 total alerts from the two new rules you
> specified
> grep -c "http header" fast.log -> 69 lines
> grep -c "pcre version" fast.log -> 69 lines
>
> so they're both the same. Ran Suricata in offline mode and the results were
> the same, so that's good since they're consistent.
>
> Here's a copy of the two rules
>
> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
> pcre:"/\s.*?\.businessweek.com/H"; sid:1;)
>
> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
> content:".businessweek.com"; http_header; sid:2;)
>
> In the next few runs I also plan to change the protocol to http instead of
> ip, and I technically should get the same numbers, yes?
>

Yes, you should.

Keep in mind that the above rules can also match on other headers
containing businessweek.com, for example the Referer header.

>
> On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> Sounds good. Will open a feature request for an "http_host" keyword.
>>
>> On Thu, Jan 24, 2013 at 7:45 PM, Matt <matt at somedamn.com> wrote:
>> > I would find that useful, especially if it increases efficiency in the
>> > same way as http_user_agent.  Among other things, I use Suricata to match
>> > blacklists of known bad URLs, and all those rules include a content match
>> > for the HTTP Host.
>> >
>> > Matt
>> >
>> > On 1/24/2013 3:13 AM, Peter Manev wrote:
>> >
>> > On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
>> > wrote:
>> >>
>> >> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <petermanev at gmail.com>
>> >> wrote:
>> >> >
>> >> >> However, none of the techniques mentioned above is a foolproof way
>> >> >> to match on the Host header.  The right way would be to provide a
>> >> >> new keyword called "http_host".
>> >> >>
>> >> > Anoop or Vincent would you please put in feature request for that?
>> >> >
>> >>
>> >> We should probably consult users/rule-writers if such a keyword would
>> >> be useful to them?
>> >>
>> >> --
>> >> Anoop Saldanha
>> >
>> > sure
>> >
>> >
>> > --
>> > Regards,
>> > Peter Manev
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>> >
>> >
>>
>> --
>> Anoop Saldanha



-- 
Anoop Saldanha
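As an added illustration (not code from this thread or from Suricata), the following Python model shows why the two rules above fire on the same requests and why a Referer header containing businessweek.com counts too: both inspect the whole header block, whereas the requested http_host keyword would look only at the Host value. The header-buffer approximation, the hypothetical host-only check, and the sample requests are all constructed assumptions.

```python
import re

# Constructed sample requests (not captured traffic); each is one raw HTTP request.
REQUESTS = {
    "host_match": "GET / HTTP/1.1\r\nHost: www.businessweek.com\r\nUser-Agent: t\r\n\r\n",
    "referer_only": ("GET /a HTTP/1.1\r\nHost: www.example.com\r\n"
                     "Referer: http://www.businessweek.com/news\r\n\r\n"),
    "no_match": "GET /b HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def header_buffer(raw):
    """Assumed approximation of the http_header buffer: the header block after
    the request line, up to and including the last CRLF before the blank line."""
    _, _, rest = raw.partition("\r\n")
    return rest.split("\r\n\r\n", 1)[0] + "\r\n"

def rule_http_header(raw, needle=".businessweek.com"):
    """content:".businessweek.com"; http_header; -- substring anywhere in the headers."""
    return needle in header_buffer(raw)

def rule_pcre_h(raw, pattern=r"\s.*?\.businessweek.com"):
    r"""pcre:"/\s.*?\.businessweek.com/H" -- regex over the same buffer.
    Note the unescaped '.' before 'com' in the thread's pattern matches any character."""
    return re.search(pattern, header_buffer(raw)) is not None

def rule_host_only(raw, needle=".businessweek.com"):
    """Hypothetical http_host semantics (the keyword requested in the thread, not
    present in Suricata 1.4): inspect only the Host header value."""
    for line in header_buffer(raw).split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return needle in value.strip()
    return False

def alert_counts(requests):
    """Per-rule alert totals, like the grep -c counts on fast.log in the thread."""
    rules = {"http_header": rule_http_header, "pcre_H": rule_pcre_h,
             "host_only": rule_host_only}
    return {name: sum(rule(r) for r in requests.values()) for name, rule in rules.items()}

if __name__ == "__main__":
    # host_only is lower: the Referer-only request is not counted by it
    print(alert_counts(REQUESTS))
```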


