[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?
William Metcalf
william.metcalf at gmail.com
Fri Jan 25 14:47:08 UTC 2013
If the CRLF is normalized out, from a rule writer's perspective we probably continue to use http_header in most cases, as generally when you want to match on, say, google.com, what you really want to match is .google.com\r\n and not .somethinggoogle.com.ru. Would it be possible to add an endswith modifier for this normalized buffer?
Regards,
Will
On Jan 25, 2013, at 7:19 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> Try this patch out (you can apply the patch using "git am -3 <patch>").
>
> It introduces a new keyword + pcre modifier that would inspect just
> the host header.
>
> The keyword being "http_host" and the pcre modifier being "W"
>
> You can now use it in a rule like this -
>
> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
> pcre:"/\.businessweek.com/W"; sid:1;)
> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
> content:".businessweek.com"; http_host; sid:2;)
>
> Let me know how it works with the above rules.
>
> On Fri, Jan 25, 2013 at 8:47 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>> On Thu, Jan 24, 2013 at 10:29 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
>>> Here's the new results, I will run the tests again to see if it's consistent
>>> but using the wireshark filter
>>>
>>> http contains "businessweek.com"
>>>
>>> there were 75 matches
>>>
>>> and in the fast.log there were 138 total alerts from the two new rules you
>>> specified
>>> grep -c "http header" fast.log -> 69 lines
>>> grep -c "pcre version" fast.log -> 69 lines
>>>
>>> so they're both the same. Ran suricata in offline mode and the results were
>>> the same so that's good since they're consistent.
>>>
>>> Here's a copy of the two rules
>>>
>>> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
>>> pcre:"/\s.*?\.businessweek.com/H"; sid:1;)
>>>
>>> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
>>> content:".businessweek.com"; http_header; sid:2;)
>>>
>>> In the next few runs I also plan to change the protocol to http instead of
>>> ip, and I technically should get the same numbers yes?
>>
>> Yes, you should.
>>
>> Keep in mind that the above rules can also match on other headers
>> containing businessweek.com, for example the referer header.
>>
>>>
>>> On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>>>
>>>> Sound good. Will open a feature request for "http_host" keyword;
>>>>
>>>> On Thu, Jan 24, 2013 at 7:45 PM, Matt <matt at somedamn.com> wrote:
>>>>> I would find that useful, especially if it increases efficiency in the
>>>>> same way as http_user_agent. Among other things, I use Suricata to match
>>>>> blacklists of known bad URLs, and all those rules include a content
>>>>> match for the HTTP Host.
>>>>>
>>>>> Matt
>>>>>
>>>>> On 1/24/2013 3:13 AM, Peter Manev wrote:
>>>>>
>>>>> On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>>>>>
>>>>>> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>>>>>
>>>>>>>> However, none of the techniques mentioned above is a foolproof way
>>>>>>>> to match on the host header. The right way would be to provide a
>>>>>>>> new keyword called "http_host".
>>>>>>> Anoop or Vincent would you please put in feature request for that?
>>>>>>
>>>>>> We should probably consult users/rule-writers if such a keyword would
>>>>>> be useful to them?
>>>>>>
>>>>>> --
>>>>>> Anoop Saldanha
>>>>>
>>>>> sure
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Peter Manev
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support:
>>>>> http://suricata-ids.org/support/
>>>>> List:
>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
>>>> --
>>>> Anoop Saldanha
>>
>> --
>> Anoop Saldanha
>
> --
> Anoop Saldanha
> <0001-Add-support-for-a-new-keyword-to-inspect-http_host-h.patch>
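The distinction the thread draws, as an added example that is not code from this list or from the Suricata project: it models a content match over the whole header block (http_header), one restricted to the Host header value (http_host), and the endswith check asked for above, run against three constructed requests. The buffer construction is a deliberate simplification, not Suricata's real normalization.

```python
# Added example, not Suricata code. The three request buffers below are constructed.
RAW_REQUESTS = {
    "host_match": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.businessweek.com\r\n"
        b"User-Agent: test\r\n\r\n"
    ),
    # businessweek.com appears only in the Referer, the case Anoop warns about.
    "referer_only": (
        b"GET /img.png HTTP/1.1\r\n"
        b"Host: cdn.example.net\r\n"
        b"Referer: http://www.businessweek.com/index.html\r\n\r\n"
    ),
    # A look-alike host that a plain substring match still accepts.
    "lookalike": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.businessweek.com.evil.example\r\n\r\n"
    ),
}


def parse_headers(raw: bytes) -> list:
    """Split a request into (name, value) pairs, skipping the request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def http_header_buffer(raw: bytes) -> str:
    """All headers with CRLF kept: a rough stand-in for the http_header buffer."""
    return "".join(f"{n}: {v}\r\n" for n, v in parse_headers(raw))


def http_host_buffer(raw: bytes) -> str:
    """Only the Host value, lower-cased: the http_host idea (assumed normalization)."""
    for n, v in parse_headers(raw):
        if n == "host":
            return v.lower()
    return ""


def matches(raw: bytes, needle: str = ".businessweek.com") -> dict:
    """Evaluate the thread's two rule styles plus an endswith variant on one request."""
    host = http_host_buffer(raw)
    return {
        "http_header": needle in http_header_buffer(raw).lower(),  # sid:2 with http_header
        "http_host": needle in host,                               # sid:2 with http_host
        "host_endswith": host.endswith(needle),                    # endswith modifier idea
    }
```

Only the endswith variant rejects the look-alike host, and only the Host-restricted buffers ignore the Referer hit.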