[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Will Metcalf william.metcalf at gmail.com
Fri Jan 25 15:23:12 UTC 2013


While we are talking about it, having len and endswith would be really
useful for at least http_uri, http_user_agent, and http_host_header.
The first for performing exact matches, i.e.

content:"Mozilla"; http_user_agent; http_user_agent_len:7;

to match

User-Agent: Mozilla\r\n

or

content:".exe"; http_uri; endswith;

to match

GET /blah/blat/foo.exe HTTP/1.1\r\n


etc... Want a feature request? :)

Regards,

Will
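The point made in this thread (a plain http_header content match fires on any header that contains the string, including Referer; a host-only buffer with a suffix anchor or an exact length does not) can be modelled in a few lines. The following is an added example, not code from Suricata or from anyone on the list: the functions are hypothetical stand-ins for the keywords under discussion (http_header, the proposed http_host, endswith, http_user_agent_len), and the three HTTP requests are constructed for the demo.

```python
"""Toy model of the buffer/modifier semantics discussed in the thread.

Added example, not Suricata code. Each match_* function is a hypothetical
stand-in for one rule keyword combination; the raw requests are constructed.
"""
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request line, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    treats them. Duplicate headers keep the last value (a simplification).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def uri_of(request_line: str) -> str:
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


# --- stand-ins for the keyword combinations discussed in the thread ------

def match_http_header(headers: Dict[str, str], needle: str) -> bool:
    """content:"..."; http_header;  -- substring of ANY header line (CRLF normalized out)."""
    return any(needle in f"{n}: {v}" for n, v in headers.items())


def match_http_host(headers: Dict[str, str], needle: str) -> bool:
    """content:"..."; http_host;  -- substring of the Host header only (proposed keyword)."""
    return needle in headers.get("host", "")


def match_http_host_endswith(headers: Dict[str, str], needle: str) -> bool:
    """content:"..."; http_host; endswith;  -- Host header value must END with the needle."""
    return headers.get("host", "").endswith(needle)


def match_user_agent_exact(headers: Dict[str, str], needle: str) -> bool:
    """content:"Mozilla"; http_user_agent; http_user_agent_len:7;  -- substring + exact length."""
    ua = headers.get("user-agent", "")
    return needle in ua and len(ua) == len(needle)


def match_uri_endswith(request_line: str, needle: str) -> bool:
    """content:".exe"; http_uri; endswith;  -- request URI must END with the needle."""
    return uri_of(request_line).endswith(needle)


# Constructed sample traffic: the real site, a look-alike host that merely
# starts with the real name, and a request that only mentions the site in Referer.
REQUESTS = {
    "real": (b"GET /x HTTP/1.1\r\nHost: www.businessweek.com\r\n"
             b"User-Agent: Mozilla\r\n\r\n"),
    "lookalike": (b"GET /y HTTP/1.1\r\nHost: www.businessweek.com.evil.example\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "referer_only": (b"GET /blah/blat/foo.exe HTTP/1.1\r\nHost: cdn.example\r\n"
                     b"Referer: http://www.businessweek.com/a\r\n"
                     b"User-Agent: curl/7.0\r\n\r\n"),
}


def evaluate(needle: str = ".businessweek.com") -> Dict[str, Dict[str, bool]]:
    """Return, per constructed request, which stand-in keyword combinations fire."""
    results: Dict[str, Dict[str, bool]] = {}
    for name, raw in REQUESTS.items():
        request_line, headers = parse_request(raw)
        results[name] = {
            "http_header": match_http_header(headers, needle),
            "http_host": match_http_host(headers, needle),
            "http_host_endswith": match_http_host_endswith(headers, needle),
            "ua_exact_Mozilla": match_user_agent_exact(headers, "Mozilla"),
            "uri_endswith_exe": match_uri_endswith(request_line, ".exe"),
        }
    return results


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(name, {k: v for k, v in hits.items()})
```

Running it shows the three behaviours the thread describes: the plain http_header match fires on all three requests (the Referer-only request included), the host-only match drops the Referer case but still fires on the look-alike host, and only the endswith form fires on the real site alone. The length-anchored User-Agent rule fires on "Mozilla" but not on "Mozilla/5.0".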

On Fri, Jan 25, 2013 at 8:47 AM, William Metcalf
<william.metcalf at gmail.com> wrote:
> If the CRLF is normalized out, then from a rule writer's perspective we would probably continue to use http_header in most cases, as generally when you want to match on, say, google.com, what you really want to match is .google.com\r\n and not .somethinggoogle.com.ru. Would it be possible to add an endswith modifier for this normalized buffer?
>
> Regards,
>
> Will
> On Jan 25, 2013, at 7:19 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> Try this patch out (you can apply the patch using "git am -3 <patch>").
>>
>> It introduces a new keyword + pcre modifier that would inspect just
>> the host header.
>>
>> The keyword being "http_host" and the pcre modifier being "W"
>>
>> You can now use it in a rule like this -
>>
>> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
>> pcre:"/\.businessweek.com/W"; sid:1;)
>> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
>> content:".businessweek.com"; http_host; sid:2;)
>>
>> Let me know how it works with the above rules.
>>
>> On Fri, Jan 25, 2013 at 8:47 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>> On Thu, Jan 24, 2013 at 10:29 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
>>>> Here's the new results, I will run the tests again to see if it's consistent
>>>> but using the wireshark filter
>>>>
>>>> http contains "businessweek.com"
>>>>
>>>> there were 75 matches
>>>>
>>>> and in the fast.log there were 138 total alerts from the two new rules you
>>>> specified
>>>> grep -c "http header" fast.log -> 69 lines
>>>> grep -c "pcre version" fast.log -> 69 lines
>>>>
>>>> so they're both the same. Ran suricata in offline mode and the results were
>>>> the same so that's good since they're consistent.
>>>>
>>>> Here's a copy of the two rules
>>>>
>>>> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
>>>> pcre:"/\s.*?\.businessweek.com/H"; sid:1;)
>>>>
>>>> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
>>>> content:".businessweek.com"; http_header; sid:2;)
>>>>
>>>> In the next few runs I also plan to change the protocol to http instead of
>>>> ip, and I technically should get the same numbers yes?
>>>
>>> Yes, you should.
>>>
>>> Keep in mind that the above rules can also match on other headers
>>> containing businessweek.com, for example the referer header.
>>>
>>>>
>>>> On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
>>>> wrote:
>>>>>
>>>>> Sounds good.  Will open a feature request for "http_host" keyword;
>>>>>
>>>>> On Thu, Jan 24, 2013 at 7:45 PM, Matt <matt at somedamn.com> wrote:
>>>>>> I would find that useful, especially if it increases efficiency in the
>>>>>> same
>>>>>> way as http_user_agent.  Among other things, I use Suricata to match
>>>>>> blacklists of known bad URLs, and all those rules include a content
>>>>>> match
>>>>>> for the HTTP Host.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> On 1/24/2013 3:13 AM, Peter Manev wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha
>>>>>> <anoopsaldanha at gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <petermanev at gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> However, any of the techniques mentioned above isn't a foolproof way
>>>>>>>>> to match on the host header.  The right way would be to provide a
>>>>>>>>> new
>>>>>>>>> keyword called "http_host".
>>>>>>>> Anoop or Vincent would you please put in feature request for that?
>>>>>>>
>>>>>>> We should probably consult users/rule-writers if such a keyword would
>>>>>>> be useful to them?
>>>>>>>
>>>>>>> --
>>>>>>> Anoop Saldanha
>>>>>>
>>>>>> sure
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Peter Manev
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Anoop Saldanha
>>>
>>>
>>>
>>> --
>>> Anoop Saldanha
>>
>>
>>
>> --
>> Anoop Saldanha
>> <0001-Add-support-for-a-new-keyword-to-inspect-http_host-h.patch>
