[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?

Vincent Fang vincent.y.fang at gmail.com
Sat Jan 26 01:16:14 UTC 2013


I applied the patch in the source code directory:

patch < 0001-Add-support-for-a-new-keyword-to-inspect-http_host-h.patch

and ran the tests with the new alert rules and the following wireshark
filter:

http.host contains "businessweek.com" && ip.src == 192.168.32.136

and after visiting the website, I had 28 results in wireshark

fast.log had 56 lines
28 were from the http_host rule
28 were from the pcre rule

So far everything looks good. From Brian's response, if it's true that
hostname can appear elsewhere and not in the http header, that would be a
problem but unfortunately I do not know enough on that field and will be
reading up on it. All I can say for now is the patch appears to work as
intended.


On Fri, Jan 25, 2013 at 8:19 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> Try this patch out (you can apply the patch using "git am -3 <patch>")
>
> It introduces a new keyword + pcre modifier that would inspect just
> the host header.
>
> The keyword being "http_host" and the pcre modifier being "W"
>
> You can now use it in a rule like this -
>
> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
> pcre:"/\.businessweek.com/W"; sid:1;)
> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
> content:".businessweek.com"; http_host; sid:2;)
>
> Let me know how it works with the above rules.
>
> On Fri, Jan 25, 2013 at 8:47 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> > On Thu, Jan 24, 2013 at 10:29 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> >> Here's the new results, I will run the tests again to see if it's consistent
> >> but using the wireshark filter
> >>
> >> http contains "businessweek.com"
> >>
> >> there were 75 matches
> >>
> >> and in the fast.log there were 138 total alerts from the two new rules you
> >> specified
> >> grep -c "http header" fast.log -> 69 lines
> >> grep -c "pcre version" fast.log -> 69 lines
> >>
> >> so they're both the same. Ran suricata in offline mode and the results were
> >> the same so that's good since they're consistent.
> >>
> >> Here's a copy of the two rules
> >>
> >> alert ip $HOME_NET any -> any any (msg:"pcre version rule fired";
> >> pcre:"/\s.*?\.businessweek.com/H"; sid:1;)
> >>
> >> alert ip $HOME_NET any -> any any (msg:"http header rule fired";
> >> content:".businessweek.com"; http_header; sid:2;)
> >>
> >> In the next few runs I also plan to change the protocol to http instead of
> >> ip, and I technically should get the same numbers yes?
> >>
> >
> > Yes, you should.
> >
> > Keep in mind that the above rules can also match on other headers
> > containing businessweek.com, for example the referer header.
> >
> >>
> >> On Thu, Jan 24, 2013 at 9:44 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
> >> wrote:
> >>>
> >>> Sounds good. Will open a feature request for "http_host" keyword.
> >>>
> >>> On Thu, Jan 24, 2013 at 7:45 PM, Matt <matt at somedamn.com> wrote:
> >>> > I would find that useful, especially if it increases efficiency in the
> >>> > same way as http_user_agent.  Among other things, I use Suricata to match
> >>> > blacklists of known bad URLs, and all those rules include a content match
> >>> > for the HTTP Host.
> >>> >
> >>> > Matt
> >>> >
> >>> > On 1/24/2013 3:13 AM, Peter Manev wrote:
> >>> >
> >>> >
> >>> >
> >>> > On Thu, Jan 24, 2013 at 9:11 AM, Anoop Saldanha
> >>> > <anoopsaldanha at gmail.com>
> >>> > wrote:
> >>> >>
> >>> >> On Thu, Jan 24, 2013 at 1:37 PM, Peter Manev <petermanev at gmail.com>
> >>> >> wrote:
> >>> >> >
> >>> >> >> However, any of the techniques mentioned above isn't a foolproof way
> >>> >> >> to match on the host header.  The right way would be to provide a new
> >>> >> >> keyword called "http_host".
> >>> >> >>
> >>> >> > Anoop or Vincent would you please put in feature request for that?
> >>> >> >
> >>> >>
> >>> >> We should probably consult users/rule-writers if such a keyword would
> >>> >> be useful to them?
> >>> >>
> >>> >> --
> >>> >> Anoop Saldanha
> >>> >
> >>> > sure
> >>> >
> >>> >
> >>> > --
> >>> > Regards,
> >>> > Peter Manev
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> > Site: http://suricata-ids.org | Support:
> >>> > http://suricata-ids.org/support/
> >>> > List:
> >>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> > OISF: http://www.openinfosecfoundation.org/
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Anoop Saldanha
> >>
> >>
> >
> >
> >
> > --
> > Anoop Saldanha
>
>
>
> --
> Anoop Saldanha
>
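
The difference discussed in this thread between a `content` match with `http_header` and one restricted to the Host header, as an added example that is not part of the original posts or of the Suricata code. The requests are constructed samples, the function names are hypothetical, and the matching is a plain case-sensitive substring check that only approximates what the two keywords inspect.

```python
# Added illustration: header-wide matching versus Host-only matching.
# All requests below are constructed samples, not captured traffic.
NEEDLE = b".businessweek.com"

SAMPLE_REQUESTS = [
    # Host is the site itself: both styles of rule should fire.
    b"GET / HTTP/1.1\r\nHost: www.businessweek.com\r\nUser-Agent: test\r\n\r\n",
    # Third-party host, site name only in Referer: a header-wide match fires.
    b"GET /ad.js HTTP/1.1\r\nHost: cdn.example.net\r\n"
    b"Referer: http://www.businessweek.com/\r\n\r\n",
    # Header names are case-insensitive in HTTP, so "HOST" is still the Host header.
    b"GET /img.png HTTP/1.1\r\nHOST: images.businessweek.com\r\n\r\n",
    # Unrelated request: nothing should fire.
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]


def parse_headers(request: bytes) -> list[tuple[bytes, bytes]]:
    """Return (lower-cased name, value) pairs, skipping the request line."""
    head = request.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def matching_headers(request: bytes, needle: bytes = NEEDLE) -> list[bytes]:
    """Names of every header whose line contains the needle."""
    return [n for n, v in parse_headers(request) if needle in n + b": " + v]


def header_block_match(request: bytes, needle: bytes = NEEDLE) -> bool:
    """Approximates content + http_header: any header may satisfy the match."""
    return bool(matching_headers(request, needle))


def host_match(request: bytes, needle: bytes = NEEDLE) -> bool:
    """Approximates content + http_host: only the Host header counts."""
    return b"host" in matching_headers(request, needle)


def count_alerts(requests: list[bytes]) -> dict[str, int]:
    """Alert counts each style of rule would produce over the sample set."""
    return {
        "http_header": sum(header_block_match(r) for r in requests),
        "http_host": sum(host_match(r) for r in requests),
    }
```

Comparing the two counts on the same capture, together with `matching_headers` for the requests where they differ, shows which headers other than Host are producing the extra alerts.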