[Oisf-users] HTTP missing user agent detection

Kevin Ross kevross33 at googlemail.com
Sun Nov 2 00:14:59 UTC 2014


Here you go, these should work. I have also done one for the HOST header being
missing, which is also common. With no positive content match I worry these
may FP for various odd reasons on otherwise legit traffic, but hopefully
not. Also one for connection to IP, which is also common: a user would
go to your site by its name like mysite.com but an automated attack tool,
scanner, exploit etc. will hit it by IP, so this gets a large percentage of
them.

All of these will have TERRIBLE performance and you are better off
deploying a web firewall if you can either commercial or modsecurity which
also has information rules like this but you also have the ability to see
in HTTPS. You can then use auditconsole to monitor alerts and things.

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL-WEB
Connection Missing User-Agent Header Common In Automated Malicious
Traffic"; flow:established,to_server; content:!"User-Agent|3A 20|";
http_header; classtype:web-application-attack; sid:134991; rev:1;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL-WEB
Connection Missing Host Header Common In Automated Malicious Traffic";
flow:established,to_server; content:!"Host|3A 20|"; http_header;
classtype:web-application-attack; sid:134992; rev:1;)

This rule can be improved locally in the following ways:
- If you know what IPs your server has, simply create one such as the following instead
of all the content match stuff and PCRE to match an IP in the header: use
simply content:"Host|3A 20|10.10.10.10"; http_header; (with the address
being whatever yours is). This would drastically increase the performance
and accuracy of this rule for you and make it actually, of the 3, the most
worthwhile one to use, as it will get most attack traffic and, as a result of
your IP being defined (or multiple rules with each/PCRE to match them), will
be much better.
- You could also add in something like content:!"Host|3A 20|mysitename.com";
http_header; and negate the next matches too if you are using the below rule.

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL-WEB
Connection To Server IP Rather Than Hostname Common In Automated Malicious
Traffic"; flow:established,to_server; content:"Host|3A 20|"; http_header;
content:"|2E|"; http_header; distance:1; within:3; content:"|2E|";
http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1;
within:3; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H";
classtype:web-application-attack; sid:134993; rev:1;)

Anyway, I hope this helps you, but again I would recommend you look at a web
firewall of some sort as it is better equipped, although in theory the
combination of the 3 rules above can detect a large percentage of the
automated attack activity.

Kind Regards,
Kevin Ross

On 30 October 2014 10:21, Evrard, Benjamin <benjamin.evrard at adelpha.be>
wrote:

> Hi everyone !
>
> I've been trying to find if it's possible to write a rule that's
> triggered when specific fields are completely absent from a request or
> empty.
>
> In this specific case, I'd like to trigger an alert when no user agent
> is sent with an HTTP request.
>
> I have found rulesets achieving the same kind of match I try to
> (https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
> but could see no trace of a way to specifically match the absence of
> user-agent. I also looked at the source code of the app-layer-htp
> module (
> https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
> but could not find any lead there either.
>
> Does this feature exist somewhere else or is it planned to be included
> in some future release ?
>
> Best regards,
> Evrard B.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
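The three indicators in Kevin's rules above (no User-Agent header, no Host header, Host set to a bare IP) and his "Host is not our site name" refinement, modelled offline in Python as an added example. This is not Suricata code and not Kevin's code; the sample requests are constructed for the example, and `mysite.com` / `10.10.10.10` are placeholders. Two design points differ from a literal rule: header names are compared case-insensitively here (HTTP requires that; a plain `content` match is case-sensitive unless `nocase` is used), and the IP check parses the whole hostname instead of matching an unanchored dotted-digit pattern, so a name such as `10.10.10.10.example.net` is not counted as a bare IP even though the unanchored pattern would match it.

```python
"""Offline model of the missing-User-Agent, missing-Host and Host-is-IP
indicators from the posted rules. Added example; not Suricata's or the
list author's code."""
import re
from ipaddress import ip_address

# Constructed sample requests for this example (not captured traffic).
SAMPLE_REQUESTS = {
    "browser": (b"GET / HTTP/1.1\r\nHost: mysite.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    "no_ua": b"GET /login HTTP/1.1\r\nHost: mysite.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.0\r\nUser-Agent: example-client/1.0\r\n\r\n",
    "by_ip": (b"GET /login HTTP/1.1\r\nHost: 10.10.10.10:8080\r\n"
              b"User-Agent: curl/7.58.0\r\n\r\n"),
    "ip_like_name": (b"GET / HTTP/1.1\r\nHost: 10.10.10.10.example.net\r\n"
                     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "lowercase": (b"GET / HTTP/1.1\r\nhost: MySite.com\r\n"
                  b"user-agent: Mozilla/5.0\r\n\r\n"),
}

# Unanchored dotted-digit pattern with the same shape as the posted pcre.
LOOSE_IPV4 = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def parse_headers(raw):
    """Return {header-name: value} with names lower-cased, because HTTP
    header names are case-insensitive. First occurrence of a name wins."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, value.strip().decode("latin-1"))
    return headers


def hostname_of(host_value):
    """Drop an optional :port from a Host value (names and IPv4 only)."""
    return host_value.split(":", 1)[0].strip().lower()


def loose_ip_match(host_value):
    """What an unanchored dotted-digit pattern flags as an IP."""
    return LOOSE_IPV4.match(host_value) is not None


def host_is_bare_ip(host_value):
    """Strict check: the whole hostname part must parse as an IP address."""
    try:
        ip_address(hostname_of(host_value))
        return True
    except ValueError:
        return False


def classify(raw, expected_hosts=None):
    """Return the set of indicator names that fire for one raw request.
    expected_hosts (optional) is the set of names this server is known by."""
    headers = parse_headers(raw)
    hits = set()
    if "user-agent" not in headers:
        hits.add("missing_user_agent")
    if "host" not in headers:
        hits.add("missing_host")
    else:
        host = headers["host"]
        if host_is_bare_ip(host):
            hits.add("host_is_ip")
        if expected_hosts and hostname_of(host) not in expected_hosts:
            hits.add("host_not_ours")
    return hits


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:13s} -> {sorted(classify(raw, {'mysite.com'}))}")
```

Run it as a script to see which indicators each constructed request trips. The `host_not_ours` check is the cheap, high-value variant Kevin recommends: once the server's own names and addresses are known, anything else in the Host header is worth an alert regardless of whether it looks like an IP.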