[Oisf-users] How do I match a URL with a Suricata rule?
Marius
wishinet at gmail.com
Thu Dec 10 16:56:08 UTC 2015
Hi,
I am working on a way for URL matching using Suri (2.0.8, but I can
upgrade)
I think the easiest way is using LuaJIT in a rule. The use case is matching
"bad URLs" - which are from dynamic Malware analysis.
Here is what I tried so far:
I create a file and put the bad URLs in there - like this:
http://badstuff.com/bad/malware.exe
http://reallybadstuff.com/worse/evilware.msi
I want to match these URLs with Suri. To do this I write a quick rule:
$$ more /etc/suricata/rules/custom.rules
alert http any any -> any any (msg:"LUAJIT test"; luajit:file.lua;
sid:900000; flow:established; rev:1)
I have compiled suricata 2.0.8 on a Gentoo system:
./configure --enable-luajit --with-libpcap_ng-libraries=/usr/local/lib
--with-libpcap_ng-includes=/usr/local/include/ --prefix=/usr/
--sysconfdir=/etc/ --localstatedir=/var/ --disable-gccmarch-native
--enable-gccprotect --with-libluajit-includes=/usr/include/luajit-2.0
...
libnss support: no
libnspr support: no
libjansson support: yes
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: yes
....
That looks fine to me. Now I test it:
sudo suricata --af-packet=eno1 -S /etc/suricata/rules/custom.rules -v
I see the following error:
<Info> - Loading rule file: /etc/suricata/rules/custom.rules
<Error> - [ERRCODE: SC_ERR_LUAJIT_ERROR(212)] - unsupported data type
protocol
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error par
sing signature "alert http any any -> any any (msg:"LUAJIT test";
luajit:file.lua; sid:900000; flow:established; rev:1)" from file
/etc/suricata/rules/custom.rules at line 1
<Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from
/etc/suricata/rules/custom.rules
Does someone know why the rule parser steps out? From what I see the
feature is compiled into the engine. I don't see what the error message
indicates.
Below is my current lua code for reference. I tested some simpler lua
scripts with the same error in the log.
Best,
Marius
local open = io.open
function init (args)
local needs = {}
needs["protocol"] = "http"
-- needs["http.uri"] = tostring(true)
return needs
end
function setup (args)
filename = SCLogPath() .. "/" .. name
file = assert(io.open(filename, "a"))
SCLogInfo("HTTP Log Filename " .. filename)
http = 0
end
function match(args)
--for line in io.lines("bad_urls.txt") do
-- print(line)
-- end
http_host = HttpGetRequestHost()
if http_host == nil then
return 0
end
http_uri = HttpGetRequestUriNormalized()
if http_uri == nil then
return 0
end
local file = io.open("bad_urls.txt", "r");
local arr = {}
for line in file:lines() do
table.insert (arr, line);
end
ts = SCPacketTimeString()
ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
file:write(ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
http_ua .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
dstip .. ":" .. dp .. "\n")
file:flush()
a = tostring(args["http.uri"])
a = http_host + "/" + a
for url in arr do
net_url = "http://" .. http_host .. http_uri
if url == net_url then
-- file:write(net_url .. " matches bad url - potential
Malware\n")
return 1
end
end
return 0
end
function deinit (args)
SCLogInfo ("Bad URLs transactions logged");
file:close(file)
end
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151210/f98aa7d1/attachment-0001.html>
More information about the Oisf-users
mailing list