[Oisf-users] How do I match a URL with a Suricata rule?

Alan Wanderley dos Santos alan.santos at rnp.br
Thu Dec 10 17:11:20 UTC 2015 

Hi all, 

Very interesting work... 

We have this issue here, so, i wrote a script (using shell) that read http.log and match it with a bad urls list. If match, the script send me a email with the fullpath URL in mail body and http.log line attached. Works fine for us. For example: 

Domain: terr a .com.br 
URL: http://terra.com.br 
LOGs attached 
10/05/15-10:11:41.484357;172.22.73.88;HTTP/1.0;GET;disqus.com;/embed/comments/?base=default&version=0e711e2730e4c6cf1685e5e4dfedf9c9&f=terranetworks&t_u=http%3A%2F%2Fnoticias.terra.com.br%2Fbrasil%2Fbolsa-familia%2F&t_d=Bolsa%20fam%C3%ADlia%2010%20anos%3A%20hist%C3%B3ria%2C%20estados%20que%20mais%20receberam%20ajuda%2C%20cases%20e%20mais&t_t=Bolsa%20fam%C3%ADlia%2010%20anos%3A%20hist%C3%B3ria%2C%20estados%20que%20mais%20receberam%20ajuda%2C%20cases%20e%20mais&s_o=default;-;0;200.134.48.2:47682;->;104.156.85.134:80 
If you want, i can share the script. 

att, 

----------------------------------------------- 
Alan Santos 
Analista de Segurança 
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 


De: "Marius" <wishinet at gmail.com> 
Para: "oisf-users" <oisf-users at openinfosecfoundation.org> 
Enviadas: Quinta-feira, 10 de dezembro de 2015 14:56:08 
Assunto: [Oisf-users] How do I match a URL with a Suricata rule? 

Hi, 

I am working on a way for URL matching using Suri (2.0.8, but I can upgrade) 

I think the easiest way is using LuaJIT in a rule. The use case is matching "bad URLs" - which are from dynamic Malware analysis. 

Here is what I tried so far: 

I create a file and put the bad URLs in there - like this: 

http://badstuff.com/bad/malware.exe 
http://reallybadstuff.com/worse/evilware.msi 

I want to match these URLs with Suri. To do this I write a quick rule: 

$$ more /etc/suricata/rules/custom.rules 
alert http any any -> any any (msg:"LUAJIT test"; luajit:file.lua; sid:900000; flow:established; rev:1) 

I have compiled suricata 2.0.8 on a Gentoo system: 

./configure --enable-luajit --with-libpcap_ng-libraries=/usr/local/lib --with-libpcap_ng-includes=/usr/local/include/ --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-gccmarch-native --enable-gccprotect --with-libluajit-includes=/usr/include/luajit-2.0 

... 
libnss support: no 
libnspr support: no 
libjansson support: yes 
Prelude support: no 
PCRE jit: yes 
LUA support: yes 
libluajit: yes 
.... 

That looks fine to me. Now I test it: 
sudo suricata --af-packet=eno1 -S /etc/suricata/rules/custom.rules -v 

I see the following error: 
<Info> - Loading rule file: /etc/suricata/rules/custom.rules 
<Error> - [ERRCODE: SC_ERR_LUAJIT_ERROR(212)] - unsupported data type protocol 
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error par 
sing signature "alert http any any -> any any (msg:"LUAJIT test"; luajit:file.lua; sid:900000; flow:established; rev:1)" from file /etc/suricata/rules/custom.rules at line 1 
<Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/custom.rules 

Does someone know why the rule parser steps out? From what I see the feature is compiled into the engine. I don't see what the error message indicates. 

Below is my current lua code for reference. I tested some simpler lua scripts with the same error in the log. 

Best, 
Marius 


local open = io.open 

function init (args) 
local needs = {} 
needs["protocol"] = "http" 
-- needs["http.uri"] = tostring(true) 
return needs 
end 


function setup (args) 
filename = SCLogPath() .. "/" .. name 
file = assert(io.open(filename, "a")) 
SCLogInfo("HTTP Log Filename " .. filename) 
http = 0 
end 


function match(args) 
--for line in io.lines("bad_urls.txt") do 
-- print(line) 
-- end 
http_host = HttpGetRequestHost() 
if http_host == nil then 
return 0 
end 

http_uri = HttpGetRequestUriNormalized() 
if http_uri == nil then 
return 0 
end 

local file = io.open("bad_urls.txt", "r"); 
local arr = {} 
for line in file:lines() do 
table.insert (arr, line); 
end 

ts = SCPacketTimeString() 
ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() 

file:write(ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " .. 
http_ua .. " [**] " .. srcip .. ":" .. sp .. " -> " .. 
dstip .. ":" .. dp .. "\n") 
file:flush() 


a = tostring(args["http.uri"]) 
a = http_host + "/" + a 

for url in arr do 
net_url = "http://" .. http_host .. http_uri 
if url == net_url then 
-- file:write(net_url .. " matches bad url - potential Malware\n") 
return 1 
end 
end 

return 0 
end 

function deinit (args) 
SCLogInfo ("Bad URLs transactions logged"); 
file:close(file) 
end 

_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151210/7d8f3425/attachment-0002.html>

More information about the Oisf-users mailing list