[Oisf-users] How do I match a URL with a Suricata rule?

Cooper F. Nelson cnelson at ucsd.edu
Thu Dec 10 19:49:00 UTC 2015



Easiest/fastest way, as mentioned, would be to use the http logging and
fgrep.

If you want live alerts, I would write a script to generate the http
signatures from a file.  I did something like this recently using a
simple loop and a template like this:

> alert http any any -> any any (msg:"LOCAL known bad uri $URI"; flow:to_server,established; content:"$URI"; http_uri; classtype:trojan-activity; sid:$SID;)

- -Coop

On 12/10/2015 8:56 AM, Marius wrote:
> Hi,
> 
> I am working on a way for URL matching using Suri (2.0.8, but I can
> upgrade)
> 
> I think the easiest way is using LuaJIT in a rule. The use case is
> matching "bad URLs" - which are from dynamic Malware analysis.


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042