[Oisf-users] How do I match a URL with a Suricata rule?

Marius wishinet at gmail.com
Mon Dec 14 11:50:47 UTC 2015


I completed the LuaJIT script so that it works:

Some of the exported functions to the Lua API have been removed over time.
So if you google for scripts, the ones which have functions which are not
documented here, do not work any more:

* I don't think that an awk -F " " {'print $2$4'}  http.log | grep -f
bad_urls.txt is a good alerting workflow, because I want this to be handled
by an IDS engine. Sure you can pipe matches into syslog and configure an
event trigger, but this is an additional process. It needs to be reliable
and report matches in real time and so on. Suri's Lua scripting should
cover this in a better way.

* On a related note I did not have success with this script and the http
keyword in the Suricata rule instead of TCP. For an odd reason I do _not_
see outgoing requests when I use "tcp" on my test machine. This is the
reason why I do the protocol detection in Lua for HTTP and that is why I
use the "tcp" keyword. This is probably a bug in the payload buffer access.

* I would also like to get access to multiple http buffers at a time, so as
to be able to use the http functions instead of payload.
* I am also looking for a good way to debug these Lua scripts, without file
output and trial and error.


On 10 December 2015 at 19:49, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Easiest/fastest way, as mentioned, would be to use the http logging and
> fgrep.
> If you want live alerts, I would write a script to generate http
> signatures from a file.  I did something like this recently using a
> simple loop and a template like this:
> alert http any any -> any any (msg:"LOCAL known bad uri $URI";
> flow:to_server,established; content:"$URI"; http_uri;
> classtype:trojan-activity; sid:$SID;)
> -Coop
> On 12/10/2015 8:56 AM, Marius wrote:
> > Hi,
> >
> > I am working on a way for URL matching using Suri (2.0.8, but I can
> > upgrade)
> >
> > I think the easiest way is using LuaJIT in a rule. The use case is
> > matching "bad URLs" - which are from dynamic Malware analysis.
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
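The "simple loop and a template" approach Cooper describes, written out as an added example (not code from either poster): it reads one URI per line, numbers SIDs from a starting value (the 9000001 range below is an assumption), and escapes the characters Suricata treats specially inside content:"..." (backslash, double quote, semicolon, and the hex delimiter "|"), which a bare template substitution misses.

```shell
#!/bin/sh
# Generate Suricata http_uri rules from a list of known-bad URIs,
# following the template quoted in the reply above.

# Escape characters that are special inside content:"...":
#   '\' -> '\\', '"' -> '\"', ';' -> '\;', and the hex delimiter
#   '|' is written as its hex byte |7C|. Backslash is done first.
escape_content() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' \
                           -e 's/"/\\"/g' \
                           -e 's/;/\\;/g' \
                           -e 's/|/|7C|/g'
}

# Print one rule for one URI ($1) and SID ($2).
make_rule() {
    uri=$(escape_content "$1")
    printf 'alert http any any -> any any (msg:"LOCAL known bad uri %s"; flow:to_server,established; content:"%s"; http_uri; classtype:trojan-activity; sid:%s;)\n' \
        "$uri" "$uri" "$2"
}

# Read URIs from stdin (one per line; blank lines and '#' comments are
# skipped) and emit one rule each, with SIDs counting up from $1.
gen_rules() {
    sid=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        make_rule "$line" "$sid"
        sid=$((sid + 1))
    done
}

# Constructed sample list (not real indicators); in practice this would
# be the bad_urls.txt exported from the malware analysis.
gen_rules 9000001 <<'EOF'
# constructed example URIs
/example/gate.php
/example/panel?id=1;x="y"
EOF
```

Redirect the output to a .rules file listed in suricata.yaml and reload rules to activate it.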