[Oisf-users] How do I match a URL with a Suricata rule?
Victor Julien
lists at inliniac.net
Mon Dec 14 12:05:22 UTC 2015
On 14-12-15 12:50, Marius wrote:
> Hey,
>
> I completed the LuaJIT script so that it
> works: https://gist.github.com/norandom/f3d5006b858c77810e63
That doesn't seem to be a good approach.
I would suggest having a look at
https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua
It shows how you can get just the URI.
>
> Some of the exported functions to the Lua API have been removed over
> time. So if you google for scripts, the ones which have functions which
> are not documented here, do not work any more:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
I don't think we've removed anything. Keep in mind that we support much
more in our dev code (3.0dev).
The example script above should work with 2.0.x though.
Cheers,
Victor
>
> * I don't think that an awk -F " " {'print $2$4'} http.log | grep -f
> bad_urls.txt is a good alerting workflow, because I want this to be
> handled by an IDS engine. Sure you can pipe matches into syslog and
> configure an event trigger, but this is an additional process. It needs
> to be reliable and report matches in real time and so on. Suri's Lua
> scripting should cover this in a better way.
>
> * On a related note I did not have success with this script and the http
> keyword in the Suricata rule instead of TCP. For an odd reason I do
> _not_ see outgoing requests when I used "tcp" on my test machine. This
> is the reason why I do the protocol detection in Lua for HTTP and that
> is why I use the "tcp" keyword. This is probably a bug in the payload
> buffer access.
>
> * I would also like to get access to multiple http buffers at a time, so
> be able to use the http functions instead of payload.
> * I am also looking for a good way to debug these Lua scripts, without
> file output and try & error.
>
> Best,
> Marius
>
>
> On 10 December 2015 at 19:49, Cooper F. Nelson <cnelson at ucsd.edu
> <mailto:cnelson at ucsd.edu>> wrote:
>
> Easiest/fastest way as mentioned would be to use the http logging and
> fgrep, as mentioned.
>
> If you want live alerts, I would write a script to generate to http
> signatures from a file. I did something like this recently using a
> simple loop and a template like this:
>
>> alert http any any -> any any (msg:"LOCAL known bad uri $URI";
> flow:to_server,established; content:"$URI"; http_uri;
> classtype:trojan-activity; sid:$SID;)
>
> -Coop
>
> On 12/10/2015 8:56 AM, Marius wrote:
>> Hi,
>
>> I am working on a way for URL matching using Suri (2.0.8, but I can
>> upgrade)
>
>> I think the easiest way is using LuaJIT in a rule. The use case is
>> matching "bad URLs" - which are from dynamic Malware analysis.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
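Cooper's suggestion above (a loop over a file of bad URIs that fills in a rule template) is easy to get subtly wrong when a URI contains a character that the Suricata `content` keyword treats specially (`;`, `"`, `\`, `|`): the generated rule then fails to load, or matches something shorter than intended. The following is an added example of that generator, not Cooper's script and not part of the original thread. It uses his template, hex-escapes those bytes in the `content` value, keeps `;`/`"` out of `msg`, de-duplicates the input, and hands out consecutive `sid` values starting from an assumed base of 9000000 (the `rev:1` keyword and the sample URI list are also additions, and the list is constructed, not real indicators).

```python
"""Generate Suricata http_uri signatures from a list of known-bad URIs.

Added example: an implementation of the "template + loop" idea from the
thread, with escaping of the characters that the Suricata 'content'
keyword treats specially. The starting sid (9000000) is an assumption.
"""
from typing import Iterable, List

# Bytes that must not appear literally inside content:"..." because
# Suricata would end the keyword or the rule early. They are emitted as
# |xx| hex instead; so are control and non-ASCII bytes.
_SPECIAL = set(b';"\\|')

RULE_TEMPLATE = (
    'alert http any any -> any any (msg:"LOCAL known bad uri {uri_msg}"; '
    'flow:to_server,established; content:"{content}"; http_uri; '
    'classtype:trojan-activity; sid:{sid}; rev:1;)'
)


def escape_content(uri: str) -> str:
    """Render a URI as a content: value, hex-escaping unsafe bytes."""
    out: List[str] = []
    pending_hex: List[str] = []

    def flush() -> None:
        # Emit any accumulated hex bytes as one |xx xx| group.
        if pending_hex:
            out.append("|" + " ".join(pending_hex) + "|")
            pending_hex.clear()

    for b in uri.encode("utf-8"):
        if b in _SPECIAL or b < 0x20 or b > 0x7E:
            pending_hex.append(f"{b:02x}")
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)


def sanitize_msg(uri: str) -> str:
    """msg: must not contain ';' or '"'; substitute harmless characters."""
    return uri.replace('"', "'").replace(";", ",")


def generate_rules(uris: Iterable[str], first_sid: int = 9000000) -> List[str]:
    """Produce one rule per unique, non-empty, non-comment input line."""
    rules: List[str] = []
    seen = set()
    sid = first_sid
    for raw in uris:
        uri = raw.strip()
        if not uri or uri.startswith("#") or uri in seen:
            continue  # skip blanks, comments and duplicates
        seen.add(uri)
        rules.append(RULE_TEMPLATE.format(
            uri_msg=sanitize_msg(uri),
            content=escape_content(uri),
            sid=sid,
        ))
        sid += 1
    return rules


# Constructed sample input standing in for bad_urls.txt (not real IoCs).
BAD_URLS = """\
# constructed sample, not real indicators
/cgi-bin/update.php?id=1
/gate.php;x="1"
/cgi-bin/update.php?id=1
"""

if __name__ == "__main__":
    for rule in generate_rules(BAD_URLS.splitlines()):
        print(rule)
```

Run with a real list by piping it in (`generate_rules(open("bad_urls.txt"))`) and writing the output to a `.rules` file that `suricata.yaml` includes; `suricata -T` then validates the generated file before it goes live. Duplicate URIs are dropped rather than emitted twice because two rules with different sids but the same match only double the alert volume.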