[Oisf-users] How do I match a URL with a Suricata rule?

Marius mciepluch at web.de
Mon Dec 14 12:46:37 UTC 2015 

On 14 December 2015 at 12:05, Victor Julien <lists at inliniac.net> wrote:

> On 14-12-15 12:50, Marius wrote:
> > Hey,
> >
> > I completed the LuaJIT script so that it
> > works: https://gist.github.com/norandom/f3d5006b858c77810e63
>
> That doesn't seem to be a good approach.
>
> I would suggest having a look at
>
> https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua
>
> It shows how you can get just the URI.
>
>
I am aware of this, but I want the UR_L_. That is the point of this. URI
matching can be done much easier.



> >
> > Some of the exported functions to the Lua API have been removed over
> > time. So if you google for scripts, the ones which have functions which
> > are not documented here, do not work any more:
> >
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
>
> I don't think we've removed anything. Keep in mind that we support much
> more in our dev code (3.0dev).
>

Most functions from here are gone:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output

 SCLogInfo()

HttpGetRequestUriRaw()

For example.




> The example script above show work with 2.0.x though.
>
> Cheers,
> Victor
>
>
> >
> > * I don't think that a awk -F " " {'print $2$4'}  http.log | grep -f
> > bad_urls.txt is a good alerting workflow, because I want this to be
> > handled by an IDS engine. Sure you can pipe matches into syslog and
> > configure an event trigger, but this is an additional process. It needs
> > to be reliable and report matches in real time and so on. Suri's Lua
> > scripting should cover this in a better way.
> >
> > * On a related note I did not have success with this script and the http
> > keyword in the Suricata rule instead of TCP. For an odd reason I do
> > _not_ see outgoing requests when I used "tcp" on my test machine. This
> > is the reason why I do the protocol detection in Lua for HTTP and that
> > is why I use the "tcp" keyword. This is probably a bug in the payload
> > buffer access.
> >
> > * I would also like to get access to multiple http buffers at a time, so
> > be able to use the http functions instead of payload.
> > * I am also looking for a good way to debug these Lua scripts, without
> > file output and try & error.
> >
> > Best,
> > Marius
> >
> >
> > On 10 December 2015 at 19:49, Cooper F. Nelson <cnelson at ucsd.edu
> > <mailto:cnelson at ucsd.edu>> wrote:
> >
> > Easiest/fasted way as mentioned would be to use the http logging and
> > fgrep, as mentioned.
> >
> > If you want live alerts, I would write a script to generate to http
> > signatures from a file.  I did something like this recently using a
> > simple loop and a template like this:
> >
> >> alert http any any -> any any (msg:"LOCAL known bad uri $URI";
> > flow:to_server,established; content:"$URI"; http_uri;
> > classtype:trojan-activity; sid:$SID;)
> >
> > -Coop
> >
> > On 12/10/2015 8:56 AM, Marius wrote:
> >> Hi,
> >
> >> I am working on a way for URL matching using Suri (2.0.8, but I can
> >> upgrade)
> >
> >> I think the easiest way is using LuaJIT in a rule. The use case is
> >> matching "bad URLs" - which are from dynamic Malware analysis.
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
> >
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151214/09747eaf/attachment-0002.html>

More information about the Oisf-users mailing list