[Oisf-users] How do I match a URL with a Suricata rule?

Victor Julien lists at inliniac.net
Mon Dec 14 14:47:00 UTC 2015 

On 14-12-15 13:46, Marius wrote:
> 
> On 14 December 2015 at 12:05, Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>> wrote:
> 
>     On 14-12-15 12:50, Marius wrote:
>     > Hey,
>     >
>     > I completed the LuaJIT script so that it
>     > works: https://gist.github.com/norandom/f3d5006b858c77810e63
> 
>     That doesn't seem to be a good approach.
> 
>     I would suggest having a look at
>     https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua
> 
>     It shows how you can get just the URI.
> 
> 
> I am aware of this, but I want the UR_L_. That is the point of this. URI
> matching can be done much easier.

In this case it might work to register the script to the
"http.request_headers". Then you can be sure the request line has been
parsed as well. The script should be called once per request.

Then use:
HttpGetRequestUriRaw/HttpGetRequestUriNormalized
HttpGetRequestHost

to construct the URL.

Some of this may require 3.0dev, I have no time to check that.

Cheers,
Victor



>  
> 
>     >
>     > Some of the exported functions to the Lua API have been removed over
>     > time. So if you google for scripts, the ones which have functions which
>     > are not documented here, do not work any more:
>     > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
> 
>     I don't think we've removed anything. Keep in mind that we support much
>     more in our dev code (3.0dev).
> 
> 
> Most functions from here are
> gone: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output 
> 
>  SCLogInfo()
> 
> HttpGetRequestUriRaw()
> 
> For example.
> 
> 
>  
> 
>     The example script above show work with 2.0.x though.
> 
>     Cheers,
>     Victor
> 
> 
>     >
>     > * I don't think that a awk -F " " {'print $2$4'}  http.log | grep -f
>     > bad_urls.txt is a good alerting workflow, because I want this to be
>     > handled by an IDS engine. Sure you can pipe matches into syslog and
>     > configure an event trigger, but this is an additional process. It needs
>     > to be reliable and report matches in real time and so on. Suri's Lua
>     > scripting should cover this in a better way.
>     >
>     > * On a related note I did not have success with this script and the http
>     > keyword in the Suricata rule instead of TCP. For an odd reason I do
>     > _not_ see outgoing requests when I used "tcp" on my test machine. This
>     > is the reason why I do the protocol detection in Lua for HTTP and that
>     > is why I use the "tcp" keyword. This is probably a bug in the payload
>     > buffer access.
>     >
>     > * I would also like to get access to multiple http buffers at a time, so
>     > be able to use the http functions instead of payload.
>     > * I am also looking for a good way to debug these Lua scripts, without
>     > file output and try & error.
>     >
>     > Best,
>     > Marius
>     >
>     >
>     > On 10 December 2015 at 19:49, Cooper F. Nelson <cnelson at ucsd.edu <mailto:cnelson at ucsd.edu>
>     > <mailto:cnelson at ucsd.edu <mailto:cnelson at ucsd.edu>>> wrote:
>     >
>     > Easiest/fasted way as mentioned would be to use the http logging and
>     > fgrep, as mentioned.
>     >
>     > If you want live alerts, I would write a script to generate to http
>     > signatures from a file.  I did something like this recently using a
>     > simple loop and a template like this:
>     >
>     >> alert http any any -> any any (msg:"LOCAL known bad uri $URI";
>     > flow:to_server,established; content:"$URI"; http_uri;
>     > classtype:trojan-activity; sid:$SID;)
>     >
>     > -Coop
>     >
>     > On 12/10/2015 8:56 AM, Marius wrote:
>     >> Hi,
>     >
>     >> I am working on a way for URL matching using Suri (2.0.8, but I can
>     >> upgrade)
>     >
>     >> I think the easiest way is using LuaJIT in a rule. The use case is
>     >> matching "bad URLs" - which are from dynamic Malware analysis.
>     >
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>     >
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Suricata User Conference November 4 & 5 in Barcelona:
>     http://oisfevents.net
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list