[Oisf-users] How do I match a URL with a Suricata rule?
Victor Julien
lists at inliniac.net
Mon Dec 14 14:47:00 UTC 2015
On 14-12-15 13:46, Marius wrote:
>
> On 14 December 2015 at 12:05, Victor Julien <lists at inliniac.net> wrote:
>
> On 14-12-15 12:50, Marius wrote:
> > Hey,
> >
> > I completed the LuaJIT script so that it
> > works: https://gist.github.com/norandom/f3d5006b858c77810e63
>
> That doesn't seem to be a good approach.
>
> I would suggest having a look at
> https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua
>
> It shows how you can get just the URI.
>
>
> I am aware of this, but I want the UR_L_. That is the point of this. URI
> matching can be done much easier.
In this case it might work to register the script to the
"http.request_headers". Then you can be sure the request line has been
parsed as well. The script should be called once per request.
Then use:
HttpGetRequestUriRaw/HttpGetRequestUriNormalized
HttpGetRequestHost
to construct the URL.
Some of this may require 3.0dev, I have no time to check that.
Cheers,
Victor
>
>
> >
> > Some of the exported functions to the Lua API have been removed over
> > time. So if you google for scripts, the ones which have functions which
> > are not documented here, do not work any more:
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
>
> I don't think we've removed anything. Keep in mind that we support much
> more in our dev code (3.0dev).
>
>
> Most functions from here are
> gone: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
>
> SCLogInfo()
>
> HttpGetRequestUriRaw()
>
> For example.
>
> The example script above should work with 2.0.x though.
>
> Cheers,
> Victor
>
>
> >
> > * I don't think that an awk -F " " {'print $2$4'} http.log | grep -f
> > bad_urls.txt is a good alerting workflow, because I want this to be
> > handled by an IDS engine. Sure you can pipe matches into syslog and
> > configure an event trigger, but this is an additional process. It needs
> > to be reliable and report matches in real time and so on. Suri's Lua
> > scripting should cover this in a better way.
> >
> > * On a related note I did not have success with this script and the http
> > keyword in the Suricata rule instead of TCP. For an odd reason I do
> > _not_ see outgoing requests when I used "tcp" on my test machine. This
> > is the reason why I do the protocol detection in Lua for HTTP and that
> > is why I use the "tcp" keyword. This is probably a bug in the payload
> > buffer access.
> >
> > * I would also like to get access to multiple http buffers at a time, so
> > be able to use the http functions instead of payload.
> > * I am also looking for a good way to debug these Lua scripts, without
> > file output and try & error.
> >
> > Best,
> > Marius
> >
> >
> > On 10 December 2015 at 19:49, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> >
> > Easiest/fastest way as mentioned would be to use the http logging and
> > fgrep.
> >
> > If you want live alerts, I would write a script to generate http
> > signatures from a file. I did something like this recently using a
> > simple loop and a template like this:
> >
> >> alert http any any -> any any (msg:"LOCAL known bad uri $URI";
> > flow:to_server,established; content:"$URI"; http_uri;
> > classtype:trojan-activity; sid:$SID;)
> >
> > -Coop
> >
> > On 12/10/2015 8:56 AM, Marius wrote:
> >> Hi,
> >
> >> I am working on a way for URL matching using Suri (2.0.8, but I can
> >> upgrade)
> >
> >> I think the easiest way is using LuaJIT in a rule. The use case is
> >> matching "bad URLs" - which are from dynamic Malware analysis.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> >
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
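An added example of the approach Victor suggests in his reply (registering the script to the "http.request_headers" buffer and building the URL from HttpGetRequestHost and HttpGetRequestUriRaw). This is editor-written illustration, not code from the thread, the gist, or the Suricata project. It assumes the Suricata Lua detection API exposes those functions in the version in use (the thread notes this may need 3.0dev), that the rule references the script with the `lua` keyword (`luajit` on 2.0.x), and that the bad-URL list file path and its contents are constructed placeholders.

```lua
-- Suricata Lua match script: alert when Host + raw request URI is on a
-- known-bad URL list. Editor-added example; not the thread's gist.
--
-- Assumed rule that loads it (sid/classtype are placeholders):
--   alert http any any -> any any (msg:"LOCAL known bad URL"; \
--       flow:to_server,established; lua:bad_url.lua; \
--       classtype:trojan-activity; sid:1000001; rev:1;)
--   (on Suricata 2.0.x the keyword is "luajit:bad_url.lua;")

-- Assumed list file: one "host/path?query" per line, '#' starts a comment.
-- Scheme is omitted because Suricata only sees the plaintext request.
local BAD_URL_FILE = "/etc/suricata/bad_urls.txt"   -- placeholder path

-- Fallback list used when the file is absent (constructed sample values).
local DEFAULT_BAD_URLS = {
    ["evil.example/payload.exe"]       = true,
    ["cnc.example:8080/gate.php?id=1"] = true,
}

-- Load the list into a set keyed by URL. The host part is lowercased
-- (hostnames are case-insensitive); the path/query is kept as-is because
-- paths are case-sensitive on many servers.
local function normalize_url(host, uri)
    return string.lower(host) .. uri
end

local function load_bad_urls(path)
    local set = {}
    local f = io.open(path, "r")
    if f == nil then
        return DEFAULT_BAD_URLS
    end
    for line in f:lines() do
        line = line:match("^%s*(.-)%s*$")            -- trim whitespace
        if line ~= "" and line:sub(1, 1) ~= "#" then
            local host, rest = line:match("^([^/]+)(/.*)$")
            if host and rest then
                set[normalize_url(host, rest)] = true
            end
        end
    end
    f:close()
    return set
end

local bad_urls = load_bad_urls(BAD_URL_FILE)

-- Registering on the request headers buffer means the request line has been
-- parsed by the time match() runs, and match() is called once per request.
function init(args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    return needs
end

-- Return 1 to fire the rule, 0 otherwise. Either accessor may return nil
-- (no Host header, or the transaction is not far enough along), so treat
-- nil as "no match" rather than erroring inside the engine.
function match(args)
    local host = HttpGetRequestHost()
    local uri  = HttpGetRequestUriRaw()
    if host == nil or uri == nil then
        return 0
    end
    if bad_urls[normalize_url(host, uri)] then
        return 1
    end
    return 0
end
```

The raw URI is used rather than the normalized one so that the comparison is against exactly what the client sent; if the list comes from sandbox output that has already been normalized (decoded %XX sequences, collapsed `..`), switch to HttpGetRequestUriNormalized() so both sides agree. Because the list is loaded once at script init, Suricata needs a rule reload to pick up new entries.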