[Oisf-users] Suricata Cookie Header Questions

Duane Howard duane.security at gmail.com
Thu Apr 14 20:16:59 UTC 2016


According to:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
"""Although cookies are sent in an HTTP header, you can not match on them
with the http_header keyword. Cookies are matched with their own keyword,
namely http_cookie."""

I had a couple of questions about this:

   1. Is this documentation still accurate?
   2. Does this mean that Suricata will effectively strip the 'Cookie:
   foo=120398' out from the http_header buffer? Or will it still contain
   'Cookie:' for example? [0]
   3. If above is true, is the correct way to perform relative matches of
   'Cookie: foo=12398' to other header fields to use a plain content match,
   and not the http_header buffer?

If my understanding of this is correct, I think there's at least one ET
rule that is probably not working as intended, since I see content
negations of 'Cookie|3A|'; http_header; as well as Cookie value checks
against http_header. Example rule from ET Open [1]

[0] Does this:
GET /foo.js HTTP/1.1
Host: no.evil.com
Cookie: UID=17220493a47a2391519d61c144a531063; UIDR=1649534063; CP3=4
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
Referer: http://www.referme.com
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

yield this for http_header?
Host: no.evil.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
Referer: http://www.referme.com
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Example of ET Rule that's probably broken:
[1] alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"Cookie|3a| visited=TRUE"; http_header; content:"Cookie|3a| mutex="; http_header; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:3;)

Thanks,
Duane
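The following is an added example, not part of Duane's post and not Suricata's own code. It models the documented behaviour quoted above (the Cookie header is not visible to http_header matches and is exposed through http_cookie instead) and runs the ET rule's `content:"Cookie|3a| visited=TRUE"; http_header;` pattern against each buffer for a constructed request. `split_buffers()` is an assumption that models that documented split; the sample request and its cookie values are constructed for the example.

```python
# Added example (not from the mailing-list post): a model of how the
# documented Suricata keyword buffers affect a rule's content matches.
# split_buffers() is an assumption that models the documented behaviour
# ("cookies are not matched with http_header; use http_cookie"); it is not
# Suricata's own normalisation code.
from typing import Dict

# Constructed sample request; the cookie values are made up for the example.
SAMPLE_REQUEST = (
    b"GET /foo.js HTTP/1.1\r\n"
    b"Host: no.evil.com\r\n"
    b"Cookie: visited=TRUE; mutex=example\r\n"
    b"Connection: keep-alive\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def decode_content(spec: str) -> bytes:
    """Turn a Suricata content: string with |hex| escapes into raw bytes.

    "Cookie|3a| visited=TRUE" -> b"Cookie: visited=TRUE"
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")      # literal text outside the pipes
        else:
            out += bytes.fromhex(part)       # hex run between the pipes
    return bytes(out)


def split_buffers(raw: bytes) -> Dict[str, bytes]:
    """Model the documented buffers (assumption, not Suricata code):
    http_header = request headers with the Cookie line removed,
    http_cookie = the Cookie header value, payload = the raw request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]   # drop the request line
    kept = []
    cookie = b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
        else:
            kept.append(line)
    return {
        "http_header": b"\r\n".join(kept) + b"\r\n",
        "http_cookie": cookie,
        "payload": raw,
    }


def content_match(pattern: bytes, buffer: bytes) -> bool:
    """Plain substring test, i.e. an unmodified content: match."""
    return pattern in buffer


def evaluate_cookie_matches(raw: bytes) -> Dict[str, bool]:
    """Try the ET rule's 'Cookie|3a| visited=TRUE' pattern against each buffer."""
    bufs = split_buffers(raw)
    header_pattern = decode_content("Cookie|3a| visited=TRUE")
    return {
        # the rule's http_header match: the Cookie line is not in that buffer
        "http_header": content_match(header_pattern, bufs["http_header"]),
        # a plain content match against the raw payload still sees it
        "payload": content_match(header_pattern, bufs["payload"]),
        # the documented way: match the value in the http_cookie buffer
        "http_cookie": content_match(b"visited=TRUE", bufs["http_cookie"]),
    }


if __name__ == "__main__":
    for buffer_name, hit in evaluate_cookie_matches(SAMPLE_REQUEST).items():
        print(f"{buffer_name:12s} {'match' if hit else 'no match'}")
```

Under this model the rule's two `http_header` matches can never fire, while the same value is found either by a plain content match on the raw payload or, as the documentation recommends, by `content:"visited=TRUE"; http_cookie;`. The script is a quick way to sanity-check a rule's buffer choice before relying on it; confirming the real engine's behaviour still means testing the rule against a pcap with the Suricata version in use.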