[Oisf-users] suricata rules for url matching

Erich Lerch erich.lerch at gmail.com
Tue Jan 12 11:51:03 UTC 2016


Paolo,
Suricata knows the not well-documented keyword "http_host" (don't know
if it's only in the newer versions, though?). You should also use
"http_method" when matching GET requests, and the "http" protocol
identifier.
So you can write your rule that way:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
SITE: example.com"; content:"GET"; http_method; content:"example.com";
http_host; threshold: type limit, track by_src, count 1, seconds 300;
classtype:policy-violation; sid:600; rev:1;)

It performs much better than a solution with PCRE (which is also a
possibility, of course).

Cheers,
erich

2016-01-12 9:53 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
> I want to write a custom rule to identify access to a specific domain and
> subdomain (like example.com - example.com/blablabla - subdomain.example.com
> - subdomain.example.com/blablabla ...).
>
> I tried this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED
> SITE: example.com"; content:"GET"; depth:3; content:"example.com"; http_uri;
> nocase; threshold: type limit, track by_src, count 1, seconds 300;
> classtype:policy-violation; sid:600; rev:1;)
>
> It works fine, but it also matches when I visit a URL that contains the "BLOCKED SITE"
> string, like this: GOODSITE/index.php?url=example.com
>
> How can I correct this rule?
>
> Thanks
>
> PD
>
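To make the difference between the two rules concrete, here is an added Python model (not code from the thread or from Suricata) of the buffers each rule inspects, run over constructed origin-form requests ("GET /path"); it assumes Suricata's documented normalization, where http_host is the Host header lowercased with any :port removed and http_uri holds only the request URI, never the Host header.

```python
import re

# Constructed sample requests (not from the original thread).
SAMPLES = {
    "blocked": "GET /blablabla HTTP/1.1\r\nHost: subdomain.example.com\r\n\r\n",
    "false_positive": "GET /index.php?url=example.com HTTP/1.1\r\nHost: goodsite.test\r\n\r\n",
    "bare_domain": "GET / HTTP/1.1\r\nHost: Example.COM:8080\r\n\r\n",
}


def buffers(raw: str) -> dict:
    """Approximate the Suricata buffers the two rules inspect."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # http_host: Host header, lowercased, trailing :port stripped (assumed
    # normalization, per Suricata docs). http_uri: the request URI only.
    host = re.sub(r":\d+$", "", headers.get("host", "")).lower()
    return {"raw": raw, "http_method": method, "http_uri": uri, "http_host": host}


def uri_rule(b: dict) -> bool:
    """Paolo's rule: content:"GET"; depth:3; content:"example.com"; http_uri; nocase;"""
    return b["raw"][:3] == "GET" and "example.com" in b["http_uri"].lower()


def host_rule(b: dict) -> bool:
    """Erich's rule: content:"GET"; http_method; content:"example.com"; http_host;"""
    return b["http_method"] == "GET" and "example.com" in b["http_host"]


def evaluate() -> dict:
    """Return {sample_name: (uri_rule fired, host_rule fired)} for every sample."""
    return {name: (uri_rule(buffers(raw)), host_rule(buffers(raw)))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (uri_hit, host_hit) in evaluate().items():
        print(f"{name:15} http_uri rule: {uri_hit!s:5}  http_host rule: {host_hit}")
```

The query-string sample fires only the http_uri rule (the false positive Paolo saw), while the host-based rule also catches the bare-domain request whose URI is just "/", regardless of Host header case or port.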
