[Oisf-users] suricata rules for url matching

Paolo D'Angeli paolo.dangeli at asdc.asi.it
Tue Jan 12 12:55:50 UTC 2016


It works, but it also matches hosts like BLABLABLAexample.com, and not only
*.example.com and example.com.

Can you help me?

Thanks

PD

On 12/01/2016 12:51, Erich Lerch wrote:
> Paolo,
> Suricata knows the not well-documented keyword "http_host" (don't know
> if it's only in the newer versions, though?). You should also use
> "http_method" when matching GET requests, and the "http" protocol
> identifier.
> So you can write your rule that way:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
> SITE: example.com"; content:"GET"; http_method; content:"example.com";
> http_host; threshold: type limit, track by_src, count 1, seconds 300;
> classtype:policy-violation; sid:600; rev:1;)
>
> It performs much better than a solution with PCRE (which is also a
> possibility, of course).
>
> Cheers,
> erich
>
> 2016-01-12 9:53 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
>> I want to write a custom rule to identify access to a specific domain and
>> its subdomains (like example.com - example.com/blablabla - subdomain.example.com
>> - subdomain.example.com/blablabla ...).
>>
>> I tried this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED
>> SITE: example.com"; content:"GET"; depth:3; content:"example.com"; http_uri;
>> nocase; threshold: type limit, track by_src, count 1, seconds 300;
>> classtype:policy-violation; sid:600; rev:1;)
>>
>> It works fine, but it also matches when I visit a URL that contains "BLOCKED SITE",
>> like this: GOODSITE/index.php?url=example.com
>>
>> How can I correct this rule?
>>
>> Thanks
>>
>> PD
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

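To see why a plain content match on the host buffer behaves the way Paolo describes, here is a small added Python check (my own, not from the thread and not Suricata code) that runs a substring test and an anchored domain-boundary test over constructed Host values; the anchored pattern is the logic you would carry into a pcre on the host buffer, the alternative Erich mentions.

```python
import re

# Constructed Host header values for the check (not taken from the thread).
SAMPLE_HOSTS = [
    "example.com",                 # the domain itself
    "subdomain.example.com",       # a subdomain
    "EXAMPLE.COM:8080",            # upper case with an explicit port
    "BLABLABLAexample.com",        # the false positive Paolo reports
    "example.com.other.test",      # looks similar, but a different domain
    "notexample.org",              # unrelated host
]

def content_host_match(host, needle="example.com"):
    """Substring test, which is what a content match on the http_host
    buffer does: the needle may sit anywhere inside the host value."""
    return needle.lower() in host.lower()

def domain_host_match(host, domain="example.com"):
    """Anchored test: the host is the domain itself or a subdomain of it,
    optionally followed by a port. Any label before the domain must end at
    a dot, so 'blablablaexample.com' does not qualify."""
    pattern = r"^(?:[^.:\s]+\.)*" + re.escape(domain) + r"(?::\d+)?$"
    return re.match(pattern, host.strip().lower()) is not None

def matched_hosts(matcher, hosts=SAMPLE_HOSTS):
    """Return the hosts from the sample set that a matcher accepts."""
    return [h for h in hosts if matcher(h)]

if __name__ == "__main__":
    for name, matcher in (("content (substring)", content_host_match),
                          ("anchored domain", domain_host_match)):
        print(f"{name}: {matched_hosts(matcher)}")
```

The substring matcher accepts five of the six sample hosts, the anchored matcher only the three that really are example.com or one of its subdomains.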