[Oisf-users] suricata rules for url matching

Erich Lerch erich.lerch at gmail.com
Tue Jan 12 13:15:57 UTC 2016


Personally, in that particular case I would prefer to write two separate rules:

# matches the exact domain (string "example.com" is 11 characters long)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
SITE: example.com"; content:"GET"; http_method; content:"example.com";
http_host; depth:11; threshold: type limit, track by_src, count 1, seconds 300;
classtype:policy-violation; sid:600; rev:1;)

# matches all subdomains of domain
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
SITE: *.example.com"; content:"GET"; http_method; content:".example.com";
http_host; threshold: type limit, track by_src, count 1, seconds 300;
classtype:policy-violation; sid:601; rev:1;)


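To make the behaviour of the three rule variants in this thread concrete, here is a small added example (not Suricata code and not from any poster) that emulates just enough of the content/http_uri/http_host/depth keyword semantics to run the rules over constructed Host and URI values. The buffer handling is a simplification of Suricata's (the http_host buffer is the lowercased Host header without the port; depth:N requires the pattern to end within the first N bytes of the buffer), and the request samples are constructed for illustration.

```python
"""Toy emulation of Suricata content matching on the http_uri and http_host
buffers, written to compare the rules posted in this thread.  Added example,
not Suricata source: it reproduces only the keyword semantics needed here."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HttpRequest:
    """Constructed sample request: method, Host header value, request target."""
    method: str
    host: str
    uri: str


def http_host_buffer(req: HttpRequest) -> str:
    """Emulate the http_host buffer: Host header value, lowercased, port removed.
    (This is why content patterns used with http_host are written in lowercase.)"""
    return req.host.split(":", 1)[0].lower()


def content_match(buf: str, pattern: str, depth: Optional[int] = None,
                  nocase: bool = False) -> bool:
    """Emulate content:"pattern" [nocase] [depth:N] against one buffer.
    depth:N means the whole pattern must end within the first N bytes."""
    if nocase:
        buf, pattern = buf.lower(), pattern.lower()
    idx = buf.find(pattern)
    if idx < 0:
        return False
    return depth is None or idx + len(pattern) <= depth


def rule_uri_original(req: HttpRequest) -> bool:
    """Paolo's first attempt: content:"GET"; depth:3; content:"example.com"; http_uri; nocase.
    http_uri holds the request target, i.e. only the path in a normal (non-proxy) request."""
    return (content_match(req.method, "GET", depth=3)
            and content_match(req.uri, "example.com", nocase=True))


def rule_host_plain(req: HttpRequest) -> bool:
    """First reply: content:"example.com"; http_host (no depth)."""
    return req.method == "GET" and content_match(http_host_buffer(req), "example.com")


def rule_host_exact(req: HttpRequest) -> bool:
    """sid:600 of the final reply: content:"example.com"; http_host; depth:11."""
    return req.method == "GET" and content_match(http_host_buffer(req), "example.com", depth=11)


def rule_host_subdomains(req: HttpRequest) -> bool:
    """sid:601 of the final reply: content:".example.com"; http_host."""
    return req.method == "GET" and content_match(http_host_buffer(req), ".example.com")


RULES = {
    "uri_original": rule_uri_original,
    "host_plain": rule_host_plain,
    "host_exact": rule_host_exact,
    "host_subdomains": rule_host_subdomains,
}

# Constructed sample traffic covering the cases raised in the thread.
SAMPLE_REQUESTS = {
    "exact": HttpRequest("GET", "example.com", "/"),
    "exact_with_port": HttpRequest("GET", "Example.COM:8080", "/"),
    "subdomain": HttpRequest("GET", "subdomain.example.com", "/blablabla"),
    "prefix_junk": HttpRequest("GET", "BLABLABLAexample.com", "/"),
    "suffix_junk": HttpRequest("GET", "example.com.evil.test", "/"),
    "param_in_uri": HttpRequest("GET", "goodsite.test", "/index.php?url=example.com"),
}


def evaluate(req: HttpRequest) -> Dict[str, bool]:
    """Return which of the four rule variants would alert on one request."""
    return {name: rule(req) for name, rule in RULES.items()}


if __name__ == "__main__":
    header = "{:<16}".format("request") + "".join("{:>17}".format(n) for n in RULES)
    print(header)
    for label, req in SAMPLE_REQUESTS.items():
        hits = evaluate(req)
        print("{:<16}".format(label) + "".join("{:>17}".format(str(v)) for v in hits.values()))
```

Running it shows the progression in the thread: the http_uri rule fires only on the goodsite request carrying example.com as a query parameter, the plain http_host rule also fires on BLABLABLAexample.com, and the depth:11 rule pins the match to the start of the host buffer while the ".example.com" rule covers the subdomains. The table also shows one case the depth rule does not rule out: a host that merely starts with example.com (here example.com.evil.test). Suricata 4.1 and later add the bsize keyword for checking the buffer length, which this 2016 thread predates.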

2016-01-12 13:55 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
> It works, but it also matches hosts like BLABLABLAexample.com, and not only
> *.example.com and example.com.
>
> Can you help me?
>
> Thanks
>
> PD
>
>
> On 12/01/2016 12:51, Erich Lerch wrote:
>>
>> Paolo,
>> Suricata knows the not well-documented keyword "http_host" (don't know
>> if it's only in the newer versions, though?). You should also use
>> "http_method" when matching GET requests, and the "http" protocol
>> identifier.
>> So you can write your rule that way:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
>> SITE: example.com"; content:"GET"; http_method; content:"example.com";
>> http_host; threshold: type limit, track by_src, count 1, seconds 300;
>> classtype:policy-violation; sid:600; rev:1;)
>>
>> It performs much better than a solution with PCRE (which is also a
>> possibility, of course).
>>
>> Cheers,
>> erich
>>
>> 2016-01-12 9:53 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
>>>
>>> I want to write a custom rule to identify access to a specific domain and its
>>> subdomains (like example.com - example.com/blablabla -
>>> subdomain.example.com
>>> - subdomain.example.com/blablabla ...).
>>>
>>> I tried this:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED
>>> SITE: example.com"; content:"GET"; depth:3; content:"example.com";
>>> http_uri; nocase; threshold: type limit, track by_src, count 1, seconds 300;
>>> classtype:policy-violation; sid:600; rev:1;)
>>>
>>> It works fine, but it also matches when I visit a URL that contains "BLOCKED SITE",
>>> like this: GOODSITE/index.php?url=example.com
>>>
>>> How can I correct this rule?
>>>
>>> Thanks
>>>
>>> PD
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona:
>>> http://oisfevents.net
>>
>
>
