[Oisf-users] suricata rules for url matching

Peter Manev petermanev at gmail.com
Tue Jan 19 10:53:23 UTC 2016


On Tue, Jan 12, 2016 at 2:15 PM, Erich Lerch <erich.lerch at gmail.com> wrote:
> Personally, in that particular case I would prefer to write two separate rules:
>
> # matches the exact domain (string "example.com" is 11 characters long)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
> SITE: example.com"; content:"GET"; http_method; content:"example.com";
> http_host; depth:11; threshold: type limit, track by_src, count 1, seconds 300;
> classtype:policy-violation; sid:600; rev:1;)
>
> # matches all subdomains of domain
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
> SITE: *.example.com"; content:"GET"; http_method; content:".example.com";
> http_host; threshold: type limit, track by_src, count 1, seconds 300;
> classtype:policy-violation; sid:601; rev:1;)
>
>

I got curious as to what the optimal way would be to match exactly on
"example.com" and nothing else.
Thanks to Will Metcalf's suggestion and the discussion on the
emerging-threats IRC, you might want to give this a try:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Match on :
example.com"; content:"GET"; http_method; content:"example.com";
http_host; depth: 11; isdataat:!1,relative;
classtype:policy-violation; sid:666; rev:1;)
(isdataat - there is no byte after that position in the buffer)
Feedback is welcome.


>
> 2016-01-12 13:55 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
>> It works, but it also matches hosts like BLABLABLAexample.com, not only
>> *.example.com and example.com.
>>
>> Can you help me?
>>
>> Thanks
>>
>> PD
>>
>>
>> On 12/01/2016 12:51, Erich Lerch wrote:
>>>
>>> Paolo,
>>> Suricata knows the not well-documented keyword "http_host" (don't know
>>> if it's only in the newer versions, though?). You should also use
>>> "http_method" when matching GET requests, and the "http" protocol
>>> identifier.
>>> So you can write your rule that way:
>>>
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ACCESS BLOCKED
>>> SITE: example.com"; content:"GET"; http_method; content:"example.com";
>>> http_host; threshold: type limit, track by_src, count 1, seconds 300;
>>> classtype:policy-violation; sid:600; rev:1;)
>>>
>>> It performs much better than a solution with PCRE (which is also a
>>> possibility, of course).
>>>
>>> Cheers,
>>> erich
>>>
>>> 2016-01-12 9:53 GMT+01:00 Paolo D'Angeli <paolo.dangeli at asdc.asi.it>:
>>>>
>>>> I want to write a custom rule to identify access to a specific domain and
>>>> its subdomains (like example.com - example.com/blablabla -
>>>> subdomain.example.com
>>>> - subdomain.example.com/blablabla ...).
>>>>
>>>> I tried this:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED
>>>> SITE: example.com"; content:"GET"; depth:3; content:"example.com";
>>>> http_uri; nocase; threshold: type limit, track by_src, count 1, seconds 300;
>>>> classtype:policy-violation; sid:600; rev:1;)
>>>>
>>>> It works fine, but it also matches when I visit a URL that contains the "BLOCKED SITE"
>>>> string, like this: GOODSITE/index.php?url=example.com
>>>>
>>>> How can I correct this rule?
>>>>
>>>> Thanks
>>>>
>>>> PD
>>>>
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 4 & 5 in Barcelona:
>>>> http://oisfevents.net
>>>
>>>
>>>
>>
>>



-- 
Regards,
Peter Manev
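Editor's added example (not code from the thread or from the Suricata project): a small Python model of how content, depth and isdataat:!1,relative are evaluated against Suricata's http_host buffer, run over constructed Host values so the difference between Erich's sid 600/601 and Peter's sid 666 is visible. The buffer is lowercased because Suricata normalizes http_host to lowercase (which is also why nocase is rejected on it); the stripping of a trailing :port is my modelling assumption, and the anchored subdomain rule shown as sid 602 is a hypothetical tightening of sid 601 with the same isdataat trick, not a rule from the thread.

```python
"""Model of how Suricata evaluates content / depth / isdataat:!1,relative
against the http_host buffer, for the rules discussed in the thread.
Added illustration, not Suricata code: the buffer is lowercased (Suricata
normalizes http_host, which is why nocase is not allowed on it); stripping
a trailing :port is an assumption about the buffer made for this model."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HostRule:
    sid: int
    content: str                 # literal for content:"..."; http_host;
    depth: Optional[int] = None  # depth:N -> match must end within the first N bytes
    end_anchor: bool = False     # isdataat:!1,relative -> no byte may follow the match


# Rules from the thread (sid 600/601 by Erich, sid 666 by Peter).
SID600 = HostRule(600, "example.com", depth=11)
SID601 = HostRule(601, ".example.com")
SID666 = HostRule(666, "example.com", depth=11, end_anchor=True)
# Hypothetical tightening of sid 601 with the same isdataat trick (sid chosen here).
SID602 = HostRule(602, ".example.com", end_anchor=True)
RULES = (SID600, SID601, SID666, SID602)


def normalize_host(host: str) -> str:
    """Approximate the http_host buffer: lowercase, surrounding whitespace
    removed, trailing :port removed (bracketed IPv6 literals left alone)."""
    h = host.strip().lower()
    head, sep, tail = h.rpartition(":")
    if sep and tail.isdigit() and not h.startswith("["):
        h = head
    return h


def rule_matches(rule: HostRule, host: str) -> bool:
    """Evaluate one rule's http_host content against a Host value."""
    buf = normalize_host(host)
    start = 0
    while True:
        idx = buf.find(rule.content, start)
        if idx < 0:
            return False
        end = idx + len(rule.content)
        # depth: the pattern must lie entirely within the first `depth` bytes;
        # any later occurrence ends even later, so there is nothing more to try.
        if rule.depth is not None and end > rule.depth:
            return False
        # isdataat:!1,relative: the match must end exactly at the buffer end.
        if not rule.end_anchor or end == len(buf):
            return True
        start = idx + 1


def matched_sids(host: str) -> List[int]:
    """All sids from RULES that fire on the given Host value."""
    return [r.sid for r in RULES if rule_matches(r, host)]


def rule_text(rule: HostRule) -> str:
    """Render the rule in the thread's form (msg/threshold/classtype omitted)."""
    opts = ['content:"GET"', "http_method", f'content:"{rule.content}"', "http_host"]
    if rule.depth is not None:
        opts.append(f"depth:{rule.depth}")
    if rule.end_anchor:
        opts.append("isdataat:!1,relative")
    opts.append(f"sid:{rule.sid}")
    opts.append("rev:1")
    return "alert http $HOME_NET any -> $EXTERNAL_NET any (" + "; ".join(opts) + ";)"


# Constructed Host values covering the cases raised in the thread.
SAMPLE_HOSTS = (
    "example.com",
    "EXAMPLE.COM:8080",
    "www.example.com",
    "BLABLABLAexample.com",
    "example.commerce.org",      # depth alone does not stop this one (sid 600 fires)
    "www.example.com.evil.net",  # unanchored ".example.com" does not stop this one (sid 601 fires)
)

if __name__ == "__main__":
    for r in RULES:
        print(rule_text(r))
    for h in SAMPLE_HOSTS:
        print(f"{h:28} -> {matched_sids(h)}")
```

Running it shows that sid 600 still fires on example.commerce.org (depth only bounds where the match may end, not what follows it), that sid 666 fires only on the bare domain, and that the unanchored ".example.com" of sid 601 also fires on www.example.com.evil.net, which the isdataat-anchored variant does not.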


