[Oisf-users] Need example of the http_uri with filestore
Erich Lerch
erich.lerch at gmail.com
Wed Jun 22 20:46:38 UTC 2016
Yuli
I prefer doing this making use of two rules, with flowbits.
Something like this:
# first rule matching on hostname and URI, setting the flowbit:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET request"; flow:established,to_server; content:"example.com"; http_host; content:"/file.exe"; http_uri; flowbits:set,catchexe; flowbits:noalert; sid:1; rev:1;)
# second rule checking flowbit, doing additional checks if required, and saving the file:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GET response with filestore"; flowbits:isset,catchexe; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:2; rev:1;)
That way it works reliably. There seems to be a way (according to
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/file-keywords)
to do it with a single rule; I haven't tried that one so far, though.
Cheers,
erich
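A quick consistency check for the two-rule pattern above, added here as an example and not part of the original message or of Suricata itself: the second rule only ever fires if some rule sets the flowbit it tests, and the first rule only stays quiet because of flowbits:noalert, so a small lint that parses a rule file and verifies the set/isset pairing catches the two mistakes that silently break this setup (a bit tested but never set, or a setter that alerts on every request). The two rules are copied from the message; the third rule, the catchdoc flowbit, the function names and the SAMPLE_RULES text are constructed for this example. Run the real syntax check with suricata -T -S rules.file before loading anything.

```python
"""Lint flowbits wiring in a Suricata rule file (hypothetical helper, not Suricata code)."""
import re
from collections import defaultdict

# Constructed sample: rules 1 and 2 are the ones from the message; rule 3 is a
# deliberate mistake (it tests a flowbit that nothing sets) to show what the lint flags.
SAMPLE_RULES = r'''
# first rule matching on hostname and URI, setting the flowbit:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET request"; flow:established,to_server; content:"example.com"; http_host; content:"/file.exe"; http_uri; flowbits:set,catchexe; flowbits:noalert; sid:1; rev:1;)
# second rule checking flowbit and saving the file:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GET response with filestore"; flowbits:isset,catchexe; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:2; rev:1;)
# hypothetical broken rule: catchdoc is never set anywhere
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"orphaned check"; flowbits:isset,catchdoc; flow:established,to_client; filestore; sid:3; rev:1;)
'''

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' characters that are not inside double quotes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and quoted and i + 1 < len(body):   # keep escaped char inside quotes
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Parse one rule into its header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a rule line: %r' % line)
    action, proto, src, sport, arrow, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(':')
        options.append((key.strip(), value.strip()))
    sid = next((int(v) for k, v in options if k == 'sid'), None)
    return {'action': action, 'proto': proto, 'src': src, 'dst': dst,
            'direction': arrow, 'sid': sid, 'options': options}


def parse_ruleset(text):
    """Parse all non-comment, non-empty lines of a rule file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def lint_flowbits(rules):
    """Return a list of human-readable problems with the flowbits wiring."""
    setters, checkers, issues = defaultdict(list), defaultdict(list), []
    for r in rules:
        sets_bit, noalert = False, False
        for key, value in r['options']:
            if key == 'noalert':                      # standalone noalert keyword
                noalert = True
            if key != 'flowbits':
                continue
            op, _, bit = value.partition(',')
            op, bit = op.strip(), bit.strip()
            if op == 'set':
                sets_bit = True
                setters[bit].append(r['sid'])
            elif op in ('isset', 'isnotset'):
                checkers[bit].append(r['sid'])
            elif op == 'noalert':
                noalert = True
        if sets_bit and not noalert:
            issues.append('sid %s sets a flowbit but has no flowbits:noalert; it alerts on every request' % r['sid'])
    for bit, sids in checkers.items():
        if bit not in setters:
            issues.append("flowbit '%s' is tested by sid(s) %s but never set" % (bit, sids))
    for bit, sids in setters.items():
        if bit not in checkers:
            issues.append("flowbit '%s' is set by sid(s) %s but never tested" % (bit, sids))
    return issues


if __name__ == '__main__':
    for problem in lint_flowbits(parse_ruleset(SAMPLE_RULES)):
        print(problem)
```

On the constructed sample the only finding is the orphaned catchdoc check in sid 3; the catchexe pair from the message passes, because sid 1 both sets the bit and carries flowbits:noalert and sid 2 tests it. The lint does not try to understand the | and & combinations Suricata accepts in flowbits expressions, so treat it as a first pass, not a replacement for suricata -T.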
On 22.06.2016 15:04, Yuli Stremovsky wrote:
> Hello
>
> Can anybody give a working example of the suricata rule with saving http
> response using the filestore and checking for the specific uri.
>
> Thanks
> Yuli
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net