[Oisf-users] Oisf-users Digest, Vol 97, Issue 8

erik clark philosnef at gmail.com
Thu Dec 7 17:54:23 UTC 2017


Victor, yes, I am doing !isdataat,0

The point is to look for ANY http_host that does not end in paypal.com.

So, 'content:"pattern"; isdataat:!1,relative;' finds me only things that
end in paypal.com. Great. But that is the opposite of what I want, which is
anything that does not end in paypal.com.

We have ssl breakout, and our signatures fire erroneously for known good
domains (because they fit the phish templates). Since I know all the
http_hosts that are actually clean, I want to do a negative content match
against isdataat:!0,relative (!1 doesn't seem to match http_host properly
for some reason).

That is why I want the double negate.



Date: Thu, 7 Dec 2017 16:06:44 +0100
From: Victor Julien <lists at inliniac.net>
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] negative content match
Message-ID: <c5ba4cf6-59c1-d64e-7280-723d14698755 at inliniac.net>
Content-Type: text/plain; charset=utf-8

On 07-12-17 14:31, erik clark wrote:
> So, I have a rule that has the following stub:
>
>
> content:"paypal.com";http_host;isdataat:0,relative
>
> This checks to confirm the host IS somethingsomething.paypal.com, and
> always ends in paypal.com.
>
> My question is, and this is conjecture because I am having a hard time
> procuring the right pcap, will negating the content make this fire on
> anything that does NOT end in paypal.com? Like so:
>
> content:!"paypal.com";http_host;isdataat:0,relative

To check 'pattern' is the end of the buffer, use

'content:"pattern"; isdataat:!1,relative;'

To check that there is data after 'pattern', use

'content:"pattern"; isdataat:1,relative;'

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

On Thu, Dec 7, 2017 at 12:00 PM, <
oisf-users-request at lists.openinfosecfoundation.org> wrote:

> Today's Topics:
>
>    1. Re: negative content match (Victor Julien)
>    2. Re: negative content match (David Wharton)
>    3. unix_dgram unix_stream file options (Jesse Cloutier)
>
>
> ----------------------------------------------------------------------
>
> Message: 2
> Date: Thu, 7 Dec 2017 10:12:41 -0500
> From: David Wharton <oisf at davidwharton.us>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] negative content match
> Message-ID: <a7bebdb1-334d-80a3-8e28-81126ddcb369 at davidwharton.us>
> Content-Type: text/plain; charset="utf-8"
>
> First, if you are looking to create a pcap and test it against Suricata,
> let me humbly suggest trying out Dalton --
> https://github.com/secureworks/dalton.  If you just want to craft the
> pcap you can use Flowsynth (https://github.com/secureworks/flowsynth/)
> but Dalton includes a Wizard/GUI for Flowsynth that makes it quite easy
> to create and test the pcap against a custom rule (or other ruleset).
>
> Second, if you want to make sure the HTTP Host header ends with
> "paypal.com", you should do a negated isdataat and use '1' instead of
> '0'; for the relative isdataat keyword, there is a difference between
> how Snort and Suricata handle it (see
> http://suricata.readthedocs.io/en/latest/rules/
> differences-from-snort.html#isdataat-keyword).
> So do it like this:
>
> content:"paypal.com"; http_host; isdataat:!1,relative;
>
> Finally, to answer your question ... a relative isdataat after a negated
> content match doesn't really make sense; it will apply to the previous
> (non-negated) content match instead (or beginning of inspection buffer
> if no previous content matches).
>
> What exactly are you trying to do here?
>
> Also, be aware of this issue -- "Negated http_* match returns false if
> buffer not populated"
> (https://redmine.openinfosecfoundation.org/issues/2224).
>
> Hope this helps,
>
> -David Wharton
>
> On 12/07/2017 08:31 AM, erik clark wrote:
> > So, I have a rule that has the following stub:
> >
> >
> > content:"paypal.com";http_host;isdataat:0,relative
> >
> > This checks to confirm the host IS somethingsomething.paypal.com, and
> > always ends in paypal.com.
> >
> > My question is, and this is conjecture because I am having a hard time
> > procuring the right pcap, will negating the content make this fire on
> > anything that does NOT end in paypal.com? Like so:
> >
> > content:!"paypal.com";http_host;isdataat:0,relative
> >
> > Thanks!
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/
> support/
> > List: https://lists.openinfosecfoundation.org/
> mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 7 Dec 2017 10:18:57 -0500
> From: Jesse Cloutier <cloutier.jesse at gmail.com>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] unix_dgram unix_stream file options
> Message-ID: <92eecc8a-237d-abfc-ab37-4b38fb1a23a1 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Hello Everyone,
>
> I was hoping someone could point me to some documentation as to how
> unix_dgram and unix_stream filetypes work. If enabled am I supposed to
> put the IP:PORT as a filename?
>
> Thanks
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at lists.openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
> ------------------------------
>
> End of Oisf-users Digest, Vol 97, Issue 8
> *****************************************
>
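Added example, not part of the thread and not Suricata's own code: a small Python emulation of how a chain of content and isdataat keywords is evaluated against the http_host buffer. It encodes the Suricata-vs-Snort relative offset rule from the docs link David gives (relative isdataat succeeds in Suricata when offset <= buffer size, in Snort when offset < buffer size), his point that a negated content match does not move the cursor for a following relative keyword, and the redmine 2224 behaviour that a negated http_* match is false when the buffer is absent. The Host values are constructed test data, the helper names (evaluate, ends_in_paypal, negated_attempt_alerts, does_not_end_in_paypal) are mine, and the backtracking over later content occurrences is my simplification of what the engine does.

```python
"""Emulate Suricata/Snort evaluation of content + isdataat on the http_host
buffer.  Illustrative only: not Suricata's detection engine."""
import re
from typing import List, Optional

# Constructed sample Host header values (not taken from the original thread).
HOSTS = [
    b"www.paypal.com",                   # legitimate: ends in paypal.com
    b"paypal.com",                       # legitimate apex
    b"paypal.com.login-secure.example",  # phish style: contains but does not end in
    b"paypal.com-verify.example",        # phish style: contains but does not end in
    b"secure-paypal.example",            # does not contain "paypal.com" at all
    b"www.paypal.com.paypal.com",        # two occurrences; ends in paypal.com
]

def content(pattern: str, negated: bool = False) -> dict:
    return {"kw": "content", "pattern": pattern.encode(), "negated": negated}

def isdataat(n: int, relative: bool = False, negated: bool = False) -> dict:
    return {"kw": "isdataat", "n": n, "relative": relative, "negated": negated}

def evaluate(rule: List[dict], buf: Optional[bytes], engine: str = "suricata") -> bool:
    """True if every keyword matches.  buf=None models a request with no Host
    header.  A positive content keyword backtracks over later occurrences when
    a following relative keyword fails; a negated content keyword does not move
    the cursor, so a relative isdataat after it anchors at the previous positive
    match or at the start of the buffer."""
    if buf is None:
        # https://redmine.openinfosecfoundation.org/issues/2224: a negated
        # http_* match returns false when the buffer is not populated; a
        # positive match cannot succeed on an absent buffer either.
        return False

    def step(i: int, cursor: int) -> bool:
        if i == len(rule):
            return True
        kw = rule[i]
        if kw["kw"] == "content":
            pat = kw["pattern"]
            if kw["negated"]:
                return pat not in buf and step(i + 1, cursor)
            start = 0
            while (idx := buf.find(pat, start)) != -1:
                if step(i + 1, idx + len(pat)):
                    return True
                start = idx + 1          # try the next occurrence
            return False
        if kw["kw"] == "isdataat":
            base = cursor if kw["relative"] else 0
            if engine == "suricata" and kw["relative"]:
                ok = base + kw["n"] <= len(buf)   # Suricata: relative offset <= size
            else:
                ok = base + kw["n"] < len(buf)    # Snort, and absolute checks in both
            if kw["negated"]:
                ok = not ok
            return ok and step(i + 1, cursor)
        raise ValueError(f"unsupported keyword {kw['kw']!r}")

    return step(0, 0)

# Victor's "pattern is the end of the buffer" idiom, Suricata spelling.
ENDS_IN_PAYPAL = [content("paypal.com"), isdataat(1, relative=True, negated=True)]
# The same check in Snort spelling.
ENDS_IN_PAYPAL_SNORT = [content("paypal.com"), isdataat(0, relative=True, negated=True)]
# The negated-content variant from the original question.
NEGATED_ATTEMPT = [content("paypal.com", negated=True), isdataat(0, relative=True)]

def ends_in_paypal(host: Optional[bytes], engine: str = "suricata") -> bool:
    rule = ENDS_IN_PAYPAL if engine == "suricata" else ENDS_IN_PAYPAL_SNORT
    return evaluate(rule, host, engine)

def negated_attempt_alerts(host: Optional[bytes]) -> bool:
    """What content:!"paypal.com"; isdataat:0,relative actually tests: the
    string is absent anywhere in the host, so a phish host that merely
    contains paypal.com never alerts."""
    return evaluate(NEGATED_ATTEMPT, host)

def does_not_end_in_paypal(host: Optional[bytes]) -> bool:
    """The condition the question is after: Host present and NOT ending in
    paypal.com.  There is no "not (content and isdataat)" in the rule
    language; the single-keyword equivalent is a negated, end-anchored regex."""
    return host is not None and re.search(rb"paypal\.com$", host) is None

if __name__ == "__main__":
    print(f"{'host':34} ends_in  negated_attempt  wanted")
    for h in HOSTS + [None]:
        name = h.decode() if h else "<no Host header>"
        print(f"{name:34} {ends_in_paypal(h)!s:8} "
              f"{negated_attempt_alerts(h)!s:15}  {does_not_end_in_paypal(h)}")
```

Running it shows the gap: paypal.com.login-secure.example is flagged by does_not_end_in_paypal but never by the negated content chain, because the negation applies to "contains", not to "ends in". In Suricata the regex form corresponds to a negated pcre on the host buffer, something like pcre:!"/paypal\.com$/W"; that spelling is my suggestion rather than anything from the thread, so check it against the pcre modifier table for your Suricata version, and remember from the redmine issue above that a negated keyword still will not fire when the request carries no Host header.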