[Oisf-users] negative content match

David Wharton oisf at davidwharton.us
Thu Dec 7 15:12:41 UTC 2017

First, if you are looking to create a pcap and test it against Suricata,
let me humbly suggest trying out Dalton --
https://github.com/secureworks/dalton.  If you just want to craft the
pcap you can use Flowsynth (https://github.com/secureworks/flowsynth/)
but Dalton includes a Wizard/GUI for Flowsynth that makes it quite easy
to create and test the pcap against a custom rule (or other ruleset).

Second, if you want to make sure the HTTP Host header ends with
"paypal.com", you should do a negated isdataat and use '1' instead of
'0'; for the relative isdataat keyword, there is a difference between
how Snort and Suricata handle it (see
So do it like this:

content:"paypal.com <http://paypal.com>"; http_host; isdataat!:1,relative

Finally, to answer your question ... a relative isdataat after a negated
content match doesn't really make sense; it will apply to the previous
(non-negated) content match instead (or beginning of inspection buffer
if no previous content matches).

What exactly are you trying to do here?

Also, be aware of this issue -- "Negated http_* match returns false if
buffer not populated"

Hope this helps,

-David Wharton

On 12/07/2017 08:31 AM, erik clark wrote:
> So, I have a rule that has the following stub:
> content:"paypal.com <http://paypal.com>";http_host;isdataat:0,relative
> This checks to confirm the host IS somethingsomething.paypal.com
> <http://somethingsomething.paypal.com>, and always ends in paypal.com
> <http://paypal.com>.
> My question is, and this is conjecture because I am having a hard time
> procuring the right pcap, will negating the content make this fire on
> anything that does NOT end in paypal.com <http://paypal.com>? Like so:
> content:!"paypal.com <http://paypal.com>";http_host;isdataat:0,relative
> Thanks!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171207/4fe0bb31/attachment-0002.html>

More information about the Oisf-users mailing list