[Oisf-users] negative content match
David Wharton
oisf at davidwharton.us
Thu Dec 7 15:12:41 UTC 2017
First, if you are looking to create a pcap and test it against Suricata,
let me humbly suggest trying out Dalton --
https://github.com/secureworks/dalton. If you just want to craft the
pcap you can use Flowsynth (https://github.com/secureworks/flowsynth/)
but Dalton includes a Wizard/GUI for Flowsynth that makes it quite easy
to create and test the pcap against a custom rule (or other ruleset).
Second, if you want to make sure the HTTP Host header ends with
"paypal.com", you should do a negated isdataat and use '1' instead of
'0'; for the relative isdataat keyword, there is a difference between
how Snort and Suricata handle it (see
http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#isdataat-keyword).
So do it like this:
content:"paypal.com <http://paypal.com>"; http_host; isdataat!:1,relative
Finally, to answer your question ... a relative isdataat after a negated
content match doesn't really make sense; it will apply to the previous
(non-negated) content match instead (or beginning of inspection buffer
if no previous content matches).
What exactly are you trying to do here?
Also, be aware of this issue -- "Negated http_* match returns false if
buffer not populated"
(https://redmine.openinfosecfoundation.org/issues/2224).
Hope this helps,
-David Wharton
On 12/07/2017 08:31 AM, erik clark wrote:
> So, I have a rule that has the following stub:
>
>
> content:"paypal.com <http://paypal.com>";http_host;isdataat:0,relative
>
> This checks to confirm the host IS somethingsomething.paypal.com
> <http://somethingsomething.paypal.com>, and always ends in paypal.com
> <http://paypal.com>.
>
> My question is, and this is conjecture because I am having a hard time
> procuring the right pcap, will negating the content make this fire on
> anything that does NOT end in paypal.com <http://paypal.com>? Like so:
>
> content:!"paypal.com <http://paypal.com>";http_host;isdataat:0,relative
>
> Thanks!
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171207/4fe0bb31/attachment-0002.html>
More information about the Oisf-users
mailing list