[Oisf-users] Detecting Unicode/UTF html

Clark Kent ctyk3322 at gmail.com
Tue Feb 21 13:24:15 UTC 2017


I could do that, but that would mean I need to create two sets of
signatures. I also forgot to mention that the same signature would be used to
search for content in the file attachment of the email too, which is why I am
using the file_data modifier to search in the base64-encoded attachments.
In Snort, it searches both the HTML body and the attachment without having to
use the "=".

On Mon, Feb 20, 2017 at 4:07 PM, Andreas Herz <andi at geekosphere.org> wrote:

> On 20/02/17 at 08:45, Clark Kent wrote:
> > I am having an issue with detecting Unicode/UTF characters in HTML
> > formatted email. So for example, let's say I want to detect "This is
> > awesome" in Traditional Chinese ("這太棒了"). The signature would be written
> > basically with content:"|E9 80 99 E5 A4 AA E6 A3 92 E4 BA 86|". As far as I know I
> > can't supply a content match in Unicode/UTF. Instead I have to convert
> > those characters into hex so that Suricata can understand what I am
> > looking for.
> >
> > If the email is HTML format, the hex bytes will have = between the bytes
> > (i.e. "E9=80=99=E5=A4=AA=E6=A3=92=E4=BA=86="). This causes the signature
> > to not alert in Suricata. However, in Snort, if you supply the file_data
> > modifier in the signature, it will drop the = and trigger the alert
> > correctly because it matches the signature. This also might be the case
> > for HTML format web pages, but I haven't confirmed. I assume that it is
> > probably the same case too.
> >
> > Any thoughts if there is a solution in Suricata?
>
> You could include the hex value for "=" as well?
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
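The "=" between the bytes is quoted-printable transfer encoding (RFC 2045): each non-ASCII byte of the UTF-8 text is sent as the three ASCII characters "=XX", so a content match on the raw bytes E9 80 99 ... can never hit the wire body. The script below is an added example written for this thread; it is not from the thread and not Suricata or Snort code, and the function names (`utf8_hex_content`, `qp_aware_content`, `qp_html_body`, `decode_qp`) are my own. It builds the raw-bytes pattern from the thread, the "=" aware pattern Andreas suggests, a constructed quoted-printable HTML body, and checks which pattern hits with and without decoding. It also goes beyond the four-character phrase to show the failure mode for longer text: quoted-printable inserts soft line breaks ("=" followed by a newline) once a line would exceed 76 characters, which splits even the "=" aware pattern.

```python
"""Added example (not from the thread, nor Suricata/Snort code): why a raw
UTF-8 hex content match misses a quoted-printable HTML body, what the
'=' aware pattern looks like, and where that pattern breaks too.
Function names are my own; the phrase is the one from the thread."""
import quopri

PHRASE = "這太棒了"  # "This is awesome" in Traditional Chinese, from the thread


def utf8_hex_content(text: str) -> str:
    """Suricata/Snort-style |..| content for the raw UTF-8 bytes of text."""
    return "|" + " ".join(f"{b:02X}" for b in text.encode("utf-8")) + "|"


def qp_aware_content(text: str) -> str:
    """|..| content for the quoted-printable spelling of text.

    On the wire each byte appears as the three ASCII characters '=XX'
    (RFC 2045 mandates uppercase hex digits), so the pattern must carry
    the '=' (0x3D) and the ASCII codes of the hex digits, not the bytes.
    """
    qp_ascii = "".join(f"={b:02X}" for b in text.encode("utf-8"))
    return "|" + " ".join(f"{ord(c):02X}" for c in qp_ascii) + "|"


def content_to_bytes(content: str) -> bytes:
    """Turn a |..| hex content string into the bytes an engine compares."""
    return bytes.fromhex(content.strip("|").replace(" ", ""))


def matches(content: str, body: bytes) -> bool:
    """Plain substring search: a content match with no normalisation."""
    return content_to_bytes(content) in body


def decode_qp(body: bytes) -> bytes:
    """Quoted-printable decode: the normalisation that makes the raw
    UTF-8 pattern usable again (drops the '=', reassembles the bytes
    and joins soft line breaks)."""
    return quopri.decodestring(body)


def qp_html_body(text: str) -> bytes:
    """Constructed text/html MIME-part body, quoted-printable encoded the
    way a mail client would send it. quopri inserts RFC 2045 soft line
    breaks ('=' + newline) once a line would exceed 76 characters."""
    html = f"<html><body><p>{text}</p></body></html>"
    return quopri.encodestring(html.encode("utf-8"))


if __name__ == "__main__":
    body = qp_html_body(PHRASE)
    print(body.decode("ascii"))
    print("raw UTF-8 hex, wire body    ->",
          matches(utf8_hex_content(PHRASE), body))
    print("'=' aware hex, wire body    ->",
          matches(qp_aware_content(PHRASE), body))
    print("raw UTF-8 hex, decoded body ->",
          matches(utf8_hex_content(PHRASE), decode_qp(body)))
    # Caveat: a long non-ASCII run gets a soft line break in the middle,
    # so the '=' aware pattern fails against the wire body as well.
    long_phrase = PHRASE * 8
    long_body = qp_html_body(long_phrase)
    print("long '=' aware, wire body   ->",
          matches(qp_aware_content(long_phrase), long_body))
    print("long raw hex, decoded body  ->",
          matches(utf8_hex_content(long_phrase), decode_qp(long_body)))
```

Two practical points follow from the output. First, the "=" aware pattern only works for compliant encoders; RFC 2045 requires uppercase hex digits, but if you ever see lowercase, the rule needs `nocase`. Second, the soft-line-break case shows that a single "=" aware signature is not a full substitute for decoding: for phrases longer than one line can hold, only a body that has been quoted-printable decoded will match the raw UTF-8 bytes, so check what MIME decoding your Suricata deployment has enabled for SMTP (the decode-mime, decode-base64 and decode-quoted-printable settings in the smtp section of suricata.yaml) before deciding which of the two patterns the rule should carry.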