[Oisf-users] question about http_uri and file_data

Erich Lerch erich.lerch at gmail.com
Thu Jan 26 20:28:44 UTC 2017


Erik,

Your rule would have to be split in two, something like this:

# part 1, client --> server, noalert
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"packer";
flow:to_server,established; content:"menu|2e|js"; http_uri;
flowbits:set,packerbit; flowbits:noalert; sid:1;rev:1;)

# part 2, server --> client
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"packer";
flow:from_server,established; flowbits:isset,packerbit; file_data;
content:"eval(function(p,a,c,k,e,d)"; sid:2;rev:1;)


Cheers,
erich


On 26.01.2017 17:52, erik clark wrote:
> I have a pcap I am trying to get a signature to fire off of. Here is the
> sig:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"packer";
> content:"menu|2e|js"; http_uri; file_data;
> content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; sid:1; rev:7;)
> 
> I can't provide a pcap, but this is a standard Dean Edwards packer menu
> JavaScript.
> 
> The problem I have is:
> 
> The http_uri hit comes from local to remote (this is a GET request).
> The file_data hit comes from remote to local.
> 
> Is there any way to get one rule to fire off this? Maybe with flowbits?
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
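The split-rule approach in Erich's reply, modelled as an added Python example that is not part of the thread: a small per-flow flowbit tracker runs the two rules over constructed request/response messages, so you can see that sid:1 only records state (no alert) and that sid:2 fires only on a flow whose own request matched the menu.js URI. The Flow/HttpMsg classes, addresses and message contents are made up for the demonstration.

```python
from dataclasses import dataclass

# Constructed stand-in for Suricata's per-flow state and the two rules above.
URI_PATTERN = b"menu.js"                        # rule 1: content:"menu|2e|js"; http_uri;
BODY_PATTERN = b"eval(function(p,a,c,k,e,d)"    # rule 2: content:"..."; file_data;

@dataclass(frozen=True)
class Flow:
    """Client/server endpoints of one TCP flow; flowbits are scoped to this."""
    client: str
    server: str
    sport: int
    dport: int

@dataclass
class HttpMsg:
    flow: Flow
    to_server: bool          # True = request (flow:to_server), False = response
    http_uri: bytes = b""    # normalized URI buffer (requests only)
    file_data: bytes = b""   # response body buffer (responses only)

def run_rules(msgs):
    """Apply the rule pair in arrival order; return [(sid, flow), ...] alerts."""
    flowbits = {}            # flow -> set of bit names, like Suricata's flow state
    alerts = []
    for m in msgs:
        bits = flowbits.setdefault(m.flow, set())
        # sid:1 -- flow:to_server; http_uri match; flowbits:set,packerbit; flowbits:noalert;
        if m.to_server and URI_PATTERN in m.http_uri:
            bits.add("packerbit")            # state only, nothing is alerted here
        # sid:2 -- flow:from_server; flowbits:isset,packerbit; file_data match -> alert
        if not m.to_server and "packerbit" in bits and BODY_PATTERN in m.file_data:
            alerts.append((2, m.flow))
    return alerts

# Constructed traffic: one true positive and two flows that must stay silent.
A = Flow("10.0.0.5", "203.0.113.7", 51000, 80)   # menu.js request + packed body
B = Flow("10.0.0.5", "203.0.113.7", 51001, 80)   # packed body, but unrelated URI
C = Flow("10.0.0.9", "203.0.113.7", 51002, 80)   # menu.js request, plain body
SAMPLE = [
    HttpMsg(A, True, http_uri=b"/static/menu.js"),
    HttpMsg(B, True, http_uri=b"/index.html"),
    HttpMsg(C, True, http_uri=b"/js/menu.js"),
    HttpMsg(A, False, file_data=b"eval(function(p,a,c,k,e,d){e=function(c)..."),
    HttpMsg(B, False, file_data=b"eval(function(p,a,c,k,e,d){e=function(c)..."),
    HttpMsg(C, False, file_data=b"function menu(){ return 1; }"),
]

def demo():
    return run_rules(SAMPLE)   # alerts only for flow A
```

Because the bit lives on the flow, the packed body on flow B (requested as /index.html) does not alert even though it came from the same server, which is the behaviour the real flowbits:isset check gives you.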
