[Oisf-users] [suricata]About rules question

Jason Williams jwilliams at emergingthreats.net
Mon Apr 9 17:58:29 UTC 2018


Hello,

You can match anywhere in the content you want, if you want to match things
at the end of the buffer say something like

content:"105,110,105))"; http_uri; isdataat:!1,relative;


Or if you are using Suricata 4.1beta you can do

content:"105,110,105))"; endswith;


For your rule:

alert http any any -> any any (msg:"---(1)-test union select";
content:"load_file"; http_uri; http_client_body; nocase; classtype:test;
sid:203456189; rev:1;)


You have an error here --> "http_uri; http_client_body;" - you must specify
contents one per buffer.

You would also need to add classtype of 'test' to classifications.config or
your rule will error.

This should work (but will probably give false positives and may not be
very efficient):

alert http any any -> any any (msg:"---(1)-test union select";
content:"load_file"; http_uri; nocase; sid:203456189; rev:1;)


Thanks,

Jason
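As an added illustration of the two errors pointed out above (this is not code from the thread or from the Suricata project): a small checker that splits a rule's options and flags a content: that carries more than one legacy HTTP buffer modifier, plus a classtype missing from classifications.config. The config excerpt, the corrected rule and its rev:2 are constructed for the example.

```python
import re

# Legacy content modifiers that bind the preceding content: to one HTTP buffer
# (Suricata 4.x keyword style, as used in the thread; the list is illustrative).
HTTP_BUFFER_MODIFIERS = {"http_uri", "http_raw_uri", "http_client_body", "http_header",
                         "http_raw_header", "http_cookie", "http_method", "http_user_agent"}

# Constructed excerpt of classifications.config (name,description,priority).
CLASSIFICATIONS_CONFIG = ("config classification: web-application-attack,Web Application Attack,1\n"
                          "config classification: attempted-recon,Attempted Information Leak,2\n")

def load_classtypes(config_text):
    """Collect the classtype names that a classifications.config defines."""
    return set(re.findall(r"^config classification:\s*([^,]+),", config_text, re.M))

def split_options(rule):
    """Split the rule's (...) part on ';' outside quotes into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    parts = [c.strip().partition(":") for c in re.findall(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+', body)]
    return [(k.strip(), v.strip() or None) for k, _, v in parts if k.strip()]

def check_rule(rule, classtypes):
    """Report contents bound to several buffers and classtypes the config lacks."""
    problems, current, buffers = [], None, []
    def flush():  # one content: may carry at most one buffer modifier
        if len(buffers) > 1:
            problems.append(f"content {current} has several buffer modifiers "
                            f"({', '.join(buffers)}); use one content per buffer")
    for key, val in split_options(rule):
        if key == "content":
            flush()
            current, buffers = val, []
        elif key in HTTP_BUFFER_MODIFIERS:
            buffers.append(key)
        elif key == "classtype" and val not in classtypes:
            problems.append(f"classtype {val} is not defined in classifications.config")
    flush()
    return problems

# The rule from the thread, then a corrected version: one buffer per content, and the
# second content anchored at the end of the URI with isdataat:!1,relative (rev:2 is made up).
BAD_RULE = ('alert http any any -> any any (msg:"---(1)-test union select"; '
            'content:"load_file"; http_uri; http_client_body; nocase; '
            'classtype:test; sid:203456189; rev:1;)')
GOOD_RULE = ('alert http any any -> any any (msg:"test union select at end of uri"; '
             'content:"load_file"; http_uri; nocase; '
             'content:"105,110,105))"; http_uri; isdataat:!1,relative; '
             'classtype:web-application-attack; sid:203456189; rev:2;)')
CLASSTYPES = load_classtypes(CLASSIFICATIONS_CONFIG)
```

Running `check_rule(BAD_RULE, CLASSTYPES)` reports both problems, while the corrected rule passes clean.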


On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <hackking at 126.com> wrote:

> Hi all:
>     When I was using Suricata, I encountered the following problems. Searching
> Google and Bing didn't find a solution. How can I solve this problem?
>     1.How do I start a match from the reciprocal N bytes of a payload or
> buffer?
>     e.g.:
>         http://localhost/?id=1&page=-1
> union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
>
>     The match starts at the end of the URI: "116,46,105,110,105"
>
>     2. Cannot specify multiple HTTP keywords in the content?
>     e.g.:
>     alert http any any -> any any (msg:"---(1)-test union
> select";content:"load_file";http_uri;http_client_body;
> nocase;classtype:test;sid:203456189;rev:1;)
>     It doesn't work!
>
>     I need to check whether there are related features in multiple fields in
> HTTP; how do I present them in a rule?