[Oisf-users] [suricata]About rules question

7ym0n hackking at 126.com
Tue Apr 10 01:50:08 UTC 2018 

Hi:
     thanks! @Jason Williams A detailed answer.
    
    I known add classtype of 'test' to classifications.config,
    but, Why can't a feature specify multiple detection items?
    e.g:
======
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Connection: keep-alive
    Content-Length: 355
    Content-Type: text/plain;charset=UTF-8
    Cookie: SRCHD=AF=NOFORM;

    id=1&page=2&c=SRCHD=AF=NOFORM
======
    content:"SRCHD=AF=NOFORM"; "http_cookie; http_client_body;"






在2018年04月10 01时58分, "Jason Williams"<jwilliams at emergingthreats.net>写道:


Hello,


You can match anywhere in the content you want, if you want to match things at the end of the buffer say something like 


content:"105,110,105))"; http_uri; isdataat:!1,relative; 


Or if you are using Suricata 4.1beta you can do 


content:"105,110,105))"; endswith; 


For your rule:


alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; http_client_body; nocase; classtype:test; sid:203456189; rev:1;) 


You have an error here --> "http_uri; http_client_body;" - you must specify contents one per buffer.


You would also need to add classtype of 'test' to classifications.config or your rule will error. 


This should work (but will probably give false positives and may not be very efficient):


alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; nocase; sid:203456189; rev:1;) 

Thanks,


Jason




On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <hackking at 126.com> wrote:

HI all:
    When I was using suricata, I encountered the following problems. Using Google,bing didn't find a solution, How can solve this problem??
    1.How do I start a match from the reciprocal N bytes of a payload or buffer?
    e.g:
        http://localhost/?id=1&page=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
    

    The match starts at the end of the uri:"116,46,105,110,105"


    2. cannot specify multiple HTTP keywords in the content?
    e.g:
    alert http any any -> any any (msg:"---(1)-test union select";content:"load_file";http_uri;http_client_body;nocase;classtype:test;sid:203456189;rev:1;)   
    it's not work!

    need to check whether there are related features in multiple fields in HTTP, and how to present them in a rule?





 





 


_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180410/350b0d15/attachment-0001.html>

More information about the Oisf-users mailing list