[Oisf-users] [suricata]About rules question

Travis Green travis at travisgreen.net
Tue Apr 10 14:21:15 UTC 2018


Hi there, you likely want to do this:

content:"SRCHD=AF=NOFORM"; http_cookie; content:"SRCHD=AF=NOFORM";
http_client_body;

On Mon, Apr 9, 2018 at 7:50 PM, 7ym0n <hackking at 126.com> wrote:

> Hi:
>      thanks @Jason Williams for the detailed answer.
>
>     I know to add the classtype 'test' to classifications.config,
>     but why can't a feature specify multiple detection items?
>     e.g.:
> ======
>     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
> q=0.8
>     Accept-Encoding: gzip, deflate, br
>     Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-
> HK;q=0.5,en-US;q=0.3,en;q=0.2
>     Connection: keep-alive
>     Content-Length: 355
>     Content-Type: text/plain;charset=UTF-8
>     Cookie: SRCHD=AF=NOFORM;
>
>     id=1&page=2&c=SRCHD=AF=NOFORM
> ======
>     content:"SRCHD=AF=NOFORM"; "http_cookie; http_client_body;"
>
>
>
> On 2018-04-10 at 01:58, "Jason Williams" <jwilliams at emergingthreats.net> wrote:
>
>
> Hello,
>
> You can match anywhere in the content you want; if you want to match
> things at the end of the buffer, say something like
>
> content:"105,110,105))"; http_uri; isdataat:!1,relative;
>
>
> Or if you are using Suricata 4.1beta you can do
>
> content:"105,110,105))"; endswith;
>
>
> For your rule:
>
> alert http any any -> any any (msg:"---(1)-test union select";
> content:"load_file"; http_uri; http_client_body; nocase; classtype:test;
> sid:203456189; rev:1;)
>
>
> You have an error here --> "http_uri; http_client_body;" - you must
> specify contents one per buffer.
>
> You would also need to add classtype of 'test' to classifications.config
> or your rule will error.
>
> This should work (but will probably give false positives and may not be
> very efficient):
>
> alert http any any -> any any (msg:"---(1)-test union select";
> content:"load_file"; http_uri; nocase; sid:203456189; rev:1;)
>
>
> Thanks,
>
> Jason
>
>
> On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <hackking at 126.com> wrote:
>
>> Hi all:
>>     When I was using Suricata, I encountered the following problems.
>> Searching Google and Bing didn't find a solution. How can I solve them?
>>     1. How do I start a match from the reciprocal N bytes of a payload or
>> buffer?
>>     e.g:
>>         http://localhost/?id=1&page=-1 <http://localhost/?id=1&test=-1>
>> union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105)
>> )
>>
>>     The match starts at the end of the uri:"116,46,105,110,105"
>>
>>     2. cannot specify multiple HTTP keywords in the content?
>>     e.g:
>>     alert http any any -> any any (msg:"---(1)-test union
>> select";content:"load_file";http_uri;http_client_body;nocase
>> ;classtype:test;sid:203456189;rev:1;)
>>     it doesn't work!
>>
>>     I need to check whether related features are present in multiple HTTP
>> fields; how do I express that in a rule?
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>



-- 
PGP: ABE625E6
keybase.io/travisbgreen
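As an added illustration (not code from the thread or from Suricata), a small Python model of the two points made above: each `content` is bound to exactly one buffer, and `endswith` or `isdataat:!1,relative` anchors a match to the end of that buffer. The request bytes, the buffer extraction and the rule grammar are simplified stand-ins for Suricata's own, constructed from the values quoted in the thread.

```python
BUFFERS, MODIFIERS = {"http_uri", "http_cookie", "http_client_body"}, {"nocase", "endswith"}

def http_buffers(raw: bytes) -> dict:
    """Split a raw request into the sticky buffers the rule keywords refer to."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(b":") for h in header_lines)}
    return {"http_uri": request_line.split(b" ")[1], "http_client_body": body,
            "http_cookie": headers.get(b"cookie", b""), "payload": raw}

def parse_contents(options: str) -> list:
    """Turn a rule's option list into (pattern, buffer, modifiers) tuples. A second
    buffer keyword after one content is rejected: the 'http_uri; http_client_body;' error."""
    contents = []
    for tok in (t.strip() for t in options.split(";") if t.strip()):
        if tok.startswith("content:"):
            contents.append([tok[len("content:"):].strip('"').encode(), None, set()])
        elif tok in BUFFERS:
            if contents[-1][1] is not None:
                raise ValueError(f"{contents[-1][0]!r} is already bound to {contents[-1][1]}")
            contents[-1][1] = tok
        elif tok in MODIFIERS or tok == "isdataat:!1,relative":
            contents[-1][2].add("endswith" if tok.startswith("isdataat") else tok)
        # msg, sid, rev, classtype and the like do not take part in matching here
    return [(p, b or "payload", m) for p, b, m in contents]

def is_valid_rule(options: str) -> bool:
    try:
        parse_contents(options)
        return True
    except (ValueError, IndexError):
        return False

def rule_matches(options: str, raw: bytes) -> bool:
    bufs = http_buffers(raw)
    for pattern, buf, mods in parse_contents(options):
        hay = bufs[buf]
        if "nocase" in mods:
            hay, pattern = hay.lower(), pattern.lower()
        # endswith (Suricata 4.1) and isdataat:!1,relative both demand that nothing follows the match
        ok = hay.endswith(pattern) if "endswith" in mods else pattern in hay
        if not ok:
            return False
    return True

# Constructed request assembled from the values quoted in the thread (not a real capture).
REQUEST = (b"POST /?id=1&page=-1+union+select+1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105)) HTTP/1.1\r\n"
           b"Host: localhost\r\nCookie: SRCHD=AF=NOFORM;\r\nContent-Type: text/plain;charset=UTF-8\r\n"
           b"Content-Length: 29\r\n\r\nid=1&page=2&c=SRCHD=AF=NOFORM")
```

Running `rule_matches` with the two-content form Travis gives returns True for this request, while the single-content form with two buffer keywords is rejected by `is_valid_rule`.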