[Oisf-users] HTTP Stream rule evaluation confusion

Wilson, Derek Derek_Wilson at troweprice.com
Wed Apr 11 20:47:44 UTC 2018

Hi everyone,

I was wondering if you guys could shed some light on how rule evaluation is done on HTTP streams.

Basically I’d like to know if suricata rule evaluation evaluates both the client request and the server response together on HTTP streams.

There’s an ETPRO rule that seems to rely on a negative match in the http client request to filter out false positives. After looking for some safe domains in the header the rule jumps the pointer to file data and looks for a file magic and some PCRE.

Example Rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"bad file sometimes"; flow:from_Server,established; content:!"microsoft.com|0d 0a|"; http_header; file_data; content:"MSCF"; fast_pattern; within:4; pcre:"/bad stuf/R";

I suppose I could be reading this wrong and the negative matches are for servers that send their domain back in the HTTP Response. Or it could be that the stream is passing but the rule is doing per packet eval and is triggering on the response. I’m honestly not sure.

Any help or clarification is appreciated. Please let me know if you need more information or if this was confusing.


T. Rowe Price (including T. Rowe Price Group, Inc. and its affiliates) and its associates do not provide legal or tax advice.  Any tax-related discussion contained in this e-mail, including any attachments, is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding any tax penalties or (ii) promoting, marketing, or recommending to any other party any transaction or matter addressed herein.  Please consult your independent legal counsel and/or professional tax advisor regarding any legal or tax issues raised in this e-mail.

The contents of this e-mail and any attachments are intended solely for the use of the named addressee(s) and may contain confidential and/or privileged information. Any unauthorized use, copying, disclosure, or distribution of the contents of this e-mail is strictly prohibited by the sender and may be unlawful. If you are not the intended recipient, please notify the sender immediately and delete this e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180411/56533328/attachment.html>

More information about the Oisf-users mailing list