[Oisf-users] HTTP Stream rule evaluation confusion

Travis Green travis at travisgreen.net
Wed Apr 11 21:32:17 UTC 2018


Derek, I agree that those negated domains do not belong there (as though
they were negating Host: header in a client request). That seems to be an
error in that sig, which I'll fix for tomorrow's release (sid:2821014;).

Thanks!

-Travis

On Wed, Apr 11, 2018 at 2:47 PM, Wilson, Derek <Derek_Wilson at troweprice.com>
wrote:

> Hi everyone,
>
> I was wondering if you guys could shed some light on how rule evaluation
> is done on HTTP streams.
>
> Basically I’d like to know if suricata rule evaluation evaluates both the
> client request and the server response together on HTTP streams.
>
> There’s an ETPRO rule that seems to rely on a negative match in the http
> client request to filter out false positives. After looking for some safe
> domains in the header the rule jumps the pointer to file data and looks for
> a file magic and some PCRE.
>
> Example Rule:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"bad file sometimes"; flow:from_server,established; content:!"microsoft.com|0d 0a|"; http_header; file_data; content:"MSCF"; fast_pattern; within:4; pcre:"/bad stuf/R"; sid:2821014;)
>
> I suppose I could be reading this wrong and the negative matches are for
> servers that send their domain back in the HTTP Response. Or it could be
> that the stream is passing but the rule is doing per packet eval and is
> triggering on the response. I’m honestly not sure.
>
> Any help or clarification is appreciated. Please let me know if you need
> more information or if this was confusing.
>
> Thanks,
>
> Derek
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>



-- 
PGP: ABE625E6
keybase.io/travisbgreen
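The request/response split behind Derek's question and Travis's answer, as an added example that is not the ETPRO signature or anything from the thread: in a flow:from_server rule the http_header buffer holds the server's response headers, so a negated Host: match there never sees the client request. Tying the two together needs a to_server rule that sets a flowbit and a from_server rule that checks it; the sids, the msg strings and the flowbit name are placeholders I chose.

```suricata
# Added example, not the ETPRO rule. Request side: mark the flow when the client's
# Host header is on the allowlist. http_host is the normalised (lowercase) Host of
# the client request, so this rule must run in the to_server direction.
# flowbits:noalert makes it a silent marker rule. Placeholder sid and flowbit name.
# Note: content is a substring match, so "notmicrosoft.com" would also set the bit;
# anchor with a pcre on the host buffer if that matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL allowlisted host requested"; flow:to_server,established; content:"microsoft.com"; http_host; flowbits:set,local.allowlisted_host; flowbits:noalert; sid:9000001; rev:1;)

# Response side: same file-magic and PCRE check as the original, but the false-positive
# filter is now the flowbit from the request rule rather than a negated header match
# against the response headers. Placeholder sid.
# Caveat: flowbits are per flow, not per HTTP transaction, so on a keep-alive
# connection a bit set by one request stays set for later transactions on that flow.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL bad file sometimes - request not to allowlisted host"; flow:from_server,established; flowbits:isnotset,local.allowlisted_host; file_data; content:"MSCF"; fast_pattern; within:4; pcre:"/bad stuf/R"; sid:9000002; rev:1;)
```

Load both rules together: the second one is inert unless the first has had a chance to run on the request of the same flow.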