[Oisf-users] [suricata]About rules question

Travis Green travis at travisgreen.net
Thu Apr 12 15:21:36 UTC 2018


In that case you can simply not specify a buffer, or possibly make 2 rules
if performance is a concern.

On Thu, Apr 12, 2018 at 8:45 AM, 7ym0n <hackking at 126.com> wrote:

> Sorry, I didn't express that clearly.
> What I want to say is that *http_cookie* or *http_client_body* contains
> *SRCHD=AF=NOFORM*.
>
>
> On 2018-04-10 22:21, "Travis Green"<travis at travisgreen.net> wrote:
>
>
> Hi there, you likely want to do this:
>
> content:"SRCHD=AF=NOFORM"; http_cookie; content:"SRCHD=AF=NOFORM";
> http_client_body;
>
> On Mon, Apr 9, 2018 at 7:50 PM, 7ym0n <hackking at 126.com> wrote:
>
>> Hi:
>>      Thanks, @Jason Williams, for the detailed answer.
>>
>>     I know to add a classtype of 'test' to classifications.config,
>>     but why can't one pattern specify multiple detection items?
>>     e.g:
>> ======
>>     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>     Accept-Encoding: gzip, deflate, br
>>     Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
>>     Connection: keep-alive
>>     Content-Length: 355
>>     Content-Type: text/plain;charset=UTF-8
>>     Cookie: SRCHD=AF=NOFORM;
>>
>>     id=1&page=2&c=SRCHD=AF=NOFORM
>> ======
>>     content:"SRCHD=AF=NOFORM"; "http_cookie; http_client_body;"
>>
>>
>>
>> On 2018-04-10 01:58, "Jason Williams"<jwilliams at emergingthreats.net> wrote:
>>
>>
>> Hello,
>>
>> You can match anywhere in the content you want, if you want to match
>> things at the end of the buffer say something like
>>
>> content:"105,110,105))"; http_uri; isdataat:!1,relative;
>>
>>
>> Or if you are using Suricata 4.1beta you can do
>>
>> content:"105,110,105))"; endswith;
>>
>>
>> For your rule:
>>
>> alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; http_client_body; nocase; classtype:test; sid:203456189; rev:1;)
>>
>>
>> You have an error here --> "http_uri; http_client_body;" - you must
>> specify contents one per buffer.
>>
>> You would also need to add classtype of 'test' to classifications.config
>> or your rule will error.
>>
>> This should work (but will probably give false positives and may not be
>> very efficient):
>>
>> alert http any any -> any any (msg:"---(1)-test union select";
>> content:"load_file"; http_uri; nocase; sid:203456189; rev:1;)
>>
>>
>> Thanks,
>>
>> Jason
>>
>>
>> On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <hackking at 126.com> wrote:
>>
>>> HI all:
>>>     When I was using Suricata, I encountered the following problems.
>>> Searching Google and Bing didn't find a solution. How can I solve them?
>>>     1. How do I start a match from the last N bytes of a payload or
>>> buffer?
>>>     e.g:
>>>         http://localhost/?id=1&page=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
>>>
>>>     The match starts at the end of the URI: "116,46,105,110,105"
>>>
>>>     2. Can't I specify multiple HTTP keywords for one content?
>>>     e.g:
>>>     alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; http_uri; http_client_body; nocase; classtype:test; sid:203456189; rev:1;)
>>>     It doesn't work!
>>>
>>>     I need to check whether related patterns appear in multiple HTTP
>>> fields. How do I express that in one rule?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>>
>>
>>
>>
>>
>>
>>
>
>
>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
>
>
>
>
>



-- 
PGP: ABE625E6
keybase.io/travisbgreen
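The rule forms discussed in this thread, written out as an added example (not posted by anyone in the thread). The sids 9000001 through 9000006 and the msg strings are placeholders chosen here; the content strings, buffers and end-of-buffer keywords are the ones named in the messages above. The legacy `http_*` content modifiers are used, as in the thread, and the `endswith` rule needs Suricata 4.1 or later.

```suricata
# Added example; sids are placeholders, not from any published ruleset.

# (1) AND: two contents, one buffer modifier each (Jason's point). This only
#     fires when the string appears in BOTH the Cookie header and the body.
alert http any any -> any any (msg:"SRCHD=AF=NOFORM in cookie AND body"; flow:established,to_server; content:"SRCHD=AF=NOFORM"; http_cookie; content:"SRCHD=AF=NOFORM"; http_client_body; sid:9000001; rev:1;)

# (2) OR via two rules (Travis's "make 2 rules"): each rule inspects one
#     buffer, so the fast-pattern stays buffer-specific and cheap.
alert http any any -> any any (msg:"SRCHD=AF=NOFORM in cookie"; flow:established,to_server; content:"SRCHD=AF=NOFORM"; http_cookie; sid:9000002; rev:1;)
alert http any any -> any any (msg:"SRCHD=AF=NOFORM in client body"; flow:established,to_server; content:"SRCHD=AF=NOFORM"; http_client_body; sid:9000003; rev:1;)

# (3) OR via no buffer (Travis's "simply not specify a buffer"): the content is
#     checked against the raw request payload, which covers headers, cookie and
#     body in a single rule but is not normalized and inspects more bytes.
alert http any any -> any any (msg:"SRCHD=AF=NOFORM anywhere in request"; flow:established,to_server; content:"SRCHD=AF=NOFORM"; sid:9000004; rev:1;)

# (4) Anchoring at the end of the URI (the first question). isdataat:!1,relative
#     asserts that no byte follows the match; endswith (Suricata >= 4.1) is the
#     same check with a dedicated keyword.
alert http any any -> any any (msg:"load_file(...) at end of URI"; flow:established,to_server; content:"105,110,105))"; http_uri; isdataat:!1,relative; sid:9000005; rev:1;)
alert http any any -> any any (msg:"load_file(...) at end of URI (endswith)"; flow:established,to_server; content:"105,110,105))"; http_uri; endswith; sid:9000006; rev:1;)
```

Validate the file with `suricata -T -S <file>` before loading it. Note the caveat on form (3): because it matches the raw payload rather than the parsed request, it will not see a body that was sent chunked, which the `http_client_body` buffer presents in dechunked form; when that matters, the two-rule form is the safer OR.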

