[Oisf-users] Can anyone give me some help for a suricata rule
David Wharton
oisf at davidwharton.us
Wed Dec 12 03:11:50 UTC 2018
Specifically, "http" isn't typically going to be in the http_raw_uri
buffer unless you are looking at the request to a proxy.
Generally, this rule isn't going to be effective or performant. But, to
put lipstick on a pig, why not replace "[^\n]*" (which will never be
seen in the http_raw_uri buffer anyway) with something like
"[^\x26\Z]*". (The assumption is that you are looking for these
characters in HTTP parameter values.) And since you look for encoded and
unencoded everything else, did you forget the encoded dashes
("%2D%2D")? Also, are you worried about double encoding situations? If
not, there isn't a need to look for the encoded equals sign.
-David
On 12/11/18 9:51 PM, bush wrote:
> Hi
>
> I wrote a rule to detect single quotes ('), number
> signs (#), semicolons (;), and line-throughs (--) which appear in HTTP
> connections; but when I tested it, I found the rule cannot detect these
> signs. I do not know what is wrong with this rule. Can anyone give me
> some help and take a look at it?
>
> The rule:
> alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS any (msg:"SQL Injection
> - Paranoid"; flow:established; content:"http"; nocase; http_raw_uri;
> pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))/Ii";
> classtype:web-application-attack; sid:30000000; rev:1;)
> Thanks.
>
> Best Regards
> DeJin Wang
>
>
>
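To see the points in the reply on concrete input, here is an added Python sketch (not from the thread and not Suricata code) that replays the posted rule's two conditions, the content:"http" check and the PCRE, over constructed raw-URI buffers, beside a tightened PCRE that bounds the scan to one parameter value with [^&]* and lists the encoded dashes. The sample URIs and the revised pattern are my assumptions, not the thread's.

```python
import re

# Constructed raw-URI buffers (what http_raw_uri would carry); not real traffic.
SAMPLES = {
    "plain_quote":  "/item.php?id=1'",                        # unencoded quote after '='
    "encoded_dash": "/item.php?id=1%2D%2D",                   # encoded "--", not in the posted pcre
    "proxy_form":   "http://shop.example/item.php?id=1%27",   # absolute-form URI, as sent to a proxy
    "benign":       "/item.php?id=1&sort=asc",                # no suspicious characters at all
}

# The posted pcre, transcribed as-is (the /I modifier selects the buffer, /i is re.I here).
ORIGINAL_PCRE = re.compile(
    r"((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))", re.I)

# Assumed revision: stop the scan at the next '&' so it stays inside one parameter value,
# and add the encoded dashes. This is an illustration of the reply's suggestion, not a tested rule.
REVISED_PCRE = re.compile(
    r"(?:%3D|=)[^&]*(?:%27|'|--|%2D%2D|%23|#|%3B|;)", re.I)


def original_rule_matches(raw_uri: str) -> bool:
    """Mirror the posted rule: content:"http"; nocase; on http_raw_uri AND the pcre."""
    return "http" in raw_uri.lower() and ORIGINAL_PCRE.search(raw_uri) is not None


def revised_rule_matches(raw_uri: str) -> bool:
    """Drop the content:"http" requirement and use the tightened pcre."""
    return REVISED_PCRE.search(raw_uri) is not None


def evaluate(samples: dict) -> dict:
    """Return {name: (original_hit, revised_hit)} for every sample buffer."""
    return {name: (original_rule_matches(uri), revised_rule_matches(uri))
            for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (orig, rev) in evaluate(SAMPLES).items():
        print(f"{name:13s} original={orig!s:5s} revised={rev}")
```

Only the absolute-form (proxy) URI satisfies the posted rule, because it is the only buffer containing "http"; the encoded dashes are missed by the original pattern even when that check is ignored.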