[Oisf-users] Rule not alerting as expected

Charles Devoe Charles.Devoe at cisecurity.org
Sat Jan 20 16:30:14 UTC 2018


Running Suricata 4.0.0 and 4.0.3, Linux 6.8 (Red Hat variant), Kernel 3.8.13-118.8.1 and 4.1.12-103.9.2

I have the following rule that is looking for a uri that contains abcde.py at the end.  As I understand it, if I have 3 content fields these should be a logical AND, not a logical OR.  That is, in this case the packet should include the POST AND /abcde.py AND Content-Length|3a| 56|0d 0a|

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a uri"; content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; content:"Content-Length|3a| 56|0d 0a|"; http_header; classtype:malware; sid:123456; rev:4;)


The rule is firing and giving me this stream data; the only match I see is "Content-Length: 56". I do not see the POST nor the abcde.py.


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
Accept-Ranges: bytes
ETag: "4ccd5def5ce2cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 03 Nov 2017 17:29:31 GMT
Connection: close
Content-Length: 56

User-agent: *
Disallow: /downloads/
Disallow: /videos/HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
Accept-Ranges: bytes
ETag: "4ccd5def5ce2cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 03 Nov 2017 17:29:31 GMT
Connection: close
Content-Length: 56

User-agent: *
Disallow: /downloads/
Disallow: /videos/


Questions

1. Am I not getting all of the data?

2. Does it matter if there is a space between content: and "POST"; that is, will content: "POST" and content:"POST" behave the same?

3. Other than the Suricata documentation, are there any other good resources for learning to write rules?
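As an added illustration, not part of the original post and not Suricata's own code, the Python script below models how the rule quoted above combines its content keywords: each content is bound to the http_* modifier that follows it (method, uri, header buffer), urilen is a length check on the uri buffer, and the rule alerts only when every check is true, i.e. a logical AND. The sample requests, the way the buffers are cut out of a raw request (the header buffer is assumed to end each line with CRLF, so the |0d 0a| in the rule can match) and the option parser are simplifying assumptions of this model, not the behaviour of Suricata's detection engine.

```python
"""Toy model of AND semantics across several content matches in one Suricata rule.
Added example: models only content + http_method/http_uri/http_header and urilen."""

# The option part of the rule from the post (everything inside the parentheses).
RULE_OPTIONS = (
    'msg: "This alert is for a uri"; content:"POST"; http_method; '
    'content:"/abcde.py"; http_uri; urilen:9; '
    'content:"Content-Length|3a| 56|0d 0a|"; http_header; '
    'classtype:malware; sid:123456; rev:4;'
)


def decode_content(value: str) -> bytes:
    """Turn a content string into bytes: text outside |..| is literal, text inside
    |..| is hex (so |3a| becomes ':' and |0d 0a| becomes CRLF)."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def parse_options(options: str) -> list:
    """Return (buffer, kind, value) checks. A content keyword is bound to the
    http_* modifier that follows it; urilen:N is a length check on the uri buffer.
    Whitespace around values is stripped by this toy parser (an assumption)."""
    checks = []
    pending = None  # last content value waiting for its modifier
    for opt in filter(None, (o.strip() for o in options.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            pending = decode_content(val.strip('"'))
        elif key in ("http_method", "http_uri", "http_header"):
            checks.append((key[len("http_"):], "content", pending))
            pending = None
        elif key == "urilen":
            checks.append(("uri", "urilen", int(val)))
    return checks


def request_buffers(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into the buffers the http_* modifiers inspect.
    Assumption: the header buffer is every header line, each terminated by CRLF."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"method": method, "uri": uri, "header": headers + b"\r\n"}


def evaluate(checks: list, buffers: dict) -> dict:
    """Evaluate every check independently and report each result by name."""
    results = {}
    for buf, kind, value in checks:
        data = buffers.get(buf, b"")
        if kind == "content":
            results[f"{buf}:{value!r}"] = value in data
        else:
            results[f"{buf}:urilen={value}"] = len(data) == value
    return results


def rule_matches(checks: list, buffers: dict) -> bool:
    """The rule alerts only if ALL checks hold: content keywords are ANDed."""
    return all(evaluate(checks, buffers).values())


# Constructed sample requests (not traffic from the post).
MATCHING_REQUEST = (
    b"POST /abcde.py HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 56\r\n"
    b"\r\n" + b"x" * 56
)
# Same uri and header, but GET instead of POST: one check fails, so no alert.
GET_REQUEST = MATCHING_REQUEST.replace(b"POST /abcde.py", b"GET /abcde.py", 1)
# POST with the right header but a different, longer uri: uri and urilen fail.
OTHER_URI_REQUEST = MATCHING_REQUEST.replace(b"/abcde.py", b"/robots.txt", 1)

CHECKS = parse_options(RULE_OPTIONS)

if __name__ == "__main__":
    for name, req in [("POST /abcde.py", MATCHING_REQUEST),
                      ("GET /abcde.py", GET_REQUEST),
                      ("POST /robots.txt", OTHER_URI_REQUEST)]:
        res = evaluate(CHECKS, request_buffers(req))
        print(f"{name}: alert={all(res.values())}")
        for check, ok in res.items():
            print(f"    {check}: {ok}")
```

Running it prints one block per sample request; only the first one alerts, and the per-check lines show exactly which keyword is the one that fails for the other two. The model deliberately works on the client request only: the http_method, http_uri and http_header buffers it builds are request-side, so a server response on its own gives it nothing to match.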