[Oisf-users] Rule not alerting as expected

Jason Williams jwilliams at emergingthreats.net
Mon Jan 22 21:38:39 UTC 2018


On Sat, Jan 20, 2018 at 10:30 AM, Charles Devoe <Charles.Devoe at cisecurity.org> wrote:

Charles,

Good questions, responses inline.

> Running Suricata 4.0.0 and 4.0.3, Linux 6.8 (red hat variant), Kernel
> 3.8.13-118.8.1 and 4.1.12-103.9.2
>
>
>
> I have the following rule that is looking for a uri that contains abcde.py
> at the end.  As I understand it, if I have 3 content fields these should be
> a logical AND, not a logical OR.  That is, in this case the packet should
> include the POST AND /abcde.py AND Content-Length|3a| 56|0d 0a|
>
>
>

Yes, there is no 'OR' (unless using PCRE).


> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a
> uri"; content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9;
> content:"Content-Length|3a| 56|0d 0a|"; http_header; classtype:malware;
> sid:123456; rev:4;)
>
>
>

For this rule I would suggest writing as

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "This alert is for a
uri"; *flow:established,to_server;* content:"POST"; http_method;
content:"/abcde.py"; http_uri; urilen:9; *http_content_len;
content:"56";* sid:123456;
rev:*5*;)

The classtype "malware" does not exist in the typical
classification.config; you would need to add it manually if you use it.


>
>
> The rule is firing and giving me this stream data, the only match I see
> is “Content-Length: 56”; I do not see the POST nor the abcde.py.
>
> HTTP/1.1 200 OK
> Content-Type: text/plain
> Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
> Accept-Ranges: bytes
> ETag: "4ccd5def5ce2cb1:0"
> Server: Microsoft-IIS/7.5
> X-Powered-By: ASP.NET
> Date: Fri, 03 Nov 2017 17:29:31 GMT
> Connection: close
> Content-Length: 56
>
> User-agent: *
> Disallow: /downloads/
> Disallow: /videos/HTTP/1.1 200 OK
> Content-Type: text/plain
> Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
> Accept-Ranges: bytes
> ETag: "4ccd5def5ce2cb1:0"
> Server: Microsoft-IIS/7.5
> X-Powered-By: ASP.NET
> Date: Fri, 03 Nov 2017 17:29:31 GMT
> Connection: close
> Content-Length: 56
>
> User-agent: *
> Disallow: /downloads/
> Disallow: /videos/
>

This is traffic that is seen $EXTERNAL_NET -> $HOME_NET; your rule was
written for $HOME_NET -> $EXTERNAL_NET, so you may not be looking at the
right traffic.


>
>
> Questions
> 1. I am not getting all of the data?
>
>
Not entirely sure what you mean, feel free to share a pcap off list if you
would like and we can see what is going on.


> 2. Does it matter if there is a space between content: and “POST”; that
> is, will content: “POST” and content:“POST” behave the same?
>
>
It does not matter, but for readability we recommend the format
content:"POST";


> 3. Other than the Suricata documentation, are there any other good
> resources for learning to write rules?
>

https://suricata.readthedocs.io is a great reference for buffers and
syntax. I recommend checking out the rules in the ET OPEN ruleset. You can
also use the pcaps and write-ups provided on
https://malware-traffic-analysis.net and try to write some signatures on
recent malware.

We (OISF) do live free 4-hour workshops; some materials can be found on
last year's DEF CON workshops page. There is also the recent
learnsuricata.com online training that was just launched. Both the workshop
and the online training cover rule writing basics.

For more in-depth rule writing training, the OISF does live 2-day rule
writing trainings, as well as private training events. The proceeds of
these go right back into the OISF for more Suricata awesomeness.

HTH,

Jason

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
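The three points Jason makes above (every content keyword is ANDed, a rule written $HOME_NET -> $EXTERNAL_NET cannot be satisfied by a server response, and an undefined classtype) can be checked with a small evaluator. The following is an added example written for this page, not Suricata's matching engine and not code from the thread: it implements toy semantics for only the keywords the thread uses (content with |hex| escapes, the http_method / http_uri / http_header modifiers, the http_content_len sticky buffer, urilen as an exact length, and the to_server / to_client part of flow; "established" is ignored). The POST request, the Host header and the classification.config lines are constructed; the response headers are the ones Charles pasted.

```python
"""Toy Suricata rule evaluator (added example; not Suricata's own engine)."""
from dataclasses import dataclass, field

# Buffer keywords handled. In the thread's rule they follow the content they
# modify; http_content_len in the suggested rewrite is a sticky buffer that
# precedes its content. Both placements are accepted here.
BUFFER_KEYWORDS = {"http_method", "http_uri", "http_header", "http_content_len"}


@dataclass
class HttpMessage:
    direction: str                               # "to_server" or "to_client"
    method: str = ""                             # empty for a response
    uri: str = ""                                # empty for a response
    headers: list = field(default_factory=list)  # [(name, value), ...] in wire order


def decode_content(value: str) -> bytes:
    """Expand |hex| escapes: 'Content-Length|3a| 56|0d 0a|' -> b'Content-Length: 56\\r\\n'."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_options(rule: str):
    """Split the parenthesised option list into ordered (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            kw, _, val = cur.partition(":")
            opts.append((kw.strip(), val.strip().strip('"')))
            cur = ""
        else:
            cur += ch
    return opts


def buffer_bytes(msg: HttpMessage, name: str) -> bytes:
    """Bytes a buffer keyword inspects for this message (toy approximation)."""
    if name == "http_method":
        return msg.method.encode()
    if name == "http_uri":
        return msg.uri.encode()
    if name == "http_header":
        return b"".join(f"{n}: {v}\r\n".encode() for n, v in msg.headers)
    if name == "http_content_len":
        return next((v.encode() for n, v in msg.headers if n.lower() == "content-length"), b"")
    raise ValueError(f"unsupported buffer {name}")


def content_results(rule: str, msg: HttpMessage):
    """Per-content outcome as (buffer, needle, matched); shows which ANDed term fails."""
    checks, sticky = [], None
    for kw, val in parse_options(rule):
        if kw == "content":
            checks.append([sticky, decode_content(val)])
        elif kw in BUFFER_KEYWORDS:
            if checks and checks[-1][0] is None:
                checks[-1][0] = kw      # modifier form: applies to the previous content
            else:
                sticky = kw             # sticky form: applies to following contents
    return [(buf, needle, buf is not None and needle in buffer_bytes(msg, buf))
            for buf, needle in checks]


def evaluate(rule: str, msg: HttpMessage) -> bool:
    """True only if flow direction, urilen and every content match (logical AND)."""
    for kw, val in parse_options(rule):
        if kw == "flow":
            wanted = {d for d in val.split(",") if d in ("to_server", "to_client")}
            if wanted and msg.direction not in wanted:
                return False
        elif kw == "urilen" and len(msg.uri) != int(val):
            return False
    return all(ok for _, _, ok in content_results(rule, msg))


def classtype_ok(rule: str, classification_config: str) -> bool:
    """True if the rule has no classtype or its classtype is defined in the config text."""
    wanted = dict(parse_options(rule)).get("classtype")
    defined = {line.split(":", 1)[1].split(",")[0].strip()
               for line in classification_config.splitlines()
               if line.strip().startswith("config classification:")}
    return wanted is None or wanted in defined


ORIGINAL_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"This alert is for a uri"; '
                 'content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; '
                 'content:"Content-Length|3a| 56|0d 0a|"; http_header; classtype:malware; '
                 'sid:123456; rev:4;)')
SUGGESTED_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"This alert is for a uri"; '
                  'flow:established,to_server; content:"POST"; http_method; '
                  'content:"/abcde.py"; http_uri; urilen:9; http_content_len; content:"56"; '
                  'sid:123456; rev:5;)')
# Constructed request satisfying every condition of both rules.
REQUEST = HttpMessage("to_server", "POST", "/abcde.py",
                      [("Host", "example.test"), ("Content-Length", "56")])
# The server response quoted in the thread (headers only), seen to_client.
RESPONSE = HttpMessage("to_client", headers=[
    ("Content-Type", "text/plain"), ("Last-Modified", "Mon, 14 Mar 2011 15:31:49 GMT"),
    ("Accept-Ranges", "bytes"), ("ETag", '"4ccd5def5ce2cb1:0"'), ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"), ("Date", "Fri, 03 Nov 2017 17:29:31 GMT"),
    ("Connection", "close"), ("Content-Length", "56")])
# Constructed classification.config excerpt in the stock format; no "malware" entry.
CLASSIFICATION_CONFIG = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: web-application-attack,Web Application Attack,1
"""

if __name__ == "__main__":
    print("request:", evaluate(ORIGINAL_RULE, REQUEST), evaluate(SUGGESTED_RULE, REQUEST))
    print("response:", evaluate(ORIGINAL_RULE, RESPONSE), content_results(ORIGINAL_RULE, RESPONSE))
    print("classtype defined:", classtype_ok(ORIGINAL_RULE, CLASSIFICATION_CONFIG))
```

Against the constructed request both rules fire; against the quoted response only the http_header content matches, which is exactly what Charles saw, while the http_method and http_uri contents fail and the rule as a whole does not. For the real engine, the authoritative check is `suricata -T -S rule.rules` for syntax and classtype, and a replay of a pcap with the rule loaded for match behaviour.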