[Oisf-users] Rule not alerting as expected

Charles Devoe Charles.Devoe at cisecurity.org
Tue Jan 23 12:56:42 UTC 2018


Jason, thanks for the good info. I'm still curious though about why the alert triggered for the content:"POST" when there is no POST in the session data.


Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org - 1-866-787-4722



From: Jason Williams <jwilliams at emergingthreats.net>
Date: Monday, January 22, 2018 at 4:38 PM
To: Charles Devoe <Charles.Devoe at cisecurity.org>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Rule not alerting as expected



On Sat, Jan 20, 2018 at 10:30 AM, Charles Devoe <Charles.Devoe at cisecurity.org> wrote:

Charles,

Good questions, responses inline.

Running Suricata 4.0.0 and 4.0.3, Linux 6.8 (red hat variant), Kernel 3.8.13-118.8.1 and 4.1.12-103.9.2

I have the following rule that is looking for a uri that contains abcde.py at the end.  As I understand it, if I have 3 content fields these should be a logical AND, not a logical OR.  That is, in this case the packet should include the POST AND /abcde.py AND Content-Length|3a| 56|0d 0a|


Yes, there is no 'OR' (unless using PCRE)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"This alert is for a uri"; content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; content:"Content-Length|3a| 56|0d 0a|"; http_header; classtype:malware; sid:123456; rev:4;)


For this rule I would suggest writing as

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"This alert is for a uri"; flow:established,to_server; content:"POST"; http_method; content:"/abcde.py"; http_uri; urilen:9; http_content_len; content:"56"; sid:123456; rev:5;)

The class type of "malware" does not exist in the typical classification.config, you would need to add that manually if using.


The rule is firing and giving me this stream data; the only match I see is "Content-Length: 56". I do not see the POST nor the abcde.py.


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
Accept-Ranges: bytes
ETag: "4ccd5def5ce2cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 03 Nov 2017 17:29:31 GMT
Connection: close
Content-Length: 56

User-agent: *
Disallow: /downloads/
Disallow: /videos/HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 14 Mar 2011 15:31:49 GMT
Accept-Ranges: bytes
ETag: "4ccd5def5ce2cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 03 Nov 2017 17:29:31 GMT
Connection: close
Content-Length: 56

User-agent: *
Disallow: /downloads/
Disallow: /videos/


This is traffic that is seen $EXTERNAL_NET -> $HOME_NET, your rule was written for $HOME_NET -> $EXTERNAL_NET, you may not be looking at the right traffic.


Questions
1.  Am I not getting all of the data?

Not entirely sure what you mean, feel free to share a pcap off list if you would like and we can see what is going on.

2.  Does it matter if there is a space between content: and "POST"; that is, will content: "POST" and content:"POST" behave the same?

It does not matter, but for readability we recommend the format ----> content:"POST";

3.  Other than the Suricata documentation, are there any other good resources for learning to write rules?

https://suricata.readthedocs.io is a great reference for buffers and syntax. I recommend to check the rules out in the ET OPEN ruleset. You can also use the pcaps and write ups provided on https://malware-traffic-analysis.net and try to write some signatures on recent malware.

We (OISF) do live free 4 hour workshops, some materials can be found on last year's defcon workshops page. There is also the recent learnsuricata.com online training that was just launched. Both the workshop and online training cover rule writing basics.

For more in-depth rule writing training the OISF does live 2 day rule writing trainings, as well as private training events. The proceeds of which go right back into the OISF for more suricata awesomeness.

HTH,

Jason

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/


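The point Jason makes in the thread (the content matches are ANDed per buffer, and the captured data is a server response while the rule looks at client requests) can be checked with a small model. The script below is an added example, not part of the thread and not Suricata's own engine: it parses an HTTP message into method, URI and raw header block, expands the `|hex|` escapes used in the rule's `content:` string, and evaluates each of the rule's checks separately so you can see which ones the response from the thread satisfies and which it cannot. The request message is constructed for this example; the response is reduced from the headers posted in the thread.

```python
"""Toy model of how Suricata combines buffer-bound content matches.

Added example, not Suricata code. It imitates the buffers used by the rule in
the thread (http_method, http_uri, urilen, http_header) with plain string
operations, only enough to show AND semantics and traffic direction.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HttpMessage:
    """Minimal parse of one HTTP request or response (headers only)."""
    is_request: bool
    method: Optional[str]      # request method, None for a response
    uri: Optional[str]         # request URI, None for a response
    raw_headers: str           # header block as seen on the wire (CRLF-terminated)


def parse_http(raw: str) -> HttpMessage:
    """Split start line and header block; a response start line begins with HTTP/."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    is_request = not start.startswith("HTTP/")
    method = uri = None
    if is_request:
        method, uri = start.split(" ")[0], start.split(" ")[1]
    raw_headers = "\r\n".join(lines[1:]) + "\r\n"
    return HttpMessage(is_request, method, uri, raw_headers)


def decode_content(pattern: str) -> str:
    """Expand Suricata |hex| escapes: 'Content-Length|3a| 56|0d 0a|' -> 'Content-Length: 56\\r\\n'."""
    out = []
    for i, chunk in enumerate(pattern.split("|")):
        # even chunks are literal text, odd chunks are hex byte sequences
        out.append(chunk if i % 2 == 0 else bytes.fromhex(chunk).decode("latin-1"))
    return "".join(out)


@dataclass
class Rule:
    """The checks expressed by the rule in the thread (sid:123456)."""
    to_server: bool = True                      # $HOME_NET -> $EXTERNAL_NET, i.e. a client request
    method: str = "POST"                        # content:"POST"; http_method;
    uri: str = "/abcde.py"                      # content:"/abcde.py"; http_uri;
    urilen: int = 9                             # urilen:9;
    header: str = "Content-Length|3a| 56|0d 0a|"  # content:"..."; http_header;


def evaluate(rule: Rule, msg: HttpMessage) -> Dict[str, bool]:
    """Evaluate every check on its own buffer; the rule alerts only if all are True."""
    return {
        "flow_to_server": msg.is_request == rule.to_server,
        "http_method": msg.method == rule.method,
        "http_uri": msg.uri is not None and rule.uri in msg.uri,
        "urilen": msg.uri is not None and len(msg.uri) == rule.urilen,
        "http_header": decode_content(rule.header) in msg.raw_headers,
    }


def alerts(rule: Rule, msg: HttpMessage) -> bool:
    """Logical AND over all checks: no single matching content is enough."""
    return all(evaluate(rule, msg).values())


# Constructed request that the rule is written for.
REQUEST = (
    "POST /abcde.py HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Length: 56\r\nConnection: close\r\n\r\n" + "x" * 56
)

# Server response reduced from the headers posted in the thread.
RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/7.5\r\n"
    "Connection: close\r\nContent-Length: 56\r\n\r\n"
    "User-agent: *\r\nDisallow: /downloads/\r\nDisallow: /videos/"
)

if __name__ == "__main__":
    rule = Rule()
    for label, raw in (("request", REQUEST), ("response", RESPONSE)):
        checks = evaluate(rule, parse_http(raw))
        print(f"{label}: alert={all(checks.values())} {checks}")
```

Run stand-alone, the response reports only `http_header` as True and `alert=False`, matching Jason's reading: a `Content-Length: 56` header alone cannot fire this rule, and the data shown is the server's reply, not the request the rule inspects. The constructed request satisfies all five checks. Keep in mind that this model deliberately ignores many things the real engine does (normalization, stream reassembly, the per-transaction pairing of request and response), so treat it as an illustration of AND semantics, not as a rule validator.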