[Oisf-users] rule using http protocol not working

Eric Urban eurban at umn.edu
Tue Feb 19 17:31:28 UTC 2019


Hello Ena,

I was looking into something similar to what you reported so decided to
test your scenario.

Both rules triggered an alert in my tests.  I did modify the second rule,
which is the one that works for you, to use "any" instead of "$HTTP_PORTS"
due to my environment.  Other than that I left them the same.

I don't know that it should matter, but I am testing this on 4.1.2.  It
might be useful for you to provide a packet capture as it is possible there
is something else going on.

- Eric


On Mon, Feb 18, 2019 at 10:06 AM GORHAM JOHNSON, OZELINA <og1939 at att.com>
wrote:

> Trying to create a signature using the http protocol with the keywords http_header
> and http_uri, but the signature does not match the packet:
>
> alert http any any -> any any (msg:"Test http headers"; content:"Host|3A| www.test1.url.com"; http_header; content:"page2"; http_uri; fast_pattern; classtype:bad-unknown; rev:10; sid:9902;)
>
> But if I use the tcp protocol, the signature matches:
>
> alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; content:"Host|3A| www.test1.url.com"; content:"page2"; fast_pattern; classtype:bad-unknown; rev:10; sid:2;)
>
> Sample Packet
>
> Raw packet data
>
> Hypertext Transfer Protocol
>     GET /page2 HTTP/1.1\r\n
>     Host: www.test1.url.com\r\n
>     Connection: close\r\n
>     User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n
>     Accept: */*\r\n
>     Accept-Language: en-us\r\n
>     Accept-Encoding: gzip, deflate, compress\r\n
>     \r\n
>     [Full request URI: http://www.test1.url.com/page2]
>     [HTTP request 1/1]
>
> Would someone explain why the signature using the http protocol does not
> work?
>
> Ena
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
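Eric's suggestion to work from a packet capture can be followed without any live traffic. The script below is an added example and is not code from either message in this thread or from the Suricata project: it rebuilds the request Ena pasted into a complete TCP conversation, writes it out as a classic pcap file, and separately extracts the request-target and header block, which is roughly what the http_uri and http_header keywords of sid:9902 inspect, so the two content matches can be checked against the sample by hand. Only the request bytes come from the post; the IP addresses, MAC addresses, ports, initial sequence numbers, timestamps and the minimal 200 response are assumptions, and the buffer extraction is an approximation of Suricata's normalised buffers rather than its parser.

```python
import socket
import struct

# Constructed from the request shown in the original post; nothing else on
# the wire is taken from the thread.
HTTP_REQUEST = (
    b"GET /page2 HTTP/1.1\r\n"
    b"Host: www.test1.url.com\r\n"
    b"Connection: close\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) "
    b"Gecko/20050511 Firefox/1.0.4\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate, compress\r\n"
    b"\r\n"
)
# Assumed minimal reply so the HTTP parser sees a complete transaction.
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

# Assumed endpoints: client 10.0.0.1:40000 -> server 10.0.0.2:80 (port 80 is
# in the shipped default for $HTTP_PORTS, so the tcp rule applies unmodified).
CLIENT = ("10.0.0.1", 40000)
SERVER = ("10.0.0.2", 80)
MACS = {CLIENT[0]: b"\x02\x00\x00\x00\x00\x01", SERVER[0]: b"\x02\x00\x00\x00\x00\x02"}
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10

# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def checksum(data):
    """RFC 1071 ones-complement sum; data already carrying a correct checksum folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src, dst, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (no options)."""
    (sip, sport), (dip, dport) = src, dst
    src_ip, dst_ip = socket.inet_aton(sip), socket.inet_aton(dip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = MACS[dip] + MACS[sip] + b"\x08\x00"
    return eth + ip + tcp + payload


def frame_checksums_ok(frame):
    """Recompute both checksums over a built frame; each must fold to zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def build_frames(request=HTTP_REQUEST, response=HTTP_RESPONSE):
    """Three-way handshake, request, response, and the acknowledging segments."""
    c, s = 1000, 5000  # assumed initial sequence numbers
    return [
        tcp_segment(CLIENT, SERVER, c, 0, SYN),
        tcp_segment(SERVER, CLIENT, s, c + 1, SYN | ACK),
        tcp_segment(CLIENT, SERVER, c + 1, s + 1, ACK),
        tcp_segment(CLIENT, SERVER, c + 1, s + 1, PSH | ACK, request),
        tcp_segment(SERVER, CLIENT, s + 1, c + 1 + len(request), ACK),
        tcp_segment(SERVER, CLIENT, s + 1, c + 1 + len(request), PSH | ACK, response),
        tcp_segment(CLIENT, SERVER, c + 1 + len(request), s + 1 + len(response), ACK),
    ]


def build_pcap(frames=None):
    """Classic (non-pcapng) capture: global header, then one record per frame."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames if frames is not None else build_frames()):
        out += struct.pack("<IIII", 1550000000 + i, i * 1000, len(frame), len(frame))
        out += frame
    return bytes(out)


def http_buffers(request):
    """Approximation of the http_uri and http_header buffers: the request-target,
    and the header lines (CRLF-terminated) without the request line."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    uri = lines[0].split(b" ")[1]
    headers = b"\r\n".join(lines[1:]) + b"\r\n"
    return uri, headers


def rule_matches(request):
    """Both content checks of sid:9902, each against the buffer it is bound to."""
    uri, headers = http_buffers(request)
    return b"Host: www.test1.url.com" in headers and b"page2" in uri


if __name__ == "__main__":
    with open("test.pcap", "wb") as f:
        f.write(build_pcap())
```

Run it to produce test.pcap, put both of Ena's rules in a file, and replay the capture with `suricata -r test.pcap -S test.rules -l /tmp/suri`; fast.log in that directory should then show an alert for each sid, which is what Eric saw on 4.1.2. If only sid:2 fires on a real capture, the difference between the rebuilt conversation and the real one (a missing handshake, a non-standard port that the HTTP parser is not applied to, or a mid-stream pickup) is the first thing to compare.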