[Oisf-users] rule using http protocol not working

GORHAM JOHNSON, OZELINA og1939 at att.com
Tue Feb 19 18:38:13 UTC 2019


Hi Eric,
Thanks for testing the rules.  I'm also using 4.1.2.

pcap file attached

Ena

From: Eric Urban <eurban at umn.edu>
Sent: Tuesday, February 19, 2019 12:31 PM
To: GORHAM JOHNSON, OZELINA <og1939 at att.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] rule using http protocol not working
Importance: High

Hello Ena,

I was looking into something similar to what you reported so decided to test your scenario.

Both rules triggered an alert in my tests.  I did modify the second rule, which is the one that works for you, to use "any" instead of "$HTTP_PORTS" due to my environment.  Other than that I left them the same.

I don't know that it should matter, but I am testing this on 4.1.2.  It might be useful for you to provide a packet capture as it is possible there is something else going on.

- Eric


On Mon, Feb 18, 2019 at 10:06 AM GORHAM JOHNSON, OZELINA <og1939 at att.com> wrote:
Trying to create a signature using http protocol with keywords http_header and http_uri but the signature does not match the packet
alert http any any -> any any (msg:"Test http headers"; content:"Host|3A| www.test1.url.com"; http_header; content:"page2"; http_uri; fast_pattern; classtype:bad-unknown; rev:10; sid:9902;)


But if I use protocol tcp the signature matches
alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; content:"Host|3A| www.test1.url.com"; content:"page2"; fast_pattern; classtype:bad-unknown; rev:10; sid:2;)


Sample Packet
Raw packet data
Hypertext Transfer Protocol
    GET /page2 HTTP/1.1\r\n
    Host: www.test1.url.com\r\n
    Connection: close\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate, compress\r\n
    \r\n
    [Full request URI: http://www.test1.url.com/page2]
    [HTTP request 1/1]


Would someone explain why the signature using the http protocol does not work?

Ena


_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.pcap.1550265015
Type: application/octet-stream
Size: 1863172 bytes
Desc: log.pcap.1550265015
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190219/913cd600/attachment-0001.obj>
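The quoted question compares a rule bound to the http_header and http_uri sticky buffers with a plain tcp rule whose content matches run over the raw payload. The following Python is an added example written for this thread, not code from the poster or from the Suricata project: it builds a simplified model of the buffers Suricata exposes for one HTTP request, evaluates the two rules from the question against the sample request shown above (constructed from the quoted packet dump, not read from the attached pcap), and shows one way the two rules can diverge: an `alert http` rule is only evaluated on flows the app-layer parser has identified as HTTP, while an `alert tcp` rule with plain content inspects the stream regardless. The buffer layout is an assumption for illustration; Suricata's real buffers are normalised by its HTTP parser.

```python
"""Added example for this thread: a small model of how Suricata fills its
http_uri / http_header sticky buffers from a request and evaluates a rule's
content matches against them, beside a raw-payload tcp rule.  Illustrative
code, not Suricata's engine; the buffer layout is simplified (assumption)."""

# Constructed from the request in the quoted message; not from the attached pcap.
SAMPLE_REQUEST = (
    b"GET /page2 HTTP/1.1\r\n"
    b"Host: www.test1.url.com\r\n"
    b"Connection: close\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) "
    b"Gecko/20050511 Firefox/1.0.4\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate, compress\r\n"
    b"\r\n"
)

# The two rules from the quoted question.
HTTP_RULE = ('alert http any any -> any any (msg:"Test http headers"; '
             'content:"Host|3A| www.test1.url.com"; http_header; '
             'content:"page2"; http_uri; fast_pattern; '
             'classtype:bad-unknown; rev:10; sid:9902;)')
TCP_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; '
            'content:"Host|3A| www.test1.url.com"; content:"page2"; '
            'fast_pattern; classtype:bad-unknown; rev:10; sid:2;)')

BUFFER_MODIFIERS = ("http_uri", "http_header", "http_method", "http_client_body")


def decode_content(text):
    """Expand |hex| escapes in a content string: 'Host|3A| x' -> b'Host: x'."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def http_buffers(raw):
    """Split one raw request into the buffers a sticky-buffer keyword selects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {
        "http_method": method,
        "http_uri": uri,                   # URI only, never the request line
        "http_header": headers + b"\r\n",  # header block, no request line
        "http_client_body": body,
        "payload": raw,                    # what a plain tcp rule's content sees
    }


def parse_content_checks(rule):
    """Return [(needle, buffer)]: a buffer modifier after content: retargets it."""
    options = rule[rule.index("(") + 1:rule.rindex(")")]
    checks = []
    for opt in (o.strip() for o in options.split(";")):
        name, _, value = opt.partition(":")
        if name == "content":
            checks.append([decode_content(value.strip().strip('"')), "payload"])
        elif name in BUFFER_MODIFIERS and checks:
            checks[-1][1] = name
    return [tuple(c) for c in checks]


def rule_matches(rule, raw, app_proto="http"):
    """Evaluate a rule against one request on a flow whose detected app-layer
    protocol is app_proto.  Returns (matched, reason)."""
    proto = rule.split()[1]
    # An 'alert http' rule is only evaluated on flows the app-layer parser
    # identified as HTTP; 'alert tcp' with plain content inspects the raw
    # stream whether or not HTTP was detected.
    if proto == "http" and app_proto != "http":
        return False, "flow not detected as HTTP, so the http rule is never evaluated"
    bufs = http_buffers(raw)
    for needle, buf in parse_content_checks(rule):
        if needle not in bufs[buf]:
            return False, f"{needle!r} not found in {buf}"
    return True, "all content checks matched"


if __name__ == "__main__":
    for proto in ("http", "unknown"):
        for name, rule in (("http rule", HTTP_RULE), ("tcp rule", TCP_RULE)):
            matched, why = rule_matches(rule, SAMPLE_REQUEST, app_proto=proto)
            print(f"flow app-proto={proto:8} {name}: {matched} ({why})")
```

On a flow detected as HTTP both rules match, which is what Eric reports from his test; on a flow the parser did not classify as HTTP only the tcp rule matches. When reproducing with a pcap (`suricata -r <file>`), the `app_proto` field in the eve.json flow and alert records shows whether the flow was recognised as HTTP, which is the first thing to check before looking at the rule's content options.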