[Oisf-users] writing custom rule

Greg Grasmehr greg.grasmehr at caltech.edu
Fri Feb 22 01:47:47 UTC 2019


Hello,

Your only option is to drop those connections on the destination server
itself, or you could also use a mod_security proxy to perform that
action; a WAF is the optimal solution in cases like this.

Greg

On 02/22/19 01:19:29, Vieri wrote:
> Hi,
> 
> I'd like to drop a connection when a web client tries to access a URI such as:
> 
> https://mydomain.org/path/index.php?something=' type='text'> <script>prompt(1)</script> <a alt='
> 
> I tried these custom rules:
> 
> drop http $EXTERNAL_NET any -> any any (msg:"Custom Block Policy for code injection"; flow:established,to_server; content:"/"; nocase; http_uri; content:"/"; nocase; http_uri; pcre:"/<script\>.*<\/script\>/i"; classtype:web-application-attack; sid:5010004; rev:1;)
> 
> drop tcp $EXTERNAL_NET any -> any any (msg:"Custom Block Policy for code injection via tcp"; flow:established,to_server; content:"/"; pcre:"/<script\>.*<\/script\>/i"; classtype:web-application-attack; sid:5010005; rev:1;)
> 
> However, neither of these two rules seems to match.
> 
> Actually, maybe SID 2009714 should match before these custom rules, but it doesn't.
> 
> I'm supposing it's because it's https instead of http, so the GET parameters are not in clear text.
> If so, how could I apply these rules to https?
> 
> Vieri
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
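The server-side check that Greg's reply points to (dropping at the origin server or in a WAF in front of it), written out in Python as an added example that is not part of the thread: it applies the same `<script>...</script>` pattern from Vieri's pcre to the request target after TLS termination, the only place the plaintext of an HTTPS URI is available to a defender. The percent-encoded sample URIs are constructed here to mimic how a client would send the URI from the post; the function names are this example's own.

```python
"""Added example (not from the thread): the check Vieri's pcre expresses,
applied where an HTTPS request is actually readable, i.e. on the origin
server or in a reverse proxy / WAF in front of it. On the wire, Suricata
only sees TLS ciphertext for this request, so the rule has nothing to match.
"""
import re
from urllib.parse import unquote

# Same expression as the pcre in the posted rules. PCRE's `\>` is just a
# literal '>', and the /i flag maps to re.IGNORECASE.
SCRIPT_TAG = re.compile(r"<script>.*</script>", re.IGNORECASE)

# Constructed sample: the URI from the post as a browser would send it,
# with quotes, spaces and angle brackets percent-encoded.
ENCODED_URI = ("/path/index.php?something=%27%20type%3D%27text%27%3E%20"
               "%3Cscript%3Eprompt(1)%3C/script%3E%20%3Ca%20alt%3D%27")
# Constructed sample: the same request with the percent-encoding applied twice.
DOUBLE_ENCODED_URI = ENCODED_URI.replace("%", "%25")
# Constructed sample: an ordinary request that must not be dropped.
BENIGN_URI = "/path/index.php?something=hello"


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a doubly encoded
    request is judged on what the application will eventually see. The
    round cap keeps a hostile input from making this loop for long."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def should_drop(request_target: str) -> bool:
    """True when the decoded request target contains a script element,
    i.e. when the server-side equivalent of the posted 'drop' rule fires."""
    return SCRIPT_TAG.search(normalize_uri(request_target)) is not None


if __name__ == "__main__":
    for target in (ENCODED_URI, DOUBLE_ENCODED_URI, BENIGN_URI):
        verdict = "DROP " if should_drop(target) else "allow"
        print(verdict, target)
```

Whether this logic lives in application code, a reverse proxy or a mod_security rule is the deployment choice Greg describes; what matters is that it runs after the TLS session has been terminated.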

