[Oisf-users] rule using http protocol not working
Victor Julien
lists at inliniac.net
Mon Feb 25 14:45:30 UTC 2019
See
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2019-February/thread.html#16662
On 25-02-19 15:44, GORHAM JOHNSON, OZELINA wrote:
> Last week I was not receiving feeds so if anyone responded to my inquiry
> would you please resend.
>
> Thanks,
>
> Ena
>
> *From:* GORHAM JOHNSON, OZELINA
> *Sent:* Tuesday, February 19, 2019 1:38 PM
> *To:* 'Eric Urban' <eurban at umn.edu>
> *Cc:* 'oisf-users at lists.openinfosecfoundation.org'
> <oisf-users at lists.openinfosecfoundation.org>
> *Subject:* RE: [Oisf-users] rule using http protocol not working
>
> Hi Eric,
>
> Thanks for testing the rules. I'm also using 4.1.2.
>
> pcap file attached
>
> Ena
>
> *From:* Eric Urban <eurban at umn.edu>
> *Sent:* Tuesday, February 19, 2019 12:31 PM
> *To:* GORHAM JOHNSON, OZELINA <og1939 at att.com>
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] rule using http protocol not working
> *Importance:* High
>
> Hello Ena,
>
> I was looking into something similar to what you reported so decided to
> test your scenario.
>
> Both rules triggered an alert in my tests. I did modify the second
> rule, which is the one that works for you, to use "any" instead of
> "$HTTP_PORTS" due to my environment. Other than that I left them the same.
>
> I don't know that it should matter, but I am testing this on 4.1.2. It
> might be useful for you to provide a packet capture as it is possible
> there is something else going on.
>
> - Eric
>
> On Mon, Feb 18, 2019 at 10:06 AM GORHAM JOHNSON, OZELINA <og1939 at att.com
> <mailto:og1939 at att.com>> wrote:
>
> Trying to create a signature using http protocol with keywords
> http_header and http_uri but the signature does not match the packet.
>
> alert http any any -> any any (msg:"Test http headers";
> content:"Host|3A| www.test1.url.com"; http_header; content:"page2";
> http_uri; fast_pattern; classtype:bad-unknown; rev:10; sid:9902;)
>
> But if I use protocol tcp the signature matches:
>
> alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2";
> content:"Host|3A| www.test1.url.com"; content:"page2"; fast_pattern;
> classtype:bad-unknown; rev:10; sid:2;)
>
> Sample Packet
>
> Raw packet data
>
> Hypertext Transfer Protocol
>
> GET /page2 HTTP/1.1\r\n
> Host: www.test1.url.com\r\n
> Connection: close\r\n
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n
> Accept: */*\r\n
> Accept-Language: en-us\r\n
> Accept-Encoding: gzip, deflate, compress\r\n
> \r\n
>
> [Full request URI: http://www.test1.url.com/page2]
> [HTTP request 1/1]
>
> Would someone explain why the signature using the http protocol does
> not work?
>
> Ena
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
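As an added illustration (not part of the thread or of Suricata itself), the Python below rebuilds the http_uri and http_header buffers from the sample request above, expands the |3A| hex escape used in both rules, and evaluates each rule's content matches. It also models one assumed failure mode, a flow the app-layer parser never classified as HTTP (an assumption, not something the thread confirms): the http buffers are then empty, so sid 9902 cannot fire while sid 2, which matches the raw payload, still does.

```python
import re

# Constructed sample: the request from the thread, as raw TCP payload bytes.
SAMPLE_REQUEST = (
    b"GET /page2 HTTP/1.1\r\n"
    b"Host: www.test1.url.com\r\n"
    b"Connection: close\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) "
    b"Gecko/20050511 Firefox/1.0.4\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate, compress\r\n"
    b"\r\n"
)

def decode_content(pattern: str) -> bytes:
    """Expand Suricata |hh hh| hex escapes, e.g. 'Host|3A| x' -> b'Host: x'."""
    expand = lambda m: bytes.fromhex(m.group(1)).decode("latin-1")
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", expand, pattern).encode("latin-1")

def http_buffers(payload: bytes, http_detected: bool = True) -> dict:
    """Approximation of the buffers the http_uri / http_header keywords inspect.
    If the flow was never classified as HTTP (assumed failure mode), the
    buffers are empty and no http_* content can match."""
    if not http_detected:
        return {"http_uri": b"", "http_header": b""}
    head, _, _ = payload.partition(b"\r\n\r\n")          # drop the body
    request_line, _, headers = head.partition(b"\r\n")   # split off request line
    uri = request_line.split(b" ")[1]                    # b"/page2"
    return {"http_uri": uri, "http_header": headers + b"\r\n"}

def rule_matches(contents, payload: bytes, http_detected: bool = True) -> bool:
    """contents: list of (content pattern, buffer name); None = raw payload.
    Every content must be found in its buffer, as in a Suricata rule."""
    bufs = http_buffers(payload, http_detected)
    for pattern, buf in contents:
        haystack = payload if buf is None else bufs[buf]
        if decode_content(pattern) not in haystack:
            return False
    return True

# The two rules from the thread, reduced to their content/buffer pairs.
HTTP_RULE = [("Host|3A| www.test1.url.com", "http_header"), ("page2", "http_uri")]
TCP_RULE = [("Host|3A| www.test1.url.com", None), ("page2", None)]

if __name__ == "__main__":
    for detected in (True, False):
        print(f"http_detected={detected}: sid 9902 -> "
              f"{rule_matches(HTTP_RULE, SAMPLE_REQUEST, detected)}, "
              f"sid 2 -> {rule_matches(TCP_RULE, SAMPLE_REQUEST, detected)}")
```

When both rules match here but only sid 2 fires in Suricata, the difference lies outside the buffers shown, which is why Eric asked for the pcap.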