Feature #3494: rules: Keyword for determining if the http_host is an ip address

Added by Jason Williams about 6 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal

Description

In the ET ruleset, in order to express the fact that http communications are going to an IP address rather than a hostname, we have to do pcre.

Some variation of this is all over the place, often not properly using the http_host buffer:

pcre:"/^?:\d{1,3}\.){3}.\d{1,3}(?:\x3a\d{1,5})?$/W";

If it wouldn't be too taxing, it would be very useful to have a simple statement to express that the hostname in the http_header is an ip address. I don't know that a transform is the right place for it as we're not looking to do anything with the ip, but something like below:

http.host; is_ip;

Related issues (1 open, 0 closed)

Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, Victor Julien)

#1 Updated by Jason Williams about 6 years ago

I typo'd the pcre from memory, but you know what I mean...

pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W";

#2 Updated by Jeff Lucovsky over 5 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added

#3 Updated by Victor Julien over 5 years ago

  • Subject changed from Keyword for determining if the http_host is an ip address to rules: Keyword for determining if the http_host is an ip address

#4 Updated by Victor Julien almost 3 years ago

A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider: like if there is a notation like [1.2.3.4] or it includes a port like 1.2.3.4:666, or a list of IPs that are sometimes seen in XFF headers.

#5 Updated by Brandon Murphy about 2 years ago

Victor Julien wrote in #note-4:

A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider:

Going wider would be great, but also, taking a step forward to remove this PCRE from rules (includes some that are dedicated for the entire purpose of detecting an IP in the http.host header) would be amazing.

A good start for a "wider" approach might be to allow the selection of what type of IP it is?

Taken directly from Rust's IpAddr - https://doc.rust-lang.org/std/net/enum.IpAddr.html#method.is_global
is_ip:is_global;
is_ip:!is_global;
is_ip:is_ipv4;
is_ip:is_ipv6;
is_ip; (either ipv4 or ipv6)

etc.
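As an added example (not Suricata code), here is what the wider matching Victor describes in #4 and the mode options Brandon lists in #5 look like when built on Rust's std::net::IpAddr. The names IsIpMode, host_ip, is_ip and all_ips are assumed for this example, and is_global is omitted because that std method is still unstable.

```rust
use std::net::IpAddr;

/// Option values proposed in the thread: is_ip; is_ip:is_ipv4; is_ip:is_ipv6
/// (is_global is left out because it is still unstable in std).
#[derive(Clone, Copy, Debug)]
pub enum IsIpMode { Any, V4, V6 }

/// Accept "" or ":<port>" where the port is a decimal number that fits in a u16.
fn port_ok(tail: &str) -> bool {
    match tail.strip_prefix(':') {
        None => tail.is_empty(),
        Some(p) => !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) && p.parse::<u16>().is_ok(),
    }
}

/// Parse one http.host value in the notations from the thread: "1.2.3.4",
/// "1.2.3.4:666", "[1.2.3.4]", "[::1]:443". Uses std's parser, so "999.1.1.1"
/// (which the \d{1,3} pcre accepts) is rejected.
pub fn host_ip(host: &str) -> Option<IpAddr> {
    let host = host.trim();
    let literal = if let Some(rest) = host.strip_prefix('[') {
        // Bracketed form, with an optional ":port" after the closing bracket.
        let (inner, tail) = rest.split_once(']')?;
        if !port_ok(tail) { return None; }
        inner
    } else if let Some((h, p)) = host.split_once(':') {
        // One colon means host:port; a second colon means a bare IPv6 literal.
        if p.contains(':') { host } else if port_ok(&host[h.len()..]) { h } else { return None; }
    } else {
        host
    };
    literal.parse::<IpAddr>().ok()
}

/// Does a single host value satisfy the requested is_ip mode?
pub fn is_ip(host: &str, mode: IsIpMode) -> bool {
    match (host_ip(host), mode) {
        (Some(_), IsIpMode::Any) => true,
        (Some(ip), IsIpMode::V4) => ip.is_ipv4(),
        (Some(ip), IsIpMode::V6) => ip.is_ipv6(),
        _ => false,
    }
}

/// The XFF case: a comma-separated list where every element must be an IP.
pub fn all_ips(list: &str) -> bool {
    !list.trim().is_empty() && list.split(',').all(|i| host_ip(i).is_some())
}
```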

#6 Updated by Philippe Antoine almost 2 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD