Feature #3494
open
rules: Keyword for determining if the http_host is an ip address
Added by Jason Williams almost 5 years ago.
Updated 5 months ago.
Description
In the ET ruleset in order to express the fact that http communications are going to an IP address rather than a hostname we have to do pcre.
Some variation of this is all over the place, often not properly using the http_host buffer:
pcre:"/^?:\d{1,3}\.){3}.\d{1,3}(?:\x3a\d{1,5})?$/W";
If it wouldn't be too taxing, it would be very useful to have a simple statement to express that the hostname in the http_header is an ip address. I don't know that a transform is the right place for it as we're not looking to do anything with the ip, but something like below:
http.host; is_ip;
Related issues
1 (1 open — 0 closed)
I typo'd the pcre from memory, but you know what i mean...
pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W";
- Related to Task #4097: Suricon 2020 brainstorm added
- Subject changed from Keyword for determining if the http_host is an ip address to rules: Keyword for determining if the http_host is an ip address
A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider: like if there is a notation like [1.2.3.4]
or it includes a port like 1.2.3.4:666
, or a list of IP's that are sometimes seen in XFF headers.
Victor Julien wrote in #note-4:
A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider:
going wider would be great, but also, taking a step forward to remove this PCRE from rules (includes some that are dedicated for the entire purpose of detecting an IP in the http.host header) would be amazing.
A good start for a "wider" approach might be to allow the selection of what type of IP it is?
Taken directly from Rust's IpAddr - https://doc.rust-lang.org/std/net/enum.IpAddr.html#method.is_global
is_ip:is_global;
is_ip:!is_global;
is_ip:is_ipv4;
is_ip:is_ipv6;
is_ip; (either ipv4 or ipv6)
etc.
- Assignee set to OISF Dev
- Target version set to TBD
Also available in: Atom
PDF