Feature #6831
opensupport extraction of bytes of non-numeric values
Description
Use Case:
Consider the following HTTP request. I would like to write detection logic that ensures the 32 byte string that occurs in the URI is also found within the Cookie Value.
GET /example/path?foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://example.com Cookie: foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G
reference: https://forum.suricata.io/t/byte-extract-byte-test-string-limits/4511/3
Current and Attempted Methods:
Currently the only way to accomplish this detection logic (with PCRE capture groups) has many limitations/considerations
1) within a single buffer (http.start works in this example)
- this won't work with HTTP/2 traffic
2) via capture groups within PCRE. This can be pretty costly.
I attempted to use the byte_extract/byte_test, which did work, but was limited to 20 byte as noted within the discourse convo. the keyword performance of the byte_extract/byte_test combo was about half as many ticks as using the PCRE capture groups.
Proposed Solution:
I won't bother with suggesting how this should be solved, but more details of the use case are required please let me know.
P.S. - I'm not sure what to "call" this request, so feel free to change the subject to more accurately reflect whatever this is.
Updated by Jeff Lucovsky about 2 months ago
@Brandon Murphy Can you add the rule demonstrating the use of pcre?
Did you try the pcrexform transform?
Updated by Brandon Murphy about 2 months ago
Jeff Lucovsky wrote in #note-3:
@Brandon Murphy Can you add the rule demonstrating the use of pcre?
you bet! Something like this currently "does the trick", though as noted
http.start; pcre:"/^POST[^\r\n]+\?foo=(?P<hash>[A-F0-9]{32})(?:[^\r\n]*\r\n)+Cookie\x3a\x20foo=(?P=hash)/";
Did you try the pcrexform transform?
I'm not sure it'd solve the issue given the need to enforce that the content exist in two different buffers. I guess i could use it to transform each buffer to the be same, but i'd still be left with the need to extract the value and compare.
Updated by Jeff Lucovsky about 2 months ago
For completeness, this is what was presented in the discourse forum:
http.uri; content:"&foo="; byte_extract:32,0,TESTrelative,string; http.cookie; content:"foo="; startswith; byte_test:32,=,TEST,0,relative,string;
Updated by Victor Julien about 2 months ago
Jeff Lucovsky wrote in #note-5:
For completeness, this is what was presented in the discourse forum:
[...]
I like the idea of using regular byte_extract and byte_test. The "string" option in the example makes no sense to me. It should probably be called something else, like "bytes" or "slice" or "raw" or similar, to indicate that we won't try to interpret the bytes as an integer but instead will do a raw byte slice compare (a memcmp essentially).