Feature #7951
closed (Feature Request) Ability to reference content matches across buffers.
Description
Recently we found a malware sample that uses the same http.uri within the referer. Here is an example of the http request:
    GET /2e2f5d01e14520f5 HTTP/1.1
    Referer: hxxps://malware[.]com/2e2f5d01e14520f5
    Host: malware.com
    Connection: Keep-Alive
As far as I can tell the only way to detect this is by using a buffer-less pcre or making use of byte_ keywords.
Here is an example of the pcre I used to detect this traffic.
/^GET\x20(?P<C2URI>\x2f[a-z0-9]{16})[\s\S]+Referer\x3a\x20https?\x3a\x2f\x2f[a-zA-Z0-9]+\x2e[a-zA-Z0-9]+(?P=C2URI)[\r\n]/
There are two possible solutions that I can think of:
1. Implement a http.request buffer that includes the request line and all of the http headers.
2. Allow cross-buffer matching and essentially store buffer content matches in a variable, i.e. for this example you could do something like this and perform a content match on the value of http.uri:
... http.uri; pcre:"/^\x2f[a-z0-9]{16}$/"; http.referer; content:http.uri; endswith
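To make the two detection approaches in the report concrete, here is an added Python example (not code from the report, from Suricata, or from the reporter). It runs the report's pcre over the request line plus headers, the region that http.start covers, and beside it a structured comparison of the Referer path against the request URI, which is the check the second proposal (a content match on the value of http.uri inside http.referer) would express. The three requests are constructed samples with a placeholder hostname; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests for this example. They copy the shape described
# in the report; the hostname is a placeholder, not the sample's real C2 host.
MATCHING_REQUEST = (
    b"GET /2e2f5d01e14520f5 HTTP/1.1\r\n"
    b"Referer: https://malware.example/2e2f5d01e14520f5\r\n"
    b"Host: malware.example\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
NO_REFERER_REQUEST = (
    b"GET /2e2f5d01e14520f5 HTTP/1.1\r\n"
    b"Host: malware.example\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
ORDINARY_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Referer: https://malware.example/index.html\r\n"
    b"Host: malware.example\r\n"
    b"\r\n"
)

# The report's PCRE, unchanged apart from the rb"" quoting Python needs.
REPORT_PCRE = re.compile(
    rb"^GET\x20(?P<C2URI>\x2f[a-z0-9]{16})[\s\S]+Referer\x3a\x20"
    rb"https?\x3a\x2f\x2f[a-zA-Z0-9]+\x2e[a-zA-Z0-9]+(?P=C2URI)[\r\n]"
)


def http_start(raw: bytes) -> bytes:
    """Return the request line plus headers, the region http.start covers."""
    return raw.split(b"\r\n\r\n", 1)[0] + b"\r\n"


def pcre_detects(raw: bytes) -> bool:
    """Apply the report's regex to the request start, as a pcre on that data would."""
    return REPORT_PCRE.search(http_start(raw)) is not None


def parse_http_start(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split the start region into (request line, lower-cased header map)."""
    lines = http_start(raw).rstrip(b"\r\n").split(b"\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:  # skip malformed header lines that carry no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers


def referer_reuses_uri(raw: bytes) -> bool:
    """Cross-buffer check: does the Referer path equal the request URI?

    This is the comparison the report's second proposal would express as a
    content match on http.uri inside http.referer; here the two values are
    parsed out of the request start and compared directly.
    """
    request_line, headers = parse_http_start(raw)
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False  # not a well-formed request line
    referer = headers.get("referer")
    if referer is None:
        return False  # nothing to compare against
    return urlsplit(referer).path == parts[1]


if __name__ == "__main__":
    for name, req in [("matching", MATCHING_REQUEST),
                      ("no referer", NO_REFERER_REQUEST),
                      ("ordinary page", ORDINARY_REQUEST)]:
        print(f"{name:14} pcre={pcre_detects(req)} "
              f"cross-buffer={referer_reuses_uri(req)}")
```

The third sample shows why the report asks for a general mechanism: the pcre is bound to the 16-character path shape of this one sample, while the structured comparison flags any request whose Referer path repeats the request URI regardless of the path's form. Whether that broader condition is a useful alert on its own or only a building block for a rule with more context is a tuning question for the deployment, not something the sample alone settles.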
Updated by Victor Julien 9 days ago
Sounds like http.start would be helpful? https://docs.suricata.io/en/suricata-8.0.1/rules/http-keywords.html#http-start
Updated by Isaac Shaughnessy 9 days ago
Hey @Victor Julien
Thanks for the quick response! I overlooked this buffer in the docs. Apologies for the noise, http.start allows me to do what I need.
Cheers,
Isaac
Updated by Victor Julien 8 days ago
Despite http.start helping this particular case, I think it would be good to support this use case in a more general way. byte_extract is currently somewhat limited.