Bug #825

closed

http keywords not matching

Added by Laszlo Madarassy over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

Hi,

I want to detect and alert on torrent tracker messages with suricata, but it seems they won't match. Torrent trackers usually are not on port 80; I don't know whether that is a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)

But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)

The http response is gzip compressed, so I need the http rule to be able to match.
Btw, is there any method to match an http response belonging to a matched http request?

Actions #1

Updated by Anoop Saldanha over 11 years ago

Laszlo Madarassy wrote:

> Hi,
>
> I want to detect and alert on torrent tracker messages with suricata, but it seems they won't match. Torrent trackers usually are not on port 80; I don't know whether that is a problem or not.
> This rule works:
> alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
>
> But these rules do not match (tried both of them):
> alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
> alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
> alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)

Can you share a pcap (privately if you want) for testing?

> The http response is gzip compressed, so I need the http rule to be able to match.
> Btw, is there any method to match an http response belonging to a matched http request?

You can set a flowbit on the request rule and check if the flowbit is set on the response rule.

Actions #2

Updated by Laszlo Madarassy over 11 years ago

Hi,

Here is a capture file:
http://mik.bme.hu/~lmadarassy/suricata/http.cap

I want to match packets sent to/from 176.31.224.96:2710

Can you give me an easy example for this flowbit?

Thanks,
Laszlo

Actions #3

Updated by Victor Julien over 11 years ago

With your rules (I've given them unique sids):

alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:1;)
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:2;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:3;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:4;)

I get alerts on all 4:

06/17/2013-14:16:49.672505  [**] [1:4:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:3:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:2:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:1:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710

I started suri as follows:

suricata -c suricata.yaml -r http.cap -S local.rules

What is interesting though, is that only one http session is logged, while there are several in the file. @Anoop, can you check this?

Actions #4

Updated by Anoop Saldanha over 11 years ago

  • Assignee set to Anoop Saldanha

@Victor, sure

Actions #5

Updated by Anoop Saldanha over 11 years ago

Looks right. Other than 1 flow, the rest of the flows have missing handshakes.

Actions #6

Updated by Anoop Saldanha over 11 years ago

  • Assignee deleted (Anoop Saldanha)

@Laszlo

alert tcp ..... (content:"one"; http_uri; flowbits:set,request_seen; sid:1;)
alert tcp ..... (content:"two"; http_server_body; flowbits:isset,request_seen; sid:2;)

If you don't want the first sig to alert, you can add flowbits:noalert;
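To make the flowbit sketch concrete for the tracker traffic in this ticket, here is a complete request/response rule pair; it is an added example, not a rule set from the ticket or from the Suricata project. The flowbit name tracker_req, the sids, and the assumption that the bencoded tracker response body contains the key name "peers" are mine.

```suricata
# Request side: a GET to the tracker carrying info_hash= in the URI.
# flowbits:set records that this flow saw a tracker request; flowbits:noalert
# keeps the rule silent so only the correlated response below produces an alert.
# Port is "any" because, as noted in the ticket, trackers are often not on port 80.
alert http any any -> any any (msg:"BitTorrent tracker announce request"; flow:established,to_server; content:"info_hash="; http_uri; flowbits:set,tracker_req; flowbits:noalert; sid:1000001; rev:1;)

# Response side on the same flow: fires only if the request rule set the bit.
# http_server_body is inspected after the HTTP parser decompresses the body, so the
# gzip-encoded response from the ticket still matches. "peers" is the bencoded
# dictionary key a tracker announce response carries (assumed here as the match).
alert http any any -> any any (msg:"BitTorrent tracker announce response"; flow:established,to_client; flowbits:isset,tracker_req; content:"peers"; http_server_body; sid:1000002; rev:1;)
```

Load the file with -S as in Victor's command line above; against http.cap only the response rule (sid 1000002) should alert, once per flow that has a complete handshake.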

Actions #7

Updated by Victor Julien over 11 years ago

  • Status changed from New to Closed

@anoop: ack, missed that. Sorry for the noise.

Closing the ticket as all seems well.
