quick fix sticky buffers

According to the documentation (https://suricata.readthedocs.io/en/suricata-6.0.3/rules/http-keywords.html#http-keywords), sticky buffers should come before content; http.header and http.uri aren't marked as sticky buffers there, but the rules were being generated wrongly and reported in the logs. Tested on stable Suricata v6.0.1+
pull/7622/head
lk-dll 2021-07-29 18:19:58 +02:00 committed by Alexandre Dulaunoy
parent 7748598750
commit 1a8235d9cf
1 changed files with 5 additions and 5 deletions


@ -35,7 +35,7 @@ class NidsSuricataExport extends NidsExport
$sid++;
// also do http requests
// warning: only suricata compatible
$content = 'flow:to_server,established; content: "Host|3a| ' . $attribute['value'] . '"; fast_pattern; nocase; http.header; pcre: "/(^|[^A-Za-z0-9-\.])' . preg_quote($attribute['value']) . '[^A-Za-z0-9-\.]/Hi";';
$content = 'flow:to_server,established; http.header; content: "Host|3a| ' . $attribute['value'] . '"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])' . preg_quote($attribute['value']) . '[^A-Za-z0-9-\.]/Hi";';
$this->rules[] = sprintf(
$ruleFormat,
($overruled) ? '#OVERRULED BY WHITELIST# ' : '',
@ -76,7 +76,7 @@ class NidsSuricataExport extends NidsExport
$sid++;
// also do http requests,
// warning: only suricata compatible
$content = 'flow:to_server,established; content: "Host|3a|"; nocase; http.header; content:"' . $attribute['value'] . '"; fast_pattern; nocase; http.header; pcre: "/(^|[^A-Za-z0-9-])' . preg_quote($attribute['value']) . '[^A-Za-z0-9-\.]/Hi";';
$content = 'flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"' . $attribute['value'] . '"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])' . preg_quote($attribute['value']) . '[^A-Za-z0-9-\.]/Hi";';
$this->rules[] = sprintf(
$ruleFormat,
($overruled) ? '#OVERRULED BY WHITELIST# ' : '',
@ -121,9 +121,9 @@ class NidsSuricataExport extends NidsExport
$tag = 'tag:session,600,seconds;';
if (!array_key_exists('path', $data)) {
$data['path'] = NidsExport::replaceIllegalChars($data['host']);
$content = 'flow:to_server,established; content:"' . $data['host'] . '"; nocase; http.header;';
$content = 'flow:to_server,established; http.header; content:"' . $data['host'] . '"; nocase;';
} else {
$content = 'flow:to_server,established; content:"' . $data['host'] . '"; fast_pattern; nocase; http.header; content:"' . $data['path'] . '"; nocase; http.uri;';
$content = 'flow:to_server,established; http.header; content:"' . $data['host'] . '"; fast_pattern; nocase; http.uri; content:"' . $data['path'] . '"; nocase;';
}
break;
@ -182,7 +182,7 @@ class NidsSuricataExport extends NidsExport
$suricata_dst_port = 'any';
$url = NidsExport::replaceIllegalChars($attribute['value']); // substitute chars not allowed in rule
$content = 'flow:to_server,established; content:"' . $url . '"; fast_pattern; nocase; http.uri;';
$content = 'flow:to_server,established; http.uri; content:"' . $url . '"; fast_pattern; nocase;';
$tag = 'tag:session,600,seconds;';
break;