fix: [suricata] fixed an invalid validation of https hostnames that blocked the attributes from being included in the exports

pull/5706/head
iglocska 2020-03-19 09:16:10 +01:00
parent fa0eb43120
commit c8a111447c
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 6 additions and 16 deletions


@ -109,7 +109,6 @@ class NidsSuricataExport extends NidsExport
$data['host'] = '';
}
}
switch ($scheme) {
case "http":
$data['host'] = NidsExport::replaceIllegalChars($data['host']);
@ -126,26 +125,18 @@ class NidsSuricataExport extends NidsExport
} else {
$content = 'flow:to_server,established; content:"' . $data['host'] . '"; fast_pattern; nocase; http_header; content:"' . $data['path'] . '"; nocase; http_uri;';
}
break;
case "https":
$data['host'] = NidsExport::replaceIllegalChars($data['host']);
$tag = 'tag:session,600,seconds;';
# IP: classic IP rule for HTTPS
if (filter_var($data['host'], FILTER_VALIDATE_IP)) {
$suricata_protocol = 'tcp';
$suricata_src_ip = '$HOME_NET';
$suricata_src_port = 'any';
$suricata_dst_ip = $data['host'];
$suricata_dst_port = NidsExport::getProtocolPort($scheme, $data['port']);
$content = 'flow:to_server; app-layer-protocol:tls;';
}
# Domain: rule on https certificate subject
else {
$createRule = false;
}
$suricata_protocol = 'tcp';
$suricata_src_ip = '$HOME_NET';
$suricata_src_port = 'any';
$suricata_dst_ip = $data['host'];
$suricata_dst_port = NidsExport::getProtocolPort($scheme, $data['port']);
$content = 'flow:to_server; app-layer-protocol:tls;';
break;
case "ssh":
@ -196,7 +187,6 @@ class NidsSuricataExport extends NidsExport
break;
}
if ($createRule) {
$attribute['value'] = NidsExport::replaceIllegalChars($attribute['value']); // substitute chars not allowed in rule
$this->rules[] = sprintf(
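Review bot: In the `https` case, `$suricata_dst_ip = $data['host']` now appears to run for every host (the +/- markers are lost on this page, so this reads the un-nested assignments as the new side), which puts a hostname into the destination-address field of the rule header whenever the attribute is not an IP literal. Suricata accepts only addresses, CIDR ranges or address variables in that field, so such a rule is likely rejected at load time and the indicator yields no detection. Keeping the `FILTER_VALIDATE_IP` check and giving the hostname branch a generic destination plus a TLS SNI match would export the attribute as a loadable rule; what `replaceIllegalChars()` strips is not visible here, so confirm the host is safe inside the quoted `content` value. The enclosing `switch` starts and ends outside these hunks.

```php
// … unchanged: host sanitising, $tag, protocol, source and destination-port assignments …
if (filter_var($data['host'], FILTER_VALIDATE_IP)) {
    // IP literal: valid as the destination address in the rule header
    $suricata_dst_ip = $data['host'];
    $content = 'flow:to_server; app-layer-protocol:tls;';
} else {
    // Hostname: keep the header address generic and match the TLS SNI instead
    $suricata_dst_ip = '$EXTERNAL_NET';
    $content = 'flow:to_server,established; tls_sni; content:"' . $data['host'] . '"; nocase;';
}
break;
```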