There is a cursor concept in Suricata. I need to implement the notion of order of matches: I cannot just say match pattern1 and pattern2 and not pattern3 all in any order; I need to put an order.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Outdated Firefox on Windows"; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| "; content:"Firefox/3."; distance:0; content:!"Firefox/3.6.13"; distance:-10; sid:9000000; rev:1;)
So I came up with these two solutions:
This one is more compact:
detection:
  http.user_agent: "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
  http.user_agent|dist0: "Firefox/3."
  http.user_agent|dist-10|not: "Firefox/3.6.13"
This one is bigger but more understandable.
detection:
  - ttl: 10
  - http.user_agent: "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
  - http.user_agent: "Firefox/3."
    dist: 0
  - http.user_agent|not: "Firefox/3.6.13"
    dist: -10
Finally, this one is more compact but still clear.
I assume there is always an AND operator playing between matches; I may be mistaken.
detection:
  ttl: 10
  http.user_agent:
    - content: "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
    - content: "Firefox/3."
      dist: 0
    - content|not: "Firefox/3.6.13"
      dist: -10
This one is minimalist but less clear.
detection:
  http.user_agent:
    - "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
    - "Firefox/3.":
        dist: 0
    - "!Firefox/3.6.13":
        dist: -10
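As an added example (not Suricata's, Sigma's, or this thread's own code), here is a small Python renderer that turns the third proposal's dict-of-ordered-matches form into a Suricata rule, keeping list order as the content/distance chain. The `content`, `content|not`, `dist` and `ttl` keys follow the proposals above; the `EXAMPLE_RULE` dict, the `SCALAR_KEYWORDS` table and emitting the buffer name as a sticky buffer keyword are assumptions of this example.

```python
"""Render the proposed YAML-style detection block into an ordered Suricata rule.

Assumed format: a buffer key (e.g. http.user_agent) holds an ordered list of
matches, each a bare string or a mapping with content / content|not and an
optional dist; other top-level keys map to plain keyword:value options.
"""

SCALAR_KEYWORDS = ("ttl",)  # assumption: keys rendered as keyword:value;


def render_match(item):
    """One list entry -> the content option (and distance) it expands to."""
    if isinstance(item, str):
        item = {"content": item}
    if "content|not" in item:
        parts = ['content:!"%s"' % item["content|not"]]  # negated match
    else:
        parts = ['content:"%s"' % item["content"]]
    if "dist" in item:  # relative to the cursor left by the previous match
        parts.append("distance:%d" % item["dist"])
    return parts


def to_suricata(rule, proto="http", action="alert"):
    """Build the rule text; list order becomes match order."""
    opts = ['msg:"%s"' % rule["msg"]]
    for key, value in rule["detection"].items():
        if key in SCALAR_KEYWORDS:
            opts.append("%s:%s" % (key, value))
        elif isinstance(value, list):
            opts.append(key)  # sticky buffer keyword, e.g. http.user_agent
            for item in value:
                opts.extend(render_match(item))
        else:
            raise ValueError("unsupported detection key: %s" % key)
    opts += ["sid:%d" % rule["sid"], "rev:%d" % rule.get("rev", 1)]
    return "%s %s $HOME_NET any -> $EXTERNAL_NET any (%s;)" % (
        action, proto, "; ".join(opts))


# Constructed input, mirroring the third proposal above.
EXAMPLE_RULE = {
    "msg": "Outdated Firefox on Windows",
    "sid": 9000000,
    "detection": {
        "ttl": 10,
        "http.user_agent": [
            {"content": "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"},
            {"content": "Firefox/3.", "dist": 0},
            {"content|not": "Firefox/3.6.13", "dist": -10},
        ],
    },
}
```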
We have the same issue as in Sigma: we need targeted logs to test rules. I like what Hayabusa is cooking; maybe we can do the same.
Something like:
test:
  http.user_agent: "User-Agent (Mozilla/5.0 ;Windows))"
which can then be played to confirm the rule is working.
I just saw that flowbits serve to make a rule match when a previous packet matched inside a flow (a flow is a group of packets matched by the same protocol, client port/IP and server port/IP).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, updated_at 2019_07_26;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, updated_at 2019_07_26;)
Our format has to take this into account in some way, like a correlation rule in Sigma.
Classtype is used for setting the priority of alerts, which is exactly what the Sigma level thing is made for, so I am thinking about setting classtype as level.