I have a doubt with a Suricata custom rule.

If I do: alert http any any -> any 80 (msg:"blabla"; content:"abc"; http_uri; sid:1000000;) I can get requests to http://x.x.x.x/abc uri in fast.log file

But if I do: alert http any any -> any 80 (msg:"blabla"; content:".."; http_uri; sid:1000000;) I cannot get request to http://x.x.x.x/.. uri

Why?? I can't understand it and I'm getting desperate.

PS: I've tried to write content:"|2e2e|" (hexadecimal equivalent to ".") but with no luck. In fact, looking at the stock suricata.rules file, expressions like ".." (or "../") appear without any special encoding.

schroeder
Osqui

1 Answer

Seems you have found a bug in suricata!

For example:

rule detecting ".." does not fire on ".." in http_uri:

alert http any any -> any any (msg:"ping"; content:"|2e 2e|"; http_uri; sid:100;)
T 192.168.4.6:34160 -> 45.33.32.156:80 [AP] #1735
  GET /.. HTTP/1.1..Accept-Encoding: identity..Host: scanme.nmap.org..User-Agent: Python-urllib/3.6..Connec
  tion: close....   

T 192.168.4.6:45892 -> 93.184.216.34:80 [AP] #750
  GET /.. HTTP/1.1..Accept-Encoding: identity..Host: example.com..User-Agent: Python-urllib/3.6..Connection
  : close....   

yet rule using http_raw_uri does fire:

alert http any any -> any any (msg:"ping"; content:"|2e 2e|"; http_raw_uri; sid:101;)
03/19/2019-16:19:48.570661  [**] [1:101:0] ping [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.6:45932 -> 93.184.216.34:80
03/19/2019-16:19:57.027510  [**] [1:101:0] ping [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.6:34160 -> 45.33.32.156:80

works as expected in snort:

alert tcp any any -> any $HTTP_PORTS (msg:"ping"; content:"|2e 2e|"; http_uri; sid:100;)
03/19-16:19:49.080887  [**] [1:100:0] ping [**] [Priority: 0] {TCP} 192.168.4.6:45936 -> 93.184.216.34:80
03/19-16:19:56.870987  [**] [1:100:0] ping [**] [Priority: 0] {TCP} 192.168.4.6:34160 -> 45.33.32.156:80

and strangely rule detecting ".." does fire on "...":

alert http any any -> any any (msg:"ping"; content:"|2e 2e|"; http_uri; sid:100;)
03/19/2019-16:08:14.678962  [**] [1:100:0] ping [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.6:60804 -> 45.33.32.156:80
03/19/2019-16:08:15.860135  [**] [1:100:0] ping [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.6:60810 -> 45.33.32.156:80

T 192.168.4.6:60804 -> 45.33.32.156:80 [AP] #29
  GET /... HTTP/1.1..Host: scanme.nmap.org..User-Agent: curl/7.58.0..Accept: */*....
T 192.168.4.6:60810 -> 45.33.32.156:80 [AP] #35
  GET /... HTTP/1.1..Host: scanme.nmap.org..User-Agent: curl/7.58.0..Accept: */*....
Travis
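The observations in the answer above line up with how Suricata's two URI buffers are defined: http_uri matches against the normalized URI produced by the HTTP parser, while http_raw_uri matches against the bytes as they appeared on the wire. RFC 3986 dot-segment removal turns the path "/.." into "/", so the normalized buffer no longer contains two dots, whereas "/..." is not a dot segment and survives normalization. The script below is an added illustration, not code from the original post or from the Suricata or libhtp projects: it models that normalization with a minimal RFC 3986 section 5.2.4 implementation (an assumption about which normalization step matters here, not a copy of libhtp's logic) and applies the rule's content:"|2e 2e|" to both buffers for the request paths captured in the answer. The practical takeaway for rule writers is that traversal-style patterns belong in the raw buffer, because the normalized one has already had them resolved.

```python
# Added illustration (not Suricata/libhtp code): compare what a rule's content
# match sees in a normalized URI buffer (http_uri) versus the raw URI buffer
# (http_raw_uri) for the request paths shown in the answer.

# The rule's content:"|2e 2e|" as raw bytes.
CONTENT = b"\x2e\x2e"


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 dot-segment removal for an absolute path.

    This is an assumed model of the path normalization an HTTP parser applies
    before exposing the "normalized URI" buffer; it is not libhtp's code.
    """
    segments = path.split("/")[1:]  # leading "/" gives an empty first element
    output = []
    for i, segment in enumerate(segments):
        last = i == len(segments) - 1
        if segment == ".":
            if last:
                output.append("")  # a trailing "." keeps the trailing slash
            continue
        if segment == "..":
            if output:
                output.pop()  # ".." removes the previous segment
            if last:
                output.append("")
            continue
        output.append(segment)
    return "/" + "/".join(output)


def evaluate(raw_path: str, content: bytes = CONTENT) -> dict:
    """Return both buffers and whether a plain content match hits each one."""
    raw_uri = raw_path.encode()
    uri = remove_dot_segments(raw_path).encode()
    return {
        "raw_uri": raw_uri,
        "uri": uri,
        "http_raw_uri_match": content in raw_uri,
        "http_uri_match": content in uri,
    }


# Constructed request paths, taken from the request lines in the answer.
SAMPLE_PATHS = ["/..", "/...", "/abc", "/a/b/../c", "/../"]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        result = evaluate(path)
        print(
            f"{path:12} normalized={result['uri'].decode():8} "
            f"http_uri={result['http_uri_match']!s:5} "
            f"http_raw_uri={result['http_raw_uri_match']}"
        )
```

Running it shows "/.." normalizing to "/" (raw buffer matches, normalized buffer does not) and "/..." staying "/..." (both buffers match), which is exactly the pattern in the fast.log excerpts above. A Snort http_uri buffer is normalized differently, which is why the same rule fired there.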