Adding simple signature to Suricata

I tried to add a simple signature to Suricata; let's call it SIG A.

If there is a TCP session in which side 1 sends "POST admin.php" and side 2 replies "Hi friend", I want that to be the signature.

How to do that please?

By the way, what is the source of all the signatures used in Suricata? Proofpoint Emerging Threats Rules?

Hi. You define the signature sources yourself.
Suricata might, depending on your installation method, ship with some rules preconfigured.
suricata-update can list some public and commercial rule sources.
https://suricata-update.readthedocs.io/en/latest/index.html

Here is one simple take on how you could write your signature.
alert ip any any -> any any (msg:"TCP side 1"; content:"POST admin.php"; flowbits:set,placeholdername; sid:1;)
alert ip any any -> any any (msg:"TCP side 2"; content:"Hi friend"; flowbits:isset,placeholdername; sid:2;)

https://suricata.readthedocs.io/en/suricata-6.0.1/rules/flow-keywords.html#flowbits

@syoc I'm not sure you understood me.
Side 1 and side 2 are just aliases; why did you write "TCP side 1"? Is that really the syntax?

I mean, for example, that the client sends TCP to the server with a payload that contains "POST admin.php" and the server replies with a TCP payload that contains "Hi friend".

Whoops. I had a feeling while writing the comment that something was off, and indeed there were multiple typos.

I edited the comment to include the msg keyword before "TCP side 1". That keyword just specifies an arbitrary message that will be shown when the rule triggers.
The rules above should trigger when one packet in a session contains "POST admin.php" and a subsequent message contains "Hi friend".

The rules can be modified to be TCP only by swapping "alert ip" for "alert tcp". You can also limit one rule to clients and the other to servers with the "flow" keyword. You can also match specific HTTP fields using the http keywords, if that is what you want.
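As an added example (not syoc's rules or the Suricata project's own rule set), here is one way to put those three suggestions together for the SIG A case described above: the first signature only sets a flowbit when the client sends "POST admin.php" (flowbits:noalert keeps it quiet), and the second one alerts only when the server's reply in the same flow contains "Hi friend" after that flowbit was set. The second pair does the same thing with HTTP-aware buffers. The sids, rev numbers, the flowbit names (sig_a_post_admin, sig_a_post_admin_http) and the message texts are assumptions chosen for this example, and sids 1000001-1000004 are in the range Suricata leaves free for local rules.

```suricata
# SIG A, raw-payload version. Constructed example; not from the original thread.
# Stage 1: client -> server payload containing "POST admin.php".
# flowbits:noalert means this rule only tags the flow, it never logs an alert itself.
alert tcp any any -> any any (msg:"SIG A stage 1: client sent POST admin.php"; \
    flow:to_server,established; \
    content:"POST admin.php"; \
    flowbits:set,sig_a_post_admin; flowbits:noalert; \
    sid:1000001; rev:1;)

# Stage 2: server -> client payload containing "Hi friend", but only in a flow
# where stage 1 already matched. This is the rule that actually alerts.
alert tcp any any -> any any (msg:"SIG A: POST admin.php answered with Hi friend"; \
    flow:to_client,established; \
    flowbits:isset,sig_a_post_admin; \
    content:"Hi friend"; \
    sid:1000002; rev:1;)

# Same logic using the HTTP keywords, which survive header reordering and
# whitespace differences that a raw "POST admin.php" content match would miss.
# Assumed flowbit name: sig_a_post_admin_http.
alert http any any -> any any (msg:"SIG A stage 1 (http): POST to admin.php"; \
    flow:to_server,established; \
    http.method; content:"POST"; \
    http.uri; content:"admin.php"; \
    flowbits:set,sig_a_post_admin_http; flowbits:noalert; \
    sid:1000003; rev:1;)

alert http any any -> any any (msg:"SIG A (http): admin.php POST answered with Hi friend"; \
    flow:to_client,established; \
    flowbits:isset,sig_a_post_admin_http; \
    http.response_body; content:"Hi friend"; \
    sid:1000004; rev:1;)
```

To try it against a capture, save the rules to a file such as siga.rules and run suricata -r traffic.pcap -S siga.rules -l /tmp/siga-out, then look at fast.log and eve.json in that output directory; with the noalert flag on the stage 1 rules only sids 1000002 and 1000004 should appear. Two caveats: flowbits are per flow, so a "Hi friend" in a different TCP session will not fire, and a bare content match is case-sensitive unless you add nocase after it.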

@syoc How do you see that sid 2 is related to sid 1?

That looks like 2 different signatures.

How do you set a signature name for that (one that will be presented in the Suricata GUI)?

Indeed, it is two different signatures, one for each "message".
They relate to each other through the flowbits keyword. Documentation was linked earlier.

The signature name is set using the msg: keyword.

@syoc Can Suricata show 2 signatures on 1 pcap file?

My interpretation of your question: "Can Suricata 'show'/alert/log two different signatures on one pcap file?" Let me know if I misunderstood.

Yes. All rules matching traffic patterns in the pcap will "trigger" and be logged; the relevant packet metadata and some packet payload containing the matching traffic pattern will also be logged for each rule.

I would recommend just writing some rules and trying it out.