Here are my directional and tcp/udp/ip modify rules, changing them to ‘alert http …’; please let me know what you think.
There was some testing, and verification of continued success, but I have not developed a unit test scenario for this, and would be very interested if someone already had one of those environments set up for HTTP rule testing to see if this makes usable or enhances some of Snort’s and Suricata’s area-specific and otherwise aged rules.
To use this you would have to be using ‘suricata-update’ and have a ‘modify.conf’ file containing some of, but not limited to, the following:
modify.conf:
# Resolving any http directional rules to focus on HOME_NET and EXTERNAL_NET, non-Port 80 Rules to any except for 443 rules
# (?!443 )\S+ matches one port token that is not 443; a character class such as [^443] would only match a single character
# Server to Client HTTP
re:. " http \\$HOME_NET (?!443 )\\S+ -> \\$EXTERNAL_NET any \\(msg" " http $HOME_NET any -> $EXTERNAL_NET any (msg"
re:. " http \\$EXTERNAL_NET (?!443 )\\S+ -> any any \\(msg" " http $EXTERNAL_NET any -> $HOME_NET any (msg"
# Client to Server HTTP
re:. " http any any -> \\$HOME_NET (?!443 )\\S+ \\(msg" " http $EXTERNAL_NET any -> $HOME_NET any (msg"
re:. " http \\$EXTERNAL_NET any -> any (?!443 )\\S+ \\(msg" " http $EXTERNAL_NET any -> $HOME_NET any (msg"
re:. " http \\$HOME_NET any -> \\$EXTERNAL_NET (?!443 )\\S+ \\(msg" " http $HOME_NET any -> $EXTERNAL_NET any (msg"
# TCP/UDP/IP to HTTP Section
# Convert alert rules to use Suricata's HTTP libraries - 'http.method'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)http.method(.*)" "alert http \\2 any (msg\\4http.method\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)http.method(.*)" "alert http \\2 any ->\\4http.method\\5"
# Convert alert rules to use Suricata's HTTP libraries - 'service http'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)service http(.*)" "alert http \\2 any (msg\\4service http\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)service http(.*)" "alert http \\2 any ->\\4service http\\5"
# Convert alert rules to use Suricata's HTTP libraries - 'HTTP request'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)HTTP request(.*)" "alert http \\2 any (msg\\4HTTP request\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)HTTP request(.*)" "alert http \\2 any ->\\4HTTP request\\5"
# Convert alert rules to use Suricata's HTTP libraries - 'HTTP response'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)HTTP response(.*)" "alert http \\2 any (msg\\4HTTP response\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)HTTP response(.*)" "alert http \\2 any ->\\4HTTP response\\5"
# Convert alert rules to use Suricata's HTTP libraries - '$HTTP_SERVERS'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)\\$HTTP_SERVERS(.*)" "alert http \\2 any (msg\\4\\$HTTP_SERVERS\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)\\$HTTP_SERVERS(.*)" "alert http \\2 any ->\\4\\$HTTP_SERVERS\\5"
# Convert alert rules to use Suricata's HTTP libraries - 'HTTP URI'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)HTTP URI(.*)" "alert http \\2 any (msg\\4HTTP URI\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)HTTP URI(.*)" "alert http \\2 any ->\\4HTTP URI\\5"
# Convert alert rules to use Suricata's HTTP libraries - 'HTTP Host'
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)HTTP Host(.*)" "alert http \\2 any (msg\\4HTTP Host\\5"
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) ->(.*)HTTP Host(.*)" "alert http \\2 any ->\\4HTTP Host\\5"
# TCP/UDP/IP to DNS Section
# Convert alert rules to use Suricata's DNS libraries - 'dns.query'
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) \\(msg(.*)dns.query(.*)" "alert dns \\2 any (msg\\4dns.query\\5"
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) ->(.*)dns.query(.*)" "alert dns \\2 any ->\\4dns.query\\5"
# Convert alert rules to use Suricata's DNS libraries - 'dns.response'
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) \\(msg(.*)dns.response(.*)" "alert dns \\2 any (msg\\4dns.response\\5"
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) ->(.*)dns.response(.*)" "alert dns \\2 any ->\\4dns.response\\5"
# Convert alert rules to use Suricata's DNS libraries - 'dns.querytype'
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) \\(msg(.*)dns.querytype(.*)" "alert dns \\2 any (msg\\4dns.querytype\\5"
re:. "alert (tcp|udp|ip) (.*) (\\$DNS_PORTS|53) ->(.*)dns.querytype(.*)" "alert dns \\2 any ->\\4dns.querytype\\5"
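An added offline dry-run harness for the unit-test scenario the post asks about; it is not code from the post or from suricata-update. It assumes suricata-update reads each `re:` line with shlex-style quoting and then applies Python `re.sub`, uses constructed sample rules, and uses `(?!443 )\S+` for the non-443 port token because a character class such as `[^443]` only matches a single character:

```python
import re
import shlex

# Constructed modify.conf excerpt in the post's `re:<match> "from" "to"` form.
# The non-443 port token uses a negative lookahead; `[^443]` is a character
# class and only ever matches one character that is not '4' or '3'.
MODIFY_CONF = r'''
# Non-443 HOME_NET source ports -> any (server to client)
re:. " http \\$HOME_NET (?!443 )\\S+ -> \\$EXTERNAL_NET any \\(msg" " http $HOME_NET any -> $EXTERNAL_NET any (msg"
# tcp/udp/ip -> http when the rule already uses http.method
re:. "alert (tcp|udp|ip) (.*) \\$(HTTPS_PORTS|HTTP_PORTS) \\(msg(.*)http\\.method(.*)" "alert http \\2 any (msg\\4http.method\\5"
'''
# The character-class form, kept only to show it never matches a port like 8080.
ORIGINAL_CLASS_FROM = re.compile(r" http \$HOME_NET [^443] -> \$EXTERNAL_NET any \(msg")

# Constructed sample rules (local sid range, not taken from any ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED POST test"; '
    'flow:established,to_server; http.method; content:"POST"; sid:1000001; rev:1;)',
    'alert http $HOME_NET 8080 -> $EXTERNAL_NET any (msg:"CONSTRUCTED 200 test"; '
    'flow:established,to_client; http.stat_code; content:"200"; sid:1000002; rev:1;)',
    'alert http $HOME_NET 443 -> $EXTERNAL_NET any (msg:"CONSTRUCTED tls port"; sid:1000003; rev:1;)',
]

def parse_modify_conf(text):
    """Return (matcher, from_pattern, replacement) triples, one per re: line."""
    # Assumption: shlex quoting then re.compile/re.sub is how suricata-update
    # reads modify.conf, so a doubled backslash in the file reaches the regex
    # engine as a single one and \\2 in the file becomes a group reference.
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match_spec, frm, to = shlex.split(line)
        if not match_spec.startswith("re:"):
            raise ValueError("only re: matchers are handled here: %r" % line)
        filters.append((re.compile(match_spec[3:]), re.compile(frm), to))
    return filters

def apply_filters(filters, rule):
    """Apply every filter whose matcher hits, in file order."""
    for matcher, pattern, repl in filters:
        if matcher.search(rule):
            rule = pattern.sub(repl, rule)
    return rule

def rewrite_all(conf=MODIFY_CONF, rules=SAMPLE_RULES):
    filters = parse_modify_conf(conf)
    return [apply_filters(filters, r) for r in rules]
```

Print `SAMPLE_RULES` next to `rewrite_all()` to see each rewrite; the 443 rule should come back unchanged.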