Is it possible to combine http/smtp/smb keywords with the filestore ones?
I tried rules like the following without success:
alert http any any -> any any (msg:"ignore based on uri"; http.uri; pcre:!"/.*msftncsi.com/"; fileext:"txt"; filestore; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"grab based on uri"; http.uri; pcre:"/.*msftncsi.com/"; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
alert http any any -> any any (msg:"ignore based on hostname"; http.host; content:!"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:3; rev:1;)
alert http any any -> any any (msg:"grab based on hostname"; http.host; content:"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:4; rev:1;)
Without the http. part, the following rule works fine:
alert http any any -> any any (msg:"grab all txt"; fileext:"txt"; filestore; classtype:bad-unknown; sid:5; rev:1;)
The pcap contains the Windows msftncsi.com/ncsi.txt. I just picked this one for testing.
The pcap contains malware, so I don't want to upload it here, but you can download it from: hxxps://www.malware-traffic-analysis.net/2015/02/15/index.html
The test rules are the following:
alert http any any -> any any (msg:"ignore based on uri"; http.uri; pcre:!"/.*msftncsi.com/"; fileext:"txt"; filestore; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"grab based on uri"; http.uri; pcre:"/.*msftncsi.com/"; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
alert http any any -> any any (msg:"ignore based on uri"; http.host; content:!"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:3; rev:1;)
alert http any any -> any any (msg:"grab based on uri"; http.host; content:"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:4; rev:1;)
alert http any any -> any any (msg:"grab all txt"; fileext:"txt"; filestore; classtype:bad-unknown; sid:5; rev:1;)
I expect rules number 2, 4 and 5 to hit, but only 5 gets a trigger.
Is the combination of http/smtp/smb + filestore invalid, or am I missing something else?
alert http any any -> any any (msg:"detect uri hostname"; http.host; content:"www.msftncsi.com"; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"grab based on uri"; http.host; content:"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
alert http any any -> any any (msg:"grab all txt"; fileext:"txt"; filestore; classtype:bad-unknown; sid:3; rev:1;)
I changed the rules file to test the http parameter without the file keywords and expect 1, 2 and 3 to hit, but only 1 and 3 are getting a trigger.
This is just a guess, but I wonder if this has to do with the direction of flow, as it relates to the http.host keyword being a "request" keyword, whereas in this case the filestore will be grabbing the file from the response traffic.
alert http any any -> any any (msg:"msftnsci - hostname (flowbit set)"; flowbits:set,msftnsci; http.host; content:"www.msftncsi.com"; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"txt from msftnsci (flowbit isset)"; flowbits:isset:msftnsci; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
alert http any any -> any any (msg:"grab all txt"; fileext:"txt"; filestore; classtype:bad-unknown; sid:3; rev:1;)
Thanks a lot for this tip. There was a little typo in the second rule ("flowbits:isset:msftnsci;" should be "flowbits:isset,msftnsci;"), but now it works.
I thought that the combination of http + file keywords automatically implies request/response tracking, but this doesn't seem to be the case.
Since the following rule cannot work, Suricata should throw an error message, which currently isn't the case.
alert http any any -> any any (msg:"grab based on uri"; http.host; content:"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
I suspect it would have thrown a warning/error if the "flow" option had been included in the rule. Keep in mind that filestore could also work on POST data which is being uploaded to a server. Without the "flow" keyword, Suricata doesn't know whether it should be looking at response or request traffic.
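As an added example (not posted by anyone in this thread), here is the two-rule flowbits approach from above written with explicit flow directions, which is the missing piece the previous reply points at. The hostname check runs on the request side with flow:to_server and only sets a flowbit (flowbits:noalert keeps it from producing its own alert); the filestore rule runs on the response side with flow:to_client and fires only when that bit is set on the same flow. The flowbit name, msg strings and sids are made up for this example; the hostname and file extension are the ones used in the thread.

```suricata
# Added example rules (not from the thread). Flowbit name, sids and msg text are placeholders.

# Request side: remember that this flow asked for www.msftncsi.com, but do not alert by itself.
alert http any any -> any any (msg:"EXAMPLE msftncsi hostname seen in request"; flow:to_server,established; http.host; content:"www.msftncsi.com"; flowbits:set,example.msftncsi_host; flowbits:noalert; classtype:bad-unknown; sid:9000001; rev:1;)

# Response side: store the .txt file only if the request-side bit was set on this flow.
alert http any any -> any any (msg:"EXAMPLE txt file from www.msftncsi.com stored"; flow:to_client,established; flowbits:isset,example.msftncsi_host; fileext:"txt"; filestore; classtype:bad-unknown; sid:9000002; rev:1;)
```

If the files of interest were POST uploads rather than downloads, the second rule would need flow:to_server instead, as the previous reply notes. Running the file through `suricata --engine-analysis` (as shown later in the thread) is a quick way to confirm that neither rule produces the "TCP rule without a flow or flags option" warning.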
Yes, with the last rule here you should have a warning like so in the rules analysis log:
/opt/suritest/bin/suricata -S test.rules --engine-analysis -l logs/ -T
cat logs/rules_analysis.txt
-------------------------------------------------------------------
Date: 9/5/2023 -- 22:09:17
-------------------------------------------------------------------
== Sid: 2 ==
alert http any any -> any any (msg:"grab based on uri"; http.host; content:"www.msftncsi.com"; fileext:"txt"; filestore; classtype:bad-unknown; sid:2; rev:1;)
Rule matches on http host buffer.
App layer protocol is http_any.
Rule contains 0 content options, 1 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "www.msftncsi.com" on "http host (http_host)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
Wonder if (just for a test) it would filestore files with the txt extension if you removed the fileext:txt match from the rule?
(prob best to try out on a pcap first)