Get URL from HTTP packet

Hi,I am trying to get a URL from an HTTP packet. But,I don’t know how to correct the bug, please let me know.

6/1/2023 -- 16:15:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer 6/1/2023 -- 16:15:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"HTTP URL detected"; flow:to_client,established; content:"GET"; http_method; content:!"/"; http_uri; pcre:"/^[a-zA-Z0-9\.\/\?\&\=\_\~\#\:]+$/R"; sid:1; rev:1;)" from file /var/lib/suricata/rules/url.rules at line 4

Hello Halock!

It looks like you’re using Suricata 4 style content modifier keywords. When using these, you must set the correct PCRE modifier to tel the PCRE which buffer to use. In this case the U modifier.

alert http any any -> any any (msg:"HTTP URL detected"; flow:to_client,established; content:"GET"; http_method; content:!"/"; http_uri; pcre:"/^[a-zA-Z0-9\.\/\?\&\=\_\~\#\:]+$/UR"; sid:1; rev:1;)

However, it is much easier and current rule language to use the Suricata 5+ style “sticky buffers”. An example is as follows:

alert http any any -> any any (msg:"HTTP URL detected"; flow:to_client,established; http.method; content:"GET"; http.uri; content:!"/";  pcre:"/^[a-zA-Z0-9\.\/\?\&\=\_\~\#\:]+$/R"; sid:1; rev:1;)

START EDIT – Added this section after double checking the rule

However, this is one more error here. As the content of the rule are looking for an HTTP Request the flow direction to_client doesn’t work. You have to use to_server as the request will be going from the client, to the server.

alert http any any -> any any (msg:"HTTP URL detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"/";  pcre:"/^[a-zA-Z0-9\.\/\?\&\=\_\~\#\:]+$/R"; sid:1; rev:1;)

** END EDIT***

Outside of your question, I’m not too sure what your intention is with this PCRE, but this content negationhttp.uri; content:!"/"; is likely not what you want, as most URLs start with a /. Though, maybe that’s exactly what you want??

1 Like

Thank you for your response and action.
I thought I could use “pcre” to get the URL with a regular expression