Need help with HTTP Signatures

Suricata 6.0.1
OS: Ubuntu

Hello folks,
I was testing some signatures, and wanted to create a signature where I block uploading of anything via HTTP but allow download/ browsing

I was able to block downloading by creating this
msg:"Block content"; flow:to_client,established; content:"Content-Type: application/"; http_header;

And for uploading I used this signature
msg:"Blocked File Upload"; flow:to_server,established; content:"POST"; http_method;

msg:"Blocked File Upload"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition:"; http_header;

But I think it's getting bypassed, and I can still upload files to the server.
Any leads or guidance regarding this?

Thank you

Hi,

If possible could you post the full rule contents that you are using? It makes it easier to determine if there are any unintentional errors in syntax and such. Thanks!

JT

Thank you for the reply. These are the rules:

drop tcp any any -> any any ( msg:"Block Content"; flow:to_client,established; content:"Content-Type: application/"; http_header; classtype: policy-violation; sid:1200006; rev:1;metadata: signature_severity Minor;)

drop tcp any any -> any any ( msg:"Blocked File Upload"; flow:to_server,established; content:"POST"; http_method; classtype: policy-violation; sid:1200004; rev:1;metadata: signature_severity Minor;)

drop tcp any any -> any any ( msg:"Blocked File Upload 2"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition:"; http_header; classtype: policy-violation; sid:1200005; rev:1;metadata: signature_severity Minor;)

Thanks for the full signatures, they look good! I would offer some quick notes and updates around the signatures. I would suggest the following updates to use the full features Suricata has to offer from an application layer perspective (HTTP in this case) and keyword functionality.

drop http any any -> any any (msg:"Block Content"; flow:established,to_client; http.content_type; content:"application/"; startswith; fast_pattern; classtype:policy-violation; sid:1200006; rev:1; metadata:signature_severity Minor;)

drop http any any -> any any (msg:"Blocked File Upload"; flow:established,to_server; http.method; content:"POST"; classtype:policy-violation; sid:1200004; rev:1; metadata:signature_severity Minor;)

drop http any any -> any any (msg:"Blocked File Upload 2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Content-Disposition|0d 0a|"; classtype:policy-violation; sid:1200005; rev:1; metadata:signature_severity Minor;)

Ideally instead of any try and use $HOME_NET, $EXTERNAL_NET or any custom network variables to ensure these fire as expected.

reference: 8.1. Rules Format — Suricata 8.0.0-dev documentation

Also, you have a bit of overlap with signatures 1200004 and 1200005. With signature 1200004 there is only one content to be matched, the http method POST. This signature will fire before 1200005.

With regard to the question of why uploading may still be allowed, there is an order to signature actions, meaning some signature actions, e.g. alert, drop, pass, are processed before other actions.

references: 8.1. Rules Format — Suricata 8.0.0-dev documentation

https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#suricata-yaml-action-order

This may come into play where one signature is allowing traffic before the signature dropping the traffic is processed.

Hope that helps!

JT

Thank you so much for your help and guidance.

I created one more signature which worked for me.

Pasting it here for anyone experimenting with the same.

msg:"Blocked File Upload 3"; flow:to_server,established; content:"POST"; http_method; content:"multipart/form-data"; http_header;

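As an added illustration of why the thread's upload rules behave differently (example code written for this page, not from the thread or the Suricata project): a constructed multipart/form-data upload is run through a simplified model of the http.method, http.header_names and http_header buffers. The header_names model assumes the documented layout of that buffer (each name delimited by CRLF) and is only an approximation of the engine.

```python
# Constructed sample: a browser-style multipart file upload.
BODY = (
    b"------WebKitFormBoundaryABC\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------WebKitFormBoundaryABC--\r\n"
)
MULTIPART_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"  # placeholder host, not a real target
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BODY)
) + BODY


def split_request(raw: bytes):
    """Return (method, request header block, body) for an HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line.split(b" ", 1)[0], headers, body


def header_names_buffer(headers: bytes) -> bytes:
    """Approximation of http.header_names: header names only, each wrapped in
    CRLF, so a name is matched exactly with |0d 0a|Name|0d 0a|."""
    names = [line.split(b":", 1)[0] for line in headers.split(b"\r\n") if line]
    return b"\r\n" + b"\r\n".join(names) + b"\r\n\r\n"


def evaluate_rules(raw: bytes) -> dict:
    """Evaluate the thread's three upload rules against one request."""
    method, headers, body = split_request(raw)
    names = header_names_buffer(headers)
    return {
        # sid 1200004: any POST request
        "1200004": method == b"POST",
        # sid 1200005: POST carrying Content-Disposition as a *request* header
        "1200005": method == b"POST" and b"\r\nContent-Disposition\r\n" in names,
        # "Blocked File Upload 3": POST whose request headers say multipart/form-data
        "upload3": method == b"POST" and b"multipart/form-data" in headers,
        # In a multipart upload, Content-Disposition lives in the body parts
        "disposition_in_body": b"Content-Disposition:" in body,
    }


if __name__ == "__main__":
    for sid, hit in evaluate_rules(MULTIPART_UPLOAD).items():
        print(f"{sid}: {'match' if hit else 'no match'}")
```

Running it shows the Content-Disposition rule misses the request headers entirely while the multipart/form-data rule matches, which is consistent with the final rule working where 1200005 did not.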