Questions about suricata rules directions

Hi,

I got the error message

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 502021022 mixes keywords with conflicting directions

when I tested the Suricata rule below:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any <> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; pcre:"/blue.php?MNVal=/U"; content:"&FNVal=ConnInfo&DVal="; http_uri; pcre:"/&FNVal=ConnInfo&DVal=/U"; content:"200"; http_stat_code; classtype:trojan-activity; sid:502021022;"

I found where the error comes from on this page:
Help modifying a signature from 4.18 to 5.03

I knew the error happened because http_stat_code is a response keyword, and I changed -> to <> (one direction to bidirectional), but I still got the error message. Why did that happen?

You can't mix client request keywords like http_method and http_uri with server response keywords like http_stat_code. Those are opposing directions, which is why you are getting the error. If you remove content:"200"; http_stat_code; this signature will work.

alert http any any -> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; pcre:"/blue\.php\?MNVal=/U"; content:"&FNVal=ConnInfo&DVal="; http_uri; pcre:"/&FNVal=ConnInfo&DVal=/U"; classtype:trojan-activity; sid:502021022;)


Thx Bryant,

But is there a way to keep the request and response keywords in the same rule other than removing one of them?

No you would have to create two rules. One looking for the client requests and the other looking for the server response. You can link the two signatures by using flowbits. Let me know if you need help putting this together.

https://suricata.readthedocs.io/en/suricata-5.0.0-rc1/rules/flow-keywords.html?highlight=flowbits#flowbits

Thx again Bryant,

I read the docs and wrote new rules like this:

alert http any any -> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; pcre:"/blue\.php\?MNVal=/U"; content:"&FNVal=ConnInfo&DVal="; http_uri; pcre:"/&FNVal=ConnInfo&DVal=/U"; flowbits:set,blue.php?MNVal=; flowbits:noalert; classtype:trojan-activity; sid:502021022;)

alert http any any -> any any (msg:"Winstore connection"; content:"200"; http_stat_code; flowbits:isset,blue.php?MNVal=; classtype:trojan-activity; sid:502021023;)

I think that should be working, but I still have another question. Since the format of flowbits is flowbits: set, name, can I write two or more names in flowbits?

E.g., there are two URI contents in my rule, blue.php?MNVal= and &FNVal=ConnInfo&DVal=. Can I write flowbits: set, blue.php?MNVal=, &FNVal=ConnInfo&DVal= to ensure the second rule matches only if both URI contents in the first rule match?

This was a bit confusing. The flowbit will be set only if the entire rule matches. The variable name of the flowbit can be anything and is not related to the content matches. If your rule has two content matches and you use flowbits: set, myvar; then the flowbit myvar will only be set if the entire rule, with both content matches, triggers.

Thx syoc,

Do you mean that the variable name of flowbits can be considered a "tag", and if two rules have the same "tag" in flowbits, then the entire rule matches? And the "tag" is not related to the content or the number of contents in any rule?

You are correct, the flowbit isn't related to the content or the number of contents in the rule. It just sets the variable to either TRUE or FALSE when all of the signature matches. For flowbits, in the first signature, if all of the 'content' and 'pcre' match the traffic then it will set the variable named in the flowbit. In the second signature, I'm not sure of the order, but it will have to match the 'content', and the flowbit must be set, in order for an alert to be generated.

Below is what it should look like. I like to unset my flowbits when there is a match, but the flowbit will be cleared when the stream it matched on closes. If you ever need to match on different streams you would need to use xbits.

alert http any any -> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; pcre:"/blue\.php\?MNVal=/U"; content:"&FNVal=ConnInfo&DVal="; http_uri; pcre:"/&FNVal=ConnInfo&DVal=/U"; flowbits:set,Winstore.Request; flowbits:noalert; classtype:trojan-activity; sid:502021022;)

alert http any any -> any any (msg:"Winstore connection"; content:"200"; http_stat_code; flowbits:isset,Winstore.Request; flowbits:unset,Winstore.Request; classtype:trojan-activity; sid:502021023;)
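The two points made in this thread, that a rule cannot mix request-side buffers (http_method, http_uri) with response-side buffers (http_stat_code), and that a flowbit set by a request rule only gates the response rule on the same flow after the whole request rule matched, can be checked with a small model. The script below is an added example, not Suricata's code or parser: it splits a rule into its options, reports which directions the rule's buffers inspect, and then replays constructed request/response events (the event dicts, flow ids and the subset of keywords modelled are all assumptions) through the two-rule pair above, tracking flowbits per flow.

```python
"""Toy model of two Suricata behaviours from this thread: the request/response
split of HTTP buffer keywords, and flowbits linking a request-side rule to a
response-side rule within one flow.  Added, constructed example; not Suricata code."""
import re

# Assumption: only the buffer keywords used in the thread are modelled.
REQUEST_KEYWORDS = {"http_method", "http_uri"}
RESPONSE_KEYWORDS = {"http_stat_code"}
# Which field of a constructed HTTP event each buffer keyword inspects.
BUFFER_FIELD = {"http_method": "method", "http_uri": "uri", "http_stat_code": "stat_code"}

# One rule option: keyword, optional ':' value (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*([a-z_.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Return (header_tokens, [(keyword, value), ...]) for one rule line."""
    header, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")").rstrip()
    options, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse options near {body[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]          # strip the surrounding quotes
        options.append((key, value))
        pos = m.end()
    return header.split(), options


def buffer_sides(options):
    """Directions whose buffers the rule inspects; two sides in one rule is what
    Suricata rejects as 'mixes keywords with conflicting directions'."""
    sides = set()
    for key, _ in options:
        if key in REQUEST_KEYWORDS:
            sides.add("request")
        elif key in RESPONSE_KEYWORDS:
            sides.add("response")
    return sides


def evaluate(options, event, flowbits):
    """Match one rule against one HTTP event (request or response).
    Returns (matched, alerts).  set/unset are applied only after the whole
    rule matched, which is why a partial match never sets the bit."""
    bits = flowbits.setdefault(event["flow"], set())
    alerts, deferred, i = True, [], 0
    while i < len(options):
        key, value = options[i]
        if key == "content":
            # The buffer modifier follows the content it applies to.
            modifier = options[i + 1][0] if i + 1 < len(options) else None
            field = BUFFER_FIELD.get(modifier)
            if field is None or value not in event.get(field, ""):
                return False, False      # wrong side of the conversation, or no match
            i += 2
            continue
        if key == "pcre":
            pattern, flags = value[1:].rsplit("/", 1)   # "/pattern/flags"
            field = "uri" if "U" in flags else None      # /U = normalised URI buffer
            if field is None or not re.search(pattern, event.get(field, "")):
                return False, False
        elif key == "flowbits":
            action, _, name = value.partition(",")
            if action == "isset" and name not in bits:
                return False, False
            if action in ("set", "unset"):
                deferred.append((action, name))
            if action == "noalert":
                alerts = False
        i += 1
    for action, name in deferred:
        (bits.add if action == "set" else bits.discard)(name)
    return True, alerts


def run_ruleset(rules, events):
    """Feed events through every rule in order; return [(sid, flow), ...] alerts."""
    flowbits, alerts = {}, []
    parsed = [parse_rule(r)[1] for r in rules]
    for event in events:
        for options in parsed:
            matched, alert = evaluate(options, event, flowbits)
            if matched and alert:
                alerts.append((int(dict(options)["sid"]), event["flow"]))
    return alerts


# The rejected rule from the first post (trimmed) and the two-rule flowbits pair.
MIXED_RULE = r'alert http any any <> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; content:"200"; http_stat_code; sid:502021022;)'
REQUEST_RULE = r'alert http any any -> any any (msg:"Winstore connection"; content:"GET"; http_method; content:"blue.php?MNVal="; http_uri; pcre:"/blue\.php\?MNVal=/U"; content:"&FNVal=ConnInfo&DVal="; http_uri; pcre:"/&FNVal=ConnInfo&DVal=/U"; flowbits:set,Winstore.Request; flowbits:noalert; classtype:trojan-activity; sid:502021022;)'
RESPONSE_RULE = r'alert http any any -> any any (msg:"Winstore connection"; content:"200"; http_stat_code; flowbits:isset,Winstore.Request; flowbits:unset,Winstore.Request; classtype:trojan-activity; sid:502021023;)'

# Constructed traffic: flow A is a full request/response pair, flow C matches
# only the first URI content, and A sees a second 200 after the bit was unset.
EVENTS = [
    {"flow": "A", "method": "GET", "uri": "/blue.php?MNVal=1&FNVal=ConnInfo&DVal=x"},
    {"flow": "C", "method": "GET", "uri": "/blue.php?MNVal=1"},
    {"flow": "A", "stat_code": "200"},
    {"flow": "C", "stat_code": "200"},
    {"flow": "A", "stat_code": "200"},
]

if __name__ == "__main__":
    print("sides in mixed rule:", buffer_sides(parse_rule(MIXED_RULE)[1]))
    print("alerts:", run_ruleset([REQUEST_RULE, RESPONSE_RULE], EVENTS))
```

Running it reports both directions for the mixed rule and a single alert, sid 502021023 on flow A: flow C never sets the bit because its request matched only one of the two URI contents, and the second 200 on flow A is silent because the response rule unset the bit on its first match.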

Thx Bryant, you really did me a favor :)
