Restrict PCRE to Http Header Only

Hello Everyone,

My query is: can we restrict the PCRE keyword to match a regex only in the HTTP header? If yes, then please elaborate how.

Thanks in advance
Regards

Hello!

Using sticky buffers, once the buffer is defined, any pcre keywords coming after the buffer definition will be applied to it. If you want to change the buffer, you define a different one.

for example:
http.header; pcre:"/^Host|3a 20|/"; http.user_agent; pcre:"/^Mozilla\//"

This logic will enforce that the http.header buffer starts with Host: and then we define another buffer, http.user_agent, and do another pcre that will apply only to the http.user_agent buffer.

Hopefully that helps!


Hello,
Thank you for replying.
By using this logic only in the signature rule: http.header; pcre:"/.*(example.com).*/";
Suricata will match the regex only in the HTTP header?

The signature rule i am talking about is:
alert tcp any any -> any 80 (msg:"Message Here"; flow:established,to_server; http.header; pcre:"/.*(example.com).*/"; sid:9050001; rev:1;)

Yes. Though I'd suggest using the http protocol instead of tcp, removing the destination port and not using PCRE for static content. Because you've put to_server as a flow option, it'll be looking at the HTTP request header. Use PCRE for complex pattern matching, not static content matching. And generally avoid using PCRE-only rules; they perform poorly. You need to have at least one static content, that is generally unique to the traffic you want to alert on.

I would rewrite this rule as this:

alert http any any -> any any (msg:"Message here"; flow:established,to_server; http.header; content:"example.com";  sid:9050001; rev:1;)

Always attempt to use the most specific buffer possible, so if you're looking in the Host header or the Referer header, use buffers that are specific to that header. A list of them is available here: 8.13. HTTP Keywords — Suricata 7.0.3-dev documentation

http.header is a little bit confusing, it actually allows inspection of all of the HTTP Headers, not a single header. If you’re using Suricata 7 or above and you are targeting a specific header value which does not have a pre-defined buffer, you can target a single header name and value by using http.request_header and http.response_header.

alert http any any -> any any (msg:"Message here"; flow:established,to_server; http.request_header; content:"X-CSRF-TOKEN|3a 20|"; startswith; content:"example.com"; distance:0; sid:9050001; rev:1;)

This allows you to inspect each request header by itself, and not in combination with other headers. Though if there is a specific buffer (http.host for example) it'd still be best to use that buffer.


Thank you for your helpful suggestions!!

The reason why I am using pcre over content is that I have to use an OR operator for the different strings I have to put in the content keyword. But unfortunately it is not possible to add multiple strings with an OR operator in the content keyword. That's why I am using pcre.

Regards

It might be more performant to use multiple signatures detecting the various values via a content keyword instead of using a PCRE without any static content.

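As an added example that is not part of the thread, the script below models the two points made in the replies above: the sticky-buffer scoping rule (a buffer keyword such as http.header binds every content/pcre that follows it until the next buffer keyword) and the advice to avoid pcre-only rules and to express an OR of static strings as one signature per value. It is a small rule linter written for this page, not Suricata's own parser; STICKY_BUFFERS is an illustrative subset of Suricata's HTTP buffers (assumption: not the full list), and the sample rules are constructed from the ones posted in the thread plus one http.host template.

```python
import re

# Constructed sample rules: the first mirrors the sticky-buffer example from the
# first reply, the second is the poster's original rule, the third is the
# suggested rewrite. None of them comes from a real ruleset.
SAMPLE_RULES = {
    "sticky": 'alert http any any -> any any (msg:"sticky demo"; http.header; '
              'pcre:"/^Host|3a 20|/"; http.user_agent; pcre:"/^Mozilla\\//"; sid:1; rev:1;)',
    "pcre_only": 'alert tcp any any -> any 80 (msg:"Message Here"; flow:established,to_server; '
                 'http.header; pcre:"/.*(example.com).*/"; sid:9050001; rev:1;)',
    "content": 'alert http any any -> any any (msg:"Message here"; flow:established,to_server; '
               'http.header; content:"example.com"; sid:9050001; rev:1;)',
}

# Illustrative subset of Suricata sticky buffers (assumption: not exhaustive;
# the HTTP keywords documentation has the full list).
STICKY_BUFFERS = {
    "http.header", "http.user_agent", "http.host", "http.uri", "http.method",
    "http.cookie", "http.request_header", "http.response_header",
    "http.request_body", "http.response_body",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split 'key:value; key; ...' on ';' that are outside double quotes."""
    items, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    parsed = []
    for item in items:
        if not item:
            continue
        key, _, value = item.partition(":")
        parsed.append((key.strip(), value.strip().strip('"') if value else None))
    return parsed


def parse_rule(rule):
    """Parse the rule header and the option list into a dict."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    parsed = m.groupdict()
    parsed["options"] = split_options(parsed.pop("opts"))
    return parsed


def bind_buffers(rule):
    """Return [(keyword, value, buffer)] for every content/pcre in the rule.

    Models the sticky-buffer rule from the thread: a buffer keyword sets the
    buffer for every content/pcre after it until another buffer keyword
    appears. Matches before any buffer keyword apply to the raw payload.
    """
    current, bound = "payload", []
    for key, value in parse_rule(rule)["options"]:
        if key in STICKY_BUFFERS:
            current = key
        elif key in ("content", "pcre"):
            bound.append((key, value, current))
    return bound


def lint(rule):
    """Flag the three problems called out in the replies above."""
    parsed = parse_rule(rule)
    keys = [k for k, _ in parsed["options"]]
    warnings = []
    if "pcre" in keys and "content" not in keys:
        warnings.append("pcre without any content match: nothing to prefilter on")
    uses_http = any(k in STICKY_BUFFERS for k in keys)
    if uses_http and parsed["proto"] != "http":
        warnings.append("HTTP buffers used but protocol is %r; use 'http'" % parsed["proto"])
    if uses_http and parsed["dport"] != "any":
        warnings.append("destination port %s is unnecessary for app-layer HTTP matching" % parsed["dport"])
    return warnings


def expand_alternation(template, values, base_sid):
    """Turn an OR of static strings into one content-based signature per value."""
    return [template.format(value=v, sid=base_sid + i) for i, v in enumerate(values)]


if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, bind_buffers(rule), lint(rule))
    host_template = ('alert http any any -> any any (msg:"host {value}"; flow:established,to_server; '
                     'http.host; content:"{value}"; sid:{sid}; rev:1;)')
    for r in expand_alternation(host_template, ["example.com", "example.net"], 9050001):
        print(r)
```

Running it shows the pcre in the first sample bound to http.header and the second to http.user_agent, three warnings for the original tcp/port-80/pcre-only rule, none for the content rewrite, and two http.host signatures in place of a pcre alternation.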

Okay Thanks…!!!