Feature #4089: rules: Flexible format transform - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #4089

open

rules: Flexible format transform

Added by Jeff Lucovsky about 4 years ago. Updated over 2 years ago.

Status:

Assigned

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

8.0.0-beta1

Effort:

medium

Difficulty:

medium

Label:

Description

A transform that could combine existing sticky buffer values according to a format string in a transform would provide a power facility to shift rules based on specific hosts/path combinations into a dataset and hence, craft a rule like the following:

alert http any any -> any any (format("{}/{}", http.host, http.uri); dataset: isset, url-bl;)

The values for http.host and http.uri are combined into a string, eg., http://somehost/some/path/that/is/suspicious.

The format transform generates the string and then it's checked against a URL blacklist.

Related issues 1 (1 open — 0 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #4089

rules: Flexible format transform

Updated by Jeff Lucovsky about 4 years ago

Updated by Jeff Lucovsky almost 4 years ago

Updated by Victor Julien almost 4 years ago

Updated by Victor Julien over 2 years ago