Feature #6831

Updated by Brandon Murphy 10 months ago

Use Case:  

 Consider the following HTTP request. I would like to write detection logic that ensures the 32-byte string that occurs in the URI is also found within the Cookie Value.  

 <pre> 
 GET /example/path?foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G HTTP/1.1 
 Host: example.com 
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
 Accept-Language: en-US,en;q=0.5 
 Accept-Encoding: gzip, deflate 
 Connection: keep-alive 
 Referer: http://example.com 
 Cookie: foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G 
 </pre> 

 reference: https://forum.suricata.io/t/byte-extract-byte-test-string-limits/4511/3 

 Current and Attempted Methods: 

 Currently the only way (with PCRE capture groups) to accomplish this detection logic has many limitations/considerations: 
 1) within a single buffer (http.start works in this example)  
     - this won't work with HTTP/2 traffic 
 2) via capture groups within PCRE. This can be pretty costly.  

 I attempted to use the byte_extract/byte_test, which did work, but was limited to 20 bytes as noted within the discourse convo. The keyword performance of the byte_extract/byte_test combo was about half as many ticks as using the PCRE capture groups.  


 Proposed Solution: 
 I won't bother with suggesting how this should be solved, but if more details of the use case are required, please let me know.  


 P.S. - I'm not sure what to "call" this request, so feel free to change the subject to more accurately reflect whatever this is.  
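
The comparison described in the use case, written as an offline reference check (an added example, not part of the original request and not Suricata code). It reads the URI and the Cookie header as two separate buffers and reports values present in both; the function names and the 32-alphanumeric token pattern are assumptions based on the sample request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the token is exactly 32 alphanumeric characters, as in the sample.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{32}")

# Constructed sample: the request from the post, reduced to the relevant lines.
SAMPLE = (
    b"GET /example/path?foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G\r\n\r\n"
)

def split_request(raw):
    """Return (uri, headers) with header names lower-cased; repeated headers are kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[1], headers

def uri_tokens(uri):
    """32-character query-string values taken from the URI buffer."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return {value for _, value in pairs if TOKEN_RE.fullmatch(value)}

def cookie_values(headers):
    """Every cookie value from the Cookie buffer, whatever the cookie name."""
    values = set()
    for line in headers.get("cookie", []):
        for pair in line.split(";"):
            _, sep, value = pair.strip().partition("=")
            if sep:
                values.add(value)
    return values

def shared_tokens(raw):
    """Tokens present both as a URI parameter value and as a cookie value."""
    uri, headers = split_request(raw)
    return sorted(uri_tokens(uri) & cookie_values(headers))

if __name__ == "__main__":
    print(shared_tokens(SAMPLE))
```

Running requests extracted from a test pcap through `shared_tokens` gives a ground truth to compare rule alerts against, independent of whether the rule uses PCRE capture groups or byte_extract/byte_test.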
