julioliraup / Antiphishing

Suricata rulesets for protect against phishing attack.
GNU General Public License v3.0

HTTP rule feedback #4

Closed zoomequipd closed 5 months ago

zoomequipd commented 5 months ago

Reference Rule:

alert http $HOME_NET any -> any any (msg:"AT related malicious URL (walletrccnnect[.]gitbook[.]io/us)"; flow:to_server,established; content:"GET /us"; http_uri; fast_pattern:only; content:"Host|3A| walletrccnnect.gitbook.io"; http_header; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000026; rev:1; metadata: signature_severity Major;)

1) adjust the "flow" option order as per the Suricata Community Style Guide

    Write flow state before direction
      Example: flow:established,to_server; not flow:to_server,established;

2) use http.uri sticky buffer instead of http_uri content modifier

    http.uri; content:"/us"; 

3) don't use http.header for host match, use http.host instead

    http.host; content:"walletrccnnect.gitbook.io";

4) consider using exact or non-exact host name matching

```
http.host; bsize:25; content:"walletrccnnect.gitbook.io";
```
```
http.host; dotprefix; content:".walletrccnnect.gitbook.io"; endswith;
```

5) don't include the method in http.uri. This is a major item here: it will cause all these rules to not alert. The method is not part of the URI but its own buffer, http.method. But consider that phishing pages commonly use POST as well to send the creds to the server, so you might not include a method at all

    http.method; content:"GET"; http.uri; content:"/us"; 

6) consider using startswith on the URI or exact.

    http.uri; content:"/us"; startswith; 

7) drop the :only modifier to the fast_pattern, it doesn't do anything for Suricata.

8) if http.host is included in the rule, it'll probably make a better fast_pattern than the URI. At least in this reference rule that's the case. You might need to figure out a way to determine the best fast_pattern, or just let Suricata do it.

Proposed format

alert http $HOME_NET any -> any any (msg:"AT related malicious URL (walletrccnnect .gitbook .io/us)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/us"; startswith; fast_pattern; http.host; dotprefix; content:".walletrccnnect.gitbook.io"; endswith; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000026; rev:1; metadata: signature_severity Major;)