五.Suricata识别http攻击流量
一.定义http攻击类型
编辑classification.config文件,为HTTP协议增加以下类别,并设定相应的priority
HTTP协议是明文传输，其流量特征存在于URL地址、POST请求正文、请求头或响应头，以及文件上传的情况(POST请求正文)中。
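# Classification entries appended to classification.config.
# Format: config classification: <shortname>, <description>, <priority>
# Lower priority numbers are more severe (1 = highest, 4 = informational);
# the shortname is what the rules below reference in classtype:.
config classification: web-status-error, web服务器状态异常, 4
config classification: web-scan-attack, web页面扫描攻击, 2
config classification: web-sql-injection, SQL注入攻击, 1
config classification: web-xss-attack, XSS跨站攻击, 2
# Description corrected: SSRF is server-side request forgery, not a cross-site (跨站) attack.
config classification: web-ssrf-attack, SSRF服务端请求伪造, 2
config classification: web-shell-attack, 站点木马植入, 1
config classification: web-file-upload, 文件上传异常, 1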
二.URL地址栏异常
1.状态码异常
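# 状态码异常 — matched on the status line of the HTTP response (http_stat_code),
# so the triggering packet flows server -> client; "<>" keeps the rule bidirectional.
# Each rule must stay on one physical line (a line break without a trailing "\"
# splits the rule and it will not load).
alert http any any <> $HOME_NET 8443 (msg:"Web服务器出现404."; content:"404"; http_stat_code; classtype:web-status-error; sid:561001; rev:1;)
# content corrected to "403"/"500": the original 561002/561003 were copies of 561001
# that still matched "404" while their msg reported 403/500.
alert http any any <> $HOME_NET 8443 (msg:"Web服务器出现403."; content:"403"; http_stat_code; classtype:web-status-error; sid:561002; rev:2;)
alert http any any <> $HOME_NET 8443 (msg:"Web服务器出现500."; content:"500"; http_stat_code; classtype:web-status-error; sid:561003; rev:2;)
# 扫描攻击 — five or more 404 responses within 20 seconds from the same client.
# track by_dst: the 404 is in the response, whose destination IP is the client
# issuing the requests; by_src would key on the web server and lump every client
# together. The msg is made distinct from 561001 so alerts are distinguishable.
alert http any any <> $HOME_NET 8443 (msg:"Web扫描-20秒内5次404."; content:"404"; http_stat_code; threshold:type threshold, track by_dst, count 5, seconds 20; classtype:web-scan-attack; sid:561004; rev:2;)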
2.SQL注入攻击
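# SQL注入攻击 — every pattern is matched against the normalized request URI
# (http_uri), case-insensitively (nocase). Bare words such as "select", "from",
# "where" and "columns" also occur in ordinary query strings, so expect false
# positives from 562001 and 562015 and tune them per application.
# msg corrected to "select": the original said "union" but the content matched "select".
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-select."; content:"select"; http_uri; nocase; classtype:web-sql-injection; sid:562001; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-order by."; content:"order by"; http_uri; nocase; classtype:web-sql-injection; sid:562002; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-database()."; content:"database()"; http_uri; nocase; classtype:web-sql-injection; sid:562003; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-version()."; content:"version()"; http_uri; nocase; classtype:web-sql-injection; sid:562004; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-user()."; content:"user()"; http_uri; nocase; classtype:web-sql-injection; sid:562005; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-updatexml(."; content:"updatexml("; http_uri; nocase; classtype:web-sql-injection; sid:562006; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-extract(."; content:"extract("; http_uri; nocase; classtype:web-sql-injection; sid:562007; rev:1;)
# |20| is a literal space byte; the surrounding spaces stop "and"/"or" from
# matching inside longer words in the URI.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-and."; content:"|20|and|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562008; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-or."; content:"|20|or|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562009; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-| |."; content:"|7C 7C|"; http_uri; nocase; classtype:web-sql-injection; sid:562010; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-and."; content:"&&"; http_uri; nocase; classtype:web-sql-injection; sid:562011; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-#."; content:"|23|"; http_uri; nocase; classtype:web-sql-injection; sid:562012; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击---."; content:"--"; http_uri; nocase; classtype:web-sql-injection; sid:562013; rev:1;)
# 562014: the original pcre "/\+*|\s*/i" matches the empty string, so it never
# narrowed anything beyond 562013. It now requires "--" followed by at least one
# "+" or whitespace character (the URL forms of "-- "). The U flag scopes the
# pcre to the normalized URI, the same buffer the preceding content uses.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击---."; content:"--"; http_uri; nocase; pcre:"/--[+\s]+/Ui"; classtype:web-sql-injection; sid:562014; rev:2;)
# 562015: keyword-list regex rejoined onto one line. The wrapped original split the
# "\(" and "\s" escapes across lines, leaving an unbalanced "(" that PCRE rejects,
# so the rule cannot load as written. It also now carries the U flag so the regex
# runs on the normalized URI rather than the whole packet payload.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击."; content:"="; http_uri; pcre:"/union|select|from|updatexml|extract|database\(|user\(|version\(|information_schema|where|columns|--\s+|--\++|\s+and\s+|\s+or\s+|\|\||&&/Ui"; classtype:web-sql-injection; sid:562015; rev:2;)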
3.XSS跨站脚本
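# XSS跨站脚本 — plain substrings in the normalized request URI (http_uri, nocase).
# "javascript", "alert(" and "onload=" also appear in legitimate parameters, so
# review hit rates before acting on these alerts.
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"<script"; http_uri; nocase; classtype:web-xss-attack; sid:563001; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"</script"; http_uri; nocase; classtype:web-xss-attack; sid:563002; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"javascript"; http_uri; nocase; classtype:web-xss-attack; sid:563003; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"alert("; http_uri; nocase; classtype:web-xss-attack; sid:563004; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"onload="; http_uri; nocase; classtype:web-xss-attack; sid:563005; rev:1;)
# sid renumbered from 563005 (already used by the onload= rule above): Suricata
# reports a duplicate sid at rule load and keeps only one of the two. Matching
# "http://" anywhere in the URI also overlaps the SSRF rule 564002 and will be noisy.
alert http any any -> $HOME_NET 8443 (msg:"XSS攻击"; content:"http|3A|//"; http_uri; nocase; classtype:web-xss-attack; sid:563006; rev:1;)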
4.SSRF攻击
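# SSRF攻击 — URL schemes appearing in the normalized request URI. Only the file:
# pattern requires a preceding "="; the other schemes match anywhere in the URI,
# including ordinary redirect/callback parameters, so expect noise on http: and https:.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"=file|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564001; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"http|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564002; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"https|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564003; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"dict|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564004; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"gopher|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564005; rev:1;)
# sid renumbered from 564005 (already used by the gopher: rule above); Suricata
# reports a duplicate sid at rule load and keeps only one copy.
alert http any any -> $HOME_NET 8443 (msg:"SSRF攻击"; content:"phar|3A|"; http_uri; nocase; classtype:web-ssrf-attack; sid:564006; rev:1;)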
5.木马脚本
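# 木马脚本 — a PHP open tag in the URI together with a dangerous function or
# superglobal name. In PCRE "$" is an end-of-subject anchor, so the original
# "$_POST|$_GET" alternatives could never match; they are escaped as "\$" here.
# The U flag scopes the regex to the normalized URI like the content before it.
# Bare "eval", "exec" and "assert" also match inside longer words — expect noise.
# NOTE(review): sid 545005 sits outside the 56xxxx series used by the other rules — confirm.
alert http any any -> $HOME_NET 8443 (msg:"URL地址木马"; content:"<?"; http_uri; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/Ui"; classtype:web-shell-attack; sid:545005; rev:2;)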
三.POST请求和HTTP头部
整体上操作与GET请求一致,只是需要将http_uri换成http.request_body或http_client_body即可
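# POST请求 — the same function/superglobal list as the URI rule, applied to the
# request body. Sticky buffers (http.header, http.request_body) apply to every
# keyword that follows until another buffer is selected, so the buffer must come
# BEFORE the content it is meant to scope: in the original, content:"=" ran against
# the raw payload and "x-www-form-urlencoded" was searched in the body rather than
# the Content-Type header. "$_POST"/"$_GET" are escaped because "$" is an anchor in PCRE.
# NOTE(review): sid 546001 sits outside the 56xxxx series used by the other rules — confirm.
alert http any any -> $HOME_NET 8443 (msg:"POST正文木马"; http.header; content:"x-www-form-urlencoded"; nocase; http.request_body; content:"="; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; classtype:web-shell-attack; sid:546001; rev:2;)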
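# http头部请求 — the SQL keyword regex from 562015 applied to the request headers.
# http.header is a sticky buffer and is placed before content:"=" so both the
# content and the pcre run on the header buffer (the pcre therefore takes no U flag).
# The regex is rejoined onto one line; the wrapped original split the "\(" and "\s"
# escapes and left an unbalanced "(" that PCRE rejects. Note that almost every
# request header block contains "=" (Cookie alone), so the pre-filter is weak and
# the keyword list will produce false positives on ordinary header values.
# NOTE(review): sid 567015 does not follow the 562xxx series of the other SQL rules — confirm.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-HTTP头部."; http.header; content:"="; pcre:"/union|select|from|updatexml|extract|database\(|user\(|version\(|information_schema|where|columns|--\s+|--\++|\s+and\s+|\s+or\s+|\|\||&&/i"; classtype:web-sql-injection; sid:567015; rev:2;)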