8.10. Transformations
Transformation keywords turn the data at a sticky buffer into something else. Some transformations support options for greater control over the transformation process
Example:
alert http any any -> any any (file_data; strip_whitespace; \
content:"window.navigate("; sid:1;)
This example will match on traffic even if there are one or more spaces between
the navigate and (.
The transforms can be chained. They are processed in the order in which they appear in a rule. Each transform's output acts as input for the next one.
Example:
alert http any any -> any any (http_request_line; compress_whitespace; to_sha256; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)
Note
not all sticky buffers support transformations yet
8.10.1. dotprefix
Takes the buffer, and prepends a . character to help facilitate concise domain checks. For example,
an input string of hello.google.com would be modified and become .hello.google.com. Additionally,
adding the dot allows google.com to match against content:".google.com"
Example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".microsoft.com"; sid:1;)
This example will match on windows.update.microsoft.com and
maps.microsoft.com.au but not windows.update.fakemicrosoft.com.
This rule can be used to match on the domain only; example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".microsoft.com"; endswith; sid:1;)
This example will match on windows.update.microsoft.com but not
windows.update.microsoft.com.au.
Finally, this rule can be used to match on the TLD only; example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".co.uk"; endswith; sid:1;)
This example will match on maps.google.co.uk but not
maps.google.co.nl.
8.10.2. strip_whitespace
Strips all whitespace as considered by the isspace() call in C.
Example:
alert http any any -> any any (file_data; strip_whitespace; \
content:"window.navigate("; sid:1;)
8.10.3. compress_whitespace
Compresses all consecutive whitespace into a single space.
8.10.4. to_lowercase
Converts the buffer to lowercase and passes the value on.
This example alerts if http.uri contains this text has been converted to lowercase
Example:
alert http any any -> any any (http.uri; to_lowercase; \
content:"this text has been converted to lowercase"; sid:1;)
8.10.5. to_md5
Takes the buffer, calculates the MD5 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_md5; \
content:"|54 A9 7A 8A B0 9C 1B 81 37 25 22 14 51 D3 F9 97|"; sid:1;)
8.10.6. to_uppercase
Converts the buffer to uppercase and passes the value on.
This example alerts if http.uri contains THIS TEXT HAS BEEN CONVERTED TO LOWERCASE
Example:
alert http any any -> any any (http.uri; to_uppercase; \
content:"THIS TEXT HAS BEEN CONVERTED TO UPPERCASE"; sid:1;)
8.10.7. to_sha1
Takes the buffer, calculates the SHA-1 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_sha1; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7|"; sid:1;)
8.10.8. to_sha256
Takes the buffer, calculates the SHA-256 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_sha256; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)
8.10.9. pcrexform
Takes the buffer, applies the required regular expression, and outputs the first captured expression.
Note
this transform requires a mandatory option string containing a regular expression.
This example alerts if http.request_line contains /dropper.php
Example:
alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; \
pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; content:"/dropper.php"; sid:1;)
8.10.10. url_decode
Decodes url-encoded data, ie replacing '+' with space and '%HH' with its value. This does not decode unicode '%uZZZZ' encoding
8.10.11. xor
Takes the buffer, applies xor decoding.
Note
this transform requires a mandatory option which is the hexadecimal encoded xor key.
This example alerts if http.uri contains password= xored with 4-bytes key 0d0ac8ff
Example:
alert http any any -> any any (msg:"HTTP with xor"; http.uri; \
xor:"0d0ac8ff"; content:"password="; sid:1;)
8.10.12. header_lowercase
This transform is meant for HTTP/1 HTTP/2 header names normalization. It lowercases the header names, while keeping untouched the header values.
The implementation uses a state machine :
- it lowercases until it finds :`
- it does not change until it finds a new line and switch back to first state
This example alerts for both HTTP/1 and HTTP/2 with a authorization header Example:
alert http any any -> any any (msg:"HTTP authorization"; http.header_names; \
header_lowercase; content:"authorization:"; sid:1;)
8.10.13. strip_pseudo_headers
This transform is meant for HTTP/1 HTTP/2 header names normalization. It strips HTTP2 pseudo-headers (names and values).
The implementation just strips every line beginning by :.
This example alerts for both HTTP/1 and HTTP/2 with only a user agent Example:
alert http any any -> any any (msg:"HTTP ua only"; http.header_names; \
bsize:16; content:"|0d 0a|User-Agent|0d 0a 0d 0a|"; nocase; sid:1;)