6.8. Transformations

Transformation keywords turn the data at a sticky buffer into something else.

Example:

alert http any any -> any any (file_data; strip_whitespace; \
    content:"window.navigate("; sid:1;)

This example will match on traffic even if there are one or more spaces between the navigate and (.

The transforms can be chained. They are processed in the order in which they appear in a rule. Each transforms output acts as input for the next one.

Example:

alert http any any -> any any (http_request_line; compress_whitespace; to_sha256; \
    content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)

Note

not all sticky buffers support transformations yet

6.8.1. dotprefix

Takes the buffer, and prepends a . character to help facilitate concise domain checks. For example, an input string of hello.google.com would be modified and become .hello.google.com. Additionally, adding the dot allows google.com to match against content:".google.com"

Example:

alert dns any any -> any any (dns.query; dotprefix; \
    content:".microsoft.com"; sid:1;)

This example will match on windows.update.microsoft.com and maps.microsoft.com.au but not windows.update.fakemicrosoft.com.

This rule can be used to match on the domain only; example:

alert dns any any -> any any (dns.query; dotprefix; \
    content:".microsoft.com"; endswith; sid:1;)

This example will match on windows.update.microsoft.com but not windows.update.microsoft.com.au.

Finally, this rule can be used to match on the TLD only; example:

alert dns any any -> any any (dns.query; dotprefix; \
    content:".co.uk"; endswith; sid:1;)

This example will match on maps.google.co.uk but not maps.google.co.nl.

6.8.2. strip_whitespace

Strips all whitespace as considered by the isspace() call in C.

Example:

alert http any any -> any any (file_data; strip_whitespace; \
    content:"window.navigate("; sid:1;)

6.8.3. compress_whitespace

Compresses all consecutive whitespace into a single space.

6.8.4. to_md5

Takes the buffer, calculates the MD5 hash and passes the raw hash value on.

Example:

alert http any any -> any any (http_request_line; to_md5; \
    content:"|54 A9 7A 8A B0 9C 1B 81 37 25 22 14 51 D3 F9 97|"; sid:1;)

Note

depends on libnss being compiled into Suricata

6.8.5. to_sha1

Takes the buffer, calculates the SHA-1 hash and passes the raw hash value on.

Example:

alert http any any -> any any (http_request_line; to_sha1; \
    content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7|"; sid:1;)

Note

depends on libnss being compiled into Suricata

6.8.6. to_sha256

Takes the buffer, calculates the SHA-256 hash and passes the raw hash value on.

Example:

alert http any any -> any any (http_request_line; to_sha256; \
    content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)

Note

depends on libnss being compiled into Suricata