8.8. Transformations
Transformation keywords turn the data at a sticky buffer into something else before any content match is run against it. Some transformations support options for greater control over the transformation process.
Example:
alert http any any -> any any (file_data; strip_whitespace; \
content:"window.navigate("; sid:1;)
This example will match on traffic even if there are one or more spaces between "navigate" and "(".
The transforms can be chained. They are processed in the order in which they appear in a rule. Each transform's output acts as input for the next one.
Example:
alert http any any -> any any (http_request_line; compress_whitespace; to_sha256; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)
Note: not all sticky buffers support transformations yet.
8.8.1. dotprefix
Prepends a "." character to the buffer to make concise domain checks possible. For example, an input string of hello.google.com becomes .hello.google.com. The added dot also lets google.com itself match against content:".google.com", because the buffer is then exactly .google.com, while a name such as notgoogle.com (buffer .notgoogle.com) does not.
Example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".microsoft.com"; sid:1;)
This example will match on windows.update.microsoft.com and maps.microsoft.com.au but not on windows.update.fakemicrosoft.com.
Adding endswith anchors the content to the end of the name, so the rule matches on the domain only; example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".microsoft.com"; endswith; sid:1;)
This example will match on windows.update.microsoft.com but not on windows.update.microsoft.com.au.
Finally, the same combination can be used to match on the TLD only; example:
alert dns any any -> any any (dns.query; dotprefix; \
content:".co.uk"; endswith; sid:1;)
This example will match on maps.google.co.uk but not on maps.google.co.nl.
8.8.2. strip_whitespace
Strips all whitespace as considered by the isspace() call in C.
Example:
alert http any any -> any any (file_data; strip_whitespace; \
content:"window.navigate("; sid:1;)
8.8.3. compress_whitespace
Compresses all consecutive whitespace into a single space.
8.8.4. to_lowercase
Converts the buffer to lowercase and passes the value on.
This example alerts if http.uri contains the text "this text has been converted to lowercase" in any mix of upper and lower case on the wire, because the buffer is lowercased before the content match.
Example:
alert http any any -> any any (http.uri; to_lowercase; \
content:"this text has been converted to lowercase"; sid:1;)
8.8.5. to_md5
Takes the buffer, calculates the MD5 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_md5; \
content:"|54 A9 7A 8A B0 9C 1B 81 37 25 22 14 51 D3 F9 97|"; sid:1;)
8.8.6. to_uppercase
Converts the buffer to uppercase and passes the value on.
This example alerts if http.uri contains the text "THIS TEXT HAS BEEN CONVERTED TO UPPERCASE" in any mix of upper and lower case on the wire, because the buffer is uppercased before the content match.
Example:
alert http any any -> any any (http.uri; to_uppercase; \
content:"THIS TEXT HAS BEEN CONVERTED TO UPPERCASE"; sid:1;)
8.8.7. to_sha1
Takes the buffer, calculates the SHA-1 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_sha1; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7|"; sid:1;)
8.8.8. to_sha256
Takes the buffer, calculates the SHA-256 hash and passes the raw hash value on.
Example:
alert http any any -> any any (http_request_line; to_sha256; \
content:"|54A9 7A8A B09C 1B81 3725 2214 51D3 F997 F015 9DD7 049E E5AD CED3 945A FC79 7401|"; sid:1;)
8.8.9. pcrexform
Takes the buffer, applies the given regular expression, and passes on only the first capture group.
Note: this transform requires a mandatory option string containing a regular expression.
This example alerts if the part of http.request_line captured by the expression (the request target between the method and the HTTP version) contains /dropper.php.
Example:
alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; \
pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; content:"/dropper.php"; sid:1;)
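The following is an added example, not Suricata's own code: a Python model of the pcrexform rule above, applying the rule's regular expression to constructed request lines and handing on only the first capture group. What happens when the expression does not match is an assumption of this model (nothing is handed on, so the following content test fails); the text above does not specify it.

```python
import re
from typing import Optional


def pcrexform(buf: bytes, pattern: bytes) -> Optional[bytes]:
    """Apply the regex to the buffer and hand on only the first capture group.
    No match, or a pattern without a group, yields None here (assumption of this
    model), so any content test that follows fails."""
    m = re.search(pattern, buf)
    if m is None or m.lastindex is None:
        return None
    return m.group(1)


# The expression from the rule above: method, whitespace, (target), whitespace, "HTTP".
REQUEST_TARGET = rb"[a-zA-Z]+\s+(.*)\s+HTTP"


def rule_matches(request_line: bytes, needle: bytes = b"/dropper.php") -> bool:
    """Model of: http.request_line; pcrexform:"[a-zA-Z]+\\s+(.*)\\s+HTTP"; content:<needle>;"""
    target = pcrexform(request_line, REQUEST_TARGET)
    return target is not None and needle in target


if __name__ == "__main__":
    for line in (b"GET /dropper.php?id=7 HTTP/1.1",   # constructed samples
                 b"POST /upload HTTP/1.1",
                 b"GET /x   HTTP/1.1",                # greedy (.*) keeps the extra spaces
                 b"GET /dropper.php"):                # no version: the regex fails
        print(line, "->", pcrexform(line, REQUEST_TARGET), rule_matches(line))
```

Because the greedy (.*) gives back only as much as the trailing \s+HTTP needs, a request line padded with several spaces before the version leaves trailing spaces in the captured target; chaining compress_whitespace before pcrexform avoids that. Note also that after pcrexform the method is no longer in the buffer, so a content:"GET" in the same rule would not match.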
8.8.10. url_decode
Decodes URL-encoded data, i.e. replaces '+' with a space and '%HH' with the byte it encodes. This does not decode the '%uZZZZ' Unicode encoding.
8.8.11. xor
Takes the buffer and XORs it with the given key, repeating the key across the length of the buffer.
Note: this transform requires a mandatory option, the hexadecimal-encoded XOR key.
This example alerts if http.uri contains password= XORed with the 4-byte key 0d0ac8ff.
Example:
alert http any any -> any any (msg:"HTTP with xor"; http.uri; \
xor:"0d0ac8ff"; content:"password="; sid:1;)
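The following is an added example, not Suricata's own code: a Python model of url_decode and xor, chained the way transforms chain in a rule (http.uri; url_decode; xor:"0d0ac8ff"; content:"password=";). XOR'd bytes rarely survive in a request line unescaped, so the constructed client side percent-encodes them; url_decode then restores the raw bytes and xor recovers the plaintext. The url_decode helper follows the description above (only '+' and well-formed '%HH' are decoded; '%uZZZZ' and malformed escapes pass through), and this model assumes the key restarts at buffer offset 0.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"


def url_decode(buf: bytes) -> bytes:
    """'+' becomes a space and a well-formed '%HH' becomes its byte; anything else,
    including '%uZZZZ' and malformed escapes, is passed through unchanged."""
    out = bytearray()
    i, n = 0, len(buf)
    while i < n:
        c = buf[i]
        if c == 0x2B:  # '+'
            out.append(0x20)
            i += 1
        elif c == 0x25 and i + 2 < n and buf[i + 1] in HEX_DIGITS and buf[i + 2] in HEX_DIGITS:
            out.append(int(buf[i + 1:i + 3], 16))  # '%HH'
            i += 3
        else:
            out.append(c)
            i += 1
    return bytes(out)


def xor(buf: bytes, key_hex: str) -> bytes:
    """Repeating-key XOR; the key restarts at buffer offset 0 (assumption of this model)."""
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("xor key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def decoded_uri(uri: bytes, key_hex: str) -> bytes:
    """Model of: http.uri; url_decode; xor:<key_hex>;  (transforms run left to right)"""
    return xor(url_decode(uri), key_hex)


def rule_matches(uri: bytes, key_hex: str = "0d0ac8ff", needle: bytes = b"password=") -> bool:
    return needle in decoded_uri(uri, key_hex)


def attacker_encode(plain: bytes, key_hex: str) -> bytes:
    """Constructed client side: XOR the URI, then percent-encode every byte that is
    not URL-safe so the result can travel in a request line."""
    out = bytearray()
    for b in xor(plain, key_hex):
        if (b < 0x80 and chr(b).isalnum()) or b in b"-._~":
            out.append(b)
        else:
            out += b"%%%02X" % b
    return bytes(out)


if __name__ == "__main__":
    key = "0d0ac8ff"
    wire = attacker_encode(b"/login?password=hunter2", key)   # constructed sample URI
    print("on the wire :", wire)
    print("url_decode  :", url_decode(wire))
    print("after xor   :", decoded_uri(wire, key))
    print("rule matches:", rule_matches(wire, key))
```

The order of the two transforms matters: XORing the percent-encoded text and then decoding would not recover the plaintext. Since the key position is tied to the buffer offset, the decoded content only matches when the attacker's key alignment coincides with the start of the inspected buffer; a payload XORed from a different starting point needs the key rotated accordingly.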
8.8.12. header_lowercase
This transform is meant for HTTP/1 and HTTP/2 header name normalization. It lowercases the header names while leaving the header values untouched.
The implementation uses a state machine:
- it lowercases until it finds ':'
- it then leaves bytes unchanged until it finds a newline, at which point it switches back to the first state
This example alerts for both HTTP/1 and HTTP/2 on an authorization header (HTTP/2 sends header names in lowercase, HTTP/1 names may be mixed case). Example:
alert http any any -> any any (msg:"HTTP authorization"; http.header; \
header_lowercase; content:"authorization:"; sid:1;)
8.8.13. strip_pseudo_headers
This transform is meant for HTTP/1 and HTTP/2 header name normalization. It strips HTTP/2 pseudo-headers (names and values).
The implementation simply strips every line beginning with ':'.
This example alerts for both HTTP/1 and HTTP/2 when User-Agent is the only header: once the pseudo-headers are removed, the http.header_names buffer is exactly 16 bytes (CRLF, the 10-byte name, and the terminating double CRLF). Example:
alert http any any -> any any (msg:"HTTP ua only"; http.header_names; strip_pseudo_headers; \
bsize:16; content:"|0d 0a|User-Agent|0d 0a 0d 0a|"; nocase; sid:1;)
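The following is an added example, not Suricata's own code: a Python model of the header_lowercase state machine and of strip_pseudo_headers, run over constructed HTTP/1 and HTTP/2 header buffers and checked against the two rules above. The layout of the http.header_names buffer (CRLF, names separated by CRLF, terminating double CRLF) is taken from the 16-byte User-Agent example; the http.header buffers are ordinary "Name: value" lines. The sample headers are constructed.

```python
LF, COLON = 0x0A, 0x3A


def header_lowercase(buf: bytes) -> bytes:
    """State machine from the text above: lowercase until ':', copy unchanged until
    a newline, then lowercase again. Values are never touched."""
    out = bytearray()
    in_name = True
    for b in buf:
        if in_name:
            if b == COLON:
                in_name = False
            elif 0x41 <= b <= 0x5A:      # ASCII 'A'..'Z'
                b |= 0x20
        elif b == LF:
            in_name = True
        out.append(b)
    return bytes(out)


def strip_pseudo_headers(buf: bytes) -> bytes:
    """Drop every line that begins with ':' (an HTTP/2 pseudo-header), newline included."""
    out = bytearray()
    i, at_line_start = 0, True
    while i < len(buf):
        if at_line_start and buf[i] == COLON:
            nl = buf.find(b"\n", i)
            i = len(buf) if nl < 0 else nl + 1
            continue
        out.append(buf[i])
        at_line_start = buf[i] == LF
        i += 1
    return bytes(out)


def header_names_buffer(names) -> bytes:
    """Constructed model of http.header_names: CRLF, names joined by CRLF, final CRLF CRLF."""
    return b"\r\n" + b"\r\n".join(names) + b"\r\n\r\n"


def authorization_rule(http_header: bytes) -> bool:
    """Model of: http.header; header_lowercase; content:"authorization:";"""
    return b"authorization:" in header_lowercase(http_header)


def ua_only_rule(header_names: bytes) -> bool:
    """Model of: http.header_names; strip_pseudo_headers; bsize:16;
    content:"|0d 0a|User-Agent|0d 0a 0d 0a|"; nocase;"""
    buf = strip_pseudo_headers(header_names)
    return len(buf) == 16 and buf.lower() == b"\r\nuser-agent\r\n\r\n"


# Constructed sample buffers.
H1_HEADER = b"Host: example.test\r\nAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n"
H2_HEADER = b"authorization: Bearer AbC.DeF\r\nuser-agent: curl/8.0\r\n\r\n"
H1_NAMES = header_names_buffer([b"User-Agent"])
H2_NAMES = header_names_buffer([b":method", b":path", b":scheme", b":authority", b"user-agent"])
H2_NAMES_MORE = header_names_buffer([b":method", b":path", b"user-agent", b"accept"])

if __name__ == "__main__":
    print(header_lowercase(H1_HEADER))
    print("authorization HTTP/1:", authorization_rule(H1_HEADER), " HTTP/2:", authorization_rule(H2_HEADER))
    print(strip_pseudo_headers(H2_NAMES))
    print("ua only HTTP/1:", ua_only_rule(H1_NAMES), " HTTP/2:", ua_only_rule(H2_NAMES),
          " HTTP/2 with accept:", ua_only_rule(H2_NAMES_MORE))
```

The bsize:16 check is what makes the second rule "User-Agent only": without strip_pseudo_headers the HTTP/2 buffer would still carry the :method, :path, :scheme and :authority lines and would never be 16 bytes long, so the rule could only fire on HTTP/1.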