NimbostratusStream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture alpha numeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but thats beside the point I'm getting to. This is how I approached it a stream profile within a HTTP_RESPONSE event.
when HTTP_REQUEST {
STREAM::disable
if { [HTTP::header value "Host"] equals "winweb1.clearshark.net"} {
set host [HTTP::header value "Host"]
HTTP::header remove "Accept-Encoding"
}
}
when HTTP_RESPONSE {
if {[info exists host]} {
if {$host equals "winweb1.clearshark.net"} {
STREAM::expression {@[a-zA-Z0-9]{13,16}@}
STREAM::enable
}
} }
when STREAM_MATCHED {
log local0. "Stream matched [STREAM::match]"
}
Now...
I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success.
when CLIENT_ACCEPTED {
STREAM::disable
}
when SERVER_CONNECTED {
TCP::collect
if {[IP::client_addr] equals "172.16.211.103"} {
log local0. "Stream enabled"
STREAM::expression {@[a-zA-Z0-9]{13,16}@}
STREAM::enable
}
}
when STREAM_MATCHED {
log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]"
}
I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event.
I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward.
I appreciate any and all help!
