From 45a79501d9f9271dc89a2f8b667e18a77c6f0de6 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Fri, 6 Sep 2024 11:30:41 +0200
Subject: [PATCH] suricata/rules: add HTML magic

---
 suricata/rules/suricata.rules | 1 +
 webapp/static/js/flowdisplay.js | 1 +
 2 files changed, 2 insertions(+)

diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index b15ad87..4617108 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -65,6 +65,7 @@ alert ip any any -> any any (msg: "tag"; file.data; content: "Vgm|20|"; startswi
 alert ip any any -> any any (msg: "tag"; file.data; content: "wOF"; startswith; fast_pattern; filemagic: "Web Open Font"; metadata: tag WOFF, color primary; sid: 1016;)
 alert ip any any -> any any (msg: "tag"; file.data; content: "|7F|ELF|02 01 01 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; filemagic: "ELF"; metadata: tag ELF, color primary; sid: 1017;)
 alert ip any any -> any any (msg: "tag"; file.data; content: "f0VMRgIBAQAAAAAAAAAAAA"; metadata: tag ELF B64, color primary; sid: 1018;)
+alert ip any any -> any any (msg: "tag"; file.data; content: " any any (msg: "tag"; http.method; content: "POST"; startswith; metadata: tag POST, color info; sid: 2001;)
diff --git a/webapp/static/js/flowdisplay.js b/webapp/static/js/flowdisplay.js
index 7593530..c02f2c6 100644
--- a/webapp/static/js/flowdisplay.js
+++ b/webapp/static/js/flowdisplay.js
@@ -10,6 +10,7 @@ import Api from './api.js'
 // These should match defined magics in suricata.rules
 const MAGIC_EXT = {
 'GIF image': 'gif',
+ 'HTML document': 'html',
 'JPEG image': 'jpg',
 'PDF document': 'pdf',
 'PNG image': 'png',
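Review bot: The added rule's option list is not legible in this view — the line reads `content: " any any (msg: "tag"; http.method; …`, i.e. everything from the opening quote up to the next `>` of a following context line appears to have been stripped, so its `filemagic:`, `metadata: tag` and `sid:` values cannot be checked here. Please confirm that `filemagic:` is exactly `"HTML document"` so it matches the new `MAGIC_EXT` key in webapp/static/js/flowdisplay.js, and that the `sid` does not collide with the neighbouring 1016–1018. If the `content:` prefilter is a literal tag or doctype, consider adding `nocase`, since HTML markup is case-insensitive and a case-sensitive prefilter would skip files that libmagic would still describe as an HTML document. The sibling rules with sid 1016 and 1017 use `startswith; fast_pattern;` ahead of `filemagic:`; the new rule should follow the same shape for consistency.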
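Review bot: `'HTML document': 'html'` maps a magic description to an extension that browsers render, unlike the image and PDF entries around it. If this extension ends up in the file name of an extracted-file download, make sure the serving side forces attachment semantics (a `download` attribute on the link or `Content-Disposition: attachment`) rather than inline rendering, because captured HTML is untrusted content and must not be displayed in the webapp's own origin. The lookup that consumes `MAGIC_EXT` is outside this hunk, so whether the key is compared by prefix or exact string (libmagic descriptions usually carry trailing qualifiers such as `, ASCII text`) cannot be confirmed here; the existing keys such as `'GIF image'` suggest a prefix match, but verify. The enclosing `const MAGIC_EXT` literal continues past the end of the hunk.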