<div dir="ltr">yeessss<br>I've discovered the problem, the reference in the <b>suricata.yaml</b> file was wrong.<br>You're right, that was the http log file,<br>because the alert-debug file was <b>empty</b>.<br><br>So http.log just logs all http traffic!!??<br>
<br>Other thing (I've copied the snort rules):<br><b>can we use both rules at the same time?</b> (emerging and snort rules)<br><br>I have a lot of messages/errors when I run Suricata!<br>like:<br><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02 - </span>(detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02 -</span> (detect-fast-pattern.c:72) <Error> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02</span> - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02</span> - (detect-fast-pattern.c:72) <Error> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02</span> - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226; rev:6;)" from file /etc/suricata/rules/x11.rules at line 24</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:02</span> - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/x11.rules</span><br style="font-family: trebuchet ms,sans-serif;">
<span style="font-family: trebuchet ms,sans-serif;"><span style="color: rgb(255, 0, 0);">[4389] 14/6/2010 -- 15:59:03</span> - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/emerging-web.rules</span><br>
<br><br><br>Thanks<br><br><div class="gmail_quote">2010/6/14 Will Metcalf <span dir="ltr"><<a href="mailto:william.metcalf@gmail.com">william.metcalf@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">> before changing the rule (without protocol)<br>
> we have this log :<br>
><br>
> 06/14/10-13:14:30.774567 <a href="http://www.facebook.com" target="_blank">www.facebook.com</a> [**] / [**] Mozilla/5.0 (X11; U;<br>
> Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid)<br>
> Firefox/3.6.3 [**] <a href="http://192.168.44.135:55433" target="_blank">192.168.44.135:55433</a> -> <a href="http://69.63.189.26:80" target="_blank">69.63.189.26:80</a><br>
<br>
</div>This looks like the http.log file, correct? This will log all http<br>
traffic regardless of the traffic generating an alert.<br>
<div class="im"><br>
> but I think it's a false positive, or bug, because I noticed that it's not<br>
> alert of my rule, but it happens even when i enter to youtube<br>
<br>
</div>Hmmm, perhaps youtube content is served off of google servers. Take a<br>
look at the alert-debug.log file to look at what is being dropped. I'm<br>
guessing you will probably see Host: headers with google in there<br>
somewhere ;-).<br>
<div class="im"><br>
> the second test of the new rule : drop tcp any any -> any any (msg:"Facebook<br>
> forbidden"; content:"facebook";sid:1;)<br>
> didn't drop :<br>
<br>
</div>This rule works for me, drops, and prevents me from reaching facebook.<br>
Perhaps you have multiple rules loaded with the same sid? If this is<br>
the case try changing the sid on one of the rules to say "2".<br>
<br>
+================<br>
TIME: 06/14/10-14:28:48.290197<br>
ALERT CNT: 1<br>
ALERT MSG [00]: Facebook forbidden<br>
ALERT GID [00]: 1<br>
ALERT SID [00]: 1<br>
ALERT REV [00]: 0<br>
ALERT CLASS [00]: (null)<br>
ALERT PRIO [00]: 3<br>
SRC IP: 192.168.7.241<br>
DST IP: 66.220.147.11<br>
PROTO: 6<br>
SRC PORT: 47152<br>
DST PORT: 80<br>
TCP SEQ: 2271938637<br>
TCP ACK: 1997977476<br>
FLOW: to_server: TRUE, to_client FALSE<br>
PACKET LEN: 437<br>
PACKET:<br>
<br>
<br>
</blockquote></div><br></div>
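An added example, not code from this thread or from the Suricata project: a small Python checker for the two rule-set problems discussed above, rules that give <b>fast_pattern</b> a value (the form the log reports as SC_ERR_INVALID_ARGUMENT) and the same sid appearing in more than one file when Snort and Emerging Threats rules are loaded together. The rule text inside is constructed sample data, not real rule files.

```python
import re
from collections import defaultdict

# Constructed sample rule sets (not real files): a Snort-style rule using the
# fast_pattern:only form the thread's log shows being rejected, and two rules
# that share sid:1 across files, the duplicate-sid case raised in the reply.
RULESETS = {
    "snort.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; classtype:attempted-user; sid:1225; rev:6;)
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)
''',
    "local.rules": r'''
# a second copy of the drop rule, left behind from an earlier test
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)
alert tcp any any -> any any (msg:"Example"; content:"example"; sid:2000001; rev:1;)
''',
}

# action, header, then the option body between the outermost parentheses
RULE_RE = re.compile(r'^\s*(alert|drop|pass|reject)\s+\S+.*?\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' but not inside double quotes
    (a backslash-escaped quote, as used in pcre, does not end a string)."""
    opts, buf, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(buf.strip()); buf = ""
        else:
            buf += ch
        prev = ch
    if buf.strip():
        opts.append(buf.strip())
    return opts

def audit(rulesets):
    """Return ({sid: [locations]} for sids seen more than once,
    [(location, option)] for fast_pattern options that carry a value)."""
    sids, fast_pattern = defaultdict(list), []
    for name, text in rulesets.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = RULE_RE.match(line)          # comments and blank lines do not match
            if not m:
                continue
            where = f"{name}:{lineno}"
            for opt in split_options(m.group(2)):
                key, _, value = opt.partition(":")
                if key == "sid":
                    sids[int(value)].append(where)
                elif key == "fast_pattern" and value:
                    fast_pattern.append((where, opt))
    dups = {sid: locs for sid, locs in sids.items() if len(locs) > 1}
    return dups, fast_pattern
```

Run `audit(RULESETS)` after loading each rule file named in suricata.yaml to see which sids collide and which rules use an option form this build rejects before Suricata reports "No rules loaded".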