<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:56.7pt 42.5pt 56.7pt 85.05pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Brian,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Can you try scenario with distant server? I suppose that suricata is too late with RST.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Pavel<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Brian Hennigar [mailto:bhennigar@gmail.com] <br><b>Sent:</b> Thursday, April 02, 2015 1:03 PM<br><b>To:</b> Rovnov Pavel<br><b>Cc:</b> Victor Julien; oisf-users@lists.openinfosecfoundation.org<br><b>Subject:</b> Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>The client and server appear to be receiving the RST packets. There is one switch between my PC and the suricata server. 1Gb connection. There's almost no other traffic on the network so suricata has lots of resources available. I have a web interface that displays the events and it shows up almost instantly so I know that the event is triggering. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Apr 2, 2015 at 6:44 AM, Rovnov Pavel <<a href="mailto:provnov@solidex.by" target="_blank">provnov@solidex.by</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Brian,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Don’t you know if suricata sends RST to user, to server or both?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How close to the user is your server? I think we have more chances to break communication if suricata is placed closer to RST target.</span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Pavel</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Brian Hennigar [mailto:<a href="mailto:bhennigar@gmail.com" target="_blank">bhennigar@gmail.com</a>] <br><b>Sent:</b> Thursday, April 02, 2015 10:00 AM</span><o:p></o:p></p><div><div><p class=MsoNormal><br><b>To:</b> Rovnov Pavel<br><b>Cc:</b> Victor Julien; <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br><b>Subject:</b> Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi Pavel,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm very interested in what you're able to find out. I've been testing out-of-band rejects on and off for the past couple months and can't get satisfactory results. I'll be sure to post back if I find anything.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>HTTP/HTTPs and SSH have been the main communications I've been trying to break. There's obvious connection slow down in the browser for loading pages but they do eventually work. The browser is persistent! SSH fails a little easier but not reliably. Sometimes it'll fail within a few seconds of the connection and other times it's 5/10/30 minutes before it gets disconnected or not at all. I do see the suricata events being triggered.<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Brian<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, Apr 2, 2015 at 3:46 AM, Rovnov Pavel <<a href="mailto:provnov@solidex.by" target="_blank">provnov@solidex.by</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello Brian,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m in planning phase at the moment. I didn’t come to testing yet. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But as far as I understand reject must be fast enough to interrupt communication with valid sequence numbers for this mechanism to work. If it’s not so fast you can see that some data “leaks” to the protected asset (whatever you are protecting server or user).</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2)</span><span style='font-size:7.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m interested whether we can break communication that matches the rule and give a sort of message to the user? The scenario is a user browsing wrong web page (http or https) and sensor (suricata) out-of-band.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Pavel </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Brian Hennigar [mailto:<a href="mailto:bhennigar@gmail.com" target="_blank">bhennigar@gmail.com</a>] <br><b>Sent:</b> Thursday, April 02, 2015 5:52 AM<br><b>To:</b> Rovnov Pavel<br><b>Cc:</b> Victor Julien; <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a></span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><b>Subject:</b> Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Did you have any success with libnet for rejects? <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I've been trying to get it working and the results haven't been promising. Occasionally the connection will break on a reject rule but never fast enough. <o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Fri, Mar 27, 2015 at 11:21 AM, Rovnov Pavel <<a href="mailto:provnov@solidex.by" target="_blank">provnov@solidex.by</a>> wrote:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Victor,<br><br>Thanks a lot for information!<br><span style='color:#888888'><br>Pavel<br></span><br>-----Original Message-----<br>From: <a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a><br>[mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Victor Julien<br>Sent: Friday, March 27, 2015 1:50 PM<br>To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>On 03/23/2015 08:09 PM, Rovnov Pavel wrote:<br>> Hello Coop, Anthony,<br>><br>> I don't control neither users nor web servers. So I can't instruct<br>> users to use proxy or run all web applications through reverse-proxy.<br>><br>> Inline mode is not acceptable in my scenario (let me say the guy who<br>> owns infrastructure doesn't allow me to be inline).<br>><br>> What I can is to use mirrored traffic to do my analysis. So the<br>> question remains the same:<br>><br>> 1) Can I use reject when out-of-band?<br><br>Yeah.<br><br>> 2) How can I specify interface to send rejects from? I can't use<br>> 2-way SPAN port on my switch.<br><br>Not sure here. I think you'd need another nic thats on your switch. We<br>use libnet, not sure how it selects the nic to use. Might use the nic<br>that has a valid route to the destination? Think you'll need to<br>experiment here.<br><br>Cheers,<br>Victor<br><br><br>><br>> Thanks!<br>><br>> -----Original Message----- From: Cooper F. Nelson<br>> [mailto:<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>] Sent: Monday, March 23, 2015 9:59 PM To:<br>> Rodgers, Anthony (DTMB); Rovnov Pavel;<br>> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a> Subject: Re:<br>> [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode<br>><br>> +1 to using a web proxy. Squid is free.<br>><br>> You can even run suricata inline on a squid proxy and create a robust,<br><br>> next-generation proxy-firewall with Layer-7 intrusion<br>> detection/prevention.<br>><br>> -Coop<br>><br>> On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:<br>>> Why not use a web proxy like squid for this?<br>><br>><br>><br>>> --<br>><br>>> Anthony Rodgers<br>><br>>> Security Analyst<br>><br>>> Michigan Security Operations Center (MiSOC)<br>><br>>> DTMB, Michigan Cyber Security<br>><br>><br>> _______________________________________________ Suricata IDS Users<br>> mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a> Site:<br>> <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>> <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a> List:<br>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>><br>><br>Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>><br><br>- --<br>- ---------------------------------------------<br>Victor Julien<br><a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>- ---------------------------------------------<br><br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1<br><br>iQEcBAEBAgAGBQJVFTXIAAoJEMH0leOSaFa0mO8H/05kirfk52HYTIOwVmqFytqG<br>XseeP3BYaLPL6W/f9/+XCU+gqpZn+BbaBG3znot1pXKeEAuNrVzjrT228ASpbIsV<br>6ymTBuyOwgTXYvofW47sCEpRlcc5fukAqWYTxmmrLQJpfMMjUfq9v74IqJBeL0x2<br>Cu9VHICY9RxDyYUBYSakGX4DeVmTIYNdEYw5qe0jdw+2Ikv4v27ef1Sm5cpknKLG<br>AWGeflIEiQWWuMkRxw1HMMdbc3mmniA3tbzuktvp88o6vsKBlgoa45SsX0EvfjeL<br>rn5Q7q46ehOblJp+94pfHC20dbZUGmcO7Ax9VFGhDeeuxn1baPahuTcuoRsuyz4=<br>=YRJv<br>-----END PGP SIGNATURE-----<br>_______________________________________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br><a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>List:<br><a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>_______________________________________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>