
<div dir="ltr">Andreas,<div><br></div><div>Thanks, I actually found a good way to perform similar functionality to the iprepuation using LUA scripting and http-headers:</div><div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a><br></div><div><br></div><div>As for the HTTPS, I was able to use "tls.subject" keyword. Still struggling to get that to work with LUA scripting, but it works when the tls.subject is referenced within the suricata rule itself.</div><div><br></div><div>Thanks again for your reply!</div><div><br></div><div>Regards,</div><div>Nasir</div><div><br><br><div class="gmail_quote"><div dir="ltr">On Sun, Jan 3, 2016 at 12:00 PM <<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org">oisf-users-request@lists.openinfosecfoundation.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Oisf-users mailing list submissions to<br>

        <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>

<br>

To subscribe or unsubscribe via the World Wide Web, visit<br>

        <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

or, via email, send a message with subject or body 'help' to<br>

        <a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a><br>

<br>

You can reach the person managing the list at<br>

        <a href="mailto:oisf-users-owner@lists.openinfosecfoundation.org" target="_blank">oisf-users-owner@lists.openinfosecfoundation.org</a><br>

<br>

When replying, please edit your Subject line so it is more specific<br>

than "Re: Contents of Oisf-users digest..."<br>

<br>

<br>

Today's Topics:<br>

<br>

   1. Re: Two Suricata Rule Questions (Andreas Herz)<br>

   2. SonicWall Global VPN Client Incompatible with Suricata<br>

      Follow-up (Leonard Jacobs)<br>

   3. Re: Rule Processing Order Issue (Özkan KIRIK)<br>

<br>

<br>

----------------------------------------------------------------------<br>

<br>

Message: 1<br>

Date: Sat, 2 Jan 2016 20:12:43 +0100<br>

From: Andreas Herz <<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>><br>

To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>

Subject: Re: [Oisf-users] Two Suricata Rule Questions<br>

Message-ID: <20160102191243.GC29003@kvmbude><br>

Content-Type: text/plain; charset=utf-8<br>

<br>

On 24/12/15 at 17:12, Nasir Bilal wrote:<br>

> I have a couple of questions about Suricata/Snort rules:<br>

> 1) Is there a way to reference a list of strings in a suricata rule,<br>

> similar to the ipreputation engine, and the way it references external text<br>

> files full of IP's? We're looking at using Suricata for URL filtering.<br>

<br>

Could you describe this a little more?<br>

But i guess if you want to have the same way iprep works, that's a<br>

feature request.<br>

<br>

> 2) Similar to the first question, is there a way to read specifically from<br>

> the SSL Server Certificate fields in the SSL/TLS handshake during HTTPS<br>

> session initiation? We'd like to perform URL filtering on HTTPS traffic<br>

> without SSL decrypt, and I know that many vendors do this by reading the<br>

> fields of the SSL server certificates.<br>

<br>

AFAIK that also depends on how the SSL/TLS is configured, with SNI you<br>

could already check the SNI for the URL.<br>

<br>

There are also TLS keywords:<br>

<br>

<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords</a><br>

<br>

--<br>

Andreas Herz<br>

<br>

<br>

------------------------------<br>

<br>

Message: 2<br>

Date: Sat, 2 Jan 2016 14:16:26 -0600<br>

From: Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>><br>

To: Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>,<br>

        <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>

Subject: [Oisf-users] SonicWall Global VPN Client Incompatible with<br>

        Suricata        Follow-up<br>

Message-ID: <<a href="mailto:66620115-11604@mail1.netsecuris.com" target="_blank">66620115-11604@mail1.netsecuris.com</a>><br>

Content-Type: text/plain; charset="utf-8"<br>

<br>

We tried running the latest version of SonicWALL's Global VPN Client with no signature rules running on Suricata and get the same results.  VPN Phase 1 ISAKMP requests do not complete.<br>

<br>

<br>

Any other ideas?  SonicWALL refuses to help.  It works fine with an way older version of VPN Client.<br>

<br>

<br>

<br>

Thanks.<br>

<br>

Leonard<br>

-------------- next part --------------<br>

An HTML attachment was scrubbed...<br>

URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160102/8292ae66/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160102/8292ae66/attachment-0001.html</a>><br>

<br>

------------------------------<br>

<br>

Message: 3<br>

Date: Sun, 3 Jan 2016 00:01:31 +0200<br>

From: Özkan KIRIK <<a href="mailto:ozkan.kirik@gmail.com" target="_blank">ozkan.kirik@gmail.com</a>><br>

To: Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>><br>

Cc: "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>"<br>

        <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>

Subject: Re: [Oisf-users] Rule Processing Order Issue<br>

Message-ID:<br>

        <<a href="mailto:CAAcX-AGmQGODS%2BT5Poqmj1PNxeUNnnMVgNCtp4wUbUrE3CS6kA@mail.gmail.com" target="_blank">CAAcX-AGmQGODS+T5Poqmj1PNxeUNnnMVgNCtp4wUbUrE3CS6kA@mail.gmail.com</a>><br>

Content-Type: text/plain; charset="utf-8"<br>

<br>

Thank you Peter,<br>

<br>

But this configuration doesnt disable ordering. If drop action processed<br>

first, all packets to userGroup-25 will be dropped. If pass action<br>

processed first, drop rule for Others will not be processed. So i need to<br>

disable rule ordering.<br>

Is there a way for disabling rule ordering ?<br>

<br>

Thanks again.<br>

<br>

On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br>

<br>

> On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <<a href="mailto:ozkan.kirik@gmail.com" target="_blank">ozkan.kirik@gmail.com</a>> wrote:<br>

> > Hi,<br>

> ><br>

> > Happy new year to everbody,<br>

> ><br>

> > I have a trouble with suricata rule processing order. I'm trying to apply<br>

> > different policies to different users. My rules are as below. But<br>

> suriacata<br>

> > processes pass first, drop second. So that, the last rule "pass any.."<br>

> > allows to every body.<br>

> ><br>

> > Can suricata run my rules as I wrote without reordering ?<br>

><br>

> You also have some default ordering that can be further configured in<br>

> suricata.yaml -<br>

><br>

> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032</a><br>

><br>

><br>

> ><br>

> > Thanks<br>

> ><br>

> > # Ruleset for userGroup-25<br>

> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>

> > tls.subject:"<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>"; sid:3230002; rev:1;)<br>

> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>

> > tls.subject:"<a href="http://example.net" rel="noreferrer" target="_blank">example.net</a>"; sid:3230004; rev:1;)<br>

> > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For<br>

> userGroup-25";<br>

> > sid:3230010; rev:1;)<br>

> ><br>

> > ...<br>

> > #Rules for other userGroups<br>

> > ...<br>

> ><br>

> > # Ruleset for Others<br>

> > drop tls any any -> any any (msg:"SSL Cert Denied";<br>

> > tls.subject:"<a href="http://example1.com" rel="noreferrer" target="_blank">example1.com</a>"; sid:3230007; rev:1;)<br>

> > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)<br>

> ><br>

> > _______________________________________________<br>

> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>

> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>

> <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>

> > List:<br>

> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

> > Suricata User Conference November 4 & 5 in Barcelona:<br>

> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>

><br>

><br>

><br>

> --<br>

> Regards,<br>

> Peter Manev<br>

><br>

-------------- next part --------------<br>

An HTML attachment was scrubbed...<br>

URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160103/44ff41aa/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160103/44ff41aa/attachment-0001.html</a>><br>

<br>

------------------------------<br>

<br>

Subject: Digest Footer<br>

<br>

_______________________________________________<br>

Oisf-users mailing list<br>

<a href="mailto:Oisf-users@lists.openinfosecfoundation.org" target="_blank">Oisf-users@lists.openinfosecfoundation.org</a><br>

<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

<br>

<br>

------------------------------<br>

<br>

End of Oisf-users Digest, Vol 74, Issue 2<br>

*****************************************<br>

</blockquote></div></div></div>