[Oisf-devel] Suricata multiplying alerts with NFQUEUE
Duarte Silva
duarte.silva at serializing.me
Thu Apr 9 15:40:25 UTC 2015
On Thursday 09 April 2015 17:17:03 Victor Julien wrote:
> On 04/09/2015 05:14 PM, Duarte Silva wrote:
> > Hi guys,
> >
> > I'm seeing multiple alerts for the same event in the log files when using
> > NFQUEUE. I have the following in the server to be protected:
> >
> > (No other filtering rules)
> > # iptables -t filter -A INPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
> > # iptables -t filter -A OUTPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
> >
> > (File to return to client)
> > # cat index.html
> > HTTP/1.1 OK
> >
> > uid=0(root) gid=0(root) groups=0(root)
> >
> > (Listen for connections)
> > # ncat -l 0.0.0.0 80 < index.html
> >
> > Then in the client I do:
> >
> > $ curl http://xxx.xxx.xxx.xxx
> > uid=0(root) gid=0(root) groups=0(root)
> >
> > This should trigger two alerts due to the following rules (ET free rule set):
> >
> > - ET ATTACK_RESPONSE Output of id command from HTTP server
> > - GPL ATTACK_RESPONSE id check returned root
> >
> > But I'm receiving 4 alerts for each rule. When running Suricata against the
> > packet dump I only get 2 alerts as expected (traffic captured is 10 packets
> > in length).
> >
> > Kernel is 3.10.23 and I tested with Suricata latest from git, 2.1Beta3 and
> > 2.0.7 (same behavior in all).
> >
> > Am I doing something wrong?
>
> Wonder if you perhaps get alerts on retransmissions?
>
> If you enable alert-debug log you should get info on where suri found
> the alerts, could be packet vs stream as well?
Don't know how to answer your question :( This is what I get in the alert-debug
log.
# cat alert-debug.log
+================
TIME: 04/09/2015-17:25:16.470334
PKT SRC: wire/pcap
SRC IP: xxx.xxx.xxx.xxx
DST IP: yyy.yyy.yyy.yyy
PROTO: 6
SRC PORT: 80
DST PORT: 59530
TCP SEQ: 4059074537
TCP ACK: 595569362
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 04/09/2015-17:25:16.426983
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 105
PACKET:
0000 45 00 00 69 5F 71 40 00 40 06 DC 8B yy yy yy yy E..i_q@. @...yyyy
0010 xx xx xx xx 00 50 E8 8A F1 F0 8F E9 23 7F AA D2 xxxx.P.. ....#...
0020 80 18 00 72 50 83 00 00 01 01 08 0A 00 19 D0 98 ...rP... ........
0030 01 32 65 E1 48 54 54 50 2F 31 2E 31 20 4F 4B 0A .2e.HTTP /1.1 OK.
0040 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 .uid=0(r oot) gid
0050 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73 3D =0(root) groups=
0060 30 28 72 6F 6F 74 29 20 0A 0(root) .
ALERT CNT: 2
ALERT MSG [00]: ET ATTACK_RESPONSE Output of id command from HTTP server
ALERT GID [00]: 1
ALERT SID [00]: 2019284
ALERT REV [00]: 3
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STREAM
ALERT IN TX [00]: N/A
PAYLOAD LEN: 53
PAYLOAD:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
ALERT MSG [01]: GPL ATTACK_RESPONSE id check returned root
ALERT GID [01]: 1
ALERT SID [01]: 2100498
ALERT REV [01]: 7
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 2
ALERT FOUND IN [01]: STREAM
ALERT IN TX [01]: N/A
PAYLOAD LEN: 53
PAYLOAD:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
+================
TIME: 04/09/2015-17:25:16.470857
PKT SRC: wire/pcap
SRC IP: xxx.xxx.xxx.xxx
DST IP: yyy.yyy.yyy.yyy
PROTO: 6
SRC PORT: 80
DST PORT: 59530
TCP SEQ: 4059074590
TCP ACK: 595569444
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 04/09/2015-17:25:16.426983
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 52
PACKET:
0000 45 00 00 34 5F 72 40 00 40 06 DC BF xx xx xx xx E..4_r@. @...xxxx
0010 yy yy yy yy 00 50 E8 8A F1 F0 90 1E 23 7F AB 24 yyyy.P.. ....#..$
0020 80 10 00 72 06 66 00 00 01 01 08 0A 00 19 D0 98 ...r.f.. ........
0030 01 32 65 E1 .2e.
ALERT CNT: 2
ALERT MSG [00]: ET ATTACK_RESPONSE Output of id command from HTTP server
ALERT GID [00]: 1
ALERT SID [00]: 2019284
ALERT REV [00]: 3
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STREAM
ALERT IN TX [00]: N/A
ALERT MSG [01]: GPL ATTACK_RESPONSE id check returned root
ALERT GID [01]: 1
ALERT SID [01]: 2100498
ALERT REV [01]: 7
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 2
ALERT FOUND IN [01]: STREAM
ALERT IN TX [01]: N/A
+================
TIME: 04/09/2015-17:25:16.470980
PKT SRC: wire/pcap
SRC IP: xxx.xxx.xxx.xxx
DST IP: yyy.yyy.yyy.yyy
PROTO: 6
SRC PORT: 80
DST PORT: 59530
TCP SEQ: 4059074590
TCP ACK: 595569444
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 04/09/2015-17:25:16.426983
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 52
PACKET:
0000 45 00 00 34 5F 73 40 00 40 06 DC BE xx xx xx xx E..4_s@. @...xxxx
0010 yy yy yy yy 00 50 E8 8A F1 F0 90 1E 23 7F AB 24 yyyy.P.. ....#..$
0020 80 11 00 72 06 65 00 00 01 01 08 0A 00 19 D0 98 ...r.e.. ........
0030 01 32 65 E1 .2e.
ALERT CNT: 2
ALERT MSG [00]: ET ATTACK_RESPONSE Output of id command from HTTP server
ALERT GID [00]: 1
ALERT SID [00]: 2019284
ALERT REV [00]: 3
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STREAM
ALERT IN TX [00]: N/A
ALERT MSG [01]: GPL ATTACK_RESPONSE id check returned root
ALERT GID [01]: 1
ALERT SID [01]: 2100498
ALERT REV [01]: 7
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 2
ALERT FOUND IN [01]: STREAM
ALERT IN TX [01]: N/A
+================
TIME: 04/09/2015-17:25:16.514034
PKT SRC: wire/pcap
SRC IP: xxx.xxx.xxx.xxx
DST IP: yyy.yyy.yyy.yyy
PROTO: 6
SRC PORT: 80
DST PORT: 59530
TCP SEQ: 4059074591
TCP ACK: 595569445
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 04/09/2015-17:25:16.426983
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 52
PACKET:
0000 45 00 00 34 5F 74 40 00 40 06 DC BD xx xx xx xx E..4_t@. @...xxxx
0010 yy yy yy yy 00 50 E8 8A F1 F0 90 1F 23 7F AB 25 yyyy.P.. ....#..%
0020 80 10 00 72 06 2C 00 00 01 01 08 0A 00 19 D0 A3 ...r.,.. ........
0030 01 32 66 0E .2f.
ALERT CNT: 2
ALERT MSG [00]: ET ATTACK_RESPONSE Output of id command from HTTP server
ALERT GID [00]: 1
ALERT SID [00]: 2019284
ALERT REV [00]: 3
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STREAM
ALERT IN TX [00]: N/A
STREAM DATA LEN: 53
STREAM DATA:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
ALERT MSG [01]: GPL ATTACK_RESPONSE id check returned root
ALERT GID [01]: 1
ALERT SID [01]: 2100498
ALERT REV [01]: 7
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 2
ALERT FOUND IN [01]: STREAM
ALERT IN TX [01]: N/A
STREAM DATA LEN: 53
STREAM DATA:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
+================
TIME: 04/09/2015-17:25:32.197650
PKT SRC: stream (engine shutdown)
SRC IP: xxx.xxx.xxx.xxx
DST IP: yyy.yyy.yyy.yyy
PROTO: 6
SRC PORT: 80
DST PORT: 59530
TCP SEQ: 4059074591
TCP ACK: 595569444
FLOW: to_server: FALSE, to_client: TRUE
FLOW Start TS: 04/09/2015-17:25:16.426983
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 40
PACKET:
0000 45 00 00 28 00 00 00 00 40 06 7C 3E xx xx xx xx E..(.... @.|>xxxx
0010 yy yy yy yy 00 50 E8 8A F1 F0 90 1F 23 7F AB 24 yyyy.P.. ....#..$
0020 50 10 0A 00 6D B3 00 00 P...m...
ALERT CNT: 2
ALERT MSG [00]: ET ATTACK_RESPONSE Output of id command from HTTP server
ALERT GID [00]: 1
ALERT SID [00]: 2019284
ALERT REV [00]: 3
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STREAM
ALERT IN TX [00]: N/A
STREAM DATA LEN: 53
STREAM DATA:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
ALERT MSG [01]: GPL ATTACK_RESPONSE id check returned root
ALERT GID [01]: 1
ALERT SID [01]: 2100498
ALERT REV [01]: 7
ALERT CLASS [01]: Potentially Bad Traffic
ALERT PRIO [01]: 2
ALERT FOUND IN [01]: STREAM
ALERT IN TX [01]: N/A
STREAM DATA LEN: 53
STREAM DATA:
0000 48 54 54 50 2F 31 2E 31 20 4F 4B 0A 0A 75 69 64 HTTP/1.1 OK..uid
0010 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D 30 28 72 =0(root) gid=0(r
0020 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 28 72 6F oot) gro ups=0(ro
0030 6F 74 29 20 0A ot) .
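Victor's question ("packet vs stream?") can be answered mechanically from the log above: the record format is regular enough to parse. The script below is an added example, not code from the thread or from Suricata. It splits alert-debug.log on the "+================" separator, keeps the "KEY: value" and "KEY [nn]: value" lines (hex dumps are skipped), and then counts, per flow and SID, how many packets raised each alert, where the engine found it and which packet sources (wire vs. the shutdown flush) were involved. The sample log is a constructed excerpt of the records above with the same IPs, ports, sequence numbers and SIDs.

```python
import re
from collections import defaultdict

SEP = "+================"
# Matches "KEY: value" and "KEY [nn]: value"; hex-dump lines never match.
FIELD = re.compile(r"^([A-Z][A-Z ]*?)(?: \[(\d+)\])?: (.*)$")

def parse_alert_debug(text):
    """Split alert-debug.log into per-packet records; per-alert fields
    ("ALERT SID [nn]" etc.) are collected under record["ALERTS"]."""
    records = []
    for chunk in text.split(SEP):
        fields, alerts = {}, defaultdict(dict)
        for m in filter(None, map(FIELD.match, chunk.splitlines())):
            key, idx, val = m.groups()
            if idx is None:
                fields[key] = val
            else:
                alerts[int(idx)][key] = val
        if fields:
            fields["ALERTS"] = [alerts[i] for i in sorted(alerts)]
            records.append(fields)
    return records

def count_by_flow_and_sid(records):
    """Per (flow 4-tuple, SID): how many packets raised it, where the engine
    found it (PACKET/STREAM) and which packet sources were involved. A count
    above 1 for one flow is the duplicated-alert symptom from the thread."""
    out = defaultdict(lambda: {"count": 0, "found_in": set(), "pkt_src": set()})
    for r in records:
        flow = (r["SRC IP"], r["SRC PORT"], r["DST IP"], r["DST PORT"])
        for a in r["ALERTS"]:
            e = out[(flow, a["ALERT SID"])]
            e["count"] += 1
            e["found_in"].add(a["ALERT FOUND IN"])
            e["pkt_src"].add(r["PKT SRC"])
    return dict(out)

# Constructed sample in the log's own format, reduced to the fields parsed
# above: the data packet, a bare ACK and the engine-shutdown pseudo-packet.
def _rec(time, src, seq):
    return (f"{SEP}\nTIME: {time}\nPKT SRC: {src}\nSRC IP: xxx.xxx.xxx.xxx\n"
            f"DST IP: yyy.yyy.yyy.yyy\nSRC PORT: 80\nDST PORT: 59530\n"
            f"TCP SEQ: {seq}\nALERT SID [00]: 2019284\nALERT FOUND IN [00]: STREAM\n"
            "ALERT SID [01]: 2100498\nALERT FOUND IN [01]: STREAM\n")

SAMPLE_LOG = "".join([_rec("04/09/2015-17:25:16.470334", "wire/pcap", "4059074537"),
                      _rec("04/09/2015-17:25:16.470857", "wire/pcap", "4059074590"),
                      _rec("04/09/2015-17:25:32.197650", "stream (engine shutdown)", "4059074591")])
SUMMARY = count_by_flow_and_sid(parse_alert_debug(SAMPLE_LOG))
```

Run it against a real alert-debug.log by replacing SAMPLE_LOG with the file contents; a SID whose count exceeds the number of distinct data-carrying packets, with "stream (engine shutdown)" among its packet sources, shows the alert is being re-raised on ACK-only packets and the shutdown flush rather than on new data.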