[Oisf-users] Suricata - test rule ignored/not dropping.
Shant Kassardjian
shant at skylab.ca
Sun Aug 1 18:24:32 UTC 2010
Hi Will,
Here is all of my config:
[IPFW script]
#!/bin/sh
ipfw -q -f flush
ipfw -q zero
ipfw -q resetlog
# divert every IP packet crossing em0 to divert port 8000 (the port Suricata listens on)
ipfw add 010 divert 8000 ip from any to any via em0
[Kernel compiled with]
options DUMMYNET
options IPDIVERT
options IPFIREWALL
options LIBALIAS
options IPFIREWALL_NAT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
[Sysctl]
net.link.bridge.ipfw=1
net.inet.ip.fw.one_pass=0
net.bpf.zerocopy_enable=1
[My Suricata yaml config]
core# cat suricata.old /usr/local/etc/suricata
%YAML 1.1
---

max-pending-packets: 50

action-order:
  - pass
  - drop
  - reject
  - alert

default-log-dir: /var/log/

outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - http-log:
      enabled: no
      filename: http.log

defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60

# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low
detect-engine:
  - profile: high
  - custom-values:
      toclient_src_groups: 2
      toclient_dst_groups: 2
      toclient_sp_groups: 2
      toclient_dp_groups: 3
      toserver_src_groups: 2
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25

threading:
  set_cpu_affinity: no
  detect_thread_ratio: 1.5

# Select the multi pattern algorithm you want to run for scan/search
# in the engine. The supported algorithms are b2g, b3g and wumanber.
#mpm-algo: b2g

pattern-matcher:
  - b2g:
      scan_algo: B2gScanBNDMq
      search_algo: B2gSearchBNDMq
      hash_size: low
      bf_size: medium
#  - b3g:
#      scan_algo: B3gScanBNDMq
#      search_algo: B3gSearchBNDMq
#      hash_size: low
#      bf_size: medium
#  - wumanber:
#      hash_size: low
#      bf_size: medium

flow:
  memcap: 33554432
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30
  prune_flows: 5

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency_new: 10
    emergency_established: 100
    emergency_closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100

stream:
  memcap: 33554432            # 32mb tcp session memcap
  max_sessions: 262144        # 256k concurrent sessions
  prealloc_sessions: 32768    # 32k sessions prealloc'd
  midstream: false            # don't allow midstream session pickups
  async_oneside: false        # don't enable async stream handling
  reassembly:
    memcap: 67108864          # 64mb tcp reassembly memcap
    depth: 1048576            # 1 MB reassembly depth

logging:
  default-log-level: info
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  default-output-filter:
  outputs:
    - console:
        enabled: no
    - file:
        enabled: yes
        filename: /var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

ipfw:
  # rule number at which ipfw processing continues after Suricata reinjects a packet
  ipfw-reinjection-rule-number: 011

default-rule-path: /usr/local/etc/suricata/rules/
rule-files:
#  - attack-responses.rules
#  - backdoor.rules
#  - bad-traffic.rules
#  - chat.rules
#  - ddos.rules
#  - deleted.rules
#  - dns.rules
#  - dos.rules
#  - experimental.rules
#  - exploit.rules
#  - finger.rules
#  - ftp.rules
#  - icmp-info.rules
#  - icmp.rules
#  - imap.rules
#  - info.rules
  - local.rules
#  - misc.rules
#  - multimedia.rules
#  - mysql.rules
#  - netbios.rules
#  - nntp.rules
#  - oracle.rules
#  - other-ids.rules
#  - p2p.rules
#  - policy.rules
#  - pop2.rules
#  - pop3.rules
#  - porn.rules
#  - rpc.rules
#  - rservices.rules
#  - scada.rules
#  - scan.rules
#  - shellcode.rules
#  - smtp.rules
#  - snmp.rules
#  - specific-threats.rules
#  - spyware-put.rules
#  - sql.rules
#  - telnet.rules
#  - tftp.rules
#  - virus.rules
#  - voip.rules
#  - web-activex.rules
#  - web-attacks.rules
#  - web-cgi.rules
#  - web-client.rules
#  - web-coldfusion.rules
#  - web-frontpage.rules
#  - web-iis.rules
#  - web-misc.rules
#  - web-php.rules
#  - x11.rules
#  - emerging-attack_response.rules
#  - emerging-dos.rules
#  - emerging-exploit.rules
#  - emerging-game.rules
#  - emerging-inappropriate.rules
#  - emerging-malware.rules
#  - emerging-p2p.rules
#  - emerging-policy.rules
#  - emerging-scan.rules
#  - emerging-virus.rules
#  - emerging-voip.rules
#  - emerging-web.rules
#  - emerging-web_client.rules
#  - emerging-web_server.rules
#  - emerging-web_specific_apps.rules
#  - emerging-user_agents.rules
#  - emerging-current_events.rules

classification-file: /usr/local/etc/suricata/classification.config

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: any
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: any
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

###########################################################################
# Configure libhtp.
#
# default-config: Used when no server-config matches
#   personality: List of personalities used by default
#
# server-config: List of server configurations to use if address matches
#   address: List of ip addresses or networks for this block
#   personality: List of personalities used by this block
#
# Currently Available Personalities:
#   Minimal
#   Generic
#   IDS (default)
#   IIS_4_0
#   IIS_5_0
#   IIS_5_1
#   IIS_6_0
#   IIS_7_0
#   IIS_7_5
#   Apache
#   Apache_2_2
###########################################################################
libhtp:
  default-config:
    personality: IDS
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0

profiling:
  rules:
    enabled: yes
    # Sort options: ticks, avgticks, checks, matches
    sort: avgticks
    # Limit the number of items printed at exit.
    limit: 100
[Console Error while visiting www.engadget.com]
[100186] 1/8/2010 -- 14:12:55 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1
[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:
[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 2
[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 2
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.
[100186] 1/8/2010 -- 14:12:56 - (suricata.c:997) <Info> (main) -- preallocated 50 packets. Total memory 4016400
[100186] 1/8/2010 -- 14:12:56 - (flow.c:746) <Info> (FlowInitConfig) -- initializing flow engine...
[100186] 1/8/2010 -- 14:12:56 - (flow.c:833) <Info> (FlowInitConfig) -- allocated 1048576 bytes of memory for the flow hash... 65536 buckets of size 16
[100186] 1/8/2010 -- 14:12:56 - (flow.c:852) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 248
[100186] 1/8/2010 -- 14:12:56 - (flow.c:854) <Info> (FlowInitConfig) -- flow memory usage: 3528576 bytes, maximum: 33554432
[100186] 1/8/2010 -- 14:12:56 - (detect.c:387) <Info> (SigLoadSignatures) -- 1 rule files processed. 7 rules succesfully loaded, 0 rules failed
[100186] 1/8/2010 -- 14:12:56 - (detect-engine-sigorder.c:829) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
SCSigOrderSignatures: Total Signatures to be processed by the sigordering module: 8
[100186] 1/8/2010 -- 14:12:56 - (detect-engine-sigorder.c:870) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 8
[100186] 1/8/2010 -- 14:12:56 - (detect.c:1480) <Info> (SigAddressPrepareStage1) -- 8 signatures processed. 0 are IP-only rules, 5 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[100186] 1/8/2010 -- 14:12:56 - (detect.c:1483) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done
[100186] 1/8/2010 -- 14:12:56 - (detect.c:1968) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address lists...
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2037) <Info> (SigAddressPrepareStage2) -- 8 total signatures:
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2058) <Info> (SigAddressPrepareStage2) -- TCP Source address blocks: any: 1, ipv4: 9, ipv6: 1.
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2078) <Info> (SigAddressPrepareStage2) -- UDP Source address blocks: any: 2, ipv4: 14, ipv6: 2.
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2098) <Info> (SigAddressPrepareStage2) -- ICMP Source address blocks: any: 2, ipv4: 2, ipv6: 2.
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2102) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... done
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2681) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists...
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2764) <Info> (SigAddressPrepareStage3) -- MPM memory 290983 (dynamic 290343, ctxs 640, avg per ctx 15281)
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2766) <Info> (SigAddressPrepareStage3) -- max sig id 8, array size 2
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2767) <Info> (SigAddressPrepareStage3) -- signature group heads: unique 15, copies 94.
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2769) <Info> (SigAddressPrepareStage3) -- MPM instances: 19 unique, copies 11 (none 0).
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2771) <Info> (SigAddressPrepareStage3) -- MPM (URI) instances: 1 unique, copies 14 (none 0).
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2772) <Info> (SigAddressPrepareStage3) -- MPM max patcnt 3, avg 0
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2775) <Info> (SigAddressPrepareStage3) -- port maxgroups: 40, avg 21, tot 525
[100186] 1/8/2010 -- 14:12:56 - (detect.c:2776) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done
[100186] 1/8/2010 -- 14:12:56 - (util-profiling.c:311) <Info> (SCProfilingInitRuleCounters) -- Registered 8 rule profiling counters.
[100186] 1/8/2010 -- 14:12:56 - (util-threshold-config.c:104) <Error> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[100186] 1/8/2010 -- 14:12:56 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
[100125] 1/8/2010 -- 14:12:56 - (source-ipfw.c:302) <Info> (ReceiveIPFWThreadInit) -- Using IPFW divert port 8000
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[100186] 1/8/2010 -- 14:12:56 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 3 management threads initialized, engine started.
[100154] 1/8/2010 -- 14:14:27 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.12.173.101, src port 49459 and dst port 80
[100154] 1/8/2010 -- 14:15:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.12.173.101, src port 49491 and dst port 80
From: william.metcalf at gmail.com
Date: Sun, 1 Aug 2010 08:54:24 -0500
To: shant at skylab.ca
CC: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
Can you show us your ipfw rules?
Regards,
Will
Sent from my iPhone
On Aug 1, 2010, at 12:30 AM, Shant Kassardjian <shant at skylab.ca> wrote:
Let's wait and see what the dev team has to say, it looks like a bug to me.
It's great to see I'm not the only one with this problem.
Sent from my iPad
On 2010-07-31, at 6:07 PM, "Anas.B" <a.bouhsaina at gmail.com> wrote:
No reply? Any suggestions!!!
A...
2010/7/29 Anas.B <a.bouhsaina at gmail.com>
I had this in the CLI,
[2115] 29/7/2010 -- 09:37:06 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[2115] 29/7/2010 -- 09:37:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.20.80.100, destination IP address 66.249.92.104, src port 1425 and dst port 80
Is it a bug!!?
_______________________________________________
Oisf-users mailing list
Oisf-users at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
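A small parser for the Suricata 1.x console records quoted in Shant's message above, added here as an example and not part of the thread or of Suricata itself. It assumes the record layout given by the commented default-log-format in the quoted suricata.yaml, and its sample input is a constructed string of four records copied from the quoted output and joined without newlines, the way the archive flattened the dump, so the same errors can be pulled out of a flattened log.

```python
import re
from collections import Counter

# Record layout is the format string commented out in the quoted suricata.yaml,
# "[%i] %t - (%f:%l) <%d> (%n) -- ", followed by the message: %i thread id,
# %t timestamp, %f:%l source file and line, %d level, %n function name.
PREFIX = r"\[\d+\] \d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2} - \("
RECORD_RE = re.compile(
    r"\[(?P<tid>\d+)\] (?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - "
    r"\((?P<file>[^:()]+):(?P<line>\d+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- "
    r"(?P<msg>.*)", re.S)
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - ", re.S)
FLOW_RE = re.compile(r"source IP address (?P<src>[\w.:]+), destination IP address (?P<dst>[\w.:]+), "
                     r"src port (?P<sport>\d+) and dst port (?P<dport>\d+)")
# Constructed sample: four records copied from the quoted console output and
# joined without newlines, the way the mail archive flattened the dump.
SAMPLE = (
    '[100186] 1/8/2010 -- 14:12:55 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1'
    '[100186] 1/8/2010 -- 14:12:56 - (util-threshold-config.c:104) <Error> (SCThresholdConfInitContext) -- '
    '[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory'
    '[100125] 1/8/2010 -- 14:12:56 - (source-ipfw.c:302) <Info> (ReceiveIPFWThreadInit) -- Using IPFW divert port 8000'
    '[100154] 1/8/2010 -- 14:14:27 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - '
    'Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, '
    'destination IP address 64.12.173.101, src port 49459 and dst port 80'
)

def split_records(text):
    """Cut the dump just before every record prefix; whatever sits between two
    prefixes (including stray non-format lines) stays with the record it follows."""
    return [c.strip() for c in re.split("(?=" + PREFIX + ")", text) if c.strip()]

def parse_record(chunk):
    """Parse one record into a dict; None for text that precedes the first prefix."""
    m = RECORD_RE.match(chunk)
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    e = ERRCODE_RE.match(rec["msg"])
    rec["errcode"] = e["name"] if e else None
    rec["errnum"] = int(e["num"]) if e else None
    f = FLOW_RE.search(rec["msg"])  # app-layer parser errors name the offending flow
    rec["flow"] = (f["src"], int(f["sport"]), f["dst"], int(f["dport"])) if f else None
    return rec

def summarise_errors(text):
    """Return (all parsed records, Counter of ERRCODE names among <Error> records)."""
    records = [r for r in map(parse_record, split_records(text)) if r]
    return records, Counter(r["errcode"] for r in records if r["level"] == "Error")
```

Running `summarise_errors` over the sample yields one SC_ERR_FOPEN and one SC_ERR_ALPARSER record, the latter carrying the 172.25.1.10:49459 -> 64.12.173.101:80 flow, so repeated parser errors can be grouped by flow rather than read one line at a time.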