[Oisf-users] simple question for bridging IPS (inline)

Anas.B a.bouhsaina at gmail.com
Mon Jul 26 09:36:13 UTC 2010 

I'm trying to do the same thing to test Suricata,

Bridging is successful since I have net connection in my host

---Net-Router(172.20.81.1)------<- Bridge (suricata in computer with 2
cards) ->------ my host (172.20.81.101)

But when i tried this rule :

drop tcp 172.20.81.101 any -> any any (content:"facebook"; msg:"Attention,
Facebook !!!"; sid:1000002; rev:1;)
or :
drop tcp any any -> any any (content:"facebook"; msg:"Attention, Facebook
!!!"; sid:1000002; rev:1;)


I just have an alert, but I can enter to facebook.........!!!

07/26/10-08:28:07.517395  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1740 ->
72.14.235.104:80
07/26/10-08:28:08.206148  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1742 ->
72.14.235.100:80
07/26/10-08:28:08.380125  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1740 ->
72.14.235.104:80
07/26/10-08:28:09.079290  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1741 ->
67.18.23.65:80
07/26/10-08:28:09.544135  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1745 ->
87.248.218.92:80
07/26/10-08:28:09.639904  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1746 ->
68.87.64.116:80
07/26/10-08:28:09.653826  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1744 ->
67.18.23.65:80
07/26/10-08:28:09.830274  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1748 ->
4.71.209.15:80
07/26/10-08:28:10.008049  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1747 ->
209.85.227.100:80
07/26/10-08:28:10.300653  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1749 ->
68.87.78.149:80
07/26/10-08:28:11.977590  [**] [1:485:5] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {1} 172.20.80.1:3 -> 172.20.80.100:13
07/26/10-08:28:17.931527  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1740 ->
72.14.235.104:80
07/26/10-08:28:21.189125  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1750 ->
66.220.146.11:80
07/26/10-08:28:38.168496  [**] [1:485:5] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {1} 172.20.80.1:3 -> 172.20.80.100:13
07/26/10-08:28:42.299672  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1770 ->
72.14.235.104:80
07/26/10-08:28:44.941011  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1804 ->
72.14.235.104:80
07/26/10-08:28:47.559393  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1839 ->
72.14.235.104:80
07/26/10-08:28:49.628545  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1848 ->
72.14.235.104:80
07/26/10-08:28:51.678339  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1862 ->
66.220.146.11:80
07/26/10-08:28:52.378889  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1799 ->
72.14.235.104:80
07/26/10-08:28:54.486073  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1875 ->
196.12.213.56:80
07/26/10-08:28:56.420210  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1889 ->
87.98.130.52:80
07/26/10-08:29:04.413680  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1926 ->
72.14.235.104:80
07/26/10-08:29:08.820362  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1946 ->
72.14.235.100:80
07/26/10-08:29:09.216669  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1949 ->
72.14.235.104:80
07/26/10-08:29:12.252341  [**] [1:485:5] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {1} 172.20.80.1:3 -> 172.20.80.100:13
07/26/10-08:29:13.124177  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1964 ->
72.14.235.104:80
07/26/10-08:29:13.709394  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1967 ->
66.220.146.11:80
07/26/10-08:29:13.997069  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1974 ->
196.12.213.56:80
07/26/10-08:29:14.158277  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1976 ->
196.12.213.56:80
07/26/10-08:29:14.191434  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1976 ->
196.12.213.56:80
07/26/10-08:29:14.206014  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1976 ->
196.12.213.56:80
07/26/10-08:29:15.576897  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1974 ->
196.12.213.56:80
07/26/10-08:29:21.263951  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:1997 ->
67.18.23.65:80
07/26/10-08:29:24.106282  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2027 ->
66.220.146.11:80
07/26/10-08:29:43.536743  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2048 ->
196.12.213.56:80
07/26/10-08:29:44.225171  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2048 ->
196.12.213.56:80
07/26/10-08:29:44.269318  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2048 ->
196.12.213.56:80
07/26/10-08:29:44.582251  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2048 ->
196.12.213.56:80
07/26/10-08:29:46.024928  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2049 ->
80.157.170.80:80
07/26/10-08:29:46.158738  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2048 ->
196.12.213.56:80
07/26/10-08:29:46.778466  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2050 ->
80.157.170.73:80
07/26/10-08:29:46.850379  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2050 ->
80.157.170.73:80
07/26/10-08:29:47.447351  [**] [1:485:5] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {1} 172.20.80.1:3 -> 172.20.80.100:13
07/26/10-08:29:50.837632  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2054 ->
196.12.213.57:80
07/26/10-08:29:51.511817  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:51.578581  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:51.649844  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:51.973257  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:52.343481  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:53.313476  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:54.678733  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:55.056374  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:55.398719  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:29:55.733208  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:57.166266  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:57.293175  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:29:57.812568  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2058 ->
93.186.135.89:80
07/26/10-08:29:58.522060  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:29:58.589148  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:29:58.657140  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:29:59.509121  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:00.129142  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:00.194528  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:00.555942  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:00.646232  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2057 ->
93.186.135.89:80
07/26/10-08:30:00.874448  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2058 ->
93.186.135.89:80
07/26/10-08:30:01.396735  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:01.491180  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:01.560120  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:01.939659  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:02.238916  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:02.838980  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:04.038863  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:04.822896  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2075 ->
67.18.23.65:80
07/26/10-08:30:05.234740  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:05.995330  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2078 ->
72.14.235.104:80
07/26/10-08:30:06.429322  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2080 ->
208.80.152.2:80
07/26/10-08:30:06.438720  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:08.541125  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2077 ->
67.18.23.65:80
07/26/10-08:30:13.636323  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2061 ->
93.186.135.89:80
07/26/10-08:30:13.892064  [**] [1:1000002:1] Attention, Facebook !!! [**]
[Classification: (null)] [Priority: 3] {6} 172.20.80.100:2095 ->
67.18.23.65:80

to give more information, in the console i had this :

2430] 26/7/2010 -- 09:28:50 - (app-layer-htp.c:479) <Error>
(HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
HTTP server response: [1] [htp_response.c] [671] Unable to match response to
request
[2430] 26/7/2010 -- 09:28:50 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address
172.20.80.100, destination IP address 72.55.186.68, src port 1807 and dst
port 80
[2430] 26/7/2010 -- 09:29:02 - (app-layer-htp.c:479) <Error>
(HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
HTTP server response: [1] [htp_response.c] [671] Unable to match response to
request
[2430] 26/7/2010 -- 09:29:02 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address
172.20.80.100, destination IP address 72.55.186.68, src port 1805 and dst
port 80
[2430] 26/7/2010 -- 09:29:43 - (app-layer-htp.c:479) <Error>
(HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
HTTP server response: [1] [htp_response_generic.c] [101] Request field
invalid: colon missing
[2430] 26/7/2010 -- 09:29:43 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address
172.20.80.100, destination IP address 196.12.213.56, src port 2048 and dst
port 80
[2430] 26/7/2010 -- 09:30:30 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address
172.20.80.100, destination IP address 72.55.186.68, src port 1808 and dst
port 80
[2430] 26/7/2010 -- 09:32:23 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address
172.20.80.100, destination IP address 72.55.186.68, src port 1812 and dst
port 80

what do you think ?!!



2010/7/22 Will Metcalf <william.metcalf at gmail.com>

> You need to use NFQUEUE.  Actually if you just want to filter traffic
> moving across the bridge it all moves through the FORWARD chain.  The
> INPUT/OUTPUT chains will filter traffic in/out of the  local ip stack
> i.e. the management interface etc. So in summary, I think all you
> really need to start is....
>
> iptables -A FORWARD -j NFQUEUE --queue-num 0
>
> Regards,
>
> Will
>
> On Thu, Jul 22, 2010 at 11:28 AM, Morgan Cox <morgancoxuk at gmail.com>
> wrote:
> > Hi.
> >
> > I am setting up a bridging IPS .
> >
> > I have one simple question.
> >
> > I want to allow all traffic through the bridge - but get suricata to
> 'check'
> > traffic.
> >
> > Actually I have 2 questions:-
> >
> > 1 .  Do I need to use NFQUEUE or can I just use QUEUE for Iptables ?
> >
> > 2.
> >
> > Is this acceptable rules (for allowing all traffic)
> >
> > iptables -A FORWARD -j QUEUE
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> >
> > Or should I use
> >
> > iptables -A INPUT -j NFQUEUE --queue-num 0
> > iptables -A FORWARD -j NFQUEUE --queue-num 0
> > iptables -A OUTPUT -j NFQUEUE --queue-num 0
> >
> > cheers
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20100726/979b5dd1/attachment-0002.html>

More information about the Oisf-users mailing list