[Oisf-users] Suricata - test rule ignored/not dropping.

Morgan Cox morgancoxuk at gmail.com
Mon Jul 26 14:08:03 UTC 2010


Hi.

I am quite familiar with running snort in inline mode.

I have set up bridging mode on Ubuntu Lucid = eth0+eth1 = br0, and I have added emerging and VRS rules.

It is running ok - but ignoring my test (drop) rule

I want suricata to examine all traffic (including to the Suricata server)

I have used a startup script:-

/sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
/sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
/sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
sleep 1
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D --pidfile=/var/run/suricata.pid

For my test rule I just want it to drop all attempts to go to port 80 (for
the Bridge + the Suricata server)

Previously I have used


drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

But it errors:-

[1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error> (DetectLoadSigFile) --
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop tcp
any any -> any 80 (msg:"Snort_Inline is blocking the http link";) " from
file /etc/suricata/rules/emerging-malware.rules at line 1314

- somehow the syntax isn't working.
If I use:-

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I get no errors (in the log) but can still access port 80 on the Suricata
server - i.e.:-

http://ipaddressofsuricataserver.com:80

And I get nothing in the logs, no alert + no drop - so my test rule isn't
working.


Lastly I have tried (from the blog)

drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)

This does trigger an 'alert' when I go to

http://ipaddressofsuricataserver.com:80

in fast.log :-

07/26/10-14:01:54.377706  [**] [1:123321:0] testing drop [**] [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80

The issue is that it is NOT blocking - I can still access it.

Can anyone suggest how to make it drop correctly?

Cheers
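An added example, not code from the post or from the Suricata project: a small Python checker that parses rules written in the form quoted above and fast.log lines in the form shown, flags the things a practitioner would check first (unknown action, missing msg, missing sid, and the fact that content:"*" is a literal byte match rather than a wildcard), and correlates an alert's [gid:sid:rev] back to the rule that produced it. The two rules are the ones from the mail, wrapped exactly as they arrived; the fast.log line is constructed in the same shape as the one above, with the redacted (clientIP)/(serverip) replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the original post or from Suricata itself.

RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<class>.*?)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)\s*$"
)

VALID_ACTIONS = {"alert", "drop", "pass", "reject"}


def split_options(opts: str) -> List[Tuple[str, Optional[str]]]:
    """Split the option block on ';' outside double quotes; return (key, value) pairs."""
    tokens, buf, in_quote = [], [], False
    i = 0
    while i < len(opts):
        c = opts[i]
        if in_quote and c == "\\" and i + 1 < len(opts):
            buf.append(opts[i:i + 2])      # keep escaped characters such as \" or \;
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    tokens.append("".join(buf))            # a trailing option with no ';'
    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        if ":" in tok:
            key, val = tok.split(":", 1)
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]            # strip the quotes around msg/content values
            pairs.append((key.strip(), val))
        else:
            pairs.append((tok, None))      # flag options such as http_header
    return pairs


def parse_rule(text: str) -> Dict:
    """Parse one rule; newlines from mail wrapping are folded into spaces."""
    m = RULE_RE.match(text.replace("\n", " "))
    if not m:
        raise ValueError("not a rule header I understand: %r" % text)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def validate_rule(rule: Dict) -> List[str]:
    """Return the problems a practitioner would want flagged before loading the rule."""
    issues = []
    opts = dict(rule["options"])
    if rule["action"] not in VALID_ACTIONS:
        issues.append("unknown action %r" % rule["action"])
    if "msg" not in opts:
        issues.append("missing msg")
    if "sid" not in opts:
        issues.append("missing sid: recent Suricata versions reject a signature without "
                      "one, and fast.log has no [gid:sid:rev] to correlate against")
    elif not (opts["sid"] or "").isdigit():
        issues.append("sid must be numeric")
    if opts.get("content") == "*":
        issues.append("note: content:\"*\" matches a literal '*' byte "
                      "(for example in 'Accept: */*'), not a wildcard")
    return issues


def parse_fast_log(line: str) -> Dict:
    """Parse one fast.log line into its fields (numeric fields converted to int)."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised fast.log line: %r" % line)
    alert = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sp", "dp"):
        alert[k] = int(alert[k])
    return alert


def rule_for_alert(alert: Dict, rules: List[Dict]) -> Optional[Dict]:
    """Find the loaded rule whose sid matches the alert's sid, or None."""
    for r in rules:
        sid = dict(r["options"]).get("sid")
        if sid is not None and sid.isdigit() and int(sid) == alert["sid"]:
            return r
    return None


# The two rules from the mail, wrapped exactly as they arrived (the first has no sid).
RULE_NO_SID = ('drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80\n'
               'connection initiated";)')
RULE_WITH_SID = ('drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header;\n'
                 'sid:123321;)')
# Constructed fast.log line in the shape of the one in the mail; the redacted
# (clientIP)/(serverip) are replaced with RFC 5737 documentation addresses.
SAMPLE_FAST_LOG = ('07/26/10-14:01:54.377706  [**] [1:123321:0] testing drop [**] '
                   '[Classification: (null)] [Priority: 3] {6} 192.0.2.10:49769 -> 192.0.2.20:80')

if __name__ == "__main__":
    rules = [parse_rule(RULE_NO_SID), parse_rule(RULE_WITH_SID)]
    for r in rules:
        print(r["action"], r["proto"], "->", r["dst_port"], validate_rule(r) or ["ok"])
    alert = parse_fast_log(SAMPLE_FAST_LOG)
    hit = rule_for_alert(alert, rules)
    print("alert sid", alert["sid"], "came from rule msg:",
          hit and dict(hit["options"]).get("msg"))
```

Run it as a script and it reports that the first rule has no sid and that the alert with sid 123321 correlates to the second rule only. The checker says nothing about whether a drop actually took effect: fast.log of that era records only that the signature matched, so the verdict has to be confirmed on the wire (for instance by seeing whether the TCP handshake completes) rather than from this log alone.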