[Oisf-users] Suricata - test rule ignored/not dropping.
Morgan Cox
morgancoxuk at gmail.com
Mon Jul 26 14:08:03 UTC 2010
Hi.
I am quite familiar with running snort in inline mode.
I have set up bridging mode on Ubuntu Lucid (eth0+eth1 = br0), and I have added emerging and VRT rules.
It is running OK, but it is ignoring my test (drop) rule.
I want suricata to examine all traffic (including to the Suricata server)
I have used a startup script:-
# send local inbound, forwarded (bridged) and local outbound traffic to NFQUEUE 0
/sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
/sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
/sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
sleep 1
# start suricata inline, reading from NFQUEUE 0, daemonised
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D \
    --pidfile=/var/run/suricata.pid
For my test rule I just want it to drop all attempts to go to port 80 (for
the Bridge + the Suricata server)
Previously I have used
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
But it errors:-
[1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error> (DetectLoadSigFile) --
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop tcp
any any -> any 80 (msg:"Snort_Inline is blocking the http link";) " from
file /etc/suricata/rules/emerging-malware.rules at line 1314
Somehow the syntax isn't working.
If I use:-
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
I get no errors (in the log) but can still access port 80 on the Suricata
server, i.e.:-
http://ipaddressofsuricataserver.com:80
And I get nothing in the logs, no alert + no drop - so my test rule isn't
working.
Lastly I have tried (from the blog)
drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)
This does trigger an 'alert' when I go to
http://ipaddressofsuricataserver.com:80
in fast.log :-
07/26/10-14:01:54.377706 [**] [1:123321:0] testing drop [**]
[Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80
The issue is that it is NOT blocking - I can still access it.
Can anyone suggest how to make it drop correctly?
Cheers
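The following is an added example, not part of the post above and not Suricata's own rule parser. It is a small, self-contained linter for the Snort/Suricata rule header and option syntax that runs over the three rule variants quoted in the mail (embedded as constructed strings). It reports the structural problems a practitioner checks before loading a rule, such as a missing sid, an option body not terminated by ";" or a rule that has been wrapped across two lines when pasted from an e-mail, and it reminds the operator that a drop action can only be enforced when Suricata runs inline (started with -q, as in the post). The set of accepted actions and the port pattern are simplifications assumed for this linter; the real parser accepts more.

```python
import re
from typing import Dict, List

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# Simplified set of Suricata actions (assumption: reject variants omitted).
VALID_ACTIONS = {"alert", "drop", "pass", "reject"}
# Simplified port syntax: any, $VAR, port, port range, negation, list.
PORT_RE = re.compile(r'^(any|\$\w+|!?\d{1,5}(:\d{0,5})?|\[.*\])$')

# Rules as they appear in the mailing-list post (constructed copies).
POSTED_RULES = [
    'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
    'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)',
    # The first rule exactly as it wraps in the mail body: a naive paste of it
    # yields a newline inside the msg string, which no rule parser accepts.
    'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80\nconnection initiated";)',
]


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while respecting quoted strings and escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in options")
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def lint_rule(rule: str) -> Dict:
    """Return a dict with ok flag, problems, notes, parsed action and sid."""
    result = {"ok": True, "problems": [], "notes": [], "action": None, "sid": None}
    problems = result["problems"]
    m = HEADER_RE.match(rule.strip())
    if not m:
        problems.append("header does not match 'action proto src sport dir dst dport (options)'"
                        " (check that the rule is on a single line)")
        result["ok"] = False
        return result
    action = m.group("action")
    result["action"] = action
    if action not in VALID_ACTIONS:
        problems.append(f"unknown action {action!r}")
    for name in ("sport", "dport"):
        if not PORT_RE.match(m.group(name)):
            problems.append(f"bad {name} {m.group(name)!r}")
    body = m.group("opts")
    if not body.rstrip().endswith(";"):
        problems.append("last option is not terminated by ';'")
    try:
        opts = split_options(body)
    except ValueError as exc:
        problems.append(str(exc))
        result["ok"] = False
        return result
    keywords = {}
    for opt in opts:
        key, _, val = opt.partition(":")
        keywords.setdefault(key.strip(), val.strip())
    if "sid" not in keywords:
        problems.append("missing sid (Suricata rejects a rule without one)")
    elif not keywords["sid"].isdigit():
        problems.append(f"sid is not numeric: {keywords['sid']!r}")
    else:
        result["sid"] = int(keywords["sid"])
    if "msg" not in keywords:
        result["notes"].append("no msg: alerts for this rule carry an empty message")
    if action == "drop":
        result["notes"].append("drop is only enforced when suricata runs inline (-q NFQUEUE);"
                               " in a non-inline run the rule can only alert")
    result["ok"] = not problems
    return result


def lint_posted_rules() -> List[Dict]:
    """Lint every rule variant quoted in the post."""
    return [lint_rule(r) for r in POSTED_RULES]


if __name__ == "__main__":
    for rule, res in zip(POSTED_RULES, lint_posted_rules()):
        print(repr(rule))
        print("  ok:", res["ok"], "sid:", res["sid"])
        for p in res["problems"]:
            print("  problem:", p)
        for n in res["notes"]:
            print("  note:", n)
```

Running it flags the first rule for its missing sid, accepts the second (sid 123321, the one that alerted in fast.log) with the inline-mode reminder, and rejects the wrapped copy outright. Passing the linter says nothing about whether packets actually reach the running instance: that depends on the NFQUEUE rules and the -q start flag shown above, which is where the blocking itself is decided.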