[Oisf-users] Suricata - test rule ignored/not dropping.

Will Metcalf william.metcalf at gmail.com
Mon Jul 26 14:24:21 UTC 2010


You need to assign a sid to your rule.

Sent from my iPhone

On Jul 26, 2010, at 9:08 AM, Morgan Cox <morgancoxuk at gmail.com> wrote:

> Hi.
> 
> I am quite familiar with running snort in inline mode.
> 
> I have set up bridging mode on Ubuntu Lucid: eth0+eth1 = br0
> 
> I have added emerging and VRS rules.
> 
> It is running ok - but ignoring my test (drop) rule
> 
> I want suricata to examine all traffic (including to the Suricata server)
> 
> I have used a startup script:-
> 
> /sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
> /sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
> /sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
> sleep 1
> /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D --pidfile=/var/run/suricata.pid
> 
> For my test rule I just want it to drop all attempts to go to port 80 (for the Bridge + the Suricata server)
> 
> Previously I have used
> 
> 
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
> 
> But it errors:-
> 
> [1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link";) " from file /etc/suricata/rules/emerging-malware.rules at line 1314
> 
> - somehow the syntax isn't working.
> 
> 
> 
> If I use:-
> 
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
> 
> I get no errors (in the log) but can still access port 80 on the Suricata server, i.e.:-
> 
> http://ipaddressofsuricataserver.com:80
> 
> And I get nothing in the logs, no alert + no drop - so my test rule isn't working.
> 
> 
> Lastly I have tried (from the blog)
> 
> drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)
> 
> This does trigger an 'alert' when I go to 
> 
> http://ipaddressofsuricataserver.com:80
> 
> in fast.log :-
> 
> 07/26/10-14:01:54.377706  [**] [1:123321:0] testing drop [**] [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80
> 
> The issue is that it is NOT blocking - I can still access it.
> 
> Can anyone suggest how to make it drop correctly?
> 
> Cheers
> 
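Will's answer is that the rule is rejected because it carries no sid. The following rule linter is an added example, not code from this thread or from the Suricata project: it parses the header and option list of each rule line and reports exactly that defect, using the two rules quoted in Morgan's message as constructed input plus a corrected version of the first one. The sid value 1000001 in the corrected rule and the set of checks performed are my own assumptions; a real deployment would rely on Suricata's own parser, and this only catches the common mistakes before a restart.

```python
import re

# Constructed sample input: the two rules quoted in Morgan's message plus a corrected
# version of the first one. The sid 1000001 is an assumed local-range value, not from the thread.
RULE_NO_SID = 'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)'
RULE_WITH_SID = 'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)'
RULE_FIXED = ('drop tcp any any -> any 80 (msg:"Port 80 connection initiated"; '
              'classtype:attempted-user; sid:1000001; rev:1;)')

# Rule header layout: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
ACTIONS = {"alert", "drop", "pass", "reject"}


def split_options(opts):
    """Split the option body on ';' outside double quotes; return [(key, value_or_None)]."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    result = []
    for part in parts:
        if not part:
            continue
        key, sep, value = part.partition(':')   # keyword-only options (http_header) have no ':'
        result.append((key.strip(), value.strip() if sep else None))
    return result


def parse_rule(rule):
    """Return the header fields plus an 'options' dict, or None if the header is malformed.
    Duplicate option keys (e.g. several content: matches) collapse to the last one, which
    is enough for a sid/msg check."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    parsed = m.groupdict()
    parsed['options'] = dict(split_options(parsed.pop('opts')))
    return parsed


def check_rule(rule):
    """Return a list of problems; an empty list means the rule passed the checks."""
    parsed = parse_rule(rule)
    if parsed is None:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    problems = []
    if parsed['action'] not in ACTIONS:
        problems.append("unknown action %r" % parsed['action'])
    opts = parsed['options']
    if 'sid' not in opts:
        problems.append("missing sid: Suricata rejects a signature without one")
    elif not (opts['sid'] or '').isdigit():
        problems.append("sid must be a positive integer, got %r" % opts['sid'])
    if 'msg' not in opts:
        problems.append("missing msg")
    return problems


def check_rule_file(text):
    """Check every non-comment, single-line rule; return {line_number: problems} for failing lines.
    Backslash line continuations are not handled."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        problems = check_rule(stripped)
        if problems:
            report[lineno] = problems
    return report


if __name__ == '__main__':
    # Constructed rules file: a comment line followed by the three sample rules.
    sample = "# test.rules\n" + "\n".join([RULE_NO_SID, RULE_WITH_SID, RULE_FIXED]) + "\n"
    for lineno, problems in check_rule_file(sample).items():
        print("line %d: %s" % (lineno, "; ".join(problems)))
```

Run against the constructed file, only line 2 (the rule without a sid) is reported; the rule with sid:123321 and the corrected rule pass, which matches what Morgan saw: the sid-less rule never loaded, while the rule with a sid did load and alerted in fast.log.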