[Oisf-users] Suricata - test rule ignored/not dropping.
Victor Julien
victor at inliniac.net
Tue Jul 27 08:43:18 UTC 2010
The dropping appears to work if a 'content:"/";' is added like this:
drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http
link"; sid:1; content:"/";)
It should work without it as well though, so I opened a bug ticket for it:
https://redmine.openinfosecfoundation.org/issues/221
Thanks for the report Morgan!
Cheers,
Victor
Morgan Cox wrote:
> Hi.
>
> I am quite familiar with running Snort in inline mode.
>
> I have set up bridging mode on Ubuntu Lucid = eth0+eth1 = br0, and I have
> added emerging and VRS rules.
>
> It is running OK, but ignoring my test (drop) rule.
>
> I want suricata to examine all traffic (including to the Suricata server)
>
> I have used a startup script:-
>
> /sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
> /sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
> /sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
> sleep 1
> /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D
> --pidfile=/var/run/suricata.pid
>
> For my test rule I just want it to drop all attempts to go to port 80
> (for the Bridge + the Suricata server)
>
> Previously I have used
>
>
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
>
> But it errors:-
>
> [1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is
> blocking the http link";) " from file
> /etc/suricata/rules/emerging-malware.rules at line 1314
>
> - somehow the syntax isn't working.
>
> If I use:-
>
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
>
> I get no errors (in the log) but can still access port 80 on the
> Suricata server - i.e.:-
>
> http://ipaddressofsuricataserver.com:80
>
> And I get nothing in the logs, no alert + no drop - so my test rule
> isn't working.
>
> Lastly I have tried (from the blog)
>
> drop tcp any any -> any 80 (msg:"testing drop"; content:"*";
> http_header; sid:123321;)
>
> This does trigger an 'alert' when I go to
>
> http://ipaddressofsuricataserver.com:80
>
> in fast.log :-
>
> 07/26/10-14:01:54.377706 [**] [1:123321:0] testing drop [**]
> [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80
>
> The issue is that it is NOT blocking - I can still access it.
>
> Can anyone suggest how to make it drop correctly?
>
> Cheers
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
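As an added example (not code from the thread or from the Suricata project), a small Python checker that parses rule lines like the ones quoted above and flags the two things that distinguish the working rule from the ignored ones: a missing sid option, and, for drop rules, no payload keyword such as content (the workaround Victor describes). The set of payload keywords and the choice of which findings to report are assumptions.

```python
import re

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Assumed set of keywords that make a rule inspect payload (not exhaustive).
PAYLOAD_KEYWORDS = {'content', 'uricontent', 'pcre'}


def parse_options(opts):
    """Split the option body on ';' outside double quotes -> [(key, value)]."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        items.append(''.join(buf).strip())
    result = []
    for item in items:
        key, _, val = item.partition(':')   # flag keywords have no ':'
        result.append((key.strip(), val.strip()))
    return result


def check_rule(line):
    """Return a list of findings for one rule line; [] means nothing flagged."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ['rule does not parse']
    keys = {k for k, _ in parse_options(m.group('opts'))}
    findings = []
    if 'sid' not in keys:
        findings.append('missing sid')
    if m.group('action') == 'drop' and not keys & PAYLOAD_KEYWORDS:
        findings.append('no payload keyword')
    return findings


if __name__ == '__main__':
    # Constructed input: the three rules quoted in the thread, joined onto one line each.
    for rule in [
        'drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)',
        'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
        'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)',
    ]:
        print(check_rule(rule) or 'ok', '<-', rule)
```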