[Oisf-users] Suricata - test rule ignored/not dropping.

Victor Julien victor at inliniac.net
Tue Jul 27 08:43:18 UTC 2010


The dropping appears to work if a 'content:"/";' is added like this:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http
link"; sid:1; content:"/";)

It should work without it as well though, so I opened a bug ticket for it:

https://redmine.openinfosecfoundation.org/issues/221

Thanks for the report Morgan!

Cheers,
Victor

Morgan Cox wrote:
> Hi.
> 
> I am quite familiar with running snort in inline mode.
> 
> I have set up bridging mode on Ubuntu Lucid = eth0+eth1 = br0
> 
> I have added emerging and VRS rules.
> 
> It is running ok - but ignoring my test (drop) rule
> 
> I want suricata to examine all traffic (including to the Suricata server)
> 
> I have used a startup script:-
> 
> /sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
> /sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
> /sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
> sleep 1
> /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D
> --pidfile=/var/run/suricata.pid
> 
> For my test rule I just want it to drop all attempts to go to port 80
> (for the Bridge + the Suricata server)
> 
> Previously I have used
> 
> 
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
> 
> But it errors:-
> 
> [1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is
> blocking the http link";) " from file
> /etc/suricata/rules/emerging-malware.rules at line 1314
> 
> - somehow the syntax isn't working.
> 
> 
> 
> If I use:-
> 
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
> 
> I get no errors (in the log) but can still access port 80 on the
> Suricata server - i.e :-
> 
> http://ipaddressofsuricataserver.com:80
> 
> And I get nothing in the logs, no alert + no drop - so my test rule
> isn't working.
> 
> 
> Lastly I have tried (from the blog)
> 
> drop tcp any any -> any 80 (msg:"testing drop"; content:"*";
> http_header; sid:123321;)
> 
> This does trigger an 'alert' when I go to
> 
> http://ipaddressofsuricataserver.com:80
> 
> in fast.log :-
> 
> 07/26/10-14:01:54.377706  [**] [1:123321:0] testing drop [**]
> [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80
> 
> The issue is that it is NOT blocking - I can still access it.
> 
> Can anyone suggest how to make it drop correctly?
> 
> Cheers
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
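As an added example (not code from the thread, from Suricata, or from either poster), the following Python linter reads rule lines and flags the two omissions the thread turns on: a rule with no sid, which fast.log cannot identify since it prints matches as [gid:sid:rev], and a drop rule with no content or pcre keyword, the case Victor filed as issue 221. The header regex and option splitter are deliberately simplified (sufficient for the rules quoted above, not a full Suricata grammar), and the set of keywords counted as a payload match is an assumption. The sample rules are the thread's own, joined onto single lines.

```python
"""Lint Suricata rule lines for a missing sid and for drop rules without a
payload match. Added example; the header regex, option splitter and
PAYLOAD_KEYWORDS are simplifications/assumptions, not Suricata's parser."""
import re
import sys

# The rules quoted in the thread, each joined onto one line (constructed input).
THREAD_RULES = {
    "errored":      'drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link";)',
    "no_content":   'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
    "with_content": 'drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)',
    "http_header":  'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)',
}

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Assumed: the keywords we count as an actual payload match.
PAYLOAD_KEYWORDS = {"content", "pcre"}

UNPARSEABLE = "rule does not match the action/proto/src/sport/dir/dst/dport (options) layout"
MISSING_SID = "missing sid: fast.log reports matches as [gid:sid:rev], so the rule cannot be traced"
MISSING_MSG = "missing msg"
NO_PAYLOAD = ('drop rule has no content/pcre match: the thread reports dropping only took '
              'effect once content:"/" was added (OISF issue 221)')


def split_options(opts: str) -> list:
    """Split the option body on ';' while respecting double-quoted values,
    so a ';' inside msg:"..." does not terminate the option. Returns
    (keyword, value-or-None) pairs; bare modifiers like http_header get None."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    pairs = []
    for item in items:
        key, sep, value = item.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def lint_rule(line: str) -> list:
    """Return a list of findings for one rule line (empty list means clean)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return [UNPARSEABLE]
    keywords = {k for k, _ in split_options(m.group("opts"))}
    findings = []
    if "sid" not in keywords:
        findings.append(MISSING_SID)
    if "msg" not in keywords:
        findings.append(MISSING_MSG)
    if m.group("action") == "drop" and not keywords & PAYLOAD_KEYWORDS:
        findings.append(NO_PAYLOAD)
    return findings


def lint_text(text: str) -> dict:
    """Lint a whole rules file body; maps 1-based line number to its findings,
    skipping blank lines and '#' comments and reporting only lines with issues."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        findings = lint_rule(line)
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    # With a path argument lint that file; otherwise lint the thread's rules.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else "\n".join(THREAD_RULES.values())
    for lineno, findings in lint_text(body).items():
        for f in findings:
            print(f"line {lineno}: {f}")
```

Run without arguments it reports on the four rules from the thread: the two rules that neither dropped nor parsed get both findings, while the content:"/" rule and the http_header rule come back clean. Pointing it at a rules file (e.g. the emerging-malware.rules path the error message names) lints every non-comment line.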