[Oisf-users] Fwd: IPS

Anas.B a.bouhsaina at gmail.com
Mon Jun 14 15:44:17 UTC 2010


yeessss
I've discovered the problem, the reference in the *suricata.yaml* file was wrong
you're right, that was the http log file,
because the alert-debug file was *empty*

so http.log just logs all http traffic !!??

other thing, (I've copied snort rules)
*can we use both rules at the same time ?* (emerging and snort rules)

I have a lot of messages/errors when I run Suricata !
like :

[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
[ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System
Web Server 7.0 WebDAV format string exploit attempt - LOCK method";
flow:to_server,established; content:"LOCK"; fast_pattern; nocase;
http_method; content:"encoding";
pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user;
sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
[4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
(DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
[ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
$EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected";
flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only;
metadata:service x11; reference:arachnids,396; classtype:attempted-user;
sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23
[4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
(DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
[ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
$EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established;
content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only;
metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226;
rev:6;)" from file /etc/suricata/rules/x11.rules at line 24
[4389] 14/6/2010 -- 15:59:02 - (detect.c:341) <Error> (SigLoadSignatures) --
[ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
/etc/suricata/rules/x11.rules
[4389] 14/6/2010 -- 15:59:03 - (detect.c:341) <Error> (SigLoadSignatures) --
[ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
/etc/suricata/rules/emerging-web.rules



Thanks

2010/6/14 Will Metcalf <william.metcalf at gmail.com>

> > before changing the rule (without protocol)
> > we have this log :
> >
> > 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
>
> This looks like the http.log file correct?  This will log all http
> traffic regardless of the traffic generating an alert.
>
> > but I think it's a false positive, or bug, because I noticed that it's
> > not alert of my rule, but it happens even when I enter to youtube
>
> Hmmm Perhaps youtube content is served off of google servers.  Take a
> look at the alert-debug.log file to look at what is being dropped. I'm
> guessing you will probably see Host: headers with google in there
> somewhere ;-).
>
> > the second test of the new rule : drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook";sid:1;)
> > didn't drop :
>
> This rule works for me, drops, and prevents me from reaching facebook.
>  Perhaps you have multiple rules loaded with the same sid?  If this is
> the case try changing the sid on one of the rules to say "2".
>
> +================
> TIME:              06/14/10-14:28:48.290197
> ALERT CNT:         1
> ALERT MSG [00]:    Facebook forbidden
> ALERT GID [00]:    1
> ALERT SID [00]:    1
> ALERT REV [00]:    0
> ALERT CLASS [00]:  (null)
> ALERT PRIO [00]:   3
> SRC IP:            192.168.7.241
> DST IP:            66.220.147.11
> PROTO:             6
> SRC PORT:          47152
> DST PORT:          80
> TCP SEQ:           2271938637
> TCP ACK:           1997977476
> FLOW:              to_server: TRUE, to_client FALSE
> PACKET LEN:        437
> PACKET:
>
>
>
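A practitioner's check for the rule-loading errors pasted earlier in this message, as an added example that is not part of the thread: a small Python parser for those Suricata startup error records that reports which rule failed (file, line, sid), the keyword-level error Suricata logged just before it (here the fast_pattern complaint), and which rule files ended up with no rules loaded. The sample log is constructed from three of the records quoted above, with the mail-client line wrapping undone.

```python
import re

# Constructed sample: three of the error records quoted in the thread, with
# the mail-client line wrapping undone (Suricata writes each record on one line).
SAMPLE_LOG = (
    "[4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error> "
    "(DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - "
    "DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value\n"
    "[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) -- "
    '[ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp '
    '$EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; '
    'flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; '
    "metadata:service x11; reference:arachnids,396; classtype:attempted-user; "
    'sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23\n'
    "[4389] 14/6/2010 -- 15:59:02 - (detect.c:341) <Error> (SigLoadSignatures) -- "
    "[ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/x11.rules\n"
)

ERR_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<detail>.*)$")
SIG_RE = re.compile(r'Error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
NORULES_RE = re.compile(r"No rules loaded from (?P<file>\S+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def parse_load_errors(log_text):
    """Return (failed_rules, empty_files) for a Suricata startup log.

    failed_rules: dicts {file, line, sid, cause}; 'cause' is the keyword-level
    error record Suricata logs right before the "Error parsing signature" one.
    empty_files: rule files from which no rules were loaded at all.
    """
    failed, empty, pending_cause = [], [], None
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue  # informational line, not an error record
        code, detail = m.group("code"), m.group("detail")
        sig = SIG_RE.search(detail)
        if sig:
            sid = SID_RE.search(sig.group("rule"))
            failed.append({"file": sig.group("file"), "line": int(sig.group("line")),
                           "sid": int(sid.group(1)) if sid else None,
                           "cause": pending_cause or code})
            pending_cause = None  # consumed by this signature
        elif code == "SC_ERR_NO_RULES":
            empty.append(NORULES_RE.search(detail).group("file"))
        else:
            pending_cause = detail  # keyword setup error; explains the next signature
    return failed, empty
```

Running it over a full suricata.log gives a per-file list of rejected sids and their causes, which is the list to edit (or exclude with a disabled-sid list) before the rule set is loaded again.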