[Oisf-users] Fwd: IPS
Anas.B
a.bouhsaina at gmail.com
Mon Jun 14 15:44:17 UTC 2010
yeessss
I've discovered the problem, the reference in the *suricata.yaml* file was wrong.
You're right, that was the http log file,
because the alert-debug file was *empty*.
So http.log just logs all http traffic!!??
Another thing (I've copied the snort rules):
*can we use both rule sets at the same time?* (emerging and snort rules)
I get a lot of messages/errors when I run Suricata!
like:
[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
[4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23
[4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
[4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226; rev:6;)" from file /etc/suricata/rules/x11.rules at line 24
[4389] 14/6/2010 -- 15:59:02 - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/x11.rules
[4389] 14/6/2010 -- 15:59:03 - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/emerging-web.rules
Thanks
2010/6/14 Will Metcalf <william.metcalf at gmail.com>
> > before changing the rule (without protocol)
> > we have this log :
> >
> > 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
>
> This looks like the http.log file correct? This will log all http
> traffic regardless of the traffic generating an alert.
>
> > but I think it's a false positive, or a bug, because I noticed that it's not
> > an alert of my rule, but it happens even when I go to youtube
>
> Hmmm, perhaps youtube content is served off of google servers. Take a
> look at the alert-debug.log file to look at what is being dropped. I'm
> guessing you will probably see Host: headers with google in there
> somewhere ;-).
>
> > the second test of the new rule: drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook";sid:1;)
> > didn't drop:
>
> This rule works for me, drops, and prevents me from reaching facebook.
> Perhaps you have multiple rules loaded with the same sid? If this is
> the case try changing the sid on one of the rules to say "2".
>
> +================
> TIME: 06/14/10-14:28:48.290197
> ALERT CNT: 1
> ALERT MSG [00]: Facebook forbidden
> ALERT GID [00]: 1
> ALERT SID [00]: 1
> ALERT REV [00]: 0
> ALERT CLASS [00]: (null)
> ALERT PRIO [00]: 3
> SRC IP: 192.168.7.241
> DST IP: 66.220.147.11
> PROTO: 6
> SRC PORT: 47152
> DST PORT: 80
> TCP SEQ: 2271938637
> TCP ACK: 1997977476
> FLOW: to_server: TRUE, to_client FALSE
> PACKET LEN: 437
> PACKET:
> 0000 45 00 01 B5 98 52 40 00 40 06 02 70 C0 A8 07 F1 E....R@. @..p....
> 0010 42 DC 93 0B B8 30 00 50 87 6B 08 4D 77 16 B7 84 B....0.P .k.Mw...
> 0020 80 18 00 2E 8E 99 00 00 01 01 08 0A 00 01 93 B3 ........ ........
> 0030 36 DD 42 B4 47 45 54 20 2F 20 48 54 54 50 2F 31 6.B.GET / HTTP/1
> 0040 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 66 61 .1..Host : www.fa
> 0050 63 65 62 6F 6F 6B 2E 63 6F 6D 0D 0A 55 73 65 72 cebook.c om..User
> 0060 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
> 0070 35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E 5.0 (X11 ; U; Lin
> 0080 75 78 20 78 38 36 5F 36 34 3B 20 65 6E 2D 55 53 ux x86_6 4; en-US
> 0090 3B 20 72 76 3A 31 2E 39 2E 32 2E 33 29 20 47 65 ; rv:1.9 .2.3) Ge
> 00A0 63 6B 6F 2F 32 30 31 30 30 34 32 33 20 55 62 75 cko/2010 0423 Ubu
> 00B0 6E 74 75 2F 31 30 2E 30 34 20 28 6C 75 63 69 64 ntu/10.0 4 (lucid
> 00C0 29 20 46 69 72 65 66 6F 78 2F 33 2E 36 2E 33 0D ) Firefo x/3.6.3.
> 00D0 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 .Accept: text/ht
> 00E0 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 ml,appli cation/x
> 00F0 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 html+xml ,applica
> 0100 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 2A tion/xml ;q=0.9,*
> 0110 2F 2A 3B 71 3D 30 2E 38 0D 0A 41 63 63 65 70 74 /*;q=0.8 ..Accept
> 0120 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 -Languag e: en-us
> 0130 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 ,en;q=0. 5..Accep
> 0140 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 t-Encodi ng: gzip
> 0150 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74 ,deflate ..Accept
> 0160 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 -Charset : ISO-88
> 0170 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 59-1,utf -8;q=0.7
> 0180 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 ,*;q=0.7 ..Keep-A
> 0190 6C 69 76 65 3A 20 31 31 35 0D 0A 43 6F 6E 6E 65 live: 11 5..Conne
> 01A0 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 ction: k eep-aliv
> 01B0 65 0D 0A 0D 0A e....
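The two loading problems discussed in this thread (a Suricata build that refuses any argument to `fast_pattern`, and a rule that never loads because another rule already uses its sid) can both be caught before Suricata starts. The script below is an added example, not part of the original post and not Suricata's own code: it audits Snort-format rule files, strips the argument from `fast_pattern:only` / `fast_pattern:N,M` so the rule parses, and reports sids shared by more than one rule. The sample input is constructed: the two x11.rules signatures are the ones quoted in the error log above, and local.rules is a made-up file that repeats sid:1 on purpose. The file names and the `.fixed` output suffix are assumptions for illustration.

```python
"""Pre-flight audit of Snort-format rules for a Suricata build that rejects
any value on fast_pattern (the SC_ERR_INVALID_ARGUMENT errors in the thread).

Added example, not part of the mailing-list post and not Suricata code.
Two checks per rule file:
  1. `fast_pattern:<value>` (fast_pattern:only, fast_pattern:3,20) is
     rewritten to a bare `fast_pattern;`. The content is then also verified
     as an ordinary match instead of being used only by the prefilter, so the
     rewritten rule is at least as strict as the original.
  2. One sid used by more than one rule, which stops a rule from loading
     (the "same sid" suggestion in the reply).
"""
import re
from collections import defaultdict

# `fast_pattern:` followed by an argument, up to the option terminator `;`.
# A bare `fast_pattern;` has no colon and is left alone.
FAST_PATTERN_WITH_VALUE = re.compile(r"fast_pattern\s*:\s*[^;]+;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rewrite_fast_pattern(rule: str) -> str:
    """Drop the argument of fast_pattern so the old parser accepts the rule."""
    return FAST_PATTERN_WITH_VALUE.sub("fast_pattern;", rule)


def rule_sid(rule: str):
    """Return the rule's sid as an int, or None if the rule has no sid."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def audit_rules(files):
    """files: {filename: rules text}.

    Returns {"rewritten": {filename: text}, "fixed": [(file, line, sid)],
             "duplicates": {sid: [(file, line), ...]}}.
    """
    sid_locations = defaultdict(list)
    rewritten, fixed = {}, []
    for name, text in files.items():
        out = []
        for lineno, line in enumerate(text.splitlines(), 1):
            body = line.strip()
            if not body or body.startswith("#"):   # blank or commented-out rule
                out.append(line)
                continue
            sid = rule_sid(body)
            if sid is not None:
                sid_locations[sid].append((name, lineno))
            new = rewrite_fast_pattern(line)
            if new != line:
                fixed.append((name, lineno, sid))
            out.append(new)
        rewritten[name] = "\n".join(out) + "\n"
    duplicates = {s: locs for s, locs in sid_locations.items() if len(locs) > 1}
    return {"rewritten": rewritten, "fixed": fixed, "duplicates": duplicates}


# Constructed sample input: the two x11 rules quoted in the error log above,
# plus a made-up local.rules that repeats sid:1 on purpose.
SAMPLE_FILES = {
    "x11.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; '
        'flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; '
        'metadata:service x11; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:6;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; '
        'content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; '
        'metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226; rev:6;)\n'
    ),
    "local.rules": (
        "# constructed: the thread's block rule, with a second rule pasted under the same sid\n"
        'drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)\n'
        'drop tcp any any -> any any (msg:"Google forbidden"; content:"google"; sid:1;)\n'
    ),
}


if __name__ == "__main__":
    report = audit_rules(SAMPLE_FILES)
    for name, lineno, sid in report["fixed"]:
        print(f"{name}:{lineno}: sid {sid}: removed fast_pattern argument")
    for sid, locs in report["duplicates"].items():
        where = ", ".join(f"{n}:{l}" for n, l in locs)
        print(f"duplicate sid {sid} at {where}: renumber all but one")
    for name, text in report["rewritten"].items():
        with open(name + ".fixed", "w") as fh:   # assumed output naming
            fh.write(text)
```

Run it against a copy of the rules directory and point suricata.yaml at the `.fixed` files; rules that still fail to load are failing for some other reason than the two checked here, so the `Error parsing signature` lines in the Suricata log remain the place to look.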