[Oisf-users] Fwd: IPS

Anas.B a.bouhsaina at gmail.com
Mon Jun 14 13:43:07 UTC 2010


No, with suricata running, it's fine

I don't know what to say or to do to thank you :)

I don't know if I can ask you again during my installation and research
about Suricata.

Thank you.

Before changing the rule (without protocol) we have this log:

06/14/10-13:14:30.774567 *www.facebook.com* [**] / [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
06/14/10-13:14:31.258973 static.ak.fbcdn.net [**] /rsrc.php/zCPKQ/hash/9fysy1oy.css [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40405 -> 195.27.154.34:80
06/14/10-13:14:31.274580 static.ak.fbcdn.net [**] /rsrc.php/z12E0/hash/8q2anwu7.gif [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40406 -> 195.27.154.34:80
06/14/10-13:14:31.529557 static.ak.fbcdn.net [**] /rsrc.php/z6XUT/hash/bqmhyox3.jpg [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40406 -> 195.27.154.34:80
06/14/10-13:14:31.536275 static.ak.fbcdn.net [**] /rsrc.php/zEX21/hash/75j4m1ms.png [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40405 -> 195.27.154.34:80
06/14/10-13:14:31.637614 static.ak.fbcdn.net [**] /rsrc.php/z8OGI/hash/41j5eq4v.png [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40408 -> 195.27.154.34:80
06/14/10-13:14:31.643865 static.ak.fbcdn.net [**] /rsrc.php/z9P6V/hash/1icttijq.jpg [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40407 -> 195.27.154.34:80
06/14/10-13:14:31.684912 static.ak.fbcdn.net [**] /rsrc.php/z9Q0Q/hash/8yhim1ep.ico [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40409 -> 195.27.154.34:80
06/14/10-13:14:32.385586 static.ak.fbcdn.net [**] /rsrc.php/z31SK/p/hash/clmpf3e7.js [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40406 -> 195.27.154.34:80
06/14/10-13:14:32.392440 static.ak.fbcdn.net [**] /rsrc.php/zBBP5/p/hash/6g517tdl.js [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40405 -> 195.27.154.34:80

But I think it's a false positive, or a bug, because I noticed that it's not
an alert of my rule, but it happens even when I go to YouTube.

The second test of the new rule: *drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook";sid:1;)*
didn't drop:

[3747] 14/6/2010 -- 14:37:53 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 179, *dropped 0*
[3749] 14/6/2010 -- 14:37:53 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[3749] 14/6/2010 -- 14:37:53 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 0 alerts
[3749] 14/6/2010 -- 14:37:53 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 0 alerts
[3749] 14/6/2010 -- 14:37:53 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[3749] 14/6/2010 -- 14:37:53 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 5
[3749] 14/6/2010 -- 14:37:53 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 0
[3750] 14/6/2010 -- 14:37:53 - (flow.c:767) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[3737] 14/6/2010 -- 14:37:53 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
[3737] 14/6/2010 -- 14:37:53 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15022024 (in use 0)
[3737] 14/6/2010 -- 14:37:53 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
[3737] 14/6/2010 -- 14:37:53 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done

Even if I've changed "drop" to "alert" I didn't get my alert (*facebook is
forbidden*).

(I restart suricata each time).


Regards.

2010/6/14 Pablo <pablo.rincon.crespo at gmail.com>

> If you set up the rules to filter with Suricata, then Suricata needs to be
> running, otherwise all the traffic is dropped, since no program sets a
> verdict to allow or deny each packet. Is this happening with Suricata
> running?
>
> On 14/06/2010 14:45, "Anas.B" <a.bouhsaina at gmail.com> wrote:
>
> Thank you,
>
> I have a problem:
> now, when I flush iptables the ping between both machines is successful,
> but when I configure the INPUT/OUTPUT -j NFQUEUE, I lose the connection, no
> ping even to localhost.
>
> Do you know why? Help me, and sorry.
>
>
> 2010/6/14 Pablo <pablo.rincon.crespo at gmail.com>
>
> > On my last mail I wrote the rule of the example without a protocol (my
> > apologies, I forgot it)...
>
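Added example for this thread (not Suricata's code and not either poster's): a small Python parser for http.log records in the `[**]`-separated layout pasted above, plus a host-keyword filter that reports which of those requests a filter on the word "facebook" would have matched. The sample records are constructed by re-joining three of the wrapped lines from the mail onto one line each; the field layout `<timestamp> <host> [**] <uri> [**] <user-agent> [**] <src>:<port> -> <dst>:<port>` is the only assumption, taken from the records as shown.

```python
"""Parse Suricata http.log records ('[**]'-separated, as pasted in the thread) and
check which requests a hostname keyword filter would have matched.

Added example for this thread; not Suricata's code and not the poster's. It only
assumes the record layout visible in the mail:
    <timestamp> <host> [**] <uri> [**] <user-agent> [**] <src>:<port> -> <dst>:<port>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three of the records from the mail, re-joined onto one line
# each (the mail client wrapped them; http.log writes one record per line), plus
# one junk line to show that malformed input is skipped rather than crashing.
SAMPLE_HTTP_LOG = """\
06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
06/14/10-13:14:31.258973 static.ak.fbcdn.net [**] /rsrc.php/zCPKQ/hash/9fysy1oy.css [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40405 -> 195.27.154.34:80
06/14/10-13:14:32.392440 static.ak.fbcdn.net [**] /rsrc.php/zBBP5/p/hash/6g517tdl.js [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:40405 -> 195.27.154.34:80
this line is not an http.log record
"""

SEPARATOR = " [**] "
_FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


@dataclass(frozen=True)
class HttpRecord:
    timestamp: str
    host: str
    uri: str
    user_agent: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_http_log_line(line: str) -> Optional[HttpRecord]:
    """Return the record for one line, or None if it is not in the expected layout."""
    parts = line.strip().split(SEPARATOR)
    if len(parts) != 4:
        return None
    # Field 0 is "<timestamp> <host>"; the timestamp itself contains no spaces.
    timestamp, _, host = parts[0].partition(" ")
    if not host:
        return None
    flow = _FLOW_RE.match(parts[3])
    if flow is None:
        return None
    src_ip, src_port, dst_ip, dst_port = flow.groups()
    return HttpRecord(timestamp, host, parts[1], parts[2],
                      src_ip, int(src_port), dst_ip, int(dst_port))


def parse_http_log(text: str) -> List[HttpRecord]:
    """Parse every well-formed record, skipping lines that do not fit the layout."""
    records = []
    for line in text.splitlines():
        record = parse_http_log_line(line)
        if record is not None:
            records.append(record)
    return records


def requests_matching_host(records: List[HttpRecord], keyword: str) -> List[HttpRecord]:
    """Requests whose Host value contains the keyword (case-insensitive substring)."""
    needle = keyword.lower()
    return [r for r in records if needle in r.host.lower()]


def count_by_host(records: List[HttpRecord]) -> Dict[str, int]:
    """Requests per Host value; shows the extra hosts a single page load pulls in."""
    return dict(Counter(r.host for r in records))


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    print(f"parsed {len(recs)} records")
    for host, n in count_by_host(recs).items():
        print(f"{n:3d}  {host}")
    hits = requests_matching_host(recs, "facebook")
    print("host filter 'facebook' would match:", [r.host + r.uri for r in hits])
```

Run against the sample, the keyword filter matches only the `www.facebook.com` front-page request; the `static.ak.fbcdn.net` records, which carry the page's CSS, images and scripts, contain no "facebook" string in their Host value. That is the practical caveat when judging a keyword-based filter from http.log: requests to the site's CDN hosts still appear in the log even when the keyword itself is matched correctly.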
