[Oisf-users] Fwd: IPS
Will Metcalf
william.metcalf at gmail.com
Mon Jun 14 14:47:52 UTC 2010
> before changing the rule (without protocol)
> we have this log :
>
> 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U;
> Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid)
> Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
This looks like the http.log file correct? This will log all http
traffic regardless of the traffic generating an alert.
> but I think it's a false positive, or a bug, because I noticed that it's not
> an alert from my rule, but it happens even when I go to youtube
Hmmm, perhaps youtube content is served off of google servers. Take a
look at the alert-debug.log file to look at what is being dropped. I'm
guessing you will probably see Host: headers with google in there
somewhere ;-).
> the second test of the new rule : drop tcp any any -> any any (msg:"Facebook
> forbidden"; content:"facebook";sid:1;)
> didn't drop :
This rule works for me, drops, and prevents me from reaching facebook.
Perhaps you have multiple rules loaded with the same sid? If this is
the case try changing the sid on one of the rules to say "2".
+================
TIME: 06/14/10-14:28:48.290197
ALERT CNT: 1
ALERT MSG [00]: Facebook forbidden
ALERT GID [00]: 1
ALERT SID [00]: 1
ALERT REV [00]: 0
ALERT CLASS [00]: (null)
ALERT PRIO [00]: 3
SRC IP: 192.168.7.241
DST IP: 66.220.147.11
PROTO: 6
SRC PORT: 47152
DST PORT: 80
TCP SEQ: 2271938637
TCP ACK: 1997977476
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 437
PACKET:
0000 45 00 01 B5 98 52 40 00 40 06 02 70 C0 A8 07 F1 E....R@. @..p....
0010 42 DC 93 0B B8 30 00 50 87 6B 08 4D 77 16 B7 84 B....0.P .k.Mw...
0020 80 18 00 2E 8E 99 00 00 01 01 08 0A 00 01 93 B3 ........ ........
0030 36 DD 42 B4 47 45 54 20 2F 20 48 54 54 50 2F 31 6.B.GET / HTTP/1
0040 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 66 61 .1..Host : www.fa
0050 63 65 62 6F 6F 6B 2E 63 6F 6D 0D 0A 55 73 65 72 cebook.c om..User
0060 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
0070 35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E 5.0 (X11 ; U; Lin
0080 75 78 20 78 38 36 5F 36 34 3B 20 65 6E 2D 55 53 ux x86_6 4; en-US
0090 3B 20 72 76 3A 31 2E 39 2E 32 2E 33 29 20 47 65 ; rv:1.9 .2.3) Ge
00A0 63 6B 6F 2F 32 30 31 30 30 34 32 33 20 55 62 75 cko/2010 0423 Ubu
00B0 6E 74 75 2F 31 30 2E 30 34 20 28 6C 75 63 69 64 ntu/10.0 4 (lucid
00C0 29 20 46 69 72 65 66 6F 78 2F 33 2E 36 2E 33 0D ) Firefo x/3.6.3.
00D0 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 .Accept: text/ht
00E0 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 ml,appli cation/x
00F0 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 html+xml ,applica
0100 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 2A tion/xml ;q=0.9,*
0110 2F 2A 3B 71 3D 30 2E 38 0D 0A 41 63 63 65 70 74 /*;q=0.8 ..Accept
0120 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 -Languag e: en-us
0130 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 ,en;q=0. 5..Accep
0140 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 t-Encodi ng: gzip
0150 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74 ,deflate ..Accept
0160 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 -Charset : ISO-88
0170 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 59-1,utf -8;q=0.7
0180 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 ,*;q=0.7 ..Keep-A
0190 6C 69 76 65 3A 20 31 31 35 0D 0A 43 6F 6E 6E 65 live: 11 5..Conne
01A0 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 ction: k eep-aliv
01B0 65 0D 0A 0D 0A e....
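A quick check for the duplicate-sid situation suspected above: an added Python helper (not from this thread and not Suricata's own code) that scans a rule file for sids loaded more than once, run here against a constructed rule set that reproduces two active rules sharing sid:1.

```python
import re
from collections import defaultdict

# Constructed rule set (not from the thread): two loaded rules share sid:1,
# a third copy is commented out and therefore never loaded.
SAMPLE_RULES = """\
# comment line, ignored by the rule loader
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)
#drop tcp any any -> any any (msg:"disabled copy"; content:"facebook"; sid:1;)
drop tcp any any -> any 80 (msg:"Facebook forbidden (http)"; content:"facebook"; sid:1;)
alert tcp any any -> any any (msg:"Something else"; content:"youtube"; sid:2; rev:1;)
"""

# Keyword must start the option (after ';' or whitespace) so "xsid:" never matches.
SID_RE = re.compile(r'(?:^|[;\s])sid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'(?:^|[;\s])gid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')   # allows \" inside msg

def parse_rules(text):
    """Return (gid, sid, msg, lineno) for every active rule line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue                      # blank or commented-out: not loaded
        start, end = line.find('('), line.rfind(')')
        if start == -1 or end == -1 or end < start:
            continue                      # no option block, not a rule
        opts = line[start + 1:end]
        sid = SID_RE.search(opts)
        if not sid:
            continue
        gid = GID_RE.search(opts)
        msg = MSG_RE.search(opts)
        rules.append((int(gid.group(1)) if gid else 1,   # gid defaults to 1
                      int(sid.group(1)),
                      msg.group(1) if msg else '',
                      lineno))
    return rules

def find_duplicate_sids(text):
    """Map (gid, sid) -> [(lineno, msg), ...] for every sid loaded more than once."""
    seen = defaultdict(list)
    for gid, sid, msg, lineno in parse_rules(text):
        seen[(gid, sid)].append((lineno, msg))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

if __name__ == '__main__':
    for (gid, sid), hits in find_duplicate_sids(SAMPLE_RULES).items():
        print(f"gid:{gid} sid:{sid} is defined {len(hits)} times:")
        for lineno, msg in hits:
            print(f"  line {lineno}: {msg}")
```

Point it at the concatenation of every rule file listed in suricata.yaml, since the collision can be between files as easily as within one.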