[Oisf-users] Fwd: IPS

Will Metcalf william.metcalf at gmail.com
Mon Jun 14 14:47:52 UTC 2010


> Before changing the rule (without a protocol)
> we had this log:
>
> 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U;
> Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid)
> Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80

This looks like the http.log file, correct?  This will log all HTTP
traffic regardless of whether the traffic generates an alert.

> But I think it's a false positive, or a bug, because I noticed that it's not
> an alert from my rule, and it happens even when I go to YouTube.

Hmmm. Perhaps YouTube content is served off of Google servers.  Take a
look at the alert-debug.log file to see what is being dropped. I'm
guessing you will probably see Host: headers with google in there
somewhere ;-).

> the second test of the new rule : drop tcp any any -> any any (msg:"Facebook
> forbidden"; content:"facebook";sid:1;)
> didn't drop :

This rule works for me: it drops, and prevents me from reaching Facebook.
Perhaps you have multiple rules loaded with the same sid?  If this is
the case, try changing the sid on one of the rules to, say, "2".

+================
TIME:              06/14/10-14:28:48.290197
ALERT CNT:         1
ALERT MSG [00]:    Facebook forbidden
ALERT GID [00]:    1
ALERT SID [00]:    1
ALERT REV [00]:    0
ALERT CLASS [00]:  (null)
ALERT PRIO [00]:   3
SRC IP:            192.168.7.241
DST IP:            66.220.147.11
PROTO:             6
SRC PORT:          47152
DST PORT:          80
TCP SEQ:           2271938637
TCP ACK:           1997977476
FLOW:              to_server: TRUE, to_client FALSE
PACKET LEN:        437
PACKET:
 0000  45 00 01 B5 98 52 40 00  40 06 02 70 C0 A8 07 F1   E....R@. @..p....
 0010  42 DC 93 0B B8 30 00 50  87 6B 08 4D 77 16 B7 84   B....0.P .k.Mw...
 0020  80 18 00 2E 8E 99 00 00  01 01 08 0A 00 01 93 B3   ........ ........
 0030  36 DD 42 B4 47 45 54 20  2F 20 48 54 54 50 2F 31   6.B.GET  / HTTP/1
 0040  2E 31 0D 0A 48 6F 73 74  3A 20 77 77 77 2E 66 61   .1..Host : www.fa
 0050  63 65 62 6F 6F 6B 2E 63  6F 6D 0D 0A 55 73 65 72   cebook.c om..User
 0060  2D 41 67 65 6E 74 3A 20  4D 6F 7A 69 6C 6C 61 2F   -Agent:  Mozilla/
 0070  35 2E 30 20 28 58 31 31  3B 20 55 3B 20 4C 69 6E   5.0 (X11 ; U; Lin
 0080  75 78 20 78 38 36 5F 36  34 3B 20 65 6E 2D 55 53   ux x86_6 4; en-US
 0090  3B 20 72 76 3A 31 2E 39  2E 32 2E 33 29 20 47 65   ; rv:1.9 .2.3) Ge
 00A0  63 6B 6F 2F 32 30 31 30  30 34 32 33 20 55 62 75   cko/2010 0423 Ubu
 00B0  6E 74 75 2F 31 30 2E 30  34 20 28 6C 75 63 69 64   ntu/10.0 4 (lucid
 00C0  29 20 46 69 72 65 66 6F  78 2F 33 2E 36 2E 33 0D   ) Firefo x/3.6.3.
 00D0  0A 41 63 63 65 70 74 3A  20 74 65 78 74 2F 68 74   .Accept:  text/ht
 00E0  6D 6C 2C 61 70 70 6C 69  63 61 74 69 6F 6E 2F 78   ml,appli cation/x
 00F0  68 74 6D 6C 2B 78 6D 6C  2C 61 70 70 6C 69 63 61   html+xml ,applica
 0100  74 69 6F 6E 2F 78 6D 6C  3B 71 3D 30 2E 39 2C 2A   tion/xml ;q=0.9,*
 0110  2F 2A 3B 71 3D 30 2E 38  0D 0A 41 63 63 65 70 74   /*;q=0.8 ..Accept
 0120  2D 4C 61 6E 67 75 61 67  65 3A 20 65 6E 2D 75 73   -Languag e: en-us
 0130  2C 65 6E 3B 71 3D 30 2E  35 0D 0A 41 63 63 65 70   ,en;q=0. 5..Accep
 0140  74 2D 45 6E 63 6F 64 69  6E 67 3A 20 67 7A 69 70   t-Encodi ng: gzip
 0150  2C 64 65 66 6C 61 74 65  0D 0A 41 63 63 65 70 74   ,deflate ..Accept
 0160  2D 43 68 61 72 73 65 74  3A 20 49 53 4F 2D 38 38   -Charset : ISO-88
 0170  35 39 2D 31 2C 75 74 66  2D 38 3B 71 3D 30 2E 37   59-1,utf -8;q=0.7
 0180  2C 2A 3B 71 3D 30 2E 37  0D 0A 4B 65 65 70 2D 41   ,*;q=0.7 ..Keep-A
 0190  6C 69 76 65 3A 20 31 31  35 0D 0A 43 6F 6E 6E 65   live: 11 5..Conne
 01A0  63 74 69 6F 6E 3A 20 6B  65 65 70 2D 61 6C 69 76   ction: k eep-aliv
 01B0  65 0D 0A 0D 0A                                     e....
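As an added example (not from this thread and not Suricata's own code): a small Python script that reads a PACKET dump in the alert-debug.log layout shown above back into bytes, walks the IP and TCP headers to the HTTP payload, pulls out the Host header, shows where a bare content:"facebook" would match, and checks a rules file for the duplicate-sid situation Will asks about. Everything it feeds itself is constructed for the example: the addresses, ports, seq/ack numbers and TCP options copy the values in the entry above, but the HTTP request is made up (Host is youtube.com, with a Referer header that mentions facebook.com), and the three-line rules file is made up as well.

```python
import re
import struct
from typing import Dict, List

# Constructed sample request (not from the thread): the Host is youtube.com,
# but a Referer header mentions facebook.com.
SAMPLE_REQUEST = (
    b"GET /watch HTTP/1.1\r\n"
    b"Host: www.youtube.com\r\n"
    b"Referer: http://www.facebook.com/\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

# Constructed rules file: the thread's drop rule plus a second rule that
# reuses sid 1, which is the problem Will suggests checking for.
SAMPLE_RULES = """\
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)
alert tcp any any -> any any (msg:"Some other rule"; content:"example"; sid:1;)
alert tcp any any -> any any (msg:"Unique"; content:"unique"; sid:2;)
"""

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet: 20-byte IP header, 32-byte TCP header
    (data offset 8: NOP, NOP, timestamp options, as in the dump above).
    Checksums are left at zero; nothing here verifies them."""
    tcp_opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 0x000193B3, 0x36DD42B4)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 2271938637, 1997977476,
                          8 << 4, 0x18, 46, 0, 0) + tcp_opts
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0x9852, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload

def hex_dump(pkt: bytes) -> str:
    """Format bytes the way alert-debug.log prints PACKET: 4-digit offset,
    16 hex bytes with a gap after the 8th, then a printable-ASCII column."""
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        hexes = [f"{b:02X}" for b in chunk]
        field = " ".join(hexes[:8]) + "  " + " ".join(hexes[8:])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f" {off:04X}  {field:<48}   {text[:8]} {text[8:]}")
    return "\n".join(lines)

def parse_hex_dump(text: str) -> bytes:
    """Inverse of hex_dump. Only the fixed-width hex field (columns 6..54 after
    stripping the leading space) is read, so ASCII-column characters that
    happen to look like hex pairs are never taken as data."""
    out = bytearray()
    for line in text.splitlines():
        line = line.lstrip()
        if re.match(r"[0-9A-Fa-f]{4}\s", line):
            out += bytes.fromhex("".join(re.findall(r"[0-9A-Fa-f]{2}", line[6:54])))
    return bytes(out)

def tcp_payload(pkt: bytes) -> bytes:
    """Walk the IPv4 header (IHL) and TCP header (data offset) to the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                      # PROTO 6 is TCP, as the log entry reports
        raise ValueError("not a TCP packet")
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:total_len]

def http_request(payload: bytes) -> Dict[str, object]:
    """Split a request payload into its request line and a lower-cased header map."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}

def content_matches(payload: bytes, content: bytes) -> List[int]:
    """Offsets where a bare content:"..." (no nocase, no buffer keyword)
    would match: a case-sensitive search over the whole payload."""
    return [m.start() for m in re.finditer(re.escape(content), payload)]

def duplicate_sids(rules_text: str) -> Dict[str, List[str]]:
    """Map each sid that appears on more than one rule to those rules."""
    by_sid: Dict[str, List[str]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        if m:
            by_sid.setdefault(m.group(1), []).append(line)
    return {sid: rules for sid, rules in by_sid.items() if len(rules) > 1}

def demo() -> Dict[str, object]:
    pkt = build_packet("192.168.7.241", "66.220.147.11", 47152, 80, SAMPLE_REQUEST)
    pkt = parse_hex_dump(hex_dump(pkt))  # round trip through the log's PACKET layout
    payload = tcp_payload(pkt)
    req = http_request(payload)
    return {"host": req["headers"]["host"],
            "hits": content_matches(payload, b"facebook"),
            "dup_sids": duplicate_sids(SAMPLE_RULES)}
```

Running demo() reports Host www.youtube.com, one content:"facebook" hit inside the Referer header, and sid 1 used by two rules. The hit is the caveat worth keeping in mind with the rule from the thread: a bare content match without nocase is case-sensitive, and without a buffer keyword it is tried against the whole packet payload, so a request for a different host that merely mentions facebook in another header (Referer, a cookie, a form body) is dropped as well. If that is not what you want, restrict the match to the HTTP header buffer where your version supports it, or anchor it on the Host: header text.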

