[Oisf-users] Fwd: IPS
Will Metcalf
william.metcalf at gmail.com
Mon Jun 14 15:50:08 UTC 2010
We don't have support for this modifier to fast_pattern currently.
Our first production release will target compatibility with the
2.8.5.x rulesets so I guess for now use the 2853 rules tarball instead
of the 2860 rules file. This doesn't mean that we won't add support
for this before our first production release, just that it isn't
currently tasked.
fast_pattern:only;
Regards,
Will
On Mon, Jun 14, 2010 at 10:44 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> yeessss
> I've discovered the problem, reference in suricata.yaml file was wrong
> you're right that was http log file,
> because alert-debug file was empty
>
> so http.log just log all http traffic !!??
>
> other thing, (I've copied snort rules)
> can we use both rules at the same time? (emerging and snort rules)
>
> I have a lot of messages/errors when I run Suricata !
> like :
>
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System
> Web Server 7.0 WebDAV format string exploit attempt - LOCK method";
> flow:to_server,established; content:"LOCK"; fast_pattern; nocase;
> http_method; content:"encoding";
> pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user;
> sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
> [4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
> DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected";
> flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only;
> metadata:service x11; reference:arachnids,396; classtype:attempted-user;
> sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23
> [4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
> DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established;
> content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only;
> metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226;
> rev:6;)" from file /etc/suricata/rules/x11.rules at line 24
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:341) <Error> (SigLoadSignatures) --
> [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
> /etc/suricata/rules/x11.rules
> [4389] 14/6/2010 -- 15:59:03 - (detect.c:341) <Error> (SigLoadSignatures) --
> [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
> /etc/suricata/rules/emerging-web.rules
>
>
>
> Thanks
>
> 2010/6/14 Will Metcalf <william.metcalf at gmail.com>
>>
>> > before changing the rule (without protocol)
>> > we have this log :
>> >
>> > 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11;
>> > U;
>> > Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid)
>> > Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
>>
>> This looks like the http.log file correct? This will log all http
>> traffic regardless of the traffic generating an alert.
>>
>> > but I think it's a false positive, or bug, because I noticed that it's
>> > not
>> > alert of my rule, but it happens even when i enter to youtube
>>
>> Hmmm Perhaps youtube content is served off of google servers. Take a
>> look at the alert-debug.log file to look at what is being dropped. I'm
>> guessing you will probably see Host: headers with google in there
>> somewhere ;-).
>>
>> > the second test of the new rule : drop tcp any any -> any any
>> > (msg:"Facebook
>> > forbidden"; content:"facebook";sid:1;)
>> > didn't drop :
>>
>> This rule works for me, drops, and prevents me from reaching facebook.
>> Perhaps you have multiple rules loaded with the same sid? If this is
>> the case try changing the sid on one of the rules to say "2".
>>
>> +================
>> TIME: 06/14/10-14:28:48.290197
>> ALERT CNT: 1
>> ALERT MSG [00]: Facebook forbidden
>> ALERT GID [00]: 1
>> ALERT SID [00]: 1
>> ALERT REV [00]: 0
>> ALERT CLASS [00]: (null)
>> ALERT PRIO [00]: 3
>> SRC IP: 192.168.7.241
>> DST IP: 66.220.147.11
>> PROTO: 6
>> SRC PORT: 47152
>> DST PORT: 80
>> TCP SEQ: 2271938637
>> TCP ACK: 1997977476
>> FLOW: to_server: TRUE, to_client FALSE
>> PACKET LEN: 437
>>
>>
>
>
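
A pre-load check for the two rule problems raised in this thread, added here as an example (it is not code from the original messages or from Suricata): it lists rules that give `fast_pattern` a value, which the build discussed above rejects, and sids defined more than once. The function names `split_options` and `audit` are hypothetical, and the sample file is constructed from two rules quoted in the thread plus one made-up duplicate.

```python
from collections import defaultdict

# Constructed sample file: lines 2 and 3 are rules quoted in the thread,
# line 4 is a made-up rule that reuses sid 1.
SAMPLE_RULES = r'''# local test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:6;)
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook";sid:1;)
drop tcp any any -> any any (msg:"Constructed\; fast_pattern:only\; in msg"; content:"example"; fast_pattern; sid:1;)
'''

def split_options(rule):
    """Split a rule's option block on unquoted, unescaped ';' into (key, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False          # this character was escaped by a backslash
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur))        # tolerate a missing final ';'
    pairs = []
    for opt in filter(str.strip, opts):
        key, sep, val = opt.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

def audit(text):
    """Return (valued_fast_pattern, duplicate_sids) for a rules file's text."""
    valued, seen = [], defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        opts = split_options(line)
        sid = next((v for k, v in opts if k == "sid"), None)
        seen[sid].append(lineno)
        valued += [(lineno, sid, v) for k, v in opts if k == "fast_pattern" and v]
    dupes = {sid: lines for sid, lines in seen.items() if len(lines) > 1}
    return valued, dupes

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```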