[Oisf-users] Fwd: IPS

Will Metcalf william.metcalf at gmail.com
Mon Jun 14 15:50:08 UTC 2010


We don't have support for this modifier to fast_pattern currently.
Our first production release will target compatibility with the
2.8.5.x rulesets so I guess for now use the 2853 rules tarball instead
of the 2860 rules file.  This doesn't mean that we won't add support
for this before our first production release, just that it isn't
currently tasked.

fast_pattern:only;

Regards,

Will
On Mon, Jun 14, 2010 at 10:44 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> yeessss
> I've discovered the problem, the reference in the suricata.yaml file was wrong
> you're right, that was the http log file,
> because the alert-debug file was empty
>
> so http.log just logs all http traffic !!??
>
> other thing, (I've copied snort rules)
> can we use both rules at the same time? (emerging and snort rules)
>
> I have a lot of messages/errors when I run Suricata !
> like:
>
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System
> Web Server 7.0 WebDAV format string exploit attempt - LOCK method";
> flow:to_server,established; content:"LOCK"; fast_pattern; nocase;
> http_method; content:"encoding";
> pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user;
> sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
> [4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
> DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected";
> flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only;
> metadata:service x11; reference:arachnids,396; classtype:attempted-user;
> sid:1225; rev:6;)" from file /etc/suricata/rules/x11.rules at line 23
> [4389] 14/6/2010 -- 15:59:02 - (detect-fast-pattern.c:72) <Error>
> (DetectFastPatternSetup) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
> DetectFastPatternSetup: fast_pattern shouldn't be supplied with a value
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established;
> content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only;
> metadata:service x11; reference:arachnids,395; classtype:unknown; sid:1226;
> rev:6;)" from file /etc/suricata/rules/x11.rules at line 24
> [4389] 14/6/2010 -- 15:59:02 - (detect.c:341) <Error> (SigLoadSignatures) --
> [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
> /etc/suricata/rules/x11.rules
> [4389] 14/6/2010 -- 15:59:03 - (detect.c:341) <Error> (SigLoadSignatures) --
> [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
> /etc/suricata/rules/emerging-web.rules
>
>
>
> Thanks
>
> 2010/6/14 Will Metcalf <william.metcalf at gmail.com>
>>
>> > before changing the rule (without protocol)
>> > we have this log :
>> >
>> > 06/14/10-13:14:30.774567 www.facebook.com [**] / [**] Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 [**] 192.168.44.135:55433 -> 69.63.189.26:80
>>
>> This looks like the http.log file correct?  This will log all http
>> traffic regardless of the traffic generating an alert.
>>
>> > but I think it's a false positive, or a bug, because I noticed that it's
>> > not an alert of my rule, but it happens even when I go to youtube
>>
>> Hmmm, perhaps youtube content is served off of google servers.  Take a
>> look at the alert-debug.log file to see what is being dropped. I'm
>> guessing you will probably see Host: headers with google in there
>> somewhere ;-).
>>
>> > the second test of the new rule : drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook";sid:1;)
>> > didn't drop :
>>
>> This rule works for me, drops, and prevents me from reaching facebook.
>> Perhaps you have multiple rules loaded with the same sid?  If this is
>> the case try changing the sid on one of the rules to say "2".
>>
>> +================
>> TIME:              06/14/10-14:28:48.290197
>> ALERT CNT:         1
>> ALERT MSG [00]:    Facebook forbidden
>> ALERT GID [00]:    1
>> ALERT SID [00]:    1
>> ALERT REV [00]:    0
>> ALERT CLASS [00]:  (null)
>> ALERT PRIO [00]:   3
>> SRC IP:            192.168.7.241
>> DST IP:            66.220.147.11
>> PROTO:             6
>> SRC PORT:          47152
>> DST PORT:          80
>> TCP SEQ:           2271938637
>> TCP ACK:           1997977476
>> FLOW:              to_server: TRUE, to_client FALSE
>> PACKET LEN:        437
>> PACKET:
>
>
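
A pre-flight check for the two problems raised in this thread (a fast_pattern modifier that carries a value, which this Suricata version rejects with "fast_pattern shouldn't be supplied with a value", and several rules sharing one sid), written as an added example for this page; it is not code from Suricata or from anyone in the thread, and the rule lines it scans are constructed to mirror the quoted ones:

```python
import re
from collections import defaultdict

# Constructed sample rules modelled on the ones quoted in the thread: a
# fast_pattern:only rule, a plain fast_pattern rule, and two rules that
# share sid 1. They are illustrative, not lines from the real rulesets.
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; classtype:attempted-user; sid:1225; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; sid:16427; rev:1;)
drop tcp any any -> any any (msg:"Facebook forbidden"; content:"facebook"; sid:1;)
drop tcp any any -> any any (msg:"Facebook forbidden (duplicate)"; content:"facebook"; sid:1;)
'''

# fast_pattern with a value ("only" or "offset,length"); a bare "fast_pattern;" is fine
FAST_PATTERN_VALUE = re.compile(r'\bfast_pattern\s*:\s*([^;]+);')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def lint_rules(text):
    """Return (fast_pattern_issues, duplicate_sids) for a rules file body.

    fast_pattern_issues: list of (sid, value) for each fast_pattern carrying a value
    duplicate_sids:      sorted list of sids used by more than one rule
    """
    fp_issues = []
    sid_count = defaultdict(int)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else None   # None: rule without a sid
        sid_count[sid] += 1
        for value in FAST_PATTERN_VALUE.findall(line):
            fp_issues.append((sid, value.strip()))
    dupes = sorted(s for s, n in sid_count.items() if s is not None and n > 1)
    return fp_issues, dupes


if __name__ == '__main__':
    issues, dupes = lint_rules(SAMPLE_RULES)
    for sid, value in issues:
        print(f'sid {sid}: fast_pattern:{value} carries a value; drop it or use the 2.8.5.x ruleset')
    for sid in dupes:
        print(f'sid {sid}: used by more than one rule; renumber the duplicates')
```

Run it against the real rules files before loading them so the failures show up as a short report instead of one parse error per rule in the Suricata log.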