[Oisf-users] some rule-based drops are not working
Aki Heikkinen
aki.heikkinen at kuusisolutions.fi
Tue Jun 22 10:42:32 UTC 2010
Hi,
I have Suricata 0.9.2 installed on Debian Lenny in inline mode, trying
to replace an obsolete snort_inline setup which has served us well for the
last couple of years.
Unfortunately, some drop rules are not working correctly: an alert is
written to the logs but the connection is not dropped.
For example:
# grep 2008986 /etc/suricata/rules/emerging-policy.rules
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via whatismyip.com - Possible
Infection"; flow:established,to_server; content:"GET "; depth:4;
content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
classtype:attempted-recon;
reference:url,doc.emergingthreats.net/2008986;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check;
sid:2008986; rev:2;)
# grep 2008986 /var/log/suricata/fast.log
06/22/10-10:07:47.649993 [**] [1:2008986:2] ET POLICY Internal Host
Retrieving External IP via whatismyip.com - Possible Infection [**]
[Classification: Attempted Information Leak] [Priority: 3] {6}
AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref =>
http://doc.emergingthreats.net/2008986][Xref =>
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check]
But this works like a charm:
drop tcp any any -> any any (msg:"drop google"; content:"google";sid:1;)
What am I missing?
Yours,
Aki Heikkinen
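As an added check (example code, not from the post or from the Suricata project): a small Python matcher for the content/depth/within chain of sid:2008986 as quoted above, so a captured request can be tested against the rule's payload conditions. It tries only the first occurrence of each content, which is a simplification of the real engine.

```python
def decode_content(s: str) -> bytes:
    """Decode a rule content string: |hex| sections become raw bytes and
    backslash escapes (e.g. \\: \\; \\" \\\\) become the escaped character."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            end = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:end])   # fromhex tolerates spaces
            i = end + 1
        elif s[i] == "\\" and i + 1 < len(s):
            out.append(ord(s[i + 1]))
            i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def match_chain(chain, payload: bytes) -> bool:
    """chain: list of (content, modifiers). Supports 'depth' (absolute: the
    match must end within N bytes of the payload start) and 'within'
    (relative: the match must end within N bytes of the previous match end).
    Simplification: only the first occurrence of each content is tried."""
    last_end = 0
    for content, mods in chain:
        pat = decode_content(content)
        if "within" in mods:
            start, window = last_end, payload[last_end:last_end + mods["within"]]
        elif "depth" in mods:
            start, window = 0, payload[:mods["depth"]]
        else:
            start, window = 0, payload
        idx = window.find(pat)
        if idx < 0:
            return False
        last_end = start + idx + len(pat)
    return True


# Payload conditions of sid:2008986 exactly as quoted in the post.
SID_2008986 = [
    ("GET ", {"depth": 4}),
    ("|0d 0a|Host\\: ", {}),
    (".whatismyip.", {"within": 15}),
]

# Constructed sample requests (not captured traffic).
MATCHING = b"GET / HTTP/1.1\r\nHost: www.whatismyip.com\r\n\r\n"
TOO_FAR = b"GET / HTTP/1.1\r\nHost: some-long-label.whatismyip.com\r\n\r\n"
NOT_GET = b"POST / HTTP/1.1\r\nHost: www.whatismyip.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("MATCHING", MATCHING), ("TOO_FAR", TOO_FAR), ("NOT_GET", NOT_GET)]:
        print(name, match_chain(SID_2008986, req))
```

The TOO_FAR case shows the within:15 window: a long leftmost host label pushes ".whatismyip." past the 15 bytes following "Host: ", so the rule never fires for it and no drop can be expected.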