[Oisf-users] some rule-based drops are not working

Aki Heikkinen aki.heikkinen at kuusisolutions.fi
Tue Jun 22 10:42:32 UTC 2010


Hi,

I have suricata 0.9.2 installed on debian lenny in inline mode, trying 
to replace the obsolete snort_inline setup which has served us well for the 
last couple of years.

Unfortunately some drop rules are not working correctly: an alert is 
written to the logs but the connection is not dropped.

For example:

# grep 2008986 /etc/suricata/rules/emerging-policy.rules

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
Internal Host Retrieving External IP via whatismyip.com - Possible 
Infection"; flow:established,to_server; content:"GET "; depth:4; 
content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; 
classtype:attempted-recon; 
reference:url,doc.emergingthreats.net/2008986; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; 
sid:2008986; rev:2;)

# grep 2008986 /var/log/suricata/fast.log

06/22/10-10:07:47.649993  [**] [1:2008986:2] ET POLICY Internal Host 
Retrieving External IP via whatismyip.com - Possible Infection [**] 
[Classification: Attempted Information Leak] [Priority: 3] {6} 
AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref => 
http://doc.emergingthreats.net/2008986][Xref => 
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check]

But this works as a charm:

drop tcp any any ->  any any (msg:"drop google"; content:"google";sid:1;)


What am I missing?

Yours,

Aki Heikkinen
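As an added illustration, not part of Aki's message: a small Python script that cross-checks a rules file against fast.log and lists which drop rules produced alerts, so an operator can see at a glance which flows should have been blocked and need confirming. The inputs are the rule and the fast.log line quoted above (re-joined onto single lines, redacted IP kept), plus a constructed alert-only rule with sid 9000001 as a control; it assumes the 0.9.x fast.log layout shown in the post.

```python
import re
from collections import defaultdict

# Inputs: the drop rule and fast.log line quoted in the post (rule re-joined
# onto one line, redacted source IP kept), plus one constructed alert-only
# rule and matching log line (sid 9000001) to show the filter ignores them.
RULES = r'''drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008986; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008986; rev:2;)
drop tcp any any -> any any (msg:"drop google"; content:"google"; sid:1;)
alert tcp any any -> any any (msg:"constructed alert-only rule"; content:"example"; sid:9000001;)
'''
FAST_LOG = '''06/22/10-10:07:47.649993  [**] [1:2008986:2] ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection [**] [Classification: Attempted Information Leak] [Priority: 3] {6} AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref => http://doc.emergingthreats.net/2008986]
06/22/10-10:08:01.000000  [**] [1:9000001:1] constructed alert-only rule [**] [Classification: (null)] [Priority: 3] {6} AA.BB.CC.DD:57610 -> 192.0.2.10:80
'''

# Rule header: action, protocol, then everything up to the options parenthesis.
RULE_RE = re.compile(r'^\s*(?P<action>alert|drop|pass|reject)\s+\S+\s+.*?\(\s*(?P<opts>.*)\)\s*$')
# fast.log: [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(r'\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{\d+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)')

def parse_rules(text):
    """Map sid -> (action, msg) for every rule line (comments skipped)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if line.lstrip().startswith('#') or not m:
            continue
        sid = re.search(r'\bsid:\s*(\d+)\s*;', m.group('opts'))
        msg = re.search(r'msg:\s*"([^"]*)"', m.group('opts'))
        if sid:
            rules[int(sid.group(1))] = (m.group('action'), msg.group(1) if msg else '')
    return rules

def parse_fast_log(text):
    """Yield (sid, src, dst) for each fast.log alert line."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield int(m.group('sid')), m.group('src'), m.group('dst')

def drop_rules_that_fired(rules_text, log_text):
    """Return {sid: hit_count} for drop rules present in fast.log. fast.log only
    records that a signature matched, not the verdict, so each entry is a flow
    whose blocking should be confirmed separately (e.g. from the client side)."""
    rules = parse_rules(rules_text)
    hits = defaultdict(int)
    for sid, _src, _dst in parse_fast_log(log_text):
        if rules.get(sid, ('', ''))[0] == 'drop':
            hits[sid] += 1
    return dict(hits)
```

Running `drop_rules_that_fired(RULES, FAST_LOG)` on these inputs reports sid 2008986 once and ignores the alert-only control.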
