[Oisf-users] some rule-based drops are not working

Will Metcalf william.metcalf at gmail.com
Tue Jun 22 18:46:33 UTC 2010


hehe ok so I think I know what's going on here ;-)...

The sig only allows for

Host: whatismyip.com\r\n

and not

Host: www.whatismyip.com\r\n

So at least for me the favicon.ico requests were going to Host:
whatismyip.com causing me to have alerts and drops fire but not
actually stop the page from loading.  The sig needs to be updated I
guess ;-) to have the within:16; at least be within:20; to account for
the www. if that is indeed the intent of the sig.  Matt?

Regards,

Will
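As an added illustration (my own code, not Suricata's matcher and not from the thread), here is a small evaluator for the content/depth/within chain of the quoted rule, assuming the documented meaning of within:N: the whole content must sit inside the N bytes that follow the end of the previous match. It reports whether each constructed Host value matches and the smallest within value the www. form needs.

```python
from typing import Optional

# Content chain of the quoted ET rule (sid 2008986 as pasted in the thread).
RULE_CHAIN = [
    {"content": b"GET ", "depth": 4},            # absolute: first 4 bytes only
    {"content": b"\r\nHost: "},                  # absolute: anywhere in payload
    {"content": b".whatismyip.", "within": 15},  # relative to the end of "Host: "
]


def match_chain(payload: bytes, chain=RULE_CHAIN) -> bool:
    """Return True when every content in the chain matches, in order."""
    prev_end = 0
    for opt in chain:
        pat = opt["content"]
        if "within" in opt:
            # within:N -> the whole content must end no later than prev_end + N
            start, end = prev_end, prev_end + opt["within"]
        elif "depth" in opt:
            start, end = 0, opt["depth"]
        else:
            start, end = 0, len(payload)
        # bytes.find(sub, start, end) only matches if sub fits entirely in [start, end)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True


def within_needed(host: bytes, pat: bytes = b".whatismyip.") -> Optional[int]:
    """Smallest within:N that lets pat match right after 'Host: ' for this host."""
    idx = host.find(pat)
    return None if idx < 0 else idx + len(pat)


def build_request(host: bytes, path: bytes = b"/") -> bytes:
    """Constructed sample request (not captured traffic)."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


if __name__ == "__main__":
    for host in (b"whatismyip.com", b"www.whatismyip.com", b"example.com"):
        req = build_request(host, b"/favicon.ico")
        print(host.decode(), "matches:", match_chain(req),
              "within needed:", within_needed(host))
```

Under this model the quoted within:15 sits exactly at the boundary for www.whatismyip.com, so a looser value such as the within:20 proposed above leaves room rather than depending on how a particular engine version counts the window.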
On Tue, Jun 22, 2010 at 5:42 AM, Aki Heikkinen
<aki.heikkinen at kuusisolutions.fi> wrote:
> Hi,
>
> I have suricata 0.9.2 installed on debian lenny in inline mode, trying
> to replace an obsolete snort_inline setup which has served us well for the
> last couple of years.
>
> Unfortunately some drop rules are not working correctly: an alert is
> produced in the logs but the connection is not dropped.
>
> For example:
>
> # grep 2008986 /etc/suricata/rules/emerging-policy.rules
>
> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via whatismyip.com - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
> classtype:attempted-recon;
> reference:url,doc.emergingthreats.net/2008986;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check;
> sid:2008986; rev:2;)
>
> # grep 2008986 /var/log/suricata/fast.log
>
> 06/22/10-10:07:47.649993  [**] [1:2008986:2] ET POLICY Internal Host
> Retrieving External IP via whatismyip.com - Possible Infection [**]
> [Classification: Attempted Information Leak] [Priority: 3] {6}
> AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref =>
> http://doc.emergingthreats.net/2008986][Xref =>
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check]
>
> But this works as a charm:
>
> drop tcp any any ->  any any (msg:"drop google"; content:"google";sid:1;)
>
>
> What am I missing?
>
> Yours,
>
> Aki Heikkinen
>
