[Oisf-users] some rule-based drops are not working

Will Metcalf william.metcalf at gmail.com
Wed Jun 23 01:43:02 UTC 2010


hehe ok I'm trying to do too many things at once today.  Wrong sig, I
was testing with the OTHER whatismyip sig ;-)... Thanks for pointing
out my mess-up Frank.  I will test with 2008986 and let you know what
I find...

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET BOTNET IP
Discovery via whatismyip.com"; flow:to_server,established;
content:"GET "; depth:4; content:"Host\: "; within:100;
content:"whatismyip.com|0d 0a|"; nocase; within:16;
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2003051;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/BOT_IP_Discovery;
sid:2003051; rev:7;)

Regards,

Will
On Tue, Jun 22, 2010 at 1:46 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> hehe ok so I think I know what's going on here ;-)...
>
> The sig only allows for
>
> Host: whatismyip.com\r\n
>
> and not
>
> Host: www.whatismyip.com\r\n
>
> So at least for me the favicon.ico requests were going to Host:
> whatismyip.com causing me to have alerts and drops fire but not
> actually stop the page from loading.  The sig needs to be updated I
> guess ;-) to have the within:16; at least be within:20; to account for
> the www. if that is indeed the intent of the sig.  Matt?
>
> Regards,
>
> Will
> On Tue, Jun 22, 2010 at 5:42 AM, Aki Heikkinen
> <aki.heikkinen at kuusisolutions.fi> wrote:
>> Hi,
>>
>> I have suricata 0.9.2 installed on debian lenny in inline mode, trying
>> to replace obsolete snort_inline setup which has served us well for last
>> couple of years.
>>
>> Unfortunately some drop rules are not working correctly, alert is
>> produced to logs but connection is not dropped.
>>
>> For example:
>>
>> # grep 2008986 /etc/suricata/rules/emerging-policy.rules
>>
>> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>> Internal Host Retrieving External IP via whatismyip.com - Possible
>> Infection"; flow:established,to_server; content:"GET "; depth:4;
>> content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
>> classtype:attempted-recon;
>> reference:url,doc.emergingthreats.net/2008986;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check;
>> sid:2008986; rev:2;)
>>
>> # grep 2008986 /var/log/suricata/fast.log
>>
>> 06/22/10-10:07:47.649993  [**] [1:2008986:2] ET POLICY Internal Host
>> Retrieving External IP via whatismyip.com - Possible Infection [**]
>> [Classification: Attempted Information Leak] [Priority: 3] {6}
>> AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref =>
>> http://doc.emergingthreats.net/2008986][Xref =>
>> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check]
>>
>> But this works as a charm:
>>
>> drop tcp any any ->  any any (msg:"drop google"; content:"google";sid:1;)
>>
>>
>> What am I missing?
>>
>> Yours,
>>
>> Aki Heikkinen
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
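To make the `within` discussion above concrete, here is an added example (not Suricata code and not part of the thread): a deliberately simplified model of how the `depth`, `within` and `nocase` content modifiers constrain where each pattern may match, run over the two rules quoted in the thread. Real engines also apply protocol parsing, fast-pattern selection and other modifiers; this model only reproduces the byte-window arithmetic. The two HTTP requests are constructed, one with the bare `whatismyip.com` Host header the favicon requests used and one with `www.whatismyip.com`.

```python
# Added example: simplified model of Snort/Suricata content-modifier
# matching. Not the Suricata engine; only the depth/within/nocase
# window arithmetic is reproduced.

def match_chain(payload: bytes, chain) -> bool:
    """Return True if every content in `chain` matches, in order.

    Each element is a dict with key "content" (bytes) and optional
    modifiers:
      depth  N  - pattern must lie entirely within the first N bytes of
                  the payload (absolute; none of these rules put
                  offset/distance before it)
      within N  - pattern must lie entirely within the N bytes that
                  follow the end of the previous match
      nocase    - case-insensitive comparison
    """
    prev_end = 0
    for m in chain:
        pattern = m["content"]
        hay = payload
        if m.get("nocase"):
            hay, pattern = hay.lower(), pattern.lower()
        if "depth" in m:
            start, window = 0, hay[:m["depth"]]
        elif "within" in m:
            start, window = prev_end, hay[prev_end:prev_end + m["within"]]
        else:
            start, window = prev_end, hay[prev_end:]
        idx = window.find(pattern)
        if idx < 0:
            return False
        prev_end = start + idx + len(pattern)
    return True


def rule_2003051(within_last: int = 16):
    """sid:2003051 rev:7 as quoted in the thread.

    within_last=16 is the shipped value; 20 is the change Will suggests
    so that the pattern still fits after a leading "www.".
    "Host\\: " in rule syntax is the bytes b"Host: " (the backslash
    only escapes the colon).
    """
    return [
        {"content": b"GET ", "depth": 4},
        {"content": b"Host: ", "within": 100},
        {"content": b"whatismyip.com\r\n", "nocase": True,
         "within": within_last},
    ]


# sid:2008986 rev:2 as quoted in the thread.
RULE_2008986 = [
    {"content": b"GET ", "depth": 4},
    {"content": b"\r\nHost: "},
    {"content": b".whatismyip.", "within": 15},
]

# Constructed requests (not captured traffic).
REQ_BARE = (b"GET /favicon.ico HTTP/1.1\r\n"
            b"Host: whatismyip.com\r\nUser-Agent: x\r\n\r\n")
REQ_WWW = (b"GET / HTTP/1.1\r\n"
           b"Host: www.whatismyip.com\r\nUser-Agent: x\r\n\r\n")


def evaluate():
    """Run both rules over both requests; returns {label: matched}."""
    return {
        "2003051 rev7 / bare host": match_chain(REQ_BARE, rule_2003051(16)),
        "2003051 rev7 / www host": match_chain(REQ_WWW, rule_2003051(16)),
        "2003051 within:20 / www host": match_chain(REQ_WWW, rule_2003051(20)),
        "2008986 / bare host": match_chain(REQ_BARE, RULE_2008986),
        "2008986 / www host": match_chain(REQ_WWW, RULE_2008986),
    }


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:32s} {'MATCH' if hit else 'no match'}")
```

The arithmetic bears out the thread: after `Host: `, `whatismyip.com\r\n` is exactly 16 bytes and fits `within:16`, while `www.whatismyip.com\r\n` is 20 bytes and only matches once the modifier is raised to `within:20`. Rule 2008986 goes the other way: its `.whatismyip.` pattern needs a dot before the name, so it matches the `www.` form and not the bare host.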
