[Oisf-users] some rule-based drops are not working

Wed Jun 23 14:35:40 UTC 2010

There was a duplicate rule for this, so I've removed the less accurate one.

Thanks Will!

Matt

On 6/22/10 9:43 PM, Will Metcalf wrote:
> hehe ok I'm trying to do to many things at once today.  Wrong sig, I
> was testing with the OTHER whatismyip sig ;-)... Thanks for pointing
> out my mess-up Frank.  I will test with 2008986 and let you know what
> I find...
> 
> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET BOTNET IP
> Discovery via whatismyip.com"; flow:to_server,established;
> content:"GET "; depth:4; content:"Host\: "; within:100;
> content:"whatismyip.com|0d 0a|"; nocase; within:16;
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2003051;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/BOT_IP_Discovery;
> sid:2003051; rev:7;)
> 
> Regards,
> 
> Will
> On Tue, Jun 22, 2010 at 1:46 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>> hehe ok so I think I know whats going on here ;-)...
>>
>> The sig only allows for
>>
>> Host: whatismyip.com\r\n
>>
>> and not
>>
>> Host: www.whatismyip.com\r\n
>>
>> So at least for me the favicon.ico requests were going to Host:
>> whatismyip.com causing me to have alerts and drops fire but not
>> actually stop the page from loading.  The sig needs to be updated I
>> guess ;-) to have the within:16; at least be within:20; to account for
>> the www. if that is indeed the intent of the sig.  Matt?
>>
>> Regards,
>>
>> Will
>> On Tue, Jun 22, 2010 at 5:42 AM, Aki Heikkinen
>> <aki.heikkinen at kuusisolutions.fi> wrote:
>>> Hi,
>>>
>>> I have suricata 0.9.2 installed on debian lenny in inline mode, trying
>>> to replace obsolete snort_inline setup which has served us well for last
>>> couple of years.
>>>
>>> Unfortunately some drop rules are not working correctly, alert is
>>> produced to logs but connection is not dropped.
>>>
>>> For example:
>>>
>>> # grep 2008986 /etc/suricata/rules/emerging-policy.rules
>>>
>>> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> Internal Host Retrieving External IP via whatismyip.com - Possible
>>> Infection"; flow:established,to_server; content:"GET "; depth:4;
>>> content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
>>> classtype:attempted-recon;
>>> reference:url,doc.emergingthreats.net/2008986;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check;
>>> sid:2008986; rev:2;)
>>>
>>> # grep 2008986 /var/log/suricata/fast.log
>>>
>>> 06/22/10-10:07:47.649993  [**] [1:2008986:2] ET POLICY Internal Host
>>> Retrieving External IP via whatismyip.com - Possible Infection [**]
>>> [Classification: Attempted Information Leak] [Priority: 3] {6}
>>> AA.BB.CC.DD:57609 -> 72.233.89.200:80 [Xref =>
>>> http://doc.emergingthreats.net/2008986][Xref =>
>>> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check]
>>>
>>> But this works as a charm:
>>>
>>> drop tcp any any ->  any any (msg:"drop google"; content:"google";sid:1;)
>>>
>>>
>>> What am I missing?
>>>
>>> Yours,
>>>
>>> Aki Heikkinen
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc