[Oisf-users] some rule-based drops are not working
Victor Julien
victor at inliniac.net
Thu Jun 24 08:09:00 UTC 2010
Aki Heikkinen wrote:
> Hi people,
>
> Sorry to bother you more;
No problem at all! We need feedback like this. It's very much appreciated :)
> Our suricata setup is totally missing some emerging-virus.rules (not
> even a mention in logs) like:
>
> emerging-virus.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting";
> flow:to_server,established; uricontent:"/search?q=";
> pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U";
> pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/weblog/archives/00001584.html;
> reference:url,doc.emergingthreats.net/bin/view/Main/2009024;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker;
> sid:2009024; rev:9;)
>
> But it still catches and drops some ok like:
>
> 06/24/10-05:37:54.715130 [**] [1:648:9] SHELLCODE x86 NOOP [**]
> [Classification: Executable code was detected] [Priority: 3] {6}
> 65.54.91.179:80 -> 10.42.42.121:63432 [Xref =>
> http://www.whitehats.com/info/IDS181]
>
> [30034] 24/6/2010 -- 10:21:05 - (source-nfq.c:537) <Info>
> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 13967161, dropped
> 14974
> [30036] 24/6/2010 -- 10:21:05 - (alert-fastlog.c:255) <Info>
> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 15238
>
> Suricata is started via:
>
> suricata -q 10 -c /etc/suricata/suricata_wla.yaml -l
> /var/log/suricata/wla -D
>
> Here's the suricata yaml (default and dirty, haven't yet really cleaned
> up ruleslists):
<snip config looking normal>
>
> I had to roll back to snort_inline for now, and it seems to catch
> conficker without any problems - so it can't be iptables related.
>
> I did check that suricata is actually loading relevant conficker rules
> and not ignoring those.
>
> What am I missing?
My guess is that it's related to issue 155
(https://redmine.openinfosecfoundation.org/issues/155). We're working on
fixing that currently. I'll add your report to it so we can test for it.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
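To pin down exactly which requests the quoted sid:2009024 rule is meant to fire on, here is an added example (not code from this thread and not Suricata's own engine) that re-implements the rule's three payload conditions in Python over constructed requests; the request-line and header parsing is a simplified stand-in for Suricata's HTTP normalization, and the sample requests are constructed, not captured traffic.

```python
import re

# Mirror of the rule's payload options as quoted on the page.
# uricontent is a plain substring test on the normalized URI; the first pcre
# carries /U, so it runs against the URI only; the second pcre runs on the raw
# payload and requires a dotted-quad IP literal in the Host header.
URICONTENT = "/search?q="
URI_RE = re.compile(r"^/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$")
HOST_RE = re.compile(rb"\r\nHost: \d+\.\d+\.\d+\.\d+\r\n")


def conficker_rule_matches(request: bytes) -> bool:
    """Return True when every payload condition of the rule is satisfied."""
    try:
        request_line, _headers = request.split(b"\r\n", 1)
        _method, uri_bytes, _version = request_line.split(b" ", 2)
    except ValueError:
        return False  # not a well-formed HTTP request line
    uri = uri_bytes.decode("ascii", "replace")
    if URICONTENT not in uri:
        return False
    if not URI_RE.search(uri):
        return False
    return HOST_RE.search(request) is not None


# Constructed samples (RFC 5737 documentation addresses, not real hosts)
MATCHING = (b"GET /search?q=42&aq=7?0a1b2c3d HTTP/1.1\r\n"
            b"Host: 192.0.2.10\r\n"
            b"User-Agent: Mozilla/4.0\r\n\r\n")
MATCHING_SHORT = b"GET /search?q=7 HTTP/1.1\r\nHost: 198.51.100.5\r\n\r\n"
BENIGN_HOST = b"GET /search?q=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_QUERY = b"GET /search?q=conficker HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("MATCHING", MATCHING), ("MATCHING_SHORT", MATCHING_SHORT),
                      ("BENIGN_HOST", BENIGN_HOST), ("BENIGN_QUERY", BENIGN_QUERY)]:
        print(name, conficker_rule_matches(req))
```

Feeding each sample through the real engine (e.g. from a pcap in a test setup) and comparing against these expected results is a quick way to tell whether a missed drop is a rule-logic problem or an engine problem like the issue referenced above.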