[Oisf-users] some rule-based drops are not working

Victor Julien victor at inliniac.net
Thu Jun 24 08:09:00 UTC 2010


Aki Heikkinen wrote:
> Hi people,
> 
> Sorry to bother you more;

No problem at all! We need feedback like this. It's very much appreciated :)

> Our suricata setup is totally missing some emerging-virus.rules (not 
> even a mention in logs) like:
> 
> emerging-virus.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; 
> flow:to_server,established; uricontent:"/search?q="; 
> pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; 
> pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; 
> classtype:trojan-activity; 
> reference:url,www.f-secure.com/weblog/archives/00001584.html; 
> reference:url,doc.emergingthreats.net/bin/view/Main/2009024; 
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; 
> sid:2009024; rev:9;)
> 
> But it still catches and drops some ok like:
> 
> 06/24/10-05:37:54.715130  [**] [1:648:9] SHELLCODE x86 NOOP [**] 
> [Classification: Executable code was detected] [Priority: 3] {6} 
> 65.54.91.179:80 -> 10.42.42.121:63432 [Xref => 
> http://www.whitehats.com/info/IDS181]
> 
> [30034] 24/6/2010 -- 10:21:05 - (source-nfq.c:537) <Info> 
> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 13967161, dropped 
> 14974
> [30036] 24/6/2010 -- 10:21:05 - (alert-fastlog.c:255) <Info> 
> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 15238
> 
> Suricata is started via:
> 
> suricata -q 10 -c /etc/suricata/suricata_wla.yaml -l 
> /var/log/suricata/wla -D
> 
> Here's the suricata yaml (default and dirty, haven't yet really cleaned 
> up ruleslists):

<snip config looking normal>

> 
> I had to roll back to snort_inline for now, and it seems to catch 
> conficker without any problems - so it can't be iptables related.
> 
> I did check that suricata is actually loading relevant conficker rules 
> and not ignoring those.
> 
> What am I missing?

My guess is that it's related to issue 155
(https://redmine.openinfosecfoundation.org/issues/155). We're working on
fixing that currently. I'll add your report to it so we can test for it.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
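When chasing a miss like the one above, one thing worth separating out is whether the signature's own payload keywords fit the traffic at all, as opposed to the engine (flow state, direction, NFQ handling) failing to evaluate them. The following is an added example, not code from this thread or from Suricata: it transcribes the uricontent and both pcre keywords of sid:2009024 to Python and runs them over constructed requests, reporting each keyword separately. The sample requests, function names and the dotted-quad Host values are assumptions made for the example.

```python
import re

# Payload-side conditions of ET sid:2009024 as quoted in the thread,
# transcribed to Python regexes (constructed here, not Suricata code).
URICONTENT = b"/search?q="
# pcre with the /U modifier: anchored against the (normalized) request URI only
URI_PCRE = re.compile(rb"^/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$")
# second pcre has no modifier: it runs over the whole payload and wants a
# Host header carrying a bare dotted-quad instead of a hostname
HOST_PCRE = re.compile(rb"\r\nHost: \d+\.\d+\.\d+\.\d+\r\n")


def request_uri(payload: bytes) -> bytes:
    """Return the request-target of an HTTP request line, or b'' if malformed."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) == 3 else b""


def payload_matches_sid_2009024(payload: bytes) -> dict:
    """Evaluate each payload keyword separately so a miss is attributable.

    Flow state, direction and ports ($HOME_NET -> $HTTP_PORTS,
    flow:to_server,established) are not payload properties and are not
    evaluated here; 'all' == True only says the content/pcre logic fits.
    """
    uri = request_uri(payload)
    results = {
        "uricontent": URICONTENT in uri,
        "uri_pcre": URI_PCRE.search(uri) is not None,
        "host_pcre": HOST_PCRE.search(payload) is not None,
    }
    results["all"] = all(results.values())
    return results


# Constructed sample requests (not captured traffic).
BEACON_LIKE = (b"GET /search?q=12&aq=7?0a1b2c3d HTTP/1.1\r\n"
               b"Host: 192.0.2.10\r\n\r\n")
NAMED_HOST = (b"GET /search?q=12&aq=7?0a1b2c3d HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")
LONG_QUERY = (b"GET /search?q=1234 HTTP/1.1\r\n"
              b"Host: 192.0.2.10\r\n\r\n")

if __name__ == "__main__":
    samples = [("BEACON_LIKE", BEACON_LIKE), ("NAMED_HOST", NAMED_HOST),
               ("LONG_QUERY", LONG_QUERY)]
    for name, req in samples:
        print(name, payload_matches_sid_2009024(req))
```

If all three keywords come back True for a request the sensor did not alert on, the rule text is not the problem and the investigation belongs with the engine or flow handling, as suggested above.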
