[Oisf-users] Whitelist rules

Nikolay Denev ndenev at gmail.com
Fri Sep 16 12:53:45 UTC 2011 

On Sep 16, 2011, at 2:50 PM, Nikolay Denev wrote:

> On Sep 16, 2011, at 1:00 PM, Peter Manev wrote:
> 
>> Hi Nikolay,
>> 
>> Can you please post an example of a rule of yours? 
>> 
>> Thanks
>> 
>> On Fri, Sep 16, 2011 at 11:32 AM, Nikolay Denev <ndenev at gmail.com> wrote:
>> Hello all,
>> 
>> I'm trying to install a few "pass" rules with "priority 1" as a whitelisting rules in "local.rules",
>> they are read ok, but they don't seem to work, and I start to wonder If I'm missing something.
>> 
>> My understanding is that if my rules in local.rules match, no further checking will be done on this packet/flow.
>> Can someone confirm that this is correct? Or is there another way to accomplish this.
>> Basically I want to preserve for example the shell code rules that are working on any port src/dest, but I have traffic
>> for an internal service that gives too many false positives, so I want to create a rule (basically the same shell code rule that get's triggered) but
>> modify it for the specific port of the service and change it from "alert" to "pass" and raise the priority.
>> 
>> Thanks in advance.
>> 
>> Regards,
>> Nikolay
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
>> 
>> 
>> -- 
>> Peter Manev
> 
> Ok, here's what I have :
> 
> This is in suricata.yaml:
> 
> 	HOME_NET: "[XXX.XXX.XXX.0/24,YYY.YYY.YYY.0/24,ZZZ.ZZZ.ZZZ.0/24,10.0.0.0/8]"
> 	EXTERNAL_NET: any
> 	SQL_SERVERS: "[10.XX.0.0/24,10.YY.0.0/24]"
> 
> Here is the alert rule from the ETPro ruleset:
> 
> 	alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
> 
> Here is my rule in local.rules (it was "pass ip" initially, I changed it to "pass tcp" later with no change):
> 
> 	pass tcp $SQL_SERVERS any -> $SQL_SERVERS 1521 (msg:"GPL SHELLCODE x86 inc ebx NOOP false positive"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; priority:1;)
> 
> 
> And still I get alerts like these:
> 
> 	09/16/11-08:35:28.209283  [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 3] {6} 10.XX.0.66:29392 -> 10.YY.0.66:1521
> 
> 
> Regards,
> Nikolay

One more thing : If I change the rules in local.rules to be also "alert" instead of "pass" I get two alerts for each, so clearly my rules are matching :

09/16/11-12:42:23.466342  [**] [1:2009033:3] ET POLICY Suspicious Executable (PE under 128) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986 [Xref => http://doc.emergingthreats.net/2009033]

09/16/11-12:42:23.466342  [**] [1:0:0] ET POLICY Suspicious Executable (PE under 128) FALSE POSITIVE [**] [Classification: (null)] [Priority: 1] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986


Regards,
Nikolay

More information about the Oisf-users mailing list