[Oisf-users] Whitelist rules
Nikolay Denev
ndenev at gmail.com
Fri Sep 16 12:53:45 UTC 2011
On Sep 16, 2011, at 2:50 PM, Nikolay Denev wrote:
> On Sep 16, 2011, at 1:00 PM, Peter Manev wrote:
>
>> Hi Nikolay,
>>
>> Can you please post an example of a rule of yours?
>>
>> Thanks
>>
>> On Fri, Sep 16, 2011 at 11:32 AM, Nikolay Denev <ndenev at gmail.com> wrote:
>> Hello all,
>>
>> I'm trying to install a few "pass" rules with "priority 1" as whitelisting rules in "local.rules".
>> They are read OK, but they don't seem to work, and I start to wonder if I'm missing something.
>>
>> My understanding is that if my rules in local.rules match, no further checking will be done on this packet/flow.
>> Can someone confirm that this is correct? Or is there another way to accomplish this?
>> Basically I want to preserve for example the shell code rules that are working on any port src/dest, but I have traffic
>> for an internal service that gives too many false positives, so I want to create a rule (basically the same shell code rule that gets triggered) but
>> modify it for the specific port of the service and change it from "alert" to "pass" and raise the priority.
>>
>> Thanks in advance.
>>
>> Regards,
>> Nikolay
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>>
>> --
>> Peter Manev
>
> Ok, here's what I have:
>
> This is in suricata.yaml:
>
> HOME_NET: "[XXX.XXX.XXX.0/24,YYY.YYY.YYY.0/24,ZZZ.ZZZ.ZZZ.0/24,10.0.0.0/8]"
> EXTERNAL_NET: any
> SQL_SERVERS: "[10.XX.0.0/24,10.YY.0.0/24]"
>
> Here is the alert rule from the ETPro ruleset:
>
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
>
> Here is my rule in local.rules (it was "pass ip" initially, I changed it to "pass tcp" later with no change):
>
> pass tcp $SQL_SERVERS any -> $SQL_SERVERS 1521 (msg:"GPL SHELLCODE x86 inc ebx NOOP false positive"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; priority:1;)
>
>
> And still I get alerts like these:
>
> 09/16/11-08:35:28.209283 [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 3] {6} 10.XX.0.66:29392 -> 10.YY.0.66:1521
>
>
> Regards,
> Nikolay
One more thing: if I change the rules in local.rules to also be "alert" instead of "pass", I get two alerts for each, so clearly my rules are matching:
09/16/11-12:42:23.466342 [**] [1:2009033:3] ET POLICY Suspicious Executable (PE under 128) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986 [Xref => http://doc.emergingthreats.net/2009033]
09/16/11-12:42:23.466342 [**] [1:0:0] ET POLICY Suspicious Executable (PE under 128) FALSE POSITIVE [**] [Classification: (null)] [Priority: 1] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986
Regards,
Nikolay
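An added check, not part of the thread, for the verification step described above (turning the pass rule into an alert and looking for duplicate alerts): it parses fast.log lines in the format quoted here and lists the alerts from the noisy signature that fired on packets where the local rule did not, i.e. the traffic the whitelist rule would not cover. The sample lines and addresses are constructed; sid 0 is assumed to identify the local rule, as in the output above.

```python
import re
from collections import defaultdict

# Suricata fast.log layout, IPv4 only; {proto} is numeric in 1.x, a name in later releases.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_fast_log(lines):
    """Parse fast.log lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sid"], rec["prio"] = int(rec["sid"]), int(rec["prio"])
            alerts.append(rec)
    return alerts

def group_by_packet(alerts):
    """Alerts from one packet are keyed by timestamp, protocol and address pair."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["ts"], a["proto"], a["src"], a["dst"])].append(a)
    return groups

def uncovered_alerts(alerts, noisy_sid, local_sid=0):
    """Alerts for noisy_sid on packets where the local rule (sid 0 here) did not fire."""
    result = []
    for hits in group_by_packet(alerts).values():
        sids = {h["sid"] for h in hits}
        if noisy_sid in sids and local_sid not in sids:
            result.extend(h for h in hits if h["sid"] == noisy_sid)
    return result

# Constructed sample lines in the thread's format (addresses made up); sid 0 is the
# local rule, which has no sid: keyword in the quoted local.rules line and so logs as [1:0:0].
SAMPLE = [
    "09/16/11-12:42:23.466342 [**] [1:2009033:3] ET POLICY Suspicious Executable (PE under 128) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {6} 10.1.0.49:1521 -> 10.2.0.37:56986 [Xref => http://doc.emergingthreats.net/2009033]",
    "09/16/11-12:42:23.466342 [**] [1:0:0] ET POLICY Suspicious Executable (PE under 128) FALSE POSITIVE [**] [Classification: (null)] [Priority: 1] {6} 10.1.0.49:1521 -> 10.2.0.37:56986",
    "09/16/11-12:43:01.000100 [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 3] {6} 10.1.0.66:29392 -> 10.2.0.66:1521",
    "09/16/11-12:43:05.000200 [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 3] {6} 10.1.0.70:40100 -> 10.2.0.66:1521",
    "09/16/11-12:43:05.000200 [**] [1:0:0] GPL SHELLCODE x86 inc ebx NOOP false positive [**] [Classification: (null)] [Priority: 1] {6} 10.1.0.70:40100 -> 10.2.0.66:1521",
]

if __name__ == "__main__":
    for a in uncovered_alerts(parse_fast_log(SAMPLE), 1390):
        print(f'sid {a["sid"]} not whitelisted: {a["src"]} -> {a["dst"]} at {a["ts"]}')
```

Run it against a real fast.log (`parse_fast_log(open("fast.log"))`) after the pass rule has been temporarily switched to alert; any line it prints is a packet the whitelist rule's header or content did not match.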