[Oisf-users] IPS mode drop Problem on suri 1.4.5R

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Thu Aug 22 08:49:52 UTC 2013


Hi all,
I have here…
Executing: suricata --user sguil --group sguil -c /etc/nsm/Wecker-intern/suricata.yaml -q 1 -l /nsm/sensor_data/Wecker-intern
22/8/2013 -- 06:00:26 - <Info> - This is Suricata version 1.4.5 RELEASE
22/8/2013 -- 06:00:26 - <Info> - CPUs/cores online: 4
22/8/2013 -- 06:00:26 - <Info> - Enabling fail-open on queue
22/8/2013 -- 06:00:26 - <Info> - NFQ running in standard ACCEPT/DROP mode

I have a problem with a rule that I don't understand here.
Although this rule is marked as alert, Suricata drops the data stream.
If I disable the rule, the data is forwarded (not dropped).

Why?
Any idea?

Thx
Stefan

rules:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)

Fast.log
08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80

drop.log
08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0

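Before digging into why the packet was dropped, the first thing to confirm is that the drop.log entry really belongs to the flow that raised the alert, and that the rule as loaded still carries the alert action rather than drop. The script below is an added example written for this post (it is not code from the OISF project or from Stefan): it parses the rule, the fast.log line and the drop.log line quoted above, checks that sid/rev and the TCP 5-tuple agree, and reports whether a flow was dropped although its rule says alert. The regular expressions are my own assumptions about the fast.log and drop.log layouts shown in the post, not a general Suricata log parser.

```python
import re

# Sample inputs, copied from the post: the rule, one fast.log line and one drop.log line.
RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java '
        'Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; '
        'http_user_agent; content:!"51"; within:2; http_user_agent; '
        'flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, '
        'seconds 300, track by_src; reference:url,javatester.org/version.html; '
        'classtype:bad-unknown; sid:2011582; rev:31;)')
FAST_LOG = ('08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java '
            'Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] '
            '[Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80')
DROP_LOG = ('08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 '
            'LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 '
            'SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0')

# Assumed layouts (matching the lines above); these are not an official Suricata grammar.
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+'
                     r'\s+\((?P<opts>.*)\)\s*$')
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)'
    r'\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>\S+):(?P<dport>\d+)\s*$')


def parse_rule(text):
    """Return action, protocol, sid, rev and msg from one rule line."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule line")
    opts = m.group("opts")
    sid = re.search(r'\bsid:\s*(\d+)\s*;', opts)
    rev = re.search(r'\brev:\s*(\d+)\s*;', opts)
    msg = re.search(r'\bmsg:\s*"([^"]*)"\s*;', opts)
    return {"action": m.group("action").lower(), "proto": m.group("proto").lower(),
            "sid": int(sid.group(1)) if sid else None,
            "rev": int(rev.group(1)) if rev else None,
            "msg": msg.group(1) if msg else ""}


def parse_fast_log(line):
    """Extract timestamp, sid/rev and the 5-tuple from a fast.log entry."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a fast.log line")
    d = m.groupdict()
    return {"ts": d["ts"], "sid": int(d["sid"]), "rev": int(d["rev"]), "msg": d["msg"],
            "proto": d["proto"].lower(), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def parse_drop_log(line):
    """Extract timestamp, 5-tuple and TCP flags from a drop.log entry."""
    ts, _, rest = line.strip().partition(": ")
    fields, flags = {}, []
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # KEY=VALUE pairs (IN= and OUT= are legitimately empty)
        else:
            flags.append(tok)          # bare tokens such as ACK PSH are TCP flags
    return {"ts": ts, "proto": fields.get("PROTO", "").lower(),
            "src": fields.get("SRC"), "sport": int(fields.get("SPT", 0)),
            "dst": fields.get("DST"), "dport": int(fields.get("DPT", 0)),
            "flags": flags, "fields": fields}


def same_flow(a, b):
    """True when two parsed records describe the same direction of one 5-tuple."""
    return all(a[k] == b[k] for k in ("proto", "src", "sport", "dst", "dport"))


def correlate(rule_text, fast_line, drop_line):
    """Tie rule, alert and drop together and flag a drop whose rule action is only alert."""
    rule = parse_rule(rule_text)
    alert = parse_fast_log(fast_line)
    drop = parse_drop_log(drop_line)
    flow_match = same_flow(alert, drop)
    return {"sid_matches": rule["sid"] == alert["sid"] and rule["rev"] == alert["rev"],
            "same_flow": flow_match,
            "same_timestamp": alert["ts"] == drop["ts"],
            "rule_action": rule["action"],
            "drop_despite_alert_action": flow_match and rule["action"] == "alert"}


if __name__ == "__main__":
    for key, value in correlate(RULE, FAST_LOG, DROP_LOG).items():
        print(f"{key:>26}: {value}")
```

Running it on the post's lines reports the sid/rev match, the identical 5-tuple and timestamp, and `drop_despite_alert_action: True`, which is exactly the contradiction the post describes. Running it against the rule file Suricata actually loads (rather than the copy quoted in mail) is the useful next step, since a rule whose action has been rewritten to drop by a rule-management tool would show `rule_action: drop` and no contradiction.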
