[Oisf-users] RE : Re: IPS mode drop Problem on suri 1.4.5R

rmkml rmkml at yahoo.fr
Fri Aug 23 16:36:20 UTC 2013


Hi Stefan,
Another test if you have a few minutes please,
Could you disable only sid 2011582 and check if it still drops please?
If it is repeatable, could you simulate it with a wget/curl/fetch Java-like User-Agent please? (for easy reproduction)
Could you post suricata.yaml (conf) and the signature ruleset please? (Try to reduce conf/sigs to a minimum as soon as possible)
Do you use nfqueue / afpacket / pfring?
Have you compiled suricata yourself? With what options?
Regards
@Rmkml



-------- Original message --------
From: Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com>
Date:
To: rmkml <rmkml at yahoo.fr>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPS mode drop Problem on suri 1.4.5R
 
Hi all,
how can this bug be resolved?

Stefan

On 23.08.2013 10:06, Stefan Sabolowitsch wrote:
> OK, this rule works correctly only "alone" (no drops), without all the other
> rules.
>
>
>
>
> On 23.08.13 09:25, "rmkml" <rmkml at yahoo.fr> wrote:
>
>> Hi Stefan,
>>
>> Yes, you are certainly right, it's a bug,
>>
>> another test if you permit: could you activate only sid  please?
>> does it drop again?
>>
>> Regards
>> @Rmkml
>>
>>
>> On Fri, 23 Aug 2013, Stefan Sabolowitsch wrote:
>>
>>> Bonjour Hi, rmkml
>>> This will not help.
>>> Only this one rule makes this problem.
>>>
>>> Any idea, perhaps a bug in suri?
>>>
>>> Regards Stefan
>>>
>>>
>>>
>>> On 22.08.13 17:23, "rmkml" <rmkml at yahoo.fr> wrote:
>>>
>>>> Thx Stefan for the reply,
>>>>
>>>> Could you try temporarily disabling all the drop sigs below please?
>>>> (and does the alert sig drop your network traffic again?)
>>>>
>>>> Regards
>>>> @Rmkml
>>>>
>>>>
>>>> On Thu, 22 Aug 2013, Stefan Sabolowitsch wrote:
>>>>
>>>>> Hi Rmkml,
>>>>> I found these drop rules.
>>>>>
>>>>> Regards
>>>>> Stefan
>>>>>
>>>>> [root at ipd2 rules]# grep "^drop.*set,ET.http.javaclient.vulnerable" *.rules
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:6;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; content:"|0d 0a 0d 0a|PK"; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)
>>>>>
>>>>> emerging-trojan.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7;)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 22.08.13 11:01, "rmkml" <rmkml at yahoo.fr> wrote:
>>>>>
>>>>>> Hi Stefan,
>>>>>>
>>>>>> Sorry, I can't help,
>>>>>>
>>>>>> but I have a question: can you search your rules for another
>>>>>> rule with the flowbits but in drop mode please?
>>>>>> (like this: grep "^drop.*set,ET.http.javaclient.vulnerable" *.rules)
>>>>>>
>>>>>> Regards
>>>>>> @Rmkml
>>>>>>
>>>>>>
>>>>>> On Thu, 22 Aug 2013, Stefan Sabolowitsch wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I have here…
>>>>>>> Executing: suricata --user sguil --group sguil -c
>>>>>>> /etc/nsm/Wecker-intern/suricata.yaml -q 1 -l
>>>>>>> /nsm/sensor_data/Wecker-intern
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - This is Suricata version 1.4.5
>>>>>>> RELEASE
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - CPUs/cores online: 4
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - Enabling fail-open on queue
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - NFQ running in standard ACCEPT/DROP
>>>>>>> mode
>>>>>>>
>>>>>>> I have a problem with a rule that I don't understand.
>>>>>>> Although this rule is marked as alert, suricata drops the data stream.
>>>>>>> If I disable the rule, the data are forwarded (not dropped).
>>>>>>>
>>>>>>> Why ?
>>>>>>> Any idea?
>>>>>>>
>>>>>>> Thx
>>>>>>> Stefan
>>>>>>>
>>>>>>> rules:
>>>>>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
>>>>>>>
>>>>>>> Fast.log
>>>>>>> 08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80
>>>>>>>
>>>>>>> drop.log
>>>>>>> 08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>


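The debugging step rmkml asks for in the thread (find every drop rule whose verdict depends on the flowbit that the alert-only sid 2011582 sets, so they can be disabled as a group and the drops re-tested) can be scripted instead of grepped. The grep pattern `^drop.*set,ET.http.javaclient.vulnerable` matches `isset,` as well as `set,`, which is why its output lists the rules that test the bit; the script below separates the two explicitly. This is an added example, not code from the thread or from the Suricata project, and it assumes one rule per line in the plain Snort/Suricata rule syntax shown on the page; the sample ruleset is constructed from rules quoted above.

```python
"""Added example (not from the thread): map Suricata flowbits to the rules
that set and test them, so the drop rules whose verdict depends on a bit set
by an alert-only rule can be listed and disabled as a group for testing.
The sample ruleset below is constructed from rules quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample: four enabled rules from the thread plus one commented out.
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; content:"|0d 0a 0d 0a|PK"; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
# drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)
'''

# action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def split_options(opts):
    """Split 'key:value; key:value;' on ';', honouring quotes and backslash
    escapes so that a ';' inside content:"..." or pcre:"..." is not a separator."""
    out, cur, quoted, esc = [], [], False, False
    for ch in opts:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == '\\':
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            item = ''.join(cur).strip()
            if item:
                out.append(item)
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        out.append(tail)
    return out


def parse_rules(text):
    """Return one dict per enabled rule line; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_HEADER.match(line)
        if not m:
            continue  # not a single-line rule in the syntax handled here
        rule = {'action': m.group('action'), 'sid': None, 'msg': '', 'flowbits': []}
        for opt in split_options(m.group('opts')):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'sid':
                rule['sid'] = int(val)
            elif key == 'msg':
                rule['msg'] = val.strip('"')
            elif key == 'flowbits':  # e.g. set,NAME / isset,NAME / noalert
                op, _, name = val.partition(',')
                rule['flowbits'].append((op.strip(), name.strip()))
        rules.append(rule)
    return rules


def flowbit_report(text):
    """For every flowbit: which (action, sid) pairs set it and which test it."""
    report = defaultdict(lambda: {'set_by': [], 'checked_by': []})
    for r in parse_rules(text):
        for op, name in r['flowbits']:
            if op in ('set', 'toggle'):
                report[name]['set_by'].append((r['action'], r['sid']))
            elif op in ('isset', 'isnotset'):
                report[name]['checked_by'].append((r['action'], r['sid']))
    return dict(report)


def drop_rules_depending_on(text, flowbit):
    """Sorted sids of drop rules that test the given flowbit."""
    rep = flowbit_report(text).get(flowbit, {'checked_by': []})
    return sorted(sid for action, sid in rep['checked_by'] if action == 'drop')


def alert_only_flowbits_used_by_drops(text):
    """Flowbits set only by alert rules but tested by drop rules: the pattern
    in this thread. Returns {flowbit: [drop sids]} for review or bulk disabling."""
    out = {}
    for name, rep in flowbit_report(text).items():
        setters = {action for action, _ in rep['set_by']}
        drops = sorted(sid for action, sid in rep['checked_by'] if action == 'drop')
        if setters and setters <= {'alert'} and drops:
            out[name] = drops
    return out


if __name__ == '__main__':
    for bit, drops in alert_only_flowbits_used_by_drops(SAMPLE_RULES).items():
        print(f'{bit}: set only by alert rules, tested by drop sids {drops}')
```

Run it against a concatenation of the live `*.rules` files instead of `SAMPLE_RULES` to get the same list rmkml's grep produced, plus the direction of each dependency; the reverse check (bits set by drop rules, such as et.exploitkitlanding here) falls out of the same report.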