[Oisf-users] IPS mode drop Problem on suri 1.4.5R

rmkml rmkml at yahoo.fr
Thu Aug 22 09:01:50 UTC 2013


Hi Stefan,

Sorry, I can't help,

but I have a question: can you search your rules to check whether you have another rule with the same flowbits but in drop mode, please?
(like this: grep "^drop.*set,ET.http.javaclient.vulnerable" *.rules)

Regards
@Rmkml
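A more general form of the grep check suggested above, as an added example that is not part of rmkml's reply or of Suricata itself: it parses a rules file, records which alert rules set a flowbit and which drop rules test it, so an "alert" rule that seems to drop traffic can be traced to the drop rule that consumed its flowbit. The embedded ruleset is constructed for the example; the sid 9000001 drop rule is hypothetical.

```python
import re

# Constructed sample ruleset (not the full ruleset from the thread): the alert
# rule quoted in the mail, a hypothetical drop rule testing the same flowbit,
# and a commented-out (disabled) rule that must be ignored.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; sid:2011582; rev:31;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL drop on vulnerable java client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; sid:9000001; rev:1;)
# disabled rule, must not be counted
#drop tcp any any -> any any (msg:"disabled"; flowbits:isset,ET.http.javaclient.vulnerable; sid:9000002; rev:1;)
"""

# action, then everything up to the first "(" is the header; the body is inside the parens
RULE_RE = re.compile(r'^\s*(alert|drop|reject|pass)\s+[^(]*\((.*)\)\s*$')
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*,\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Yield (action, sid, [(flowbits_op, bit_name), ...]) for every active rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # blank lines, comments and "#"-disabled rules
            continue
        action, body = m.group(1), m.group(2)
        sid = SID_RE.search(body)
        ops = [(op.strip(), name.strip()) for op, name in FLOWBITS_RE.findall(body)]
        yield action, (int(sid.group(1)) if sid else None), ops

def find_drop_consumers(text):
    """Map each flowbit set by an alert rule to ([alert sids that set it], [drop sids that test it])."""
    setters, testers = {}, {}
    for action, sid, ops in parse_rules(text):
        for op, name in ops:
            if op in ('set', 'toggle') and action == 'alert':
                setters.setdefault(name, set()).add(sid)
            elif op in ('isset', 'isnotset') and action == 'drop':
                testers.setdefault(name, set()).add(sid)
    return {name: (sorted(setters[name]), sorted(testers[name]))
            for name in setters if name in testers}

if __name__ == "__main__":
    for bit, (alert_sids, drop_sids) in find_drop_consumers(SAMPLE_RULES).items():
        print(f"{bit}: set by alert sid(s) {alert_sids}, tested by drop sid(s) {drop_sids}")
```

Point it at a real rules directory by reading each *.rules file and concatenating the text; a non-empty result names the drop rule to look at first.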


On Thu, 22 Aug 2013, Stefan Sabolowitsch wrote:

> Hi all,
> I have here…
> Executing: suricata --user sguil --group sguil -c /etc/nsm/Wecker-intern/suricata.yaml -q 1 -l /nsm/sensor_data/Wecker-intern
> 22/8/2013 -- 06:00:26 - <Info> - This is Suricata version 1.4.5 RELEASE
> 22/8/2013 -- 06:00:26 - <Info> - CPUs/cores online: 4
> 22/8/2013 -- 06:00:26 - <Info> - Enabling fail-open on queue
> 22/8/2013 -- 06:00:26 - <Info> - NFQ running in standard ACCEPT/DROP mode
> 
> I have a problem with a rule that I don't understand.
> Although this rule is marked as alert, Suricata drops the data stream.
> If I disable the rule, the data is forwarded (not dropped).
> 
> Why ?
> Any idea?
> 
> Thx
> Stefan
> 
> rules:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
> 
> Fast.log
> 08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80
> 
> drop.log
> 08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0
> 

