[Oisf-users] IPS mode drop Problem on suri 1.4.5R

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Fri Aug 23 15:59:05 UTC 2013


Hi all,
How can I resolve this bug?

Stefan

On 23.08.2013 10:06, Stefan Sabolowitsch wrote:
> OK, this rule works correctly only "alone" (no drops), without all the other
> rules.
>
>
>
>
> On 23.08.13 09:25, "rmkml" <rmkml at yahoo.fr> wrote:
>
>> Hi Stefan,
>>
>> Yes you are certainly right it's a bug,
>>
>> Another test, if you permit: could you activate only sid 2011582, please?
>> Does it drop again?
>>
>> Regards
>> @Rmkml
>>
>>
>> On Fri, 23 Aug 2013, Stefan Sabolowitsch wrote:
>>
>>> Bonjour, hi rmkml,
>>> This will not help.
>>> Only this one rule makes this problem.
>>>
>>> Any idea? Perhaps a bug in suri?
>>>
>>> Regards Stefan
>>>
>>>
>>>
>>> On 22.08.13 17:23, "rmkml" <rmkml at yahoo.fr> wrote:
>>>
>>>> Thx Stefan for the reply,
>>>>
>>>> Could you try temporarily disabling all the drop sigs below, please?
>>>> (And does the alert sig then drop your network traffic again?)
>>>>
>>>> Regards
>>>> @Rmkml
>>>>
>>>>
>>>> On Thu, 22 Aug 2013, Stefan Sabolowitsch wrote:
>>>>
>>>>> Hi Rmkml,
>>>>> I found these drop rules.
>>>>>
>>>>> Regards
>>>>> Stefan
>>>>>
>>>>> [root at ipd2 rules]# grep "^drop.*set,ET.http.javaclient.vulnerable" *.rules
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:6;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; content:"|0d 0a 0d 0a|PK"; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
>>>>>
>>>>> emerging-current_events.rules:drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)
>>>>>
>>>>> emerging-trojan.rules:drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7;)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 22.08.13 11:01, "rmkml" <rmkml at yahoo.fr> wrote:
>>>>>
>>>>>> Hi Stefan,
>>>>>>
>>>>>> Sorry, I can't help,
>>>>>>
>>>>>> but I have a question: can you search your rules to see if you have
>>>>>> another rule with flowbits but in drop mode, please?
>>>>>> (like this: grep "^drop.*set,ET.http.javaclient.vulnerable" *.rules)
>>>>>>
>>>>>> Regards
>>>>>> @Rmkml
>>>>>>
>>>>>>
>>>>>> On Thu, 22 Aug 2013, Stefan Sabolowitsch wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I have here…
>>>>>>> Executing: suricata --user sguil --group sguil -c
>>>>>>> /etc/nsm/Wecker-intern/suricata.yaml -q 1 -l
>>>>>>> /nsm/sensor_data/Wecker-intern
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - This is Suricata version 1.4.5
>>>>>>> RELEASE
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - CPUs/cores online: 4
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - Enabling fail-open on queue
>>>>>>> 22/8/2013 -- 06:00:26 - <Info> - NFQ running in standard ACCEPT/DROP
>>>>>>> mode
>>>>>>>
>>>>>>> I have a problem with a rule that I don't understand.
>>>>>>> Although this rule is marked as alert, Suricata drops the data stream.
>>>>>>> If I disable the rule, the data are forwarded (not dropped).
>>>>>>>
>>>>>>> Why ?
>>>>>>> Any idea?
>>>>>>>
>>>>>>> Thx
>>>>>>> Stefan
>>>>>>>
>>>>>>> rules:
>>>>>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
>>>>>>>
>>>>>>> Fast.log
>>>>>>> 08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80
>>>>>>>
>>>>>>> drop.log
>>>>>>> 08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>
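
As an added example (not part of this thread, and not Suricata's or Emerging Threats' own tooling), here is a small Python script that generalizes the grep rmkml suggested above: it parses rule lines, records which flowbits each rule sets or tests, and reports every non-drop rule whose flowbit is consumed by drop rules. The sample input embeds three of the rules quoted in the thread (sid 2011582 and two of the drop rules) plus one constructed drop rule without flowbits; the helper names and output format are my own.

```python
import re
from collections import defaultdict

# Sample rule file content. The first three rules are quoted from the thread;
# the last one is constructed to show that drop rules without flowbits are ignored.
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:6;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
# constructed: a drop rule with no flowbits at all, must not be reported
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED example rule"; sid:9000001; rev:1;)
'''

# action, header (proto/addresses/ports/direction), then the parenthesised options
RULE_HEADER = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')


def split_options(options):
    """Split the option string on ';' that are outside double quotes.
    A backslash escapes the next character, so an escaped '\\;' inside a
    quoted value does not terminate the option."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return a dict with action, header, sid, msg and a list of (op, bit)
    flowbits tuples, or None if the line is not a rule."""
    m = RULE_HEADER.match(line.strip())
    if not m:
        return None
    rule = {'action': m.group('action'), 'header': m.group('header').strip(),
            'sid': None, 'msg': None, 'flowbits': []}
    for opt in split_options(m.group('options')):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'sid':
            rule['sid'] = int(value)
        elif name == 'msg':
            rule['msg'] = value.strip('"')
        elif name == 'flowbits':
            op, _, bit = value.partition(',')
            rule['flowbits'].append((op.strip(), bit.strip()))
    return rule


def parse_rules(text):
    """Parse a rules file body, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parsed = parse_rule(line)
        if parsed:
            rules.append(parsed)
    return rules


def flowbit_crossrefs(rules):
    """Map flowbit name -> sids that set/toggle it, and flowbit name -> sids
    of drop rules that test it (isset or isnotset)."""
    setters, drop_consumers = defaultdict(set), defaultdict(set)
    for r in rules:
        for op, bit in r['flowbits']:
            if op in ('set', 'toggle'):
                setters[bit].add(r['sid'])
            elif op in ('isset', 'isnotset') and r['action'] == 'drop':
                drop_consumers[bit].add(r['sid'])
    return setters, drop_consumers


def report(rules):
    """List (flowbit, setter sid, setter action, sorted drop sids) for every
    non-drop rule whose flowbit feeds at least one drop rule."""
    setters, drop_consumers = flowbit_crossrefs(rules)
    by_sid = {r['sid']: r for r in rules}
    findings = []
    for bit, consumers in sorted(drop_consumers.items()):
        for sid in sorted(setters.get(bit, ())):
            if by_sid[sid]['action'] != 'drop':
                findings.append((bit, sid, by_sid[sid]['action'], sorted(consumers)))
    return findings


if __name__ == '__main__':
    for bit, sid, action, drops in report(parse_rules(SAMPLE_RULES)):
        print(f'{action} sid:{sid} sets {bit}, tested by drop sids {drops}')
```

Run against a real ruleset with `parse_rules(open(path).read())`; the output tells you, for each alert rule that sets a flowbit, exactly which drop rules become reachable once that bit is set on a flow, which is the list you need when a drop appears on a flow where only an alert rule fired.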
