[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Vincent Fang vincent.y.fang at gmail.com
Fri Jan 11 19:47:14 UTC 2013


Thank you all for the quick responses. Trying out the different ways of writing the
rule and using different browsers, the results were too inconsistent for me to
rely on the simple test rule I was using to see whether Suricata could detect
a prohibited site. As Anoop suggested, when I did the tests again today, the
nslookup for www.businessweek.com changed too many times for me to get any
consistent results.

alert http any any -> ipaddress any (msg: "visiting";)

My new question for you all then: in order to make a simple alert test, how
should I craft the alert rule to detect if something within my network is
trying to visit a prohibited site? Would I need to use the rule options
where it looks at the content? Is specifying an IP address in the rule not
something I should rely on? Is there a website reference you guys use to
learn how to create good rules?




On Thu, Jan 10, 2013 at 10:53 PM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> Have you checked the dst ip is the same as the one specified in your
> rule?  With load-balancing the dns can resolve to different ip
> addresses.
>
> On Fri, Jan 11, 2013 at 3:00 AM, Vincent Fang <vincent.y.fang at gmail.com>
> wrote:
> > Response to Peter Manav:
> >
> > Immediately after the first visit, when I stop Suricata, the logs stay the
> > same, with fast.log at 0 bytes with no alerts, along with unified2. A
> > weird thing I'm noticing is that the http.log is also at 0 bytes, even
> > though I see GET requests being made and passing through Wireshark.
> >
> > I then saved the pcap file called businessweek from wireshark and cleared
> > the logs again and ran suricata in offline pcap mode with the following
> > command
> > suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek
> >
> > and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes in
> > the http.log
> >
> > Response to rmkml:
> >
> > I tried with wget and the same situation occurs, with the fast.log being
> > 0. I also tried clearing the Google cache and restarting the test again, and
> > the same result occurred. I switched browsers to Firefox and cleared the
> > cache, however, and alerts started popping up in the fast.log, but only if I
> > cleared the cache after already visiting the webpage once; otherwise
> > fast.log would never populate.
> >
> > The thing that confuses me is what am I seeing in Wireshark if it sees http
> > packets matching the destination IP address? Or because it's all running on
> > a local box, a special scenario occurs?
> >
> >
> > Response to Eoin Miller:
> >
> > Changing the rule to tcp did not affect the outcome, and Wireshark didn't
> > match the filter
> > tcp && ip.dst == 207.86.164.0/24
> >
> >
> > So it looks like I get the correct results with Firefox if the cache is
> > cleared, but what exactly is going on if I see matching http packets in
> > wireshark with the matching ip destination?
> >
> >
> >
> > NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm
> > not used to this mailing list.
> >
> >
> > On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller
> > <eoin.miller at trojanedbinaries.com> wrote:
> >>
> >> On 1/10/2013 20:34, Eoin Miller wrote:
> >> > On 1/10/2013 19:57, Vincent Fang wrote:
> >> >>
> >> >> alert http any any -> 207.86.164.0/24 any (msg: "visiting businessweek";)
> >> >
> >> > Maybe try alert tcp instead of alert http.
> >> >
> >> > -- Eoin
> >>
> >> alert ip might even be better.
> >>
> >> -- Eoin
> >>
> >>
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
>
> --
> Anoop Saldanha
>
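The question above, whether to keep matching on a destination address or move to a content-based rule, is easiest to settle by running both checks over the same requests. The script below is an added example, not code from the thread or from the Suricata project. It is a small model of the two rule styles: the destination-IP rule from the thread, and a Host-header rule using Suricata's http_host buffer (assumed to be available in the reader's Suricata build; the normalization it performs is modelled here, not reproduced). The sample requests, the 198.51.100.x addresses (TEST-NET-2) and the sids 1000001 and 1000002 are constructed for the demonstration.

```python
"""
Added example, not from the thread or the Suricata project: a toy model of
two ways to write a "prohibited site" rule, run over constructed requests.
The IP addresses, Host values and sids below are illustrative only.
"""
from dataclasses import dataclass
import ipaddress

# Reference rules in Suricata syntax (strings only; this script does not load them).
# 1) The thread's destination-IP rule, made syntactically complete with a local sid:
IP_RULE = ('alert http any any -> 207.86.164.0/24 any '
           '(msg:"visiting businessweek"; sid:1000001; rev:1;)')
# 2) A Host-header rule. http_host is the normalized (lowercased) Host header,
#    so the match survives DNS round-robin and CDN address changes. A plain
#    content match is a substring test: the leading dot guards against lookalikes
#    such as notbusinessweek.com but would miss a bare "businessweek.com" Host;
#    host_rule_matches() below handles both cases explicitly.
HOST_RULE = ('alert http any any -> any any (msg:"visiting businessweek"; '
             'content:".businessweek.com"; http_host; sid:1000002; rev:1;)')


@dataclass
class HttpRequest:
    dst_ip: str      # destination address of the TCP connection
    raw_host: str    # Host header exactly as the client sent it


def normalize_host(raw_host: str) -> str:
    """Model of the http_host buffer: lowercase, whitespace and :port removed (assumed)."""
    host = raw_host.strip().lower()
    if host.startswith('['):                    # IPv6 literal such as [::1]:8080
        end = host.find(']')
        return host[:end + 1] if end != -1 else host
    return host.split(':', 1)[0]


def ip_rule_matches(req: HttpRequest, cidr: str) -> bool:
    """Destination-address match, as 'alert http any any -> CIDR any' would do."""
    return ipaddress.ip_address(req.dst_ip) in ipaddress.ip_network(cidr)


def host_rule_matches(req: HttpRequest, domain: str) -> bool:
    """Domain match on the normalized Host: the domain itself or any subdomain."""
    host = normalize_host(req.raw_host)
    domain = domain.lower()
    return host == domain or host.endswith('.' + domain)


# Constructed sample traffic. The two businessweek requests reach different
# addresses, as a load-balanced site resolves differently over time; the third
# shares an address with the second but asks for an unrelated virtual host.
SAMPLE = [
    HttpRequest('207.86.164.25', 'www.businessweek.com'),
    HttpRequest('198.51.100.7', 'WWW.BusinessWeek.com:80'),   # TEST-NET-2, hypothetical
    HttpRequest('198.51.100.7', 'example.org'),
    HttpRequest('198.51.100.9', 'notbusinessweek.com'),        # lookalike, must not match
]


def evaluate(requests=SAMPLE):
    """Return (ip_rule_hit, host_rule_hit) per request so the two approaches compare."""
    return [(ip_rule_matches(r, '207.86.164.0/24'),
             host_rule_matches(r, 'businessweek.com')) for r in requests]


if __name__ == '__main__':
    for req, (ip_hit, host_hit) in zip(SAMPLE, evaluate()):
        print(f'{req.dst_ip:14} {req.raw_host:26} ip-rule={ip_hit!s:5} host-rule={host_hit}')
```

Running it prints one line per request: the IP rule fires only for the first request, while the Host rule fires for both businessweek requests and stays quiet for the unrelated vhost and the lookalike. For a real test, put the HOST_RULE line in a local rules file referenced from suricata.yaml and replay the saved capture with the same suricata -r command used earlier in the thread.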