[Oisf-users] (no subject)

Cooper F. Nelson cnelson at ucsd.edu
Fri Jun 14 18:51:33 UTC 2013



It depends on the alert.

For example, these alerts will never trigger with your current
configuration:

> emerging-scan.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; threshold: type limit, track by_src, seconds 600, count 1; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2;)
> emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; threshold: type limit, track by_src, seconds 600, count 1; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:3;)

You would need a rule like this:

$HOME_NET any -> $HOME_NET any

or

any any -> $HOME_NET any

... if you want to test for internal attacks.

In my production configuration I actually use a BPF rule to prevent
Suricata from processing internal traffic.

-Coop

On 6/14/2013 11:07 AM, mouna amani wrote:
> Here is the deal: I am a beginner with IPS and everything.
> I have a host A with IP 192.168.50.3
> and a host B with IP 192.168.50.1.
> Host B sometimes sends good traffic and sometimes attacks.
> I set HOME_NET:192.168.50.0/24
> and EXTERNAL_NET: "!$HOME_NET"
> If my host B decides to send bad traffic, will the IPS generate an alert?
> (I did not change the rules to drop)
> Or should I set EXTERNAL_NET to any?


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042