[Oisf-users] IPS mode drop Problem on suri 1.4.5R

Victor Julien lists at inliniac.net
Thu Sep 5 13:51:30 UTC 2013


On 08/22/2013 10:49 AM, Stefan Sabolowitsch wrote:
> Hi all,
> I have here…
> Executing: suricata --user sguil --group sguil -c
> /etc/nsm/Wecker-intern/suricata.yaml -q 1 -l /nsm/sensor_data/Wecker-intern
> 22/8/2013 -- 06:00:26 - <Info> - This is Suricata version 1.4.5 RELEASE
> 22/8/2013 -- 06:00:26 - <Info> - CPUs/cores online: 4
> 22/8/2013 -- 06:00:26 - <Info> - Enabling fail-open on queue
> 22/8/2013 -- 06:00:26 - <Info> - NFQ running in standard ACCEPT/DROP mode
> 
> I have a problem with a rule that I don't understand here.
> Although this rule is marked as alert, Suricata drops the data stream.
> If I disable the rule, the data is forwarded (not dropped).
> 
> Why ?
> Any idea?
> 
> Thx
> Stefan
> 
> rules:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"51"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
> 
> Fast.log
> 08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80
> 
> drop.log
> 08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0

drop.log entries do not necessarily relate to rules that alert.
Especially if you use the stream.inline option, some bad packets are dropped
by the stream engine. Mostly retransmissions.

Does the entire connection get dropped?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
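One way to check the point made in the reply, as an added example that is not part of this thread or of Suricata: join drop.log entries to fast.log alerts on the flow 5-tuple and timestamp, and flag drops that have no alert behind them. The sample log lines are constructed after the formats quoted above (not from a live sensor), and the "retransmission" label is a heuristic assumption of this script (the same SEQ dropped more than once for one flow), not something Suricata records itself.

```python
"""Correlate Suricata fast.log alerts with drop.log entries by flow.

Added example, not code from the mailing-list thread or from Suricata.
Sample lines are constructed after the formats quoted in the thread.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"

# Constructed sample data: one alert, then three drops. Drops 1 and 2 are the
# alerted flow (drop 2 repeats the SEQ of drop 1); drop 3 is an unrelated flow.
FAST_LOG = (
    "08/22/2013-08:36:38.770429  [**] [1:2011582:31] ET POLICY Vulnerable Java "
    "Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.168.0.143:4803 -> 156.151.59.19:80\n"
)
DROP_LOG = (
    "08/22/2013-08:36:38.770429: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 "
    "LEN=221 TOS=0x00 TTL=128 ID=18727 PROTO=TCP SPT=4803 DPT=80 "
    "SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0\n"
    "08/22/2013-08:36:41.500000: IN= OUT= SRC=192.168.0.143 DST=156.151.59.19 "
    "LEN=221 TOS=0x00 TTL=128 ID=18730 PROTO=TCP SPT=4803 DPT=80 "
    "SEQ=2569271462 ACK=1691480634 WINDOW=64240 ACK PSH RES=0x00 URGP=0\n"
    "08/22/2013-08:40:12.000000: IN= OUT= SRC=192.168.0.77 DST=10.0.0.5 "
    "LEN=52 TOS=0x00 TTL=64 ID=100 PROTO=TCP SPT=51000 DPT=443 "
    "SEQ=1 ACK=1 WINDOW=1000 ACK RES=0x00 URGP=0\n"
)

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
DROP_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+):\s+.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)\s+"
    r"SPT=(?P<sport>\d+)\s+DPT=(?P<dport>\d+).*?SEQ=(?P<seq>\d+)"
)

Flow = Tuple[str, str, str, str, str]  # proto, src, sport, dst, dport


def _flow(m) -> Flow:
    return (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])


def parse_fast(text: str) -> Dict[Flow, List[Tuple[datetime, str]]]:
    """Map each alerted flow to its (timestamp, sid) alerts."""
    alerts: Dict[Flow, List[Tuple[datetime, str]]] = {}
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.setdefault(_flow(m), []).append(
                (datetime.strptime(m["ts"], TS_FMT), m["sid"]))
    return alerts


def classify_drops(fast_text: str, drop_text: str,
                   window: float = 1.0) -> List[Dict[str, Optional[str]]]:
    """Label every drop.log entry:
    'alert'          an alert for the same flow within `window` seconds
    'retransmission' this flow already had a drop with the same SEQ (heuristic)
    'uncorrelated'   nothing in fast.log explains the drop
    """
    alerts = parse_fast(fast_text)
    seen_seq = set()
    out: List[Dict[str, Optional[str]]] = []
    for line in drop_text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        flow, ts = _flow(m), datetime.strptime(m["ts"], TS_FMT)
        sid = next((s for ats, s in alerts.get(flow, [])
                    if abs((ts - ats).total_seconds()) <= window), None)
        if sid is not None:
            label = "alert"
        elif (flow, m["seq"]) in seen_seq:
            label = "retransmission"
        else:
            label = "uncorrelated"
        seen_seq.add((flow, m["seq"]))
        out.append({"ts": m["ts"], "flow": ":".join(flow), "seq": m["seq"],
                    "label": label, "sid": sid})
    return out


if __name__ == "__main__":
    for entry in classify_drops(FAST_LOG, DROP_LOG):
        print(entry["ts"], entry["flow"], entry["label"], entry["sid"] or "")
```

An "alert" label only shows that the rule fired on the same flow at the same time; a rule with the `alert` action does not itself drop, so the packet was dropped for some other reason (for example by the stream engine when stream.inline is enabled). Drops labelled "retransmission" or "uncorrelated" are the ones to look at when deciding whether the whole connection, rather than a few out-of-order or retransmitted segments, is being dropped.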
