[Oisf-users] Configure Suricata drop rule to drop whole source

Cooper F. Nelson cnelson at ucsd.edu
Fri Aug 22 16:24:13 UTC 2014



I think you want to add the "flow" keyword as follows to drop rules:

> # IPS, enforce
> drop tcp any any -> any 80 (msg:"SURICATA DROP Port 80 but not HTTP";
> flow:to_server; app-layer-protocol:!http; sid:993001;)
> drop tcp any any -> any 443 (msg:"SURICATA DROP Port 443 but not
> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993002;)
> drop tcp any any -> any 993 (msg:"SURICATA DROP Port 993 but not
> SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993003;)

If you really want to drop port 80 client traffic with suricata, this is
probably what you want:

> drop tcp any any -> any 80 (msg: "drop port 80"; flow:from_client; classtype:drop-rule;sid:14051;rev:1; threshold: type both, track by_src, count 10, seconds 10;)

See:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords

...for more details.  But as I mentioned recently, it may be the case
that suricata waits for at least the three-way handshake to make the
decision to drop a flow.

At the risk of being pedantic, if you really just want to block port 80
at layer 4, use a firewall.  The whole idea of an IPS is to be able to
detect and drop application layer traffic.

-Coop

On 8/22/2014 8:08 AM, First Root | Michael wrote:
> Hello,
> 
> we are playing around with some basic drop rules for suricata inline and are running this very basic rule:
> drop tcp any any -> any 80 (msg: "drop port 80"; classtype:drop-rule;sid:14051;rev:1; threshold: type both, track by_src, count 10, seconds 10;)
> 
> From the logs we can see that it drops the connection but based on the source IP address and source port, which is, I think, not what we want as the source port is given by the OS and should be random.
> So is there a way to configure suricata to keep track of this based on the source IP and not source IP and source port?
> Also, is it possible that suricata creates a drop rule for the whole source ip address and not the source ip and source port?
> 
> Regards
> Michael
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
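To make concrete what the `threshold: type both, track by_src, count 10, seconds 10;` option in the rule above actually counts, here is an added Python model of that threshold logic (example code written for this thread, not Suricata's own implementation) run over constructed sample events. It assumes the documented semantics of `type both`: after `count` matches from one tracked source within `seconds`, fire once and stay quiet for the rest of that window; `track by_src` keys on the source IP alone, so the randomised source port never matters.

```python
import re

# The rule quoted in the reply above; only its threshold options are parsed here.
RULE = ('drop tcp any any -> any 80 (msg: "drop port 80"; flow:from_client; '
        'classtype:drop-rule;sid:14051;rev:1; '
        'threshold: type both, track by_src, count 10, seconds 10;)')


def parse_threshold(rule):
    """Return the threshold options of a Suricata rule as a dict, or None."""
    m = re.search(r'threshold:\s*([^;]+);', rule)
    if not m:
        return None
    opts = {}
    for part in m.group(1).split(','):
        key, value = part.strip().split(None, 1)
        opts[key] = int(value) if value.isdigit() else value
    return opts


def threshold_both(events, count, seconds, track='by_src'):
    """Model of 'threshold: type both' (assumed semantics, see lead-in).
    events: iterable of (timestamp_seconds, src_ip, src_port, dst_ip).
    Returns [(timestamp, tracked_key)] for every time the rule fires."""
    state = {}   # tracked key -> [window_start, hits_in_window, already_fired]
    fired = []
    for ts, src_ip, src_port, dst_ip in events:
        key = src_ip if track == 'by_src' else dst_ip   # port is never part of the key
        st = state.get(key)
        if st is None or ts - st[0] >= seconds:          # start a fresh window
            st = state[key] = [ts, 0, False]
        st[1] += 1
        if st[1] >= count and not st[2]:                 # fire once per window
            st[2] = True
            fired.append((ts, key))
    return fired


def run_sample():
    """Constructed sample: one host hits port 80 once a second from a different
    source port each time (22 hits), another host only 3 times."""
    events = [(t, '198.51.100.7', 40000 + t, '203.0.113.10') for t in range(22)]
    events += [(t, '198.51.100.9', 51000, '203.0.113.10') for t in range(3)]
    events.sort()
    opts = parse_threshold(RULE)
    return threshold_both(events, opts['count'], opts['seconds'], opts['track'])


if __name__ == '__main__':
    print(run_sample())   # fires at t=9 and t=19 for 198.51.100.7 only
```

Despite 22 distinct source ports, the host is tracked as a single source and the rule fires once per 10-second window; the host with three hits never reaches the count.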


