[Oisf-users] Configure Suricata drop rule to drop whole source

First Root | Michael mh at first-root.com
Fri Aug 22 17:43:57 UTC 2014


Hello Cooper,

Thanks for your response.
It is not the case that I simply want to drop specific traffic, but this was the easiest way to show what my problem is ;).

Is there any way to define how long the drop is valid, as I asked in my last email?

Regards
Michael

On 22.08.2014 at 18:24, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> I think you want to add the "flow" keyword as follows to drop rules:
> 
> > # IPS, enforce
> > drop tcp any any -> any 80 (msg:"SURICATA DROP Port 80 but not HTTP";
> > flow:to_server; app-layer-protocol:!http; sid:993001;)
> > drop tcp any any -> any 443 (msg:"SURICATA DROP Port 443 but not
> > SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993002;)
> > drop tcp any any -> any 993 (msg:"SURICATA DROP Port 993 but not
> > SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993003;)
> 
> If you really want to drop port 80 client traffic with suricata, this is
> probably what you want:
> 
> > drop tcp any any -> any 80 (msg: "drop port 80"; flow:from_client; classtype:drop-rule;sid:14051;rev:1; threshold: type both, track by_src, count 10, seconds 10;)
> 
> See:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
> 
> ...for more details.  But as I mentioned recently, it may be the case
> that suricata waits for at least the three-way handshake to make the
> decision to drop a flow.
> 
> At the risk of being pedantic, if you really just want to block port 80
> at layer 4, use a firewall.  The whole idea of an IPS is be able to
> detect and drop application layer traffic.
> 
> -Coop
> 
> On 8/22/2014 8:08 AM, First Root | Michael wrote:
> > Hello,
> >
> > we are playing around with some basic drop rules for suricata inline and are running this very basic rule:
> > drop tcp any any -> any 80 (msg: "drop port 80"; classtype:drop-rule;sid:14051;rev:1; threshold: type both, track by_src, count 10, seconds 10;)
> >
> > From the logs we can see that it drops the connection, but based on the source IP address and source port, which is, I think, not what we want, as the source port is given by the OS and should be random.
> > So is there a way to configure suricata to keep track of this based on the source IP and not source IP and source port?
> > Also, is it possible that suricata creates a drop rule for the whole source IP address and not the source IP and source port?
> >
> > Regards
> > Michael
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
> 
> 
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> 

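To make the `track by_src` question in this thread concrete, here is a small Python model, added for this page and not Suricata's own code, of a per-source-IP threshold counter run over constructed rule matches whose source ports change on every connection. The `type both` semantics are simplified to "fire once per window after `count` matches within `seconds`" and the sample timestamps and addresses are my assumptions; the exact behaviour, including whether suppressed matches are still dropped, must be checked against the Suricata threshold documentation.

```python
from typing import Dict, List, Tuple

# Constructed sample matches of `drop tcp any any -> any 80` as
# (timestamp in seconds, source IP, source port). The source port is
# different for every connection, as the OS picks it.
MATCHES: List[Tuple[float, str, int]] = (
    [(1.0 + i * 0.5, "192.0.2.10", 40000 + i) for i in range(12)]  # 12 hits
    + [(2.0 + i * 0.5, "192.0.2.20", 50000 + i) for i in range(5)]  # 5 hits
    + [(20.0, "192.0.2.10", 41000)]                                  # late hit
)


class ThresholdBoth:
    """Simplified model (an assumption, not Suricata's implementation) of
    `threshold: type both, track by_src, count N, seconds S`: one counter
    per source IP; the rule fires once a window of S seconds has seen N
    matches, and fires at most once per window."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        # src_ip -> [window_start, matches_in_window, already_fired]
        self.state: Dict[str, list] = {}

    @staticmethod
    def key(src_ip: str, src_port: int) -> str:
        # track by_src keys on the source address only; the port is ignored,
        # which is why changing ephemeral ports do not reset the counter.
        return src_ip

    def match(self, ts: float, src_ip: str, src_port: int) -> bool:
        """Return True when the rule fires for this match."""
        st = self.state.get(self.key(src_ip, src_port))
        if st is None or ts - st[0] > self.seconds:
            st = self.state[self.key(src_ip, src_port)] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run(matches: List[Tuple[float, str, int]], count: int = 10,
        seconds: float = 10.0) -> List[Tuple[float, str, int]]:
    """Replay matches in time order; return the ones on which the rule fires."""
    th = ThresholdBoth(count, seconds)
    return [m for m in sorted(matches) if th.match(*m)]


if __name__ == "__main__":
    for ts, ip, port in run(MATCHES):
        print(f"t={ts:5.1f} fired for {ip} (port {port} at the time)")
```

Only the tenth match from 192.0.2.10 fires, despite every match using a different source port; 192.0.2.20 never reaches the count, and the match at t=20 starts a fresh window.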