[Oisf-users] Ignore ips in rule

Matt Carothers matt at somedamn.com
Wed Aug 27 15:11:03 UTC 2014 

$EXTERNAL_NET is every IP that isn't in your $HOME_NET, and that includes
the Google DNS servers.  It's like saying [8.8.8.8,!8.8.8.8], which matches
both 8.8.8.8 and every IP that isn't 8.8.8.8, so it's always a true
condition.  You can fix it just by removing the $EXTERNAL_NET, unless your
sensor is positioned where it would see port 53 traffic between internal
hosts.  If that's the case, you can exclude particular IPs by putting a pass
rule ahead of the alert rule.

 

- Matt

 

From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Xavier Romero
Sent: Wednesday, August 27, 2014 4:40 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Ignore ips in rule

 

Hello,

 

I've this custom rule:

 

...

alert udp [$EXTERNAL_NET,!$GOOGLE_DNS] 53 -> [$HOME_NET,!$DNS_SERVERS] any
(msg:"Possible atac DNS"; threshold: type both, track by_dst, count 600,
seconds 60; classtype:attempted-dos; sid:101111009; rev:5;)

...

 

 

And this definition on suricata.yaml:

 

...

# Holds variables that would be used by the engine.

vars:

 

  # Holds the address group vars that would be passed in a Signature.

  # These would be retrieved during the Signature address parsing stage.

  address-groups:

 

    HOME_NET: "[x.x.x.x/24]"

 

    GOOGLE_DNS: "[8.8.8.8,8.8.4.4]"

 

    EXTERNAL_NET: "!$HOME_NET"

 

    HTTP_SERVERS: "$HOME_NET"

 

    SMTP_SERVERS: "$HOME_NET"

 

    SQL_SERVERS: "$HOME_NET"

 

    DNS_SERVERS: "[a.a.a.a,b.b.b.b,c.c.c.c,d.d.d.d]"

 

    TELNET_SERVERS: "$HOME_NET"

...

 

However, there are alerts like these:

...

08/27/2014-10:33:37.344581  [**] [1:101111009:5] Possible atac DNS [**]
[Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:53
-> a.b.c.d:52721

08/27/2014-10:33:48.511591  [**] [1:101111009:5] Possible atac DNS [**]
[Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:53
-> a.b.c.d:35899

...

 

I'm expecting to totally ignore packets whith IP source 8.8.8.8. What I'm
doing wrong?

 

I've also tried

  [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]]

Instead of:

 [$EXTERNAL_NET,!$GOOGLE_DNS]

With the same result.

 

Each time I modify the rule, I increment REV number and restart suricata.

 

Thank you very much,

Xavier Romero

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140827/3ea519fb/attachment-0002.html>

More information about the Oisf-users mailing list