[Oisf-users] Ignore ips in rule

Matt Carothers matt at somedamn.com
Wed Aug 27 15:11:03 UTC 2014

$EXTERNAL_NET is every IP that isn't in your $HOME_NET, and that includes
the Google DNS servers.  It's like saying [,!], which matches
both and every IP that isn't, so it's always a true
condition.  You can fix it just by removing the $EXTERNAL_NET, unless your
sensor is positioned where it would see port 53 traffic between internal
hosts.  If that's the case, you can exclude particular IPs by putting a pass
rule ahead of the alert rule.


- Matt


From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Xavier Romero
Sent: Wednesday, August 27, 2014 4:40 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Ignore ips in rule




I've this custom rule:



alert udp [$EXTERNAL_NET,!$GOOGLE_DNS] 53 -> [$HOME_NET,!$DNS_SERVERS] any
(msg:"Possible atac DNS"; threshold: type both, track by_dst, count 600,
seconds 60; classtype:attempted-dos; sid:101111009; rev:5;)




And this definition on suricata.yaml:



# Holds variables that would be used by the engine.



  # Holds the address group vars that would be passed in a Signature.

  # These would be retrieved during the Signature address parsing stage.



    HOME_NET: "[x.x.x.x/24]"


    GOOGLE_DNS: "[,]"










    DNS_SERVERS: "[a.a.a.a,b.b.b.b,c.c.c.c,d.d.d.d]"





However, there are alerts like these:


08/27/2014-10:33:37.344581  [**] [1:101111009:5] Possible atac DNS [**]
[Classification: Attempted Denial of Service] [Priority: 2] {UDP}
-> a.b.c.d:52721

08/27/2014-10:33:48.511591  [**] [1:101111009:5] Possible atac DNS [**]
[Classification: Attempted Denial of Service] [Priority: 2] {UDP}
-> a.b.c.d:35899



I'm expecting to totally ignore packets whith IP source What I'm
doing wrong?


I've also tried


Instead of:


With the same result.


Each time I modify the rule, I increment REV number and restart suricata.


Thank you very much,

Xavier Romero

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140827/3ea519fb/attachment-0002.html>

More information about the Oisf-users mailing list