[Oisf-users] Ignore ips in rule

Xavier Romero XRomero at nexica.com
Thu Aug 28 10:50:07 UTC 2014 

Hi,

You're right. Another user pointed me in the right direction by suggesting to put in first the negated range:
[!$GOOGLE_DNS,$EXTERNAL_NET]

Which also worked OK. I guess than removing the $EXTERNAL_NET would be better for performance.

Thank you very much,
Xavier Romero

De: Matt Carothers [mailto:matt at somedamn.com]
Enviado el: dimecres, 27 d'agost de 2014 17:11
Para: Xavier Romero; oisf-users at lists.openinfosecfoundation.org
Asunto: RE: [Oisf-users] Ignore ips in rule

$EXTERNAL_NET is every IP that isn't in your $HOME_NET, and that includes the Google DNS servers.  It's like saying [8.8.8.8,!8.8.8.8], which matches both 8.8.8.8 and every IP that isn't 8.8.8.8, so it's always a true condition.  You can fix it just by removing the $EXTERNAL_NET, unless your sensor is positioned where it would see port 53 traffic between internal hosts.  If that's the case, you can exclude particular IPs by putting a pass rule ahead of the alert rule.

- Matt

From: oisf-users-bounces at lists.openinfosecfoundation.org<mailto:oisf-users-bounces at lists.openinfosecfoundation.org> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Xavier Romero
Sent: Wednesday, August 27, 2014 4:40 AM
To: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Ignore ips in rule

Hello,

I've this custom rule:

...
alert udp [$EXTERNAL_NET,!$GOOGLE_DNS] 53 -> [$HOME_NET,!$DNS_SERVERS] any (msg:"Possible atac DNS"; threshold: type both, track by_dst, count 600, seconds 60; classtype:attempted-dos; sid:101111009; rev:5;)
...


And this definition on suricata.yaml:

...
# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[x.x.x.x/24]"

    GOOGLE_DNS: "[8.8.8.8,8.8.4.4]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "[a.a.a.a,b.b.b.b,c.c.c.c,d.d.d.d]"

    TELNET_SERVERS: "$HOME_NET"
...

However, there are alerts like these:
...
08/27/2014-10:33:37.344581  [**] [1:101111009:5] Possible atac DNS [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:53 -> a.b.c.d:52721
08/27/2014-10:33:48.511591  [**] [1:101111009:5] Possible atac DNS [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:53 -> a.b.c.d:35899
...

I'm expecting to totally ignore packets whith IP source 8.8.8.8. What I'm doing wrong?

I've also tried
  [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]]
Instead of:
 [$EXTERNAL_NET,!$GOOGLE_DNS]
With the same result.

Each time I modify the rule, I increment REV number and restart suricata.

Thank you very much,
Xavier Romero
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140828/6abcfaa4/attachment-0002.html>

More information about the Oisf-users mailing list