[Oisf-users] home vs external net and really_external_net

Peter Manev petermanev at gmail.com
Mon Dec 15 11:06:08 UTC 2014


On Fri, Dec 12, 2014 at 8:26 PM, Michał Purzyński
<michalpurzynski1 at gmail.com> wrote:
> Hello. I'm getting interesting results when trying to fine tune the
> rule set and get rid of most false positives. Some IP addresses /
> subnets were changed for this email.
>
> There are several variables defined, such as
>
>     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,50.50.50.0/20,224.0.0.0/4,!$PROXY_SERVERS]"
>
>     REALLY_EXTERNAL_NET: "!$HOME_NET"
>
>
> OK, so Really external net should be "everything not us" i.e.
> Internet. Now let's redefine rules so that they only trigger on
> North-South direction and only from/to the Internet
>
>
> alert http $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"ET TROJAN
> Common Downloader Header Pattern UH"; flow:established,to_server;
> content:"GET"; http_method; nocase; content:" HTTP/1.1|0d
> 0a|User-Agent|3a| "; content:"|0d 0a|Host|3a| "; within:100;
> content:"|0d 0a 0d 0a|"; within:60; content:!".microsoft.com|0d 0a|";
> content:!"|0d 0a|Accept"; content:!"|0d 0a|Cache"; content:!"|0d
> 0a|Connection"; flowbits:set,ET.header.bad; flowbits:set,ET.header.UH;
> classtype:bad-unknown; sid:2803274; rev:9;)
>
> alert http $REALLY_EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY
> PE EXE or DLL Windows file download HTTP"; flow:established,to_client;
> flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2;
> byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64;
> within:4; flowbits:set,ET.http.binary;
> reference:url,doc.emergingthreats.net/bin/view/Main/2000419;
> classtype:policy-violation; sid:2018959; rev:2;)
>
>
> Unfortunately both trigger on communication between hosts in
> 10.0.0.0/8. For example
>
> TROJAN Common Downloader Header Pattern triggers on
>
> 10.22.73.67 : 59212 -> 10.22.74.73 : 3128
>
> How is that even possible, when it should only work for
> really_external_net? What am I doing wrong here? :)
>
> --
> Cheers
> Michal
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Do you still have the same issue if you remove "!$PROXY_SERVERS" from
the home net? (or at least remove the negation - "!")

thanks

-- 
Regards,
Peter Manev

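An added example (not from this thread, and not Suricata's own code) that models address-group matching to show why the flow in the post can match: the "!$PROXY_SERVERS" entry carves the proxy out of HOME_NET, so "!$HOME_NET" puts it back in, and an internal-to-proxy flow satisfies "$HOME_NET any -> $REALLY_EXTERNAL_NET any". The PROXY_SERVERS value is an assumption (the post never shows it), and the evaluator is a simplified model rather than Suricata's parser.

```python
import ipaddress

# Constructed address-group variables modelled on the original post.
# PROXY_SERVERS is an assumption: the post never shows its value, and the
# address used is the destination of the puzzling alert (port 3128).
VARS = {
    "PROXY_SERVERS": "[10.22.74.73]",
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,"
                "50.50.50.0/20,224.0.0.0/4,!$PROXY_SERVERS]",
    "REALLY_EXTERNAL_NET": "!$HOME_NET",
}


def matches(expr: str, ip: str) -> bool:
    """Model of address-group matching (not Suricata's own parser):
    an IP matches a group when it is in some positive entry (or the
    group has no positive entries) and in none of the negated entries.
    '$VAR' and '!' are resolved recursively, so '!$HOME_NET' is the
    exact complement of HOME_NET. Nested brackets are not modelled."""
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip)
    if expr.startswith("$"):
        return matches(VARS[expr[1:]], ip)
    if expr == "any":
        return True
    if expr.startswith("["):
        entries = [e.strip() for e in expr[1:-1].split(",")]
        negatives = [e[1:] for e in entries if e.startswith("!")]
        positives = [e for e in entries if not e.startswith("!")]
        if any(matches(n, ip) for n in negatives):
            return False
        return not positives or any(matches(p, ip) for p in positives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def rule_matches(src_var: str, dst_var: str, src_ip: str, dst_ip: str) -> bool:
    """Does flow src -> dst satisfy the header 'alert ... src_var any -> dst_var any'?"""
    return matches(src_var, src_ip) and matches(dst_var, dst_ip)


if __name__ == "__main__":
    # The flow from the post: 10.22.73.67:59212 -> 10.22.74.73:3128
    print(matches("$HOME_NET", "10.22.74.73"))            # False: excluded via !$PROXY_SERVERS
    print(matches("$REALLY_EXTERNAL_NET", "10.22.74.73"))  # True: complement of HOME_NET
    print(rule_matches("$HOME_NET", "$REALLY_EXTERNAL_NET", "10.22.73.67", "10.22.74.73"))  # True
```

Dropping the negation, as suggested above, makes the proxy a plain HOME_NET member again, and the same flow no longer satisfies the rule header.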

