[Oisf-users] Ineffective rules

Andreas Moe moe.andreas at gmail.com
Mon May 4 21:10:35 UTC 2015


You have set them up to alert in any direction (the '<>') [1]. If you had
say A -> B it would only alert if this was a packet from host A towards
host B. Also, it might be better to define some net variables like, say,
HOME_NET [2] and so on to better divide where the rules will trigger, rather
than doing single IP management in the rules.

[1] http://manual.snort.org/node29.html#SECTION00425000000000000000
[2] https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Rule-vars

2015-05-04 23:05 GMT+02:00 James Moe <jimoe at sohnen-moe.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>   suricata 2.0.7
>   linux 3.16.7-21-desktop x86_64
>
>   Last night suricata exploded in action, logging huge numbers
> (2,688,052) of "invalid ack" alerts between 2:19am and 8:58am (when I
> stopped suricata). The alerts were only two SIDs: 2210029 and 2210045.
>
>   I have two problems with this:
> 1. Why are the modified rules (see below) not effective? My
> understanding is that the alert would be valid for all IPs *except*
> 192.168.69.245 in either direction.
>
> 2. Why do these alerts stop after restarting suricata?
>
>
> - ----[ modified rules ]----
> alert tcp ![192.168.69.245] any <> any any \
>   (msg:"SURICATA STREAM ESTABLISHED invalid ack"; \
>   stream-event:est_invalid_ack; sid:2210029; rev:1;)
>
> alert tcp ![192.168.69.245] any <> any any \
>   (msg:"SURICATA STREAM Packet with invalid ack"; \
>   stream-event:pkt_invalid_ack; sid:2210045; rev:1;)
> - ----[ end ]----
>
> - ----[ 2 of 2,688,052 alerts ]----
> 05/04/2015-02:19:39.051549  [**] [1:2210029:1] \
>   SURICATA STREAM ESTABLISHED invalid ack [**] \
>   [Classification: (null)] [Priority: 3] {TCP} \
>   192.168.69.245:2049 -> 192.168.69.115:883
>
> 05/04/2015-02:19:39.051549  [**] [1:2210045:1] \
>   SURICATA STREAM Packet with invalid ack [**] \
>   [Classification: (null)] [Priority: 3] {TCP} \
>   192.168.69.245:2049 -> 192.168.69.115:883
> - ----[ end ]----
>
> 28/4/2015 -- 20:10:34 - <Info> - 48 rule files processed. 16417 rules
> successfully loaded, 0 rules failed
>
> 28/4/2015 -- 20:10:38 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)]
> - - Using Pcap capture with GRO or LRO activated can lead to capture
> problems
>
>
> - --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iEYEARECAAYFAlVH3zEACgkQzTcr8Prq0ZNXSwCfbmt8fusI1DV3tTgvYFDXPKYB
> B9kAoLUei7QRXad2Y9E8R7SLN2/Yf+3A
> =vvmL
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
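As an added illustration of the direction point made in the reply above (this is example code written for this page, not anything from the Suricata project or from either poster), the small evaluator below applies a Snort/Suricata rule header to a packet the way the engine does: once as written, and for `<>` a second time with source and destination swapped. Run against the two rules and the alert line quoted in the original mail, it shows why `![192.168.69.245] any <> any any` still fires on traffic from 192.168.69.245: the swapped pass puts the unconstrained `any any` side on the source. The HOME_NET value, the `$HOME_NET`-based rule and its sid are constructed for the example and are not from the page.

```python
import ipaddress

# Rules quoted in the original mail, joined onto one line (backslash continuations removed).
RULE_BIDIR = ('alert tcp ![192.168.69.245] any <> any any '
              '(msg:"SURICATA STREAM ESTABLISHED invalid ack"; '
              'stream-event:est_invalid_ack; sid:2210029; rev:1;)')
# Same rule with a one-way operator, as suggested in the reply.
RULE_ONEWAY = RULE_BIDIR.replace("<>", "->")

# Constructed example of the rule-variable approach; HOME_NET value and sid are assumptions.
RULE_VARS = ('alert tcp !$HOME_NET any -> $HOME_NET any '
             '(msg:"constructed example: external to internal"; sid:1000001; rev:1;)')
EXAMPLE_VARS = {"HOME_NET": "[192.168.69.0/24]"}

# Packet from the alert quoted in the mail: 192.168.69.245:2049 -> 192.168.69.115:883
ALERT_PACKET = ("192.168.69.245", 2049, "192.168.69.115", 883)


def expand_vars(rule, variables):
    """Substitute $NAME with its configured value (what suricata.yaml 'vars' provides)."""
    for name, value in variables.items():
        rule = rule.replace("$" + name, value)
    return rule


def parse_addr(spec):
    """Parse 'any', '1.2.3.4', '[a,b]' or a '!'-negated form into (negated, networks)."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip().strip("[]")
    if spec == "any":
        return negate, None
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]
    return negate, nets


def parse_port(spec):
    """Parse 'any', '80', '1024:', ':1023', '[a,b]' or a '!'-negated form into (negated, ranges)."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip().strip("[]")
    if spec == "any":
        return negate, None
    ranges = []
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition(":")
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else (lo if not sep else 65535)
        ranges.append((lo, hi))
    return negate, ranges


def addr_matches(parsed, ip):
    negate, nets = parsed
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate          # negation flips the result


def port_matches(parsed, port):
    negate, ranges = parsed
    hit = True if ranges is None else any(lo <= port <= hi for lo, hi in ranges)
    return hit != negate


def parse_header(rule):
    """Split the header (everything before the options '(') into its seven fields."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("unsupported rule header: " + rule)
    action, proto, src, sport, direction, dst, dport = fields
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport)}


def header_matches(rule, src_ip, src_port, dst_ip, dst_port, variables=None):
    """Return 'as written', 'swapped', or None, telling which pass of the header matched."""
    h = parse_header(expand_vars(rule, variables or {}))

    def one_way(a, ap, b, bp):
        return (addr_matches(h["src"], a) and port_matches(h["sport"], ap)
                and addr_matches(h["dst"], b) and port_matches(h["dport"], bp))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return "as written"
    # '<>' is shorthand for a second evaluation with the two sides exchanged.
    if h["dir"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port):
        return "swapped"
    return None


if __name__ == "__main__":
    for label, rule, variables in (("bidirectional", RULE_BIDIR, None),
                                   ("one-way", RULE_ONEWAY, None),
                                   ("HOME_NET-based", RULE_VARS, EXAMPLE_VARS)):
        print(label, "->", header_matches(rule, *ALERT_PACKET, variables=variables))
```

With the packet from the quoted alert, the bidirectional rule matches on the swapped pass, the one-way rule does not match at all, and the HOME_NET rule (external source, internal destination) also stays quiet because both hosts are inside the assumed HOME_NET. Real Suricata address lists may contain spaces and nested negations that this whitespace-based parser does not handle.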