[Oisf-users] Two Suricata Rule Questions (Andreas Herz)

Nasir Bilal bilalbox at gmail.com
Mon Jan 4 16:35:08 UTC 2016


Andreas,

Thanks, I actually found a good way to perform similar functionality to the
ipreputation using LUA scripting and http-headers:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting

As for the HTTPS, I was able to use "tls.subject" keyword. Still struggling
to get that to work with LUA scripting, but it works when the tls.subject
is referenced within the suricata rule itself.

Thanks again for your reply!

Regards,
Nasir


On Sun, Jan 3, 2016 at 12:00 PM <
oisf-users-request at lists.openinfosecfoundation.org> wrote:

> Today's Topics:
>
>    1. Re: Two Suricata Rule Questions (Andreas Herz)
>    2. SonicWall Global VPN Client Incompatible with Suricata
>       Follow-up (Leonard Jacobs)
>    3. Re: Rule Processing Order Issue (Özkan KIRIK)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 2 Jan 2016 20:12:43 +0100
> From: Andreas Herz <andi at geekosphere.org>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Two Suricata Rule Questions
> Message-ID: <20160102191243.GC29003 at kvmbude>
> Content-Type: text/plain; charset=utf-8
>
> On 24/12/15 at 17:12, Nasir Bilal wrote:
> > I have a couple of questions about Suricata/Snort rules:
> > 1) Is there a way to reference a list of strings in a suricata rule,
> > similar to the ipreputation engine, and the way it references external
> > text files full of IP's? We're looking at using Suricata for URL filtering.
>
> Could you describe this a little more?
> But I guess if you want to have the same way iprep works, that's a
> feature request.
>
> > 2) Similar to the first question, is there a way to read specifically
> > from the SSL Server Certificate fields in the SSL/TLS handshake during HTTPS
> > session initiation? We'd like to perform URL filtering on HTTPS traffic
> > without SSL decrypt, and I know that many vendors do this by reading the
> > fields of the SSL server certificates.
>
> AFAIK that also depends on how the SSL/TLS is configured, with SNI you
> could already check the SNI for the URL.
>
> There are also TLS keywords:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords
>
> --
> Andreas Herz
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 2 Jan 2016 14:16:26 -0600
> From: Leonard Jacobs <ljacobs at netsecuris.com>
> To: Peter Manev <petermanev at gmail.com>,
>         oisf-users at openinfosecfoundation.org
> Subject: [Oisf-users] SonicWall Global VPN Client Incompatible with
>         Suricata        Follow-up
> Message-ID: <66620115-11604 at mail1.netsecuris.com>
> Content-Type: text/plain; charset="utf-8"
>
> We tried running the latest version of SonicWALL's Global VPN Client with
> no signature rules running on Suricata and get the same results. VPN Phase
> 1 ISAKMP requests do not complete.
>
>
> Any other ideas? SonicWALL refuses to help. It works fine with a way
> older version of VPN Client.
>
>
>
> Thanks.
>
> Leonard
>
> ------------------------------
>
> Message: 3
> Date: Sun, 3 Jan 2016 00:01:31 +0200
> From: Özkan KIRIK <ozkan.kirik at gmail.com>
> To: Peter Manev <petermanev at gmail.com>
> Cc: "oisf-users at lists.openinfosecfoundation.org"
>         <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Rule Processing Order Issue
> Message-ID:
>         <
> CAAcX-AGmQGODS+T5Poqmj1PNxeUNnnMVgNCtp4wUbUrE3CS6kA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thank you Peter,
>
> But this configuration doesn't disable ordering. If drop action processed
> first, all packets to userGroup-25 will be dropped. If pass action
> processed first, drop rule for Others will not be processed. So I need to
> disable rule ordering.
> Is there a way for disabling rule ordering?
>
> Thanks again.
>
> On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <petermanev at gmail.com> wrote:
>
> > On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> > > Hi,
> > >
> > > Happy new year to everybody,
> > >
> > > I have a trouble with suricata rule processing order. I'm trying to
> > > apply different policies to different users. My rules are as below. But
> > > suricata processes pass first, drop second. So that, the last rule
> > > "pass any.." allows everybody.
> > >
> > > Can suricata run my rules as I wrote without reordering?
> >
> > You also have some default ordering that can be further configured in
> > suricata.yaml -
> >
> > https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032
> >
> >
> > >
> > > Thanks
> > >
> > > # Ruleset for userGroup-25
> > > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
> > > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
> > > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
> > >
> > > ...
> > > #Rules for other userGroups
> > > ...
> > >
> > > # Ruleset for Others
> > > drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
> > > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
> > >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
>
> ------------------------------
>
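Nasir's reply above says he got iprep-like list matching working with Lua scripting on HTTP headers, but posts no script. The following is an added example of that approach written for this page; it is not Nasir's script and not part of the Suricata project. It loads a list of hostnames from a file at script initialisation and matches an HTTP transaction when the request Host header is on the list or is a subdomain of a listed entry. The blocklist path, the rule that references the script, and the list file format are all assumptions; `init`, `match` and `HttpGetRequestHost()` are the documented Suricata Lua detection API.

```lua
-- Added example: Suricata Lua detection script that emulates an
-- ipreputation-style external list, but for HTTP Host headers.
-- Assumed path; one hostname per line, '#' starts a comment.
local blocklist_path = "/etc/suricata/rules/blocked-hosts.txt"
local blocked = {}

-- Read the list once, at init time, into a lookup table keyed by
-- lower-cased hostname. Returns the number of entries loaded.
local function load_list(path)
    local f = io.open(path, "r")
    if not f then return 0 end
    local n = 0
    for line in f:lines() do
        local host = line:gsub("%s+", ""):lower()
        if host ~= "" and host:sub(1, 1) ~= "#" then
            blocked[host] = true
            n = n + 1
        end
    end
    f:close()
    return n
end

-- Suricata calls init() when the script is loaded; the returned table
-- declares which data the match() function needs (here: HTTP state).
function init(args)
    load_list(blocklist_path)
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

-- Strip an optional ":port" suffix and lower-case the Host value.
local function normalise(host)
    local h = host:lower():gsub(":%d+$", "")
    return h
end

-- Suricata calls match() per HTTP transaction; returning 1 makes the
-- rule match, 0 means no match. Exact hits and parent-domain hits both
-- count, so "a.b.example.com" matches a listed "example.com".
function match(args)
    local host = HttpGetRequestHost()
    if host == nil then return 0 end
    host = normalise(host)
    if blocked[host] then return 1 end
    local i = host:find("%.")
    while i do
        if blocked[host:sub(i + 1)] then return 1 end
        i = host:find("%.", i + 1)
    end
    return 0
end
```

A rule that uses it would look like `alert http any any -> any any (msg:"Host on URL blocklist"; lua:blocked-hosts.lua; sid:1000001; rev:1;)` (the keyword was spelled `luajit` in Suricata releases of this era, `lua` in current ones), with the script placed where the rule files are loaded from. Two caveats: the list is read once, so changes to the file need a rule reload; and recent Suricata releases sandbox the Lua standard library for detection scripts, so `io.open` may be unavailable unless that restriction is lifted in suricata.yaml, in which case the list has to be embedded in the script instead. The same structure works for the HTTPS case Nasir mentions by declaring `needs["protocol"] = "tls"` and checking `TlsGetSNI()` against the list, which avoids decryption just as the `tls.subject` keyword does.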

