[Oisf-users] whitelist with timeout?

Victor Julien lists at inliniac.net
Thu Oct 13 14:37:35 UTC 2016


On 12-10-16 20:41, John Devine wrote:
> thanks for your input. That's the path I'm going down at the moment,
> creating my own custom rules file. The key piece I need to know is if
> there is timeout functionality on the rules and where, if at all, does
> suricata keep track of what it has blocked. I want to be able to see an
> IP that was blocked by suricata, unblock it "for now" (not whitelist it
> entirely) but have it alert again if it generates bad traffic in the future.

Suricata has no automatic built-in blacklist/whitelist and doesn't keep
track of drops. You can add something like it yourself through the
rules. Below is an example of rules incoming to my SSH server.

The first 2 rules match on an SSH software version often used in bots.
They drop the traffic and create an 'xbit' 'badssh' for the source IP.
It expires in an hour.

drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming"; \
  flow:to_server,established; ssh.softwareversion:"libssh"; \
  xbits:set, badssh, track ip_src, expire 3600; sid:4000000005;)
drop ssh any any -> $MYSERVER 22 (msg:"DROP PUTTY incoming"; \
  flow:to_server,established; ssh.softwareversion:"PUTTY"; \
  xbits:set, badssh, track ip_src, expire 3600; sid:4000000007;)

Then I have a rule that simply drops any incoming traffic to that server
that is on that 'badssh' list. *

drop ssh any any -> $MYSERVER 22 (msg:"DROP BLACKLISTED"; \
  xbits:isset, badssh, track ip_src; sid:4000000006;)

*) Technically it works the other way around: it is stored in a host
table, where per-host information about which bits are set is kept.

You can create your own whitelist/blacklist logic with timeouts using
the xbits keyword.

Cheers,
Victor

> 
> 
> 
> ------------------------------------------------------------------------
> *From:* Cooper F. Nelson <cnelson at ucsd.edu>
> *Sent:* Wednesday, October 12, 2016 1:21 PM
> *To:* John Devine; oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] whitelist with timeout?
>  
> Sort of.
> 
> What you could do is create pass rules to whitelist the IPs and then
> store them in a separate rules file, like 'pass.rules'.
> 
> You could then have a separate process to add/remove pass rules in this
> file via cron or some other mechanism, then trigger a rule reload on the
> suricata process.
> 
> -Coop
> 
> On 10/12/2016 5:49 AM, John Devine wrote:
>> Hi all,
>> 
>> Quick question regarding suricata: is it possible to whitelist IPs with a specific timeout in suricata?
>> 
>> Thanks
>> 
>> 
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>> 
> 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------