[Oisf-users] xbit 'expire' keyword?

John Devine john.devine at nuspire.com
Mon Oct 17 21:13:03 UTC 2016


Hi all,

So I am messing around with xbits in suricata and have created two custom rules:


alert ip any any -> any any (msg:"CUSTOM XBITS!"; \
xbits:set, testthisbit, track ip_src, expire 360; sid:5000000001;)

alert ip any any -> any any (msg:"XBITS!"; \
xbits:isset, testthisbit, track ip_src; sid:5000000002;)

My understanding is that the 'expire' keyword expires the set xbit after the time specified (6 minutes) yet after that time I am still getting alerts based on that xbit. How exactly does the 'expire' keyword work? How can I get an alert to stop alerting after a certain time using xbits?

Thanks
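Added example, not code from the thread: a Python model of the per-host bit table that Victor describes in his note, used to show why an `xbits:set` rule that matches every packet keeps the `expire` timer alive while a set rule that fires only on the suspicious SSH banner lets the bit lapse. It assumes that a repeated set refreshes the bit's expiry (how I read Suricata's host-bit code; check against your version) and that the set rule is evaluated before the isset rule on the same packet; the traffic trace, bit name and function names are constructed.

```python
from typing import Callable, Dict, List, Tuple

Packet = Tuple[int, str, str]  # (timestamp, source ip, payload marker)


class XbitHostTable:
    """Per-host bit store: (ip, bit name) -> absolute expiry time."""

    def __init__(self) -> None:
        self._bits: Dict[Tuple[str, str], int] = {}

    def set(self, ip: str, name: str, now: int, expire: int) -> None:
        # xbits:set ... expire N -> expiry becomes now + N; a repeated set
        # overwrites (refreshes) the stored expiry (assumption, see lead-in)
        self._bits[(ip, name)] = now + expire

    def isset(self, ip: str, name: str, now: int) -> bool:
        # xbits:isset: a bit whose expiry has passed is treated as unset
        exp = self._bits.get((ip, name))
        if exp is None:
            return False
        if exp < now:
            del self._bits[(ip, name)]  # lazy removal of an expired bit
            return False
        return True


def run_rules(packets: List[Packet], set_when: Callable[[str], bool],
              expire: int) -> List[Tuple[int, str, bool]]:
    """Evaluate a set rule (fires when set_when(payload) is true) and then an
    isset rule per packet; return (t, src, isset_alert) for each packet."""
    table, out = XbitHostTable(), []
    for t, src, payload in packets:
        if set_when(payload):
            table.set(src, "testthisbit", t, expire)
        out.append((t, src, table.isset(src, "testthisbit", t)))
    return out


# Constructed trace: one host sends a packet every 120 s for 30 minutes,
# then is silent until t=3000 s; expire is 360 s as in John's rule.
CHATTY: List[Packet] = [(t, "10.0.0.1", "data") for t in range(0, 1801, 120)]
CHATTY.append((3000, "10.0.0.1", "data"))


def john_style(packets: List[Packet] = CHATTY) -> List[Tuple[int, str, bool]]:
    # 'alert ip any any -> any any (... xbits:set ... expire 360 ...)' matches
    # every packet, so each packet refreshes the expiry and isset never lapses.
    return run_rules(packets, lambda p: True, 360)


def banner_style(packets: List[Packet] = CHATTY) -> List[Tuple[int, str, bool]]:
    # Victor's pattern: set only on the bad banner (here at t=0), so the bit
    # is gone 360 s later even though the host keeps sending.
    pkts = [(0, "10.0.0.1", "libssh")] + [pk for pk in packets if pk[0] > 0]
    return run_rules(pkts, lambda p: p == "libssh", 360)
```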


________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
Sent: Thursday, October 13, 2016 10:37 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] whitelist with timeout?

On 12-10-16 20:41, John Devine wrote:
> thanks for your input. That's the path I'm going down at the moment,
> creating my own custom rules file. The key piece I need to know is if
> there is timeout functionality on the rules and where, if at all, does
> suricata keep track of what it has blocked. I want to be able to see an
> IP that was blocked by suricata, unblock it "for now" (not whitelist it
> entirely) but have it alert again if it generates bad traffic in the future.

Suricata has no automatic built-in blacklist/whitelist and doesn't keep
track of drops. You can add something like it yourself through the
rules. Below is an example of rules incoming to my SSH server.

The first 2 rules match on a SSH software version often used in bots.
They drop the traffic and create an 'xbit' 'badssh' for the source ip.
It expires in an hour.

drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming"; \
  flow:to_server,established; ssh.softwareversion:"libssh"; \
  xbits:set, badssh, track ip_src, expire 3600; sid:4000000005;)
drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming"; \
  flow:to_server,established; ssh.softwareversion:"PUTTY"; \
  xbits:set, badssh, track ip_src, expire 3600; sid:4000000007;)

Then I have a rule that simply drops any incoming traffic to that server
that is on that 'badssh' list. *

drop ssh any any -> $MYSERVER 22 (msg:"DROP BLACKLISTED"; \
  xbits:isset, badssh, track ip_src; sid:4000000006;)

*) Technically it works the other way around, it is stored in a host
table where per host information about which bits are set is stored.

You can create your own whitelist/blacklist logic with timeouts using
the xbits keyword.

Cheers,
Victor

>
>
>
> ------------------------------------------------------------------------
> *From:* Cooper F. Nelson <cnelson at ucsd.edu>
> *Sent:* Wednesday, October 12, 2016 1:21 PM
> *To:* John Devine; oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] whitelist with timeout?
>
> Sort of.
>
> What you could do is create pass rules to whitelist the IPs and then
> store them in a separate rules file, like 'pass.rules'.
>
> You could then have a separate process to add/remove pass rules in this
> file via cron or some other mechanism, then trigger a rule reload on the
> suricata process.
>
> -Coop
>
> On 10/12/2016 5:49 AM, John Devine wrote:
>> Hi all,
>>
>> Quick question regarding suricata: is it possible to whitelist IPs with a specific timeout in suricata?
>>
>> Thanks
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
>


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
