[Oisf-users] xbit 'expire' keyword?

Victor Julien lists at inliniac.net
Mon Oct 17 21:19:20 UTC 2016


On 17-10-16 23:13, John Devine wrote:
> Hi all,
> 
> So I am messing around with xbits in suricata and have created two
> custom rules:
> 
> alert ip any any -> any any (msg:"CUSTOM XBITS!"; \
> xbits:set, testthisbit, track ip_src, expire 360; sid:5000000001;)
> 
> alert ip any any -> any any (msg:"XBITS!"; \
> xbits:isset, testthisbit, track ip_src; sid:5000000002;)
> 
> My understanding is that the 'expire' keyword expires the set xbit after
> the time specified (6 minutes) yet after that time I am still getting
> alerts based on that xbit. How exactly does the 'expire' keyword work?
> How can I get an alert to stop alerting after a certain time using xbits?

The timer is reset each time 5000000001 matches. So that should probably
be a more unique rule.

Cheers,
Victor



> 
> Thanks
> 
> 
> 
> ------------------------------------------------------------------------
> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org>
> on behalf of Victor Julien <lists at inliniac.net>
> *Sent:* Thursday, October 13, 2016 10:37 AM
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] whitelist with timeout?
>  
> On 12-10-16 20:41, John Devine wrote:
>> thanks for your input. That's the path I'm going down at the moment,
>> creating my own custom rules file. The key piece I need to know is if
>> there is timeout functionality on the rules and where, if at all, does
>> suricata keep track of what it has blocked. I want to be able to see an
>> IP that was blocked by suricata, unblock it "for now" (not whitelist it
>> entirely) but have it alert again if it generates bad traffic in the future.
> 
> Suricata has no automatic built-in blacklist/whitelist and doesn't keep
> track of drops. You can add something like it yourself through the
> rules. Below is an example of rules incoming to my SSH server.
> 
> The first 2 rules match on an SSH software version often used in bots.
> They drop the traffic and create an 'xbit' 'badssh' for the source ip.
> It expires in an hour.
> 
> drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming"; \
>   flow:to_server,established; ssh.softwareversion:"libssh"; \
>   xbits:set, badssh, track ip_src, expire 3600; sid:4000000005;)
> drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming"; \
>   flow:to_server,established; ssh.softwareversion:"PUTTY"; \
>   xbits:set, badssh, track ip_src, expire 3600; sid:4000000007;)
> 
> Then I have a rule that simply drops any incoming traffic to that server
> that is on that 'badssh' list. *
> 
> drop ssh any any -> $MYSERVER 22 (msg:"DROP BLACKLISTED"; \
>   xbits:isset, badssh, track ip_src; sid:4000000006;)
> 
> *) Technically it works the other way around: it is stored in a host
> table where per-host information about which bits are set is kept.
> 
> You can create your own whitelist/blacklist logic with timeouts using
> the xbits keyword.
> 
> Cheers,
> Victor
> 
>> 
>> 
>> 
>> ------------------------------------------------------------------------
>> *From:* Cooper F. Nelson <cnelson at ucsd.edu>
>> *Sent:* Wednesday, October 12, 2016 1:21 PM
>> *To:* John Devine; oisf-users at lists.openinfosecfoundation.org
>> *Subject:* Re: [Oisf-users] whitelist with timeout?
>>  
>> Sort of.
>> 
>> What you could do is create pass rules to whitelist the IPs and then
>> store them in a separate rules file, like 'pass.rules'.
>> 
>> You could then have a separate process to add/remove pass rules in this
>> file via cron or some other mechanism, then trigger a rule reload on the
>> suricata process.
>> 
>> -Coop
>> 
>> On 10/12/2016 5:49 AM, John Devine wrote:
>>> Hi all,
>>> 
>>> Quick question regarding suricata: is it possible to whitelist IPs with a specific timeout in suricata?
>>> 
>>> Thanks
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>> 
>> 
>> 
>> -- 
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
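To illustrate the timer-reset behaviour Victor describes, here is a constructed simulation (an added example, not Suricata's own code) of a per-host xbit table: each 'xbits:set' match re-arms the expire countdown, so John's any/any set rule keeps 'testthisbit' alive indefinitely, while a set rule that matches only once lets it time out. The 360 s expiry and bit name come from the rules above; the expiry boundary (gone at exactly 360 s) and set-before-isset evaluation order are assumptions of the simulation.

```python
# Constructed simulation (added example, not Suricata's own code) of the xbit
# behaviour discussed above: every match of the 'xbits:set' rule re-arms the
# 'expire' countdown for that source host, so a set rule that matches every
# packet keeps the bit alive and the 'isset' rule never goes quiet.

EXPIRE = 360            # seconds, as in sid:5000000001 above
BIT = "testthisbit"

class XbitHostTable:
    """Per-host xbit storage: (host, bit_name) -> absolute expiry time."""
    def __init__(self):
        self._bits = {}

    def set(self, host, name, now, expire):
        # Each set match writes a fresh expiry, i.e. the timer is reset.
        self._bits[(host, name)] = now + expire

    def isset(self, host, name, now):
        expiry = self._bits.get((host, name))
        if expiry is None:
            return False
        if now >= expiry:   # assumption: the bit is gone at exactly 'expire' s
            del self._bits[(host, name)]
            return False
        return True

def run_timeline(packets, expire=EXPIRE):
    """packets: list of (time_s, src_ip, set_rule_matches).
    Returns the (time_s, src_ip) pairs on which the isset rule alerts.
    Simplification: the set rule is evaluated before isset on each packet."""
    table = XbitHostTable()
    alerts = []
    for t, src, set_matches in packets:
        if set_matches:
            table.set(src, BIT, t, expire)
        if table.isset(src, BIT, t):
            alerts.append((t, src))
    return alerts

# Constructed traffic: one source sending a packet every 100 s for 10 minutes.
TIMES = [0, 100, 200, 300, 400, 500, 600]
# Case A: 'alert ip any any -> any any' matches every packet; bit never expires.
NOISY_SET = [(t, "10.0.0.1", True) for t in TIMES]
# Case B: a set rule specific enough to match only once; bit expires at 360 s.
UNIQUE_SET = [(t, "10.0.0.1", t == 0) for t in TIMES]

if __name__ == "__main__":
    print("noisy set rule :", [t for t, _ in run_timeline(NOISY_SET)])
    print("unique set rule:", [t for t, _ in run_timeline(UNIQUE_SET)])
```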
