[Oisf-users] suricata reject rule

Vieri rentorbuy at yahoo.com
Tue Feb 28 12:44:46 UTC 2017


I'm having trouble using Suricata in IPS mode with a reject rule.

# grep ^reject /etc/suricata/rules/*.rules
/etc/suricata/rules/emerging-policy.rules:reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent|3a| asafaweb.com|0d 0a|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:3;)

I'm running:
/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid -D -c /etc/suricata/suricata-CUSTOM.yaml -vvvv -q 0 -q 1 -q 2 -q 3 -q 4 -q 5 --set logging.outputs.1.file.filename=/var/log/suricata/suricata.log --user=root --group=root -l /var/log/suricata

# curl --interface enp9s6 -A 'asafaweb.com'

{"timestamp":"2017-02-28T13:21:30.447981+0100","flow_id":1393336435445541,"event_type":"drop","src_ip":"","src_port":11031,"dest_ip":"","dest_port":80,"proto":"TCP","drop":{"len":145,"tos":0,"ttl":60,"ipid":56453,"tcpseq":2829965017,"tcpack":1140257709,"tcpwin":229,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2014233,"rev":3,"signature":"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)","category":"Detection of a Network Scan","severity":3},"tx_id":0}

28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed: libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted
28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread TX#02 failed

Why is there a problem accessing SOCK_RAW if the suricata process is launched as (and drops privileges to) root?
I know it's simpler not to specify --user/--group=root, but I'm asking because I was also hoping to run Suricata with reject rules while launching the main process with --user=/--group=unprivileged, as I'm already doing with "drop" rules.

So I restarted suricata without specifying user/group:
/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid -D -c /etc/suricata/suricata-CUSTOM.yaml -vvvv -q 0 -q 1 -q 2 -q 3 -q 4 -q 5 --set logging.outputs.1.file.filename=/var/log/suricata/suricata.log -l /var/log/suricata

Then I start the client:
# curl --interface enp9s6 -A 'asafaweb.com'

This time, the suricata log does NOT show any errors regarding SOCK_RAW and I get this in EVE:

{"timestamp":"2017-02-28T13:25:35.601476+0100","flow_id":978968744294849,"event_type":"drop","src_ip":"","src_port":13153,"dest_ip":"","dest_port":80,"proto":"TCP","drop":{"len":145,"tos":0,"ttl":60,"ipid":31218,"tcpseq":3990427198,"tcpack":3200910351,"tcpwin":229,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2014233,"rev":3,"signature":"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)","category":"Detection of a Network Scan","severity":3},"tx_id":0}

However, the curl client connection is not being rejected, but dropped.
The client is stuck connecting when it should have been actively reset.

The yaml file suricata.yaml is default (found in upstream package) and the custom yaml file contains:

%YAML 1.1

include: /etc/suricata/suricata.yaml

include: /etc/suricata/suricata-CUSTOM-rules.yaml

- fast:
    enabled: no
    filename: fast.log
    append: yes
- eve-log:
    enabled: yes
    filetype: regular
    filename: eve.json
- drop:
    alerts: yes      # log alerts that caused drops
    flows: start     # start or all: 'start' logs only a single drop

- http-log:
    enabled: no
    filename: http.log
    append: yes

- tls-log:
    enabled: no       # Log TLS connections.
    filename: tls.log # File to store TLS logs.
    append: yes

- tls-store:
    enabled: no

- dns-log:
    enabled: no
    filename: dns.log
    append: yes

- pcap-log:
    enabled: no
    filename: log.pcap
    limit: 1000mb
    max-files: 2000
    mode: normal          # normal, multi or sguil.
    use-stream-depth: no  # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
    honor-pass-rules: no  # If set to "yes", flows in which a pass rule matched will stop being logged.

- alert-debug:
    enabled: no
    filename: alert-debug.log
    append: yes

- alert-prelude:
    enabled: no
    profile: suricata
    log-packet-content: no
    log-packet-header: yes

- stats:
    enabled: no
    filename: stats.log
    totals: yes       # stats for all threads merged together
    threads: no       # per thread stats

- syslog:
    enabled: no
    facility: local5

- drop:
    enabled: no
    filename: drop.log
    append: yes

- file-store:
    enabled: no         # set to yes to enable
    log-dir: files      # directory to store the files
    force-magic: no     # force logging magic on all stored files
    force-filestore: no # force storing of all files

- file-log:
    enabled: no
    filename: files-json.log
    append: yes
    force-magic: no   # force logging magic on all logged files

- tcp-data:
    enabled: no
    type: file
    filename: tcp-data.log

- http-body-data:
    enabled: no
    type: file
    filename: http-data.log

- lua:
    enabled: no

How can I make correct reject rules?
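The libnet error quoted above ("libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted") is what the kernel returns when the thread trying to open a raw IPv4 socket no longer holds CAP_NET_RAW, which is the capability a reject rule needs in order to send the TCP RST. The following Python script is an added example, not part of this post or of the Suricata project; it decodes the CapEff mask from /proc/<pid>/status so you can confirm whether a running Suricata process still has CAP_NET_RAW and CAP_NET_ADMIN after a privilege drop, and it tallies the EVE "drop" events of the kind shown above per signature id. The capability numbers are the standard Linux values from linux/capability.h; the sample status text and EVE lines are constructed (documentation IP addresses, invented pid), and `check_running_process` assumes a Linux /proc filesystem.

```python
import json
import re
from collections import Counter

# Linux capability bit numbers (linux/capability.h). CAP_NET_RAW is what a
# SOCK_RAW socket needs; CAP_NET_ADMIN is needed for NFQUEUE handling.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# "CapEff:" in /proc/<pid>/status is a hex bitmask of effective capabilities.
_CAPEFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_eff(proc_status_text):
    """Return the effective capability mask from /proc/<pid>/status text, or None."""
    m = _CAPEFF_RE.search(proc_status_text)
    return int(m.group(1), 16) if m else None


def has_capability(cap_mask, cap_number):
    """True if bit `cap_number` is set in the capability mask."""
    return bool((cap_mask >> cap_number) & 1)


def raw_socket_ok(proc_status_text):
    """True if the process described by this status text can open SOCK_RAW."""
    mask = parse_cap_eff(proc_status_text)
    if mask is None:
        return False
    return has_capability(mask, CAP_NET_RAW)


def check_running_process(pid):
    """Read /proc/<pid>/status of a live process (Linux only) and test CAP_NET_RAW."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        return raw_socket_ok(f.read())


def summarize_eve_drops(lines):
    """Count EVE JSON 'drop' events with action 'blocked', keyed by signature_id."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupted lines rather than abort
        if ev.get("event_type") != "drop":
            continue
        alert = ev.get("alert", {})
        if alert.get("action") == "blocked":
            counts[alert.get("signature_id")] += 1
    return dict(counts)


# Constructed /proc/<pid>/status excerpts (pid and Name are invented).
SAMPLE_STATUS_PRIVILEGED = "Name:\tSuricata-Main\nPid:\t1234\nCapEff:\t0000003fffffffff\n"
SAMPLE_STATUS_DROPPED = "Name:\tSuricata-Main\nPid:\t1234\nCapEff:\t0000000000000000\n"
# Only CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13): 0x3000.
SAMPLE_STATUS_NETONLY = "Name:\tSuricata-Main\nPid:\t1234\nCapEff:\t0000000000003000\n"

# Constructed EVE lines modelled on the drop events in the post (192.0.2.0/24 is
# a documentation range; flow ids and ports are invented).
SAMPLE_EVE = [
    '{"timestamp":"2017-02-28T13:21:30.447981+0100","flow_id":1,"event_type":"drop",'
    '"src_ip":"192.0.2.10","src_port":11031,"dest_ip":"192.0.2.80","dest_port":80,'
    '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2014233,"rev":3,'
    '"signature":"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)","severity":3}}',
    '{"timestamp":"2017-02-28T13:25:35.601476+0100","flow_id":2,"event_type":"drop",'
    '"src_ip":"192.0.2.10","src_port":13153,"dest_ip":"192.0.2.80","dest_port":80,'
    '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2014233,"rev":3,'
    '"signature":"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)","severity":3}}',
    '{"timestamp":"2017-02-28T13:25:36.000000+0100","flow_id":3,"event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.80","proto":"TCP"}',
    "this line is not json",
]

if __name__ == "__main__":
    for label, status in (("full root caps", SAMPLE_STATUS_PRIVILEGED),
                          ("all caps dropped", SAMPLE_STATUS_DROPPED),
                          ("net caps only", SAMPLE_STATUS_NETONLY)):
        print(f"{label}: CAP_NET_RAW present = {raw_socket_ok(status)}")
    print("blocked events per sid:", summarize_eve_drops(SAMPLE_EVE))
```

To check a live IPS, call `check_running_process(<suricata pid>)` on the pid from suricata.pid; a result of False for the worker threads (each thread has its own /proc/<pid>/task/<tid>/status) means reject will fail exactly as in the log above even though drop still works, because dropping a packet via NFQUEUE verdict needs no raw socket while sending the RST does. Note that EVE records both drop and reject outcomes as event_type "drop" with action "blocked", so the tally alone cannot tell you whether the RST was actually sent; the libnet error line in suricata.log is the signal for that.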

