[Oisf-users] Turn off flow tracking?

Michael J. Sheldon msheldon at godaddy.com
Fri Jan 6 18:45:40 UTC 2017


Suricata 3.1.3, running in IPS mode.

Is it possible to tell Suricata to NOT do flow tracking for UDP?
We use Suricata for DNS traffic, and flow tracking is quite frankly useless, as there are no true flows with DNS UDP.

On top of that, it appears that somehow, some folks are bypassing the rules by flooding from the same IP:port.

You can see from the log below that the same source/port was sending the same request repeatedly. I have a drop rule in place, but when the tx_id reaches 501, it stops blocking, and the traffic goes through. The flow_id is the same for every request. There are identical chains in the log for different ip:port combinations.

So effectively, instead of blocking the source address completely, I only end up blocking the first 501 requests. A new source will get blocked, but again, only for 501 requests.

rule:
drop dns $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config sourcenetwork filter test"; dns_query; content:"example.com"; nocase; sid:3110039;)

eve log:
{"timestamp":"2017-01-06T11:15:58.964841-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":491,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.965639-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":492,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.966339-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":493,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.967049-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":494,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.967874-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":495,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.968654-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":496,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.969412-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":497,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.970282-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":498,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.971085-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":499,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.971900-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":500,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}
{"timestamp":"2017-01-06T11:15:58.972701-0700","flow_id":788156007729507,"event_type":"alert","src_ip":"52.66.154.163","src_port":35137,"dest_ip":"208.109.255.24","dest_port":53,"proto":"UDP","tx_id":501,"alert":{"action":"blocked","gid":1,"signature_id":3110039,"rev":0,"signature":"DROP Config sourcenetwork filter test","category":"","severity":3}}

Michael Sheldon
Dev-DNS Services
GoDaddy.com
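The post shows the symptom only in a raw eve.json excerpt. The script below is an added example (not part of the original post and not Suricata project code) that reads eve alert records, groups them by flow_id, and flags flows whose blocked alerts climbed to the cutoff the poster observed, so an operator can list the source ip:port pairs that would have kept sending after Suricata stopped alerting. The sample records are constructed here with documentation-range addresses; the cutoff of 501 is taken from the post and is a parameter, not a documented constant.

```python
import json
from collections import defaultdict

# Constructed sample eve.json alert records (not taken from the original post).
# Flow 1001 reproduces the pattern the post describes: one src ip:port, one
# flow_id, blocked alerts whose tx_id climbs to 501 and then stops.
# Flow 1002 is a short flow that never gets near the cutoff.
def _make_alert(flow_id, src_ip, src_port, tx_id, usec):
    return json.dumps({
        "timestamp": f"2017-01-06T11:15:58.{usec:06d}-0700",
        "flow_id": flow_id, "event_type": "alert",
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": "192.0.2.53", "dest_port": 53, "proto": "UDP",
        "tx_id": tx_id,
        "alert": {"action": "blocked", "gid": 1, "signature_id": 3110039,
                  "rev": 0, "signature": "DROP Config sourcenetwork filter test",
                  "category": "", "severity": 3},
    })


SAMPLE_EVE = "\n".join(
    [_make_alert(1001, "198.51.100.7", 35137, tx, 100000 + tx * 800)
     for tx in range(1, 502)]
    + [_make_alert(1002, "198.51.100.9", 40001, tx, 600000 + tx * 800)
       for tx in range(1, 4)]
)


def parse_eve_alerts(text):
    """Parse newline-delimited eve records and keep only alert events."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def summarize_flows(alerts, cap=501):
    """Group alerts by flow_id and record, per flow, how far tx_id climbed.

    cap is the transaction number at which the post saw blocking stop;
    a flow whose highest blocked tx_id reached it is marked for review.
    """
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[a["flow_id"]].append(a)
    summary = {}
    for flow_id, recs in by_flow.items():
        first = recs[0]
        max_tx = max(r["tx_id"] for r in recs)
        summary[flow_id] = {
            "src": f'{first["src_ip"]}:{first["src_port"]}',
            "dest": f'{first["dest_ip"]}:{first["dest_port"]}',
            "blocked_alerts": len(recs),
            "max_tx_id": max_tx,
            "reached_cap": max_tx >= cap,
        }
    return summary


def sources_to_review(summary):
    """Source ip:port pairs whose flow hit the cap (likely still sending)."""
    return sorted(info["src"] for info in summary.values() if info["reached_cap"])


if __name__ == "__main__":
    flows = summarize_flows(parse_eve_alerts(SAMPLE_EVE))
    for flow_id, info in flows.items():
        print(flow_id, info)
    print("review:", sources_to_review(flows))
```

Running this against a real eve.json means replacing SAMPLE_EVE with the file contents; the grouping key is flow_id exactly as in the post, so all 501 blocked alerts from one ip:port land in one bucket. The list it returns is the set of sources whose traffic an upstream per-source control (a firewall rule or rate limit in front of the sensor) would still need to handle, since the post's own log shows Suricata stopped alerting on that flow after tx_id 501.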

