[Oisf-users] Turn off flow tracking?

Jason Ish lists at unx.ca
Fri Jan 6 19:57:28 UTC 2017


On Fri, Jan 6, 2017 at 12:45 PM, Michael J. Sheldon <msheldon at godaddy.com>
wrote:

> Suricata 3.1.3 Running in IPS mode
>
> Is it possible to tell Suricata to NOT do flow tracking for UDP?
> We use suricata for DNS traffic, and flow tracking is quite frankly
> useless, as there are no true flows with DNS UDP
>
> On top of that, it appears that somehow, some folks are bypassing the
> rules by flooding from the same IP:port.
>
> You can see from the below log, that the same source/port was sending the
> same request repeatedly. I have a drop rule in place, but when the tx_id
> reaches 501, it stops blocking, and the traffic goes through. The flow_id
> is the same for every request. There are identical chains in the log for
> different ip:port combinations.
>
> So effectively, instead of blocking the source address completely, I only
> end up blocking the first 501 requests. A new source will get blocked, but
> again, only for 501 requests.
>

I think this is an issue we need to look into further, but in the meantime
there might be a work-around.

In your suricata.yaml, under app-layer.dns, change "yes" to
"detection-only" like:

    dns:
      tcp:
        enabled: detection-only
        detection-ports:
          dp: 53
      udp:
        enabled: detection-only
        detection-ports:
          dp: 53


>
> rule:
> drop dns $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config
> sourcenetwork filter test"; dns_query; content:"example.com"; nocase;
> sid:3110039;)
>

Then you'll also need to change your rule to a more generic rule such as:

drop udp $EXTERNAL_NET any -> $INTERNAL_NET $DNS_PORTS (msg:"DROP Config
sourcenetwork filter test"; flow:to_server; pcre:"/example\.com/i";
sid:3110039;)

Anyways, I know it's not the answer you are likely looking for, and I will
be looking into it further. And in the meantime maybe someone else will
have a better suggestion?

Jason
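As an added example (not from the thread or the Suricata project), a small Python check over eve.json DNS records that groups queries by flow_id and reports UDP flows whose tx_id climbed to the point at which the drop rule stopped matching, so the behaviour Michael describes can at least be spotted in the logs. Field names follow eve.json; the threshold of 501 is the value observed in the thread, and the sample records are constructed.

```python
import json

# Observed in the thread: the drop rule stopped matching once tx_id hit 501.
TX_ID_ALERT_THRESHOLD = 501


def find_saturated_dns_flows(eve_lines, threshold=TX_ID_ALERT_THRESHOLD):
    """Group eve.json DNS events by flow_id and return the UDP flows whose
    highest tx_id reached `threshold` (one src ip:port reusing a flow)."""
    flows = {}
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev.get("proto") != "UDP":
            continue
        fid = ev["flow_id"]
        rec = flows.setdefault(fid, {
            "flow_id": fid,
            "src": f"{ev['src_ip']}:{ev['src_port']}",
            "dest": f"{ev['dest_ip']}:{ev['dest_port']}",
            "queries": 0,
            "max_tx_id": -1,
        })
        rec["queries"] += 1
        rec["max_tx_id"] = max(rec["max_tx_id"], ev.get("tx_id", 0))
    hits = [r for r in flows.values() if r["max_tx_id"] >= threshold]
    return sorted(hits, key=lambda r: r["max_tx_id"], reverse=True)


def _dns_event(flow_id, src_port, tx_id):
    # Constructed record shaped like a Suricata eve.json DNS query entry.
    return json.dumps({
        "event_type": "dns", "proto": "UDP", "flow_id": flow_id,
        "src_ip": "203.0.113.10", "src_port": src_port,
        "dest_ip": "192.0.2.53", "dest_port": 53, "tx_id": tx_id,
        "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"},
    })


# Constructed sample: one source/port sending 600 queries through a single
# flow, plus a well-behaved client with three queries on its own flow.
SAMPLE_EVE = (
    [_dns_event(1111111111111111, 40000, i) for i in range(600)]
    + [_dns_event(2222222222222222, 40001, i) for i in range(3)]
)

if __name__ == "__main__":
    for r in find_saturated_dns_flows(SAMPLE_EVE):
        print(f"flow {r['flow_id']} {r['src']} -> {r['dest']}: "
              f"{r['queries']} queries, tx_id up to {r['max_tx_id']}")
```

Feed it `open("eve.json")` instead of `SAMPLE_EVE` to run it against a real log; any flow it lists is one where requests beyond the threshold were no longer being inspected by the rule.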