[Oisf-users] Packet not dropped?

James Moe jimoe at sohnen-moe.com
Sat Nov 24 06:13:28 UTC 2018


On 22/11/2018 3.15 PM, Andreas Herz wrote:

>> /usr/local/bin/suricata -v --pidfile /data01/var/run/suricata.pid -c
>> /usr/local/etc/suricata/suricata.yaml -q 0
>>
> Did you check that the NFQUEUE jump is working properly?
> 
  Hmm. What is "the NFQUEUE jump?" (Are the cool kids doing it?)
  What does it do when it is working correctly?

>>   The original post showed the log entry with "[DROP]" in it. Yet the
>> Alert entry showed the entry was not dropped.
>
> Can you also post the eve.json log output as well? alert-debug is not
> used much anymore, just want to make sure it's not just a log issue
> with alert-debug.
>

---[ fast.log ]---
11/23/2018-22:35:46.552692  [Drop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 65.39.92.157:38880 -> 192.168.69.246:25

11/23/2018-22:35:47.003576  [Drop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 127.0.0.1:57938 -> 127.0.0.1:125

11/23/2018-22:35:49.921047  [Drop] [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 127.0.0.1:125 -> 127.0.0.1:57938


---[ eve-json ]---
{"timestamp":"2018-11-23T22:35:46.552692-0700","flow_id":113274984228914,"event_type":"alert","src_ip":"65.39.92.157","src_port":38880,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"alert":{"action":"blocked","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3},"smtp":{"helo":"sma-inc.us"},"app_proto":"smtp","app_proto_tc":"failed","flow":{"pkts_toserver":3,"pkts_toclient":2,"bytes_toserver":149,"bytes_toclient":157,"start":"2018-11-23T22:35:46.157746-0700"}}

{"timestamp":"2018-11-23T22:35:47.003576-0700","flow_id":1674761884330437,"event_type":"alert","src_ip":"127.0.0.1","src_port":57938,"dest_ip":"127.0.0.1","dest_port":125,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"alert":{"action":"blocked","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3},"smtp":{"helo":"sma-inc.us"},"app_proto":"smtp","app_proto_tc":"failed","flow":{"pkts_toserver":7,"pkts_toclient":4,"bytes_toserver":397,"bytes_toclient":354,"start":"2018-11-23T22:35:46.321989-0700"}}

{"timestamp":"2018-11-23T22:35:49.921047-0700","flow_id":1674761884330437,"event_type":"alert","src_ip":"127.0.0.1","src_port":125,"dest_ip":"127.0.0.1","dest_port":57938,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1,"smtp.anomaly.count":1}},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2220000,"rev":1,"signature":"SURICATA SMTP invalid reply","category":"Generic Protocol Command Decode","severity":3},"smtp":{"helo":"sma-inc.us"},"app_proto":"smtp","app_proto_tc":"failed","flow":{"pkts_toserver":21,"pkts_toclient":15,"bytes_toserver":1223,"bytes_toclient":1124,"start":"2018-11-23T22:35:46.321989-0700"}}


---[ assp log ]---
2018-11-23_22:35:46 [Worker_1] Connected: session:7F0BAEFC8450 65.39.92.157:38880 > 192.168.69.246:25 > 127.0.0.1:125

2018-11-23_22:35:47 [Worker_1] 65.39.92.157 info: authentication - login is used

2018-11-23_22:36:04 [Worker_1] 65.39.92.157 disconnected: session:7F0BAEFC8450 65.39.92.157 - processing time 18 seconds

...note: the connection timed out because the Drop for 2220000 worked...

---[ mail server log ]---
22:35:47.920 1 ROUTER SYSTEM: 'ureed at sma-inc.us' rejected. Error Code=unknown user account

22:35:47.920 1 SMTPI-043060([127.0.0.1]) failed to open ACCOUNT(ureed) for [127.0.0.1]:57938->[127.0.0.1]:125. Error Code=unknown user account

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
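The question in this thread is whether a "[Drop]" in fast.log (or "action":"blocked" in eve.json) proves the packet left the box dead, or whether the NFQUEUE verdict is not being applied. One way to check this from the logs alone is to group eve.json alerts by flow_id and see whether the flow's packet counters keep rising after the first "blocked" verdict. The script below is an added example written for this post, not part of the message or of Suricata itself; the three eve.json records are copied from the post, trimmed to the fields the script reads, and the helper names (load_alerts, summarize_actions, flows_still_passing) are my own.

```python
import json
from collections import defaultdict
from datetime import datetime

# The three eve.json alert records from the post above, trimmed to the fields
# this script reads (timestamp, flow_id, event_type, alert, flow). One record per line,
# exactly as Suricata writes eve.json.
EVE_LINES = [
    '{"timestamp":"2018-11-23T22:35:46.552692-0700","flow_id":113274984228914,"event_type":"alert",'
    '"src_ip":"65.39.92.157","src_port":38880,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2260002,"rev":1},'
    '"flow":{"pkts_toserver":3,"pkts_toclient":2,"start":"2018-11-23T22:35:46.157746-0700"}}',
    '{"timestamp":"2018-11-23T22:35:47.003576-0700","flow_id":1674761884330437,"event_type":"alert",'
    '"src_ip":"127.0.0.1","src_port":57938,"dest_ip":"127.0.0.1","dest_port":125,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2260002,"rev":1},'
    '"flow":{"pkts_toserver":7,"pkts_toclient":4,"start":"2018-11-23T22:35:46.321989-0700"}}',
    '{"timestamp":"2018-11-23T22:35:49.921047-0700","flow_id":1674761884330437,"event_type":"alert",'
    '"src_ip":"127.0.0.1","src_port":125,"dest_ip":"127.0.0.1","dest_port":57938,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2220000,"rev":1},'
    '"flow":{"pkts_toserver":21,"pkts_toclient":15,"start":"2018-11-23T22:35:46.321989-0700"}}',
]


def parse_ts(value):
    """eve.json timestamps carry a numeric offset ("-0700"), which %z accepts."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_alerts(lines):
    """Parse one JSON object per line and keep only event_type == "alert"."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            events.append(event)
    return events


def summarize_actions(events):
    """Count alerts per verdict, e.g. {"blocked": 3} or {"allowed": 2, "blocked": 1}.
    A rule that should drop but reports "allowed" points at the rule/mode, not at NFQUEUE."""
    counts = defaultdict(int)
    for event in events:
        counts[event["alert"]["action"]] += 1
    return dict(counts)


def flows_still_passing(events):
    """Report flows whose packet counters rose after their first "blocked" alert.

    Returns {flow_id: {"first_blocked_sid": sid, "packets_after_block": n}}.
    Rising counters after a blocked verdict do not by themselves prove a broken
    NFQUEUE jump (a per-packet drop lets the rest of the flow continue), but they
    are the cases worth checking against the firewall's NFQUEUE rule counters.
    """
    by_flow = defaultdict(list)
    for event in events:
        by_flow[event["flow_id"]].append(event)

    findings = {}
    for flow_id, flow_events in by_flow.items():
        flow_events.sort(key=lambda e: parse_ts(e["timestamp"]))
        first_block = next((e for e in flow_events if e["alert"]["action"] == "blocked"), None)
        if first_block is None:
            continue
        base = first_block["flow"]["pkts_toserver"] + first_block["flow"]["pkts_toclient"]
        block_time = parse_ts(first_block["timestamp"])
        growth = [
            e["flow"]["pkts_toserver"] + e["flow"]["pkts_toclient"] - base
            for e in flow_events
            if parse_ts(e["timestamp"]) > block_time
        ]
        if growth and max(growth) > 0:
            findings[flow_id] = {
                "first_blocked_sid": first_block["alert"]["signature_id"],
                "packets_after_block": max(growth),
            }
    return findings


if __name__ == "__main__":
    alerts = load_alerts(EVE_LINES)
    print("verdicts:", summarize_actions(alerts))
    for flow_id, info in flows_still_passing(alerts).items():
        print(f"flow {flow_id}: {info['packets_after_block']} more packets seen after "
              f"sid {info['first_blocked_sid']} was reported blocked")
```

Run against the records from the post, the public-side flow (65.39.92.157 -> 192.168.69.246:25) has a single alert and nothing to compare, while the loopback leg that ASSP proxies to 127.0.0.1:125 shows 25 more packets after its first "blocked" verdict at 22:35:47 and a second drop at 22:35:49. Note that the two legs are separate flows with separate flow_ids, so a drop on one does not appear in the counters of the other; to settle whether the verdict reached the kernel, compare such flows with the packet/byte counters on the iptables rule that jumps to NFQUEUE (iptables -v -n -L), which is the check the reply above asks about.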
