[Oisf-users] signature action drop instead of alert

Vieri rentorbuy at yahoo.com
Thu Jan 23 00:15:52 UTC 2020


Hi,

I'm using Suricata 5.0.1, and I'm getting lots of "drops" for several SURICATA STREAM signatures.

For instance, I'm getting this in eve:

{"timestamp":"2020-01-23T00:13:52.212248+0100","flow_id":1562023082578895,"event_type":"drop","src_ip":"1.2.3.4","src_port":36608,"dest_ip":"4.3.2.1","dest_port":443,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":49,"ipid":6627,"tcpseq":3853116763,"tcpack":2585824304,"tcpwin":635,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2210042,"rev":2,"signature":"SURICATA STREAM TIMEWAIT ACK with wrong seq","category":"Generic Protocol Command Decode","severity":3}}

Notice the "drop".

# cat /etc/suricata/drop.conf 
re:^alert (?!.*noalert)(.*classtype\s*:\s*bad-unknown)
re:^alert (?!.*noalert)(.*classtype\s*:\s*attempted-recon)
re:^alert (?!.*noalert)(.*classtype\s*:\s*successful-recon-limited)
re:^alert (?!.*noalert)(.*classtype\s*:\s*successful-recon-largescale)
re:^alert (?!.*noalert)(.*classtype\s*:\s*attempted-dos)
re:^alert (?!.*noalert)(.*classtype\s*:\s*successful-dos)
re:^alert (?!.*noalert)(.*classtype\s*:\s*attempted-user)
re:^alert (?!.*noalert)(.*classtype\s*:\s*unsuccessful-user)
re:^alert (?!.*noalert)(.*classtype\s*:\s*successful-user)
re:^alert (?!.*noalert)(.*classtype\s*:\s*attempted-admin)
re:^alert (?!.*noalert)(.*classtype\s*:\s*successful-admin)
re:^alert (?!.*noalert)(.*classtype\s*:\s*rpc-portmap-decode)
re:^alert (?!.*noalert)(.*classtype\s*:\s*shellcode-detect)
re:^alert (?!.*noalert)(.*classtype\s*:\s*suspicious-filename-detect)
re:^alert (?!.*noalert)(.*classtype\s*:\s*suspicious-login)
re:^alert (?!.*noalert)(.*classtype\s*:\s*system-call-detect)
re:^alert (?!.*noalert)(.*classtype\s*:\s*trojan-activity)
re:^alert (?!.*noalert)(.*classtype\s*:\s*unusual-client-port-connection)
re:^alert (?!.*noalert)(.*classtype\s*:\s*denial-of-service)
re:^alert (?!.*noalert)(.*classtype\s*:\s*non-standard-protocol)
re:^alert (?!.*noalert)(.*classtype\s*:\s*web-application-activity)
re:^alert (?!.*noalert)(.*classtype\s*:\s*web-application-attack)
re:^alert (?!.*noalert)(.*classtype\s*:\s*misc-attack)
re:^alert (?!.*noalert)(.*classtype\s*:\s*kickass-porn)
re:^alert (?!.*noalert)(.*classtype\s*:\s*policy-violation)
re:^alert (?!.*noalert)(.*classtype\s*:\s*default-login-attempt)
re:^alert (?!.*noalert)(.*classtype\s*:\s*targeted-activity)
re:^alert (?!.*noalert)(.*classtype\s*:\s*exploit-kit)
re:^alert (?!.*noalert)(.*classtype\s*:\s*external-ip-check)
re:^alert (?!.*noalert)(.*classtype\s*:\s*domain-c2)
re:^alert (?!.*noalert)(.*classtype\s*:\s*pup-activity)
re:^alert (?!.*noalert)(.*classtype\s*:\s*credential-theft)
re:^alert (?!.*noalert)(.*classtype\s*:\s*social-engineering)
re:^alert (?!.*noalert)(.*classtype\s*:\s*coin-mining)
re:^alert (?!.*noalert)(.*classtype\s*:\s*command-and-control)
re:^alert (?!.*noalert)(.*classtype\s*:\s*network-scan)
re:^alert (?!.*noalert)(.*classtype\s*:\s*protocol-command-decode)

# grep -r 2210042 /etc/suricata/*
/etc/suricata/modify.conf:2210042 drop alert

# grep -r 2210042 /var/lib/suricata/*
/var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)

If this signature has the "alert" action set in the rules file, why is EVE logging it as a "drop"?

Vieri
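The two checks in the post can be replayed offline. The following is an added example (not Vieri's code and not suricata-update's own implementation): a simplified re-implementation of the drop.conf "re:" filter and the modify.conf "<sid> <from> <to>" line, applied to the sid 2210042 rule, plus a cross-check of EVE "drop" records against the action recorded in the rules file. The order in which the two filter sets run decides whether the rule ends up as "alert" or "drop", and the page does not state which order suricata-update uses, so the example makes it a parameter; the EVE input is the event from the post plus two constructed records, and sid 9999999 with its "drop" rule is hypothetical. One caveat a practitioner would check alongside this: in IPS mode the rule action is not the only thing that produces a drop record, since the stream engine can drop packets it considers invalid (the `stream.drop-invalid` setting in suricata.yaml) and that drop is logged together with the matching stream-event signature, so the cross-check below separates drops that a "drop" rule explains from those it does not.

```python
"""Offline reproduction of the two checks in the post: replay the drop.conf /
modify.conf filters against the sid 2210042 rule, and cross-check EVE 'drop'
events against the action recorded in the rules file.  Simplified
re-implementation for illustration, not suricata-update's own code."""
import json
import re

# Rule line for sid 2210042 as shown in /var/lib/suricata/rules/suricata.rules.
RULE = (
    'alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; '
    'stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; '
    'sid:2210042; rev:2;)'
)
# The drop.conf line from the post that matches this rule's classtype.
DROP_CONF = [r"re:^alert (?!.*noalert)(.*classtype\s*:\s*protocol-command-decode)"]
# The modify.conf line from the post: "<sid> <from> <to>".
MODIFY_CONF = ["2210042 drop alert"]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(rule):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_action(rule):
    # The action is the first whitespace-delimited token of a rule line.
    return rule.split(None, 1)[0]


def apply_drop_filters(rule, drop_conf):
    """A 're:<pattern>' line whose pattern matches rewrites the action to 'drop'."""
    for line in drop_conf:
        if line.startswith("re:") and re.search(line[3:], rule):
            return "drop" + rule[len(rule_action(rule)):]
    return rule


def apply_modify_filters(rule, modify_conf):
    """A '<sid> <from> <to>' line applies re.sub(from, to) to the rule with that sid."""
    for line in modify_conf:
        sid, src, dst = line.split(None, 2)
        if rule_sid(rule) == int(sid):
            rule = re.sub(src, dst, rule)
    return rule


def apply_filters(rule, drop_conf, modify_conf, drop_first=True):
    """Run both filter sets.  The order is a parameter because it decides the
    result; which order suricata-update uses is not stated on the page
    (assumption: the caller picks)."""
    steps = [lambda r: apply_drop_filters(r, drop_conf),
             lambda r: apply_modify_filters(r, modify_conf)]
    if not drop_first:
        steps.reverse()
    for step in steps:
        rule = step(rule)
    return rule


# Constructed EVE input: the drop event from the post, plus two made-up records
# (an 'alert' for the same sid and a drop for a hypothetical sid 9999999).
EVE_LINES = [
    '{"timestamp":"2020-01-23T00:13:52.212248+0100","flow_id":1562023082578895,'
    '"event_type":"drop","src_ip":"1.2.3.4","src_port":36608,"dest_ip":"4.3.2.1",'
    '"dest_port":443,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":49,"ipid":6627,'
    '"tcpseq":3853116763,"tcpack":2585824304,"tcpwin":635,"syn":false,"ack":true,'
    '"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},'
    '"alert":{"action":"blocked","gid":1,"signature_id":2210042,"rev":2,'
    '"signature":"SURICATA STREAM TIMEWAIT ACK with wrong seq",'
    '"category":"Generic Protocol Command Decode","severity":3}}',
    '{"event_type":"alert","alert":{"action":"allowed","signature_id":2210042}}',
    '{"event_type":"drop","alert":{"action":"blocked","signature_id":9999999}}',
]
# Hypothetical second rule so the loaded rule set contains one genuine drop rule.
RULES = [RULE, 'drop tcp any any -> any any (msg:"constructed drop rule"; sid:9999999; rev:1;)']


def unexplained_drops(eve_lines, rules):
    """(sid, action in rules file) for every 'drop' event whose signature is not
    a 'drop' rule, i.e. drops that the rule action alone does not explain."""
    action_by_sid = {rule_sid(r): rule_action(r) for r in rules}
    found = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "drop":
            continue
        sid = ev["alert"]["signature_id"]
        if action_by_sid.get(sid) != "drop":
            found.append((sid, action_by_sid.get(sid)))
    return found


if __name__ == "__main__":
    for order in (True, False):
        print("drop first" if order else "modify first", "->",
              rule_action(apply_filters(RULE, DROP_CONF, MODIFY_CONF, drop_first=order)))
    print("drops not explained by rule action:", unexplained_drops(EVE_LINES, RULES))
```

Running the filters drop-first yields the rule exactly as it appears in the post's suricata.rules ("alert"), while modify-first leaves the rule as "drop"; either way the cross-check reports sid 2210042 as a drop record whose rule is not a drop rule, which is the discrepancy the post asks about.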

