[Oisf-users] signature action drop instead of alert

Vieri rentorbuy at yahoo.com
Fri Jan 24 07:58:01 UTC 2020

 On Thursday, January 23, 2020, 9:01:03 PM GMT+1, Andreas Herz <aherz at oisf.net> wrote: 
>> I'm using Suricata 5.0.1, and I'm getting lots of "drops" for several SURICATA STREAM signatures.
> In general you don't want to convert those rules to drop as they will
> trigger quite often at mixed traffic environments in some cases.

Would you suggest not dropping the SURICATA STREAM rules or the whole protocol-command-decode class type?
Any general guideline as to which categories/rulesets to drop for sure and which should be taken into account more cautiously for the drop action to take place?

>> # grep -r 2210042 /var/lib/suricata/*
>> /var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-
>> event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
>> If this signature has the "alert" action set in the rules file, why is EVE logging it as a "drop"?
> Can you check what path is set in the suricata config?
> I would guess that it's using another ruleset where you have action drop
> instead of alert.

# ps aux | grep suricata
suricata 22683  3.4 10.9 1582864 441984 ?      Ssl  07:33   1:29 /usr/bin/suricata --pidfile /run/suricata/suricata.pid -D -c /etc/suricata/suricata-HMAN.yaml -vvvv -q 0 -q 1 -q 2 -q 3 -q 4 -q 5 --set vars.address-groups.HOME_NET=[,,] --set vars.address-groups.HTTP_SERVERS=[<HIDDEN>] --set vars.address-groups.SMTP_SERVERS=[ <HIDDEN>] --set vars.address-groups.SQL_SERVERS=[<HIDDEN>] --set vars.address-groups.DNS_SERVERS=[<HIDDEN>] --set vars.address-groups.TELNET_SERVERS=[<HIDDEN>] --set vars.port-groups.HTTP_PORTS=[80,8080,8008] --set vars.port-groups.SHELLCODE_PORTS=!80 --set vars.port-groups.ORACLE_PORTS=1521 --set vars.port-groups.SSH_PORTS=22 --set vars.port-groups.DNP3_PORTS=20000 --set vars.port-groups.MODBUS_PORTS=502 --set vars.port-groups.FILE_DATA_PORTS=[80,8080,110,143] --set vars.port-groups.FTP_PORTS=21 --set app-layer.protocols.modbus.enabled=yes --set app-layer.protocols.modbus.detection-ports.dp=502 --set app-layer.protocols.modbus.stream-depth=0 --set app-layer.protocols.dnp3.enabled=yes --set app-layer.protocols.dnp3.detection-ports.dp=20000 --set app-layer.protocols.enip.enabled=yes --set app-layer.protocols.enip.detection-ports.dp=44818 --set app-layer.protocols.enip.detection-ports.sp=44818 --set app-layer.protocols.http.enabled=yes --set logging.outputs.1.file.filename=/var/log/suricata/suricata.log --user=suricata --group=suricata -l /var/log/suricata

/etc/suricata/suricata-HMAN.yaml does not specify any rulesets and starts with:

# default upstream yaml file
include: /etc/suricata/suricata.yaml
# and now override stuff as needed...
# auto-generated:
include: /etc/suricata/suricata-HMAN-rules.yaml

The full content of /etc/suricata/suricata-HMAN-rules.yaml is:

# cat /etc/suricata/suricata-HMAN-rules.yaml
%YAML 1.1

default-rule-path: /var/lib/suricata/rules
 - suricata.rules
 - /etc/suricata/rules/community.rules
 - /SAMBA/gateway/rules.ips
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

Can't find a duplicate of that rule:

# grep -r 2210042 /var/lib/suricata/*
/var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
# grep -r 2210042 /etc/suricata/rules/community.rules
# grep -r 2210042 /SAMBA/gateway/rules.ips

Oddly enough, I haven't seen another drop event type for SURICATA STREAM since yesterday...
I'll keep an eye on this.



More information about the Oisf-users mailing list