
List:       oisf-users
Subject:    Re: [Oisf-users] Whitelist rules
From:       Nikolay Denev <ndenev () gmail ! com>
Date:       2011-09-16 12:53:45
Message-ID: 42CD45AA-CDED-444A-A30E-5AC8B70386DD () gmail ! com


On Sep 16, 2011, at 2:50 PM, Nikolay Denev wrote:

> On Sep 16, 2011, at 1:00 PM, Peter Manev wrote:
> 
> > Hi Nikolay,
> > 
> > Can you please post an example of a rule of yours? 
> > 
> > Thanks
> > 
> > On Fri, Sep 16, 2011 at 11:32 AM, Nikolay Denev <ndenev@gmail.com> wrote:
> > Hello all,
> > 
> > I'm trying to install a few "pass" rules with "priority 1" as whitelisting rules in
> > "local.rules". They are read OK, but they don't seem to work, and I'm starting to
> > wonder if I'm missing something.
> > My understanding is that if my rules in local.rules match, no further checking will
> > be done on this packet/flow. Can someone confirm that this is correct? Or is there
> > another way to accomplish this? Basically I want to preserve, for example, the
> > shellcode rules that are working on any port src/dest, but I have traffic for an
> > internal service that gives too many false positives, so I want to create a rule
> > (basically the same shellcode rule that gets triggered) but modify it for the
> > specific port of the service, change it from "alert" to "pass" and raise the
> > priority.
> > Thanks in advance.
> > 
> > Regards,
> > Nikolay
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users@openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > 
> > 
> > 
> > -- 
> > Peter Manev
> 
> Ok, here's what I have :
> 
> This is in suricata.yaml:
> 
> 	HOME_NET: "[XXX.XXX.XXX.0/24,YYY.YYY.YYY.0/24,ZZZ.ZZZ.ZZZ.0/24,10.0.0.0/8]"
> 	EXTERNAL_NET: any
> 	SQL_SERVERS: "[10.XX.0.0/24,10.YY.0.0/24]"
> 
> Here is the alert rule from the ETPro ruleset:
> 
> 	alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
> 
> Here is my rule in local.rules (it was "pass ip" initially; I changed it to "pass tcp" later with no change):
> 
> 	pass tcp $SQL_SERVERS any -> $SQL_SERVERS 1521 (msg:"GPL SHELLCODE x86 inc ebx NOOP false positive"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; priority:1;)
> 
> And still I get alerts like these:
> 
> 	09/16/11-08:35:28.209283  [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable Code was Detected] [Priority: 3] {6} 10.XX.0.66:29392 -> 10.YY.0.66:1521
> 
> Regards,
> Nikolay

One more thing: if I change the rules in local.rules to be "alert" instead of "pass", I get two alerts for each, so clearly my rules are matching:

09/16/11-12:42:23.466342  [**] [1:2009033:3] ET POLICY Suspicious Executable (PE under 128) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986 [Xref => http://doc.emergingthreats.net/2009033]

09/16/11-12:42:23.466342  [**] [1:0:0] ET POLICY Suspicious Executable (PE under 128) FALSE POSITIVE [**] [Classification: (null)] [Priority: 1] {6} 10.XX.0.49:1521 -> 10.YY.0.37:56986


Regards,
Nikolay
_______________________________________________
Oisf-users mailing list
Oisf-users@openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
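An added illustration of the semantics Nikolay is asking about (this is not code from the thread or from Suricata): Suricata applies signatures in the configured action-order, which defaults to pass, drop, reject, alert, so a pass rule that matches a packet is honoured before any alert rule is consulted, whatever the priority values say; priority only orders the alerts that do fire. The toy evaluator below models that over a few constructed packets. It substitutes placeholder 10.1.0.0/24 and 10.2.0.0/24 networks for the masked addresses, gives the pass rules sids, and adds a second pass rule for the server-to-client direction (port 1521 as source), which the rule posted above does not cover; all of those are assumptions made for the example.

```python
"""Toy model of how Suricata orders pass and alert rules.

Added illustration for this thread, not Suricata's own code. It parses a small
subset of rule syntax (action, proto, addresses, ports, one direction, and the
msg/content/sid/rev options with plain-ASCII content) and evaluates constructed
packets the way the Suricata documentation describes: signatures are applied in
the configured action-order (pass, drop, reject, alert by default), and a
matching pass rule ends inspection of that packet. `priority` only orders the
alerts that do fire; it cannot make an alert outrank a pass.
"""
import ipaddress
import re
from dataclasses import dataclass, field

ACTION_ORDER = ["pass", "drop", "reject", "alert"]   # suricata.yaml default

# Variables modelled on the thread's suricata.yaml. The masked XXX/YYY
# networks are replaced with constructed 10.1/10.2 ranges (assumption).
VARS = {
    "$HOME_NET": ["10.0.0.0/8"],
    "$EXTERNAL_NET": ["any"],
    "$SQL_SERVERS": ["10.1.0.0/24", "10.2.0.0/24"],
    "$SHELLCODE_PORTS": ["!80"],      # Suricata's shipped default
}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$")


def parse_rule(text):
    """Parse one single-direction rule; options become a key -> value dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = {}
    for kv in (o.strip() for o in m["opts"].split(";")):
        if kv:
            key, _, val = kv.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], opts)


def _items(spec):
    """Expand a $VAR, a literal '[a,b]' list or a single token into items."""
    return VARS.get(spec, [t.strip() for t in spec.strip("[]").split(",")])


def addr_match(spec, ip):
    """'any', CIDRs and '!CIDR' exclusions; [a,!b] means a except b."""
    items = _items(spec)
    if "any" in items:
        return True
    addr = ipaddress.ip_address(ip)
    pos = [ipaddress.ip_network(i, strict=False) for i in items if not i.startswith("!")]
    neg = [ipaddress.ip_network(i[1:], strict=False) for i in items if i.startswith("!")]
    return (not pos or any(addr in n for n in pos)) and not any(addr in n for n in neg)


def port_match(spec, port):
    """'any', single ports, 'lo:hi' ranges and '!port' exclusions."""
    def hit(item):
        lo, sep, hi = item.partition(":")
        if not sep:
            return port == int(lo)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    items = _items(spec)
    if "any" in items:
        return True
    pos = [i for i in items if not i.startswith("!")]
    neg = [i[1:] for i in items if i.startswith("!")]
    return (not pos or any(hit(p) for p in pos)) and not any(hit(n) for n in neg)


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
            and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport)):
        return False
    content = rule.opts.get("content")
    return content is None or content.encode() in pkt.payload


def inspect_packet(rules, pkt):
    """Return [(action, sid), ...] for the rules that fire on pkt.

    Rules are walked in ACTION_ORDER. The first matching pass rule is
    recorded and inspection of this packet stops, so no alert can follow it.
    """
    fired = []
    for action in ACTION_ORDER:
        for rule in [r for r in rules if r.action == action]:
            if rule_matches(rule, pkt):
                fired.append((action, rule.opts.get("sid", "0")))
                if action == "pass":
                    return fired
    return fired


NOOP = b"C" * 24   # 0x43 = inc ebx, the sled sid 1390 looks for (constructed payload)

ET_SHELLCODE = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
                '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
                'classtype:shellcode-detect; sid:1390; rev:5;)')
# The thread's whitelist rule, with a sid added (assumed value).
PASS_TO_LISTENER = ('pass tcp $SQL_SERVERS any -> $SQL_SERVERS 1521 '
                    '(msg:"inc ebx NOOP false positive, to listener"; '
                    'content:"CCCCCCCCCCCCCCCCCCCCCCCC"; sid:9000001; rev:1;)')
# Added for the example: the reverse direction (listener port 1521 as source),
# which a rule naming only dport 1521 never matches.
PASS_FROM_LISTENER = ('pass tcp $SQL_SERVERS 1521 -> $SQL_SERVERS any '
                      '(msg:"inc ebx NOOP false positive, from listener"; '
                      'content:"CCCCCCCCCCCCCCCCCCCCCCCC"; sid:9000002; rev:1;)')

# Constructed packets shaped like the thread's alert lines plus one outsider.
CLIENT_TO_DB = Packet("tcp", "10.1.0.66", 29392, "10.2.0.66", 1521, NOOP)
DB_TO_CLIENT = Packet("tcp", "10.1.0.49", 1521, "10.2.0.37", 56986, NOOP)
OUTSIDER_TO_DB = Packet("tcp", "192.0.2.10", 4444, "10.2.0.66", 1521, NOOP)


def evaluate(rule_texts, pkt):
    return inspect_packet([parse_rule(t) for t in rule_texts], pkt)


def demo():
    """Scenario name -> rules fired, in action-order."""
    one_way = [ET_SHELLCODE, PASS_TO_LISTENER]
    both_ways = one_way + [PASS_FROM_LISTENER]
    return {
        "client->db, one pass rule": evaluate(one_way, CLIENT_TO_DB),
        "db->client, one pass rule": evaluate(one_way, DB_TO_CLIENT),
        "db->client, both pass rules": evaluate(both_ways, DB_TO_CLIENT),
        "outsider->db, both pass rules": evaluate(both_ways, OUTSIDER_TO_DB),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:32} {fired}")
```

The model follows the documentation's description of pass as acting on the packet it matched; it deliberately leaves out hex `|..|` content, `flow:` keywords and bidirectional `<>` rules, so it only shows the ordering question, not everything a real pass rule can express. The outsider case is there to show that scoping the pass rule to `$SQL_SERVERS` keeps sid 1390 alive for traffic from anywhere else.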


