[prev in list] [next in list] [prev in thread] [next in thread]
List: oisf-users
Subject: Re: [Oisf-users] Whitelist rules
From: Nikolay Denev <ndenev () gmail ! com>
Date: 2011-09-16 12:53:45
Message-ID: 42CD45AA-CDED-444A-A30E-5AC8B70386DD () gmail ! com
[Download RAW message or body]
On Sep 16, 2011, at 2:50 PM, Nikolay Denev wrote:
> On Sep 16, 2011, at 1:00 PM, Peter Manev wrote:
>
> > Hi Nikolay,
> >
> > Can you please post an example of a rule of yours?
> >
> > Thanks
> >
> > On Fri, Sep 16, 2011 at 11:32 AM, Nikolay Denev <ndenev@gmail.com> wrote:
> > Hello all,
> >
> > I'm trying to install a few "pass" rules with "priority 1" as a whitelisting \
> > rules in "local.rules", they are read ok, but they don't seem to work, and I \
> > start to wonder If I'm missing something.
> > My understanding is that if my rules in local.rules match, no further checking \
> > will be done on this packet/flow. Can someone confirm that this is correct? Or is \
> > there another way to accomplish this. Basically I want to preserve for example \
> > the shell code rules that are working on any port src/dest, but I have traffic \
> > for an internal service that gives too many false positives, so I want to create \
> > a rule (basically the same shell code rule that get's triggered) but modify it \
> > for the specific port of the service and change it from "alert" to "pass" and \
> > raise the priority.
> > Thanks in advance.
> >
> > Regards,
> > Nikolay
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users@openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> > --
> > Peter Manev
>
> Ok, here's what I have :
>
> This is in suricata.yaml:
>
> HOME_NET: "[XXX.XXX.XXX.0/24,YYY.YYY.YYY.0/24,ZZZ.ZZZ.ZZZ.0/24,10.0.0.0/8]"
> EXTERNAL_NET: any
> SQL_SERVERS: "[10.XX.0.0/24,10.YY.0.0/24]"
>
> Here is the alert rule from the ETPro ruleset:
>
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 \
> inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; \
> sid:1390; rev:5;)
> Here is my rule in local.rules (it was "pass ip" initially, I changed it to "pass \
> tcp" later with no change):
> pass tcp $SQL_SERVERS any -> $SQL_SERVERS 1521 (msg:"GPL SHELLCODE x86 inc ebx \
> NOOP false positive"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; priority:1;)
>
> And still I get alerts like these:
>
> 09/16/11-08:35:28.209283 [**] [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [**] \
> [Classification: Executable Code was Detected] [Priority: 3] {6} 10.XX.0.66:29392 \
> -> 10.YY.0.66:1521
>
> Regards,
> Nikolay
One more thing : If I change the rules in local.rules to be also "alert" instead of \
"pass" I get two alerts for each, so clearly my rules are matching :
09/16/11-12:42:23.466342 [**] [1:2009033:3] ET POLICY Suspicious Executable (PE \
under 128) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] \
{6} 10.XX.0.49:1521 -> 10.YY.0.37:56986 [Xref => \
http://doc.emergingthreats.net/2009033]
09/16/11-12:42:23.466342 [**] [1:0:0] ET POLICY Suspicious Executable (PE under 128) \
FALSE POSITIVE [**] [Classification: (null)] [Priority: 1] {6} 10.XX.0.49:1521 -> \
10.YY.0.37:56986
Regards,
Nikolay
_______________________________________________
Oisf-users mailing list
Oisf-users@openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic