Support #1534

closed

P2P rules in emerging-p2p.rules not blocking p2p traffic

Added by Ravin Goyal over 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I have set Suricata in inline mode for my host machine only to block p2p traffic, and set modifysid emerging-p2p.rules "^alert" | "drop" in /etc/oinkmaster.conf and reran it.

As I can see, it can block the metafile (.torrent) but it failed to block p2p traffic of already active torrents.
Some of the rules are logged in fast.log as [DROP] [**],
but still traffic is coming.

I guess most of the rules are not matched.
Please suggest something regarding the issue.


Files

fast.log (464 KB) fast.log Ravin Goyal, 08/26/2015 07:32 AM
Actions #1

Updated by Victor Julien over 8 years ago

  • Tracker changed from Bug to Support
  • Priority changed from High to Normal

I'm not sure if the ET ruleset is designed to completely block all possible p2p, or merely detect it so admins can tell users to uninstall.

For a Suricata bug report, this is too vague. If you think a bug in Suricata exists you will need to show which rule doesn't block what exact traffic.

Actions #2

Updated by Ravin Goyal over 8 years ago

By blocking I mean to say that, instead of being dropped, traffic is still coming, as I have set the drop policy for p2p connections in emerging-p2p.rules.

I attached the log file; please see it. Most of the rules in the emerging-p2p.rules file are not matched.

Actions #3

Updated by Peter Manev over 8 years ago

As Victor mentions - you need to be more specific - rule/pcap case scenario, for example.

If I understand correctly - none of the p2p rules match from what you say - do you have all the configuration variables set up correctly in suricata.yaml - home/ext net etc... are there any specifics about your setup - proxy env and so on.

Actions #4

Updated by Ravin Goyal over 8 years ago

No, there is no specification regarding my setup; I just set my local network in $HOME_NET and the rest is unchanged in the configuration file.

drop tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Deluge "; http_header; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:5;)

drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:12;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:5;)

drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:5;)

Only these matched out of all rules in emerging-p2p.rules.
Only the last one given above is doing what it is supposed to be doing regarding downloading the .torrent file.

The rest of the rules are still not working.
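An added example, not part of this ticket or of the Suricata project, covering two checks the thread keeps circling back to. First it applies the oinkmaster modifysid "^alert" | "drop" rewrite to a constructed excerpt of emerging-p2p.rules (the two active rules are the ones quoted above; the commented-out rule and the rule that already uses drop are constructed to show the edge cases a line-anchored substitution has to get right), so you can confirm a rule was actually loaded as drop before suspecting the engine. Then it parses constructed fast.log lines and reports, per sid, how often a rule fired, with which action, and over how many distinct flows, plus which active rules never appeared in the log at all: those are the rules to test against a pcap, as Victor and Peter asked. The action token layout `[Drop] [**]` before the `[gid:sid:rev]` triple is assumed to match the Suricata version in use (the ticket writes it as [DROP]); the parser lower-cases it.

```python
import re
from collections import Counter, defaultdict

# --- Part 1: what oinkmaster's  modifysid emerging-p2p.rules "^alert" | "drop"  does ---
# Constructed excerpt of a rules file. The first two active rules are copied from the
# ticket; the '#alert' line and the pre-converted 'drop' line are constructed.
RULES_SNIPPET = r'''# emerging-p2p.rules (constructed excerpt)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DISABLED constructed rule"; sid:9000001; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:5;)
'''

RULE_ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def alert_to_drop(rules_text):
    """Rewrite every active rule that starts with 'alert' to 'drop', the effect of
    the modifysid line in the ticket. A commented-out rule ('#alert ...') does not
    start with 'alert', so it stays disabled; rules already using 'drop' are untouched."""
    return "\n".join(re.sub(r"^alert\b", "drop", line) for line in rules_text.splitlines())


def active_rule_actions(rules_text):
    """Map sid -> action for every active (uncommented) rule, to verify that the
    ruleset really carries 'drop' before blaming the engine for not dropping."""
    actions = {}
    for line in rules_text.splitlines():
        m = RULE_ACTION_RE.match(line)
        s = SID_RE.search(line)
        if m and s:
            actions[int(s.group(1))] = m.group(1)
    return actions


# --- Part 2: triage of fast.log -------------------------------------------------------
# Constructed log lines; addresses are documentation ranges, not real peers.
SAMPLE_FAST_LOG = [
    "08/26/2015-07:30:01.000001  [Drop] [**] [1:2102181:3] GPL P2P BitTorrent transfer [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51234 -> 203.0.113.5:6881",
    "08/26/2015-07:30:03.000003  [**] [1:2007727:5] ET P2P possible torrent download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51300 -> 203.0.113.9:80",
    "08/26/2015-07:30:04.000004  [Drop] [**] [1:2102181:3] GPL P2P BitTorrent transfer [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51235 -> 203.0.113.6:6882",
]

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"  # '[Drop]' / '[wDrop]' prefix; absent for a plain alert (assumed layout)
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = FAST_LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            d["action"] = (d["action"] or "alert").lower()
            events.append(d)
    return events


def summarize(events):
    """Per sid: action counts and the distinct (proto, src, dst) flows involved, so
    'the rule fired but traffic kept flowing' can be checked flow by flow."""
    per_sid = defaultdict(lambda: {"msg": "", "actions": Counter(), "flows": set()})
    for e in events:
        entry = per_sid[e["sid"]]
        entry["msg"] = e["msg"]
        entry["actions"][e["action"]] += 1
        entry["flows"].add((e["proto"], e["src"], e["dst"]))
    return dict(per_sid)


def silent_sids(rules_text, events):
    """Active rules that never appear in the log: the candidates for a rule/pcap test case."""
    seen = {e["sid"] for e in events}
    return sorted(sid for sid in active_rule_actions(rules_text) if sid not in seen)


if __name__ == "__main__":
    converted = alert_to_drop(RULES_SNIPPET)
    print("rule actions after modifysid:", active_rule_actions(converted))
    evs = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, info in sorted(summarize(evs).items()):
        print(sid, info["msg"], dict(info["actions"]), "flows:", len(info["flows"]))
    print("active rules with no log entry:", silent_sids(converted, evs))
```

Run it against a real fast.log by replacing SAMPLE_FAST_LOG with the file's lines; a sid that shows only "alert" after the modifysid step means the converted file was not the one Suricata loaded, and a sid whose flow count keeps growing under "drop" is the specific rule/traffic pair worth capturing as a pcap.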

Actions #5

Updated by Ravin Goyal over 8 years ago

Ravin Goyal wrote:

No, there is no additional specification regarding my setup; I just set my local network in $HOME_NET and the rest is unchanged in the configuration file.

drop tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Deluge "; http_header; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:5;)

drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:12;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:5;)

drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; uricontent:".torrent"; nocase; pcre:"/(\.torrent)$/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:5;)

Only these matched out of all rules in emerging-p2p.rules.
Only the last one given above is doing what it is supposed to be doing regarding downloading the .torrent file.

The rest of the rules are still not working.

Actions #6

Updated by Andreas Herz over 8 years ago

Do you have a pcap so we could investigate why those rules don't match?

Actions #7

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Closed
  • Assignee deleted (Ravin Goyal)