Bug #1790

closed

Rule Suppression not working

Added by zach hatsis over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata Version:

# suricata -V
This is Suricata version 3.0.1 RELEASE

Rule:
/etc/suricata/rules/malware.rules:alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:13;)
/etc/suricata/rules/sid-msg.map:2008974 || ET MALWARE User-Agent (Mozilla/4.0 (compatible)) || url,doc.emergingthreats.net/bin/view/Main/2008974

Suppression Rule:

suppress gen_id 1, sig_id 2008974, track_by dst, ip 74.121.240.50

Event still firing:
[1:2008974:13] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was detected] [Priority: 1] {TCP} X.X.X.X:62165 -> 74.121.240.50:80

Tried the following:
    suricatasc -c "reload-rules"

    kill -USR2 $(pidof suricata)
also completely stopped and started suricata


Files

2008974.pcap (1.24 KB) 2008974.pcap zach hatsis, 05/24/2016 02:29 PM
2404015.pcap (484 Bytes) 2404015.pcap zach hatsis, 05/24/2016 02:53 PM
#1

Updated by zach hatsis over 8 years ago

Another sample of a different sig that has the same issue. I am seeing this across 2404015-2404046:

suppress gen_id 1, sig_id 2404015, track_by src, ip [10.40.X.0/24,10.40.X.0/24,10.40.X.0/24]

Event Fired:

[1:2404015:4233] ET CNC Shadowserver Reported CnC Server IP group 16 [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.40.X.X:53 -> 192.99.4.170:7842

    # sh -x reload_rules.sh
    + pidof suricata
    for pid in '$(pidof suricata)'
    + kill -USR2 38946
    + for pid in '$(pidof suricata)'
    + kill -USR2 38912
    + echo '[+] rules reloaded'
    [+] rules reloaded
#2

Updated by Victor Julien over 8 years ago

The suppression rule is wrong; it generates an error when you load it. It should be:

suppress gen_id 1, sig_id 2008974, track by_dst, ip 74.121.240.50

Note: track by_dst instead of track_by dst.
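A small checker for suppress lines in threshold.config, added here as an example (it is not Suricata's own parser; the grammar it accepts, gen_id/sig_id, track by_src|by_dst|by_either, ip, follows the Suricata threshold.config documentation), that flags the track_by typo from this report before a rule reload:

```python
import ipaddress
import re

# "track" keywords Suricata accepts on a suppress line (by_either in later releases).
TRACK_KEYWORDS = {"by_src", "by_dst", "by_either"}

# suppress gen_id N, sig_id N[, track <kw>, ip <addr | [addr,...] | $VAR>]
LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(\S+)\s*,\s*ip\s+(.+?))?\s*$"
)


def parse_ip_list(text):
    """Split an ip value (single address, CIDR, [list] or $VAR); raise ValueError if malformed."""
    text = text.strip()
    items = [t.strip() for t in text[1:-1].split(",")] if text.startswith("[") and text.endswith("]") else [text]
    out = []
    for item in items:
        if not item.startswith("$"):            # address variable such as $HOME_NET is not validated here
            ipaddress.ip_network(item, strict=False)  # raises ValueError on e.g. 999.1.1.1
        out.append(item)
    return out


def check_suppress_line(line):
    """Return (ok, message); ok is False when Suricata would reject the line at load time."""
    m = LINE_RE.match(line.strip())
    if not m:
        if re.search(r"\btrack_by\b", line):   # the exact mistake in this bug report
            return False, "bad keyword 'track_by': use 'track by_src' or 'track by_dst'"
        return False, "line does not match 'suppress gen_id N, sig_id N[, track <kw>, ip <addr>]'"
    gid, sid, track, ips = m.groups()
    if track is not None and track not in TRACK_KEYWORDS:
        return False, f"unknown track keyword '{track}' (expected one of {sorted(TRACK_KEYWORDS)})"
    if ips is not None:
        try:
            parse_ip_list(ips)
        except ValueError as err:
            return False, f"bad ip value: {err}"
    return True, f"ok: gen_id={gid} sig_id={sid} track={track or 'all'}"


def check_threshold_config(text):
    """Check every suppress line of a threshold.config body; return [(lineno, message)] for bad lines."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("suppress"):     # blank, comment, threshold/event_filter lines are skipped
            continue
        ok, msg = check_suppress_line(line)
        if not ok:
            problems.append((n, msg))
    return problems
```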
#3

Updated by Victor Julien over 8 years ago

  • Status changed from New to Closed