Bug #248
closedPrevention support
Description
I must say that this is awesome project. But still it lacks one but absolutely most important thing - prevention.
Currently web server protection can be achieved only with using "content" and "tcp" instead of "uricontent" and "http".
Also `pcre' does not work... Of course pushing -I OUTPUT -j NFQUEUE to iptables gives proper detection but no prevention whatsoever.
It's very unlikely that web attacks will be longer than 1 packet could handle. In that case packet drop should be immediate.
So what's the bug (one more time):
- prevention with web attacks (uricontent/pcre/http_*) needs to work
REJECT TCP + CONTENT -OUTPUT -j NFQUEUE
[22:29:08] debian32:/etc/suricata/rules# cat test.rules reject tcp any any -> any 80 (msg:"GPL WEB_SERVER .htaccess access"; content:".htaccess"; classtype:attempted-recon; sid:1129; rev:6;) [22:29:22] debian32:/etc/suricata/rules# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [22:29:23] debian32:/etc/suricata/rules# printf "GET /.htaccess HTTP/1.0\r\n\r\n" | nc localhost 80 [22:29:26] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 11/29/10-21:29:26.534863 [**] [1:1129:6] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 127.0.0.1:48623 -> 127.0.0.1:80 [22:29:29] debian32:/etc/suricata/rules#
As we can see the request is dropped (empty http logs)
But when using uricontent (and/or pcre):
*SERVER* [22:42:01] debian32:/etc/suricata/rules# cat test.rules reject http any any -> any 80 (msg:"GPL WEB_SERVER .htaccess"; uricontent:".htaccess"; nocase; classtype:web-application-attack; sid:1071; rev:6;) [22:42:03] debian32:/etc/suricata/rules# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0 *CLIENT*: [22:41:46] ponury@eva:~ $ printf "GET /.htaccess HTTP/1.1\r\nHost: debian32\r\n\r\n" | nc.traditional debian32 80 HTTP/1.1 200 OK Server: nginx/0.6.32 Date: Mon, 29 Nov 2010 21:42:13 GMT Content-Type: application/octet-stream Content-Length: 21 Last-Modified: Mon, 29 Nov 2010 21:24:16 GMT Connection: keep-alive Accept-Ranges: bytes my-super-secret-pass ^C [22:41:47] ponury@eva:~ $ *SERVER*: [22:42:06] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 11/29/10-21:42:13.297907 [**] [1:1071:6] GPL WEB_SERVER .htaccess [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 192.168.0.128:56892 -> 192.168.0.4:80 [22:42:19] debian32:/etc/suricata/rules#
As we can see it detects attack but it does not prevent it.
In my opinion this should be fixed ASAP - my mom used to say that it's better to prevent than cure...
I really hope this could be fixed soon...
If you need more data or tests I can always try to do it.
Updated by Victor Julien almost 14 years ago
- Subject changed from *Prevention* support to Prevention support
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Priority changed from Immediate to Normal
- Target version changed from 1.0.2 to 1.1beta2
Solving problems when dropping in the reassembled stream will be a focus point of 1.0.4.
Updated by Victor Julien almost 14 years ago
Small update: I'm currently working on this. Should have code up for testing in a few days.
Updated by Victor Julien almost 14 years ago
I just pushed a large stream engine update that addresses this issue. It's in the current git master. To use it, enable the stream.inline mode. To see how, open up the example suricata.yaml after updating your git tree.
Updated by Victor Julien almost 14 years ago
- Status changed from Assigned to Closed
Updated by Bartosz Ponury almost 14 years ago
Victor Julien wrote:
I just pushed a large stream engine update that addresses this issue. It's in the current git master. To use it, enable the stream.inline mode. To see how, open up the example suricata.yaml after updating your git tree.
Hi, thanks for fixing it so fast. Now it's almost ready for production :) I didn't know if I should reopen new bug or not. But the problem is that it's not always working...
I've enabled stream inline mode and it always detects attacks (as before) and almost everytime it blocks them. In two different reasons somehow. Sometimes the packet's are dropped and sometimes it sends RST. Sometimes however it isn't blocked at all.
[ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80 // here it receives RST and connection is terminated instantly = superb [ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80 // here I suppose packets are dropped and request is sent few more times (more alerts) ^C // (Ctrl+C breaks it) but connection remains open (still it's good) [ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80 // here however the same request is received by application which is not good... HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Feb 2011 16:49:19 GMT Content-Type: text/html Content-Length: 178 Connection: close [...]
All requests were made at the same time +- few seconds no configuration was changed during this time. From my observation it drops packets (without sending RST) in 60-70% of malicious requests. But packets reach application at least in 10% of cases.
Updated by Victor Julien almost 14 years ago
Thanks for testing this. Just to rule out any problem of reject vs drop could you change the rule to drop instead of reject?
Updated by Bartosz Ponury almost 14 years ago
If i change the rule to 'drop', packets are always dropped. So connection is not terminated. The good news is that bad traffic does not reach application.
Updated by Victor Julien almost 14 years ago
Thanks for checking. It means something is not completely right with dropping while we use the reject keyword. I'll let you know when I publish a fix!
Updated by Victor Julien almost 14 years ago
- Status changed from Closed to Assigned
Updated by Victor Julien over 13 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Commit 477bc1d050925d4ca66498fb9705746a2e7be62c fixes this.