Project

General

Profile

Actions

Bug #248

closed

Prevention support

Added by Bartosz Ponury about 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I must say that this is awesome project. But still it lacks one but absolutely most important thing - prevention.
Currently web server protection can be achieved only with using "content" and "tcp" instead of "uricontent" and "http".
Also `pcre' does not work... Of course pushing -I OUTPUT -j NFQUEUE to iptables gives proper detection but no prevention whatsoever.
It's very unlikely that web attacks will be longer than 1 packet could handle. In that case packet drop should be immediate.

So what's the bug (one more time):
- prevention with web attacks (uricontent/pcre/http_*) needs to work

REJECT TCP + CONTENT -OUTPUT -j NFQUEUE

[22:29:08] debian32:/etc/suricata/rules# cat test.rules 
reject tcp any any -> any 80 (msg:"GPL WEB_SERVER .htaccess access"; content:".htaccess"; classtype:attempted-recon; sid:1129; rev:6;)
[22:29:22] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[22:29:23] debian32:/etc/suricata/rules# printf "GET /.htaccess HTTP/1.0\r\n\r\n" | nc localhost 80
[22:29:26] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 
11/29/10-21:29:26.534863  [**] [1:1129:6] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 127.0.0.1:48623 -> 127.0.0.1:80
[22:29:29] debian32:/etc/suricata/rules# 

As we can see the request is dropped (empty http logs)

But when using uricontent (and/or pcre):

*SERVER*
[22:42:01] debian32:/etc/suricata/rules# cat test.rules 
reject http any any -> any 80 (msg:"GPL WEB_SERVER .htaccess"; uricontent:".htaccess"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
[22:42:03] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0

*CLIENT*:
[22:41:46] ponury@eva:~ $ printf "GET /.htaccess HTTP/1.1\r\nHost: debian32\r\n\r\n" | nc.traditional debian32 80
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Mon, 29 Nov 2010 21:42:13 GMT
Content-Type: application/octet-stream
Content-Length: 21
Last-Modified: Mon, 29 Nov 2010 21:24:16 GMT
Connection: keep-alive
Accept-Ranges: bytes

my-super-secret-pass
^C
[22:41:47] ponury@eva:~ $ 

*SERVER*:
[22:42:06] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 
11/29/10-21:42:13.297907  [**] [1:1071:6] GPL WEB_SERVER .htaccess [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 192.168.0.128:56892 -> 192.168.0.4:80
[22:42:19] debian32:/etc/suricata/rules# 

As we can see it detects attack but it does not prevent it.

In my opinion this should be fixed ASAP - my mom used to say that it's better to prevent than cure...

I really hope this could be fixed soon...
If you need more data or tests I can always try to do it.

Actions

Also available in: Atom PDF