Project

General

Profile

Actions
Copy link

Support #2546

closed

Suricata 4.0.x blocking issues

Added by Bryant Smith over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Affected Versions:
4.0.4, 4.0.5
Label:

Description

I was told about an issue with trying to block exe file downloaded via http. Upon doing some testing I installed 4.0.5 and 4.1-beta on Ubuntu 18.04. For version 4.0.x, the below signature will only generate an alert and not block the download from happening. If the signature is changed from use tcp as the protocol to http then it will generate an alert and also block the download.

We noticed that as long as the signature was placed in the "Inspect Application Layer" then it would block the download.

18/7/2018 -- 12:53:37 - <Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
vs
18/7/2018 -- 12:56:19 - <Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

I used the same configuration with 4.1-beta and regardless if the signature is using tcp or http as the protocol it will block the download.

Signature:

drop tcp any $HTTP_PORTS -> any any (msg:"PE EXE or DLL Windows file download HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; sid:123456; rev:1;)

drop http any $HTTP_PORTS -> any any (msg:"PE EXE or DLL Windows file download HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; sid:123456; rev:1;)

configuration:

sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
sudo iptables -I FORWARD -j NFQUEUE

./configure --prefix=/opt/suricata-4.0.5/ --sysconfdir=/opt/suricata-4.0.5/etc --localstatedir=/opt/suricata-4.0.5/var --enable-profiling --enable-luajit --with-liblua-includes=/usr/local/include/luajit-2.0 --enable-debug --enable-nfqueue

Alerts - 4.0.5:
07/18/2018-12:49:10.440161 [Drop] [**] [1:123456:1] PE EXE or DLL Windows file download HTTP [**] [Classification: (null)] [Priority: 3] {TCP} 10.50.8.202:80 -> 172.16.173.168:57434

Actions
Copy link

Also available in: Atom PDF