Support #2612
suricata.yaml vars address-groups config does not take effect
Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Description
Hello, I configured my network-groups in the suricata.yaml file:
YS_NET: "[100.66.0.0/16]"
DEV_NET: "[100.73.0.0/16,100.72.0.0/16]"
YS_BLJ: "[100.76.34.250/32]"
DC_NET: "[100.64.0.0/10,!$DEV_NET]"
DC_NET means: match all IP addresses in 100.64.0.0/10 except 100.73.0.0/16 and 100.72.0.0/16.
I wrote a rule to match SSH connections from YS_NET to DC_NET.
Rule: alert ssh $YS_NET any -> $DC_NET any (msg:"ssh-connect"; threshold: type limit, track by_dst, seconds 300, count 1; sid:8889152; rev:01;)
Suricata starts successfully, but the alerts are not what I want: it matches 100.73.0.0/16.
The alerts:
{"timestamp":"2018-08-31T17:26:53.981939+0800","flow_id":193849219437031,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.104","src_port":38674,"dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"JSCH-0.1.53"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2018-08-31T17:26:54.200993+0800","flow_id":1991668842552896,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.108","src_port":51443,"dest_ip":"100.73.18.28","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_5.3"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2018-08-31T17:26:54.774279+0800","flow_id":1080414221281901,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.104","src_port":38676,"dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"JSCH-0.1.53"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2018-08-31T17:26:55.176909+0800","flow_id":402565302816672,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.104","src_port":38677,"dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"JSCH-0.1.53"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2018-08-31T17:26:55.570309+0800","flow_id":1556932252894628,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.104","src_port":38678,"dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"JSCH-0.1.53"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
{"timestamp":"2018-08-31T17:26:56.896414+0800","flow_id":1230909875453538,"in_iface":"em3","event_type":"ssh","src_ip":"100.66.212.104","src_port":48155,"dest_ip":"100.73.18.36","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_5.3"},"server":{"proto_version":"2.0","software_version":"OpenSSH_5.3"}}}
And another problem: I set a threshold in this rule, "threshold: type limit, track by_dst, seconds 300, count 1;", and it does not take effect either.
Updated by Victor Julien over 6 years ago
- Tracker changed from Bug to Support
- Description updated (diff)
- Priority changed from High to Normal
- Target version deleted (4.0.5)
- Effort deleted (high)
- Affected Versions 4.0.5 added
Updated by Victor Julien over 6 years ago
None of these events are alerts. They are ssh log records that are not conditional. So the vars don't affect that logging.
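The distinction Victor points out, and the address-group negation from the description, can both be checked offline against the EVE records. The script below is an added example written for this page, not Suricata's own code: it implements a simplified reading of the address-group syntax the ticket uses (a bracketed comma-separated list, $VAR references and a leading "!" negation), parses EVE JSON lines, and reports for each record its event_type and whether the rule header "$YS_NET any -> $DC_NET any" would match its endpoints. The sample input is constructed: two records reuse IP addresses from the report, and a third is a made-up event_type "alert" record for contrast. Records of type "ssh" are protocol logs that Suricata writes regardless of any rule, which is why a destination like 100.73.18.28 (inside DEV_NET and therefore excluded from DC_NET) still shows up in the log.

```python
import ipaddress
import json

# Constructed sample EVE lines (not the full records from the ticket).
# Lines 1 and 2 reuse addresses from the report; line 3 is a made-up
# "alert" record so the two event types can be told apart.
SAMPLE_EVE = """\
{"timestamp":"2018-08-31T17:26:53.981939+0800","event_type":"ssh","src_ip":"100.66.212.104","dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP"}
{"timestamp":"2018-08-31T17:26:54.200993+0800","event_type":"ssh","src_ip":"100.66.212.108","dest_ip":"100.73.18.28","dest_port":22,"proto":"TCP"}
{"timestamp":"2018-08-31T17:26:56.000000+0800","event_type":"alert","src_ip":"100.66.212.104","dest_ip":"100.111.222.34","dest_port":22,"proto":"TCP","alert":{"signature_id":8889152,"signature":"ssh-connect"}}
"""

# Address groups exactly as written in the ticket's suricata.yaml.
ADDRESS_GROUPS = {
    "YS_NET": "[100.66.0.0/16]",
    "DEV_NET": "[100.73.0.0/16,100.72.0.0/16]",
    "YS_BLJ": "[100.76.34.250/32]",
    "DC_NET": "[100.64.0.0/10,!$DEV_NET]",
}


def expand_group(name, groups):
    """Expand an address group into (include, exclude) lists of networks.

    Simplified model of Suricata's syntax (an assumption of this example):
    a bracketed, comma-separated list, $VAR references and a leading '!'.
    Negating a nested variable excludes every network that variable includes.
    """
    include, exclude = [], []
    spec = groups[name].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        if item.startswith("$"):
            inc, exc = expand_group(item[1:], groups)
            if negate:
                exclude.extend(inc)
            else:
                include.extend(inc)
                exclude.extend(exc)
        else:
            (exclude if negate else include).append(ipaddress.ip_network(item))
    return include, exclude


def matches_group(ip, name, groups):
    """True if ip is inside an included network and outside every excluded one."""
    addr = ipaddress.ip_address(ip)
    include, exclude = expand_group(name, groups)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)


def summarize(eve_text, groups, src_group="YS_NET", dst_group="DC_NET"):
    """Parse EVE JSON lines; per record, report event_type and whether the
    rule header '$src_group any -> $dst_group any' would match its endpoints.
    A 'ssh' record with header_matches False is a protocol log, not an alert."""
    rows = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rows.append({
            "event_type": rec["event_type"],
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "header_matches": (matches_group(rec["src_ip"], src_group, groups)
                               and matches_group(rec["dest_ip"], dst_group, groups)),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVE, ADDRESS_GROUPS):
        print(row)
```

Run against a real eve.json, the same loop makes the ticket's confusion visible at a glance: filter on event_type == "alert" (or on alert.signature_id) before judging whether the address groups work, and treat "ssh" records as the unconditional protocol log they are.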
Updated by yg lu over 6 years ago
Victor Julien wrote:
None of these events are alerts. They are ssh log records that are not conditional. So the vars don't affect that logging.
Thanks for replying so quickly, I found my mistake, thanks.