<p><strong>Suricata - Bug #2847: Confusing warning “Rule is inspecting both directions” when inspecting engine analysis output</strong></p>
<p>Open Information Security Foundation, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/2847">https://redmine.openinfosecfoundation.org/issues/2847</a></p>
<p><strong>Andreas Herz</strong> (2019-02-25T21:32:42Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11284">journal 11284</a></p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>Support</i></li></ul><p>This should just occur if the flags <b>to_server</b> and <b>to_client</b> are both set. Can you give us more details about your configuration? How are HOME_NET and EXTERNAL_NET configured?</p>
<p><strong>Samu Voutilainen</strong> (2019-02-26T05:32:10Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11291">journal 11291</a></p>
<p>Andreas Herz wrote:</p>
<blockquote>
<p>how are HOME_NET and EXTERNAL_NET configured?</p>
</blockquote>
<p>EXTERNAL_NET is just negation of HOME_NET:</p>
<pre>
vars.address-groups.EXTERNAL_NET = !$HOME_NET
</pre>
<p>HOME_NET is constructed from multiple variables, but because it also contains public IPs, I’d rather not paste it publicly here. It’s something like...</p>
<pre>
vars.address-groups.LOCALHOST = [127.0.0.1,::1,2.2.2.2]
vars.address-groups.IPV4_HOME = [1.1.1.1]
vars.address-groups.IPV6_HOME = [2001::/64,2002::1]
vars.address-groups.HOME_NET = [10.0.0.0/8,$LOCALHOST,$IPV4_HOME,$IPV6_HOME]
</pre>
<p><strong>Andreas Herz</strong> (2019-02-26T21:19:12Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11298">journal 11298</a></p>
<p>This config output looks a bit off, how did you get it running?</p>
<p>I tried this and I don't get the warning with that rule:</p>
<pre>
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    LOCALHOST: "[127.0.0.1,::1,2.2.2.2]"
    IPV4-HOME: "[1.1.1.1]"
    IPV6-HOME: "[2001::/64,2002::1]"
    HOME_NET: "[10.0.0.0/8,$LOCALHOST,$IPV4-HOME,$IPV6-HOME]"
</pre>
<p><strong>Samu Voutilainen</strong> (2019-02-27T05:32:43Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11304">journal 11304</a></p>
<p>My output was from <code>suricata --dump-config</code>. The config is similar to what you tested.</p>
<p>Is there anything I could do to debug this or is there some extra information that would be helpful to debug this issue?</p>
<p><strong>Victor Julien</strong> (2019-02-27T06:51:35Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11306">journal 11306</a></p>
<p>Andreas Herz wrote:</p>
<blockquote>
<p>This should just occur if the flags <b>to_server</b> and <b>to_client</b> are both set. [...]</p>
</blockquote>
<p>This, but also when the flow direction is not set. Based on the rest of this signature, it would appear this is looking for a dns query, so flow:to_server should be added. Without it, Suricata will also look for the pattern in to_client traffic.</p>
<p>The address vars don't affect this.</p>
<p><strong>Samu Voutilainen</strong> (2019-02-28T07:30:09Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11312">journal 11312</a></p>
<p>Okay, thanks for the information. I guess that warning makes sense, though I assume there will be some false positives since some things make sense to analyze in both directions. Actually, even in this case, in case you don’t trust your ”home network”, it may make sense to inspect that traffic too.</p>
<p>Just an idea, but maybe it would make sense to make this specific warning configurable, as it may well be that it’s false positive in a lot of cases?</p>
<p>I guess this ticket can be closed.</p>
<p><strong>Victor Julien</strong> (2019-02-28T10:52:41Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11321">journal 11321</a></p>
<p>I think the risk of FP is very small especially when addresses and ports are used in the rule. In the example you gave</p>
<pre>
udp $HOME_NET any -> $EXTERNAL_NET 53
</pre>
<p>It would match on traffic to_server using dest port 53 but also to_client using dest port 53. Normally you would expect the src port to be 53 for to_client dns packets.</p>
<p><strong>Samu Voutilainen</strong> (2019-02-28T13:20:46Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=11324">journal 11324</a></p>
<p>Oh, I see. And even if <code>&lt;-&gt;</code> is used, the rule only should specify where it should do the inspection, regardless of who is initiating the connection (i.e. look only at data from the source or the answer)?</p>
<p>I tried to think of some way to improve that warning, maybe something like ”The rule is inspecting both request and response.” would make it a bit more clear?</p>
<p><strong>Victor Julien</strong> (2019-05-09T14:37:51Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=12028">journal 12028</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Jeff Lucovsky</i></li><li><strong>Target version</strong> changed from <i>Support</i> to <i>70</i></li></ul><p>Hi Jeff, can you make this warning more clear (see comment 8)?</p>
<p><strong>Victor Julien</strong> (2019-05-20T06:22:11Z), <a href="https://redmine.openinfosecfoundation.org/issues/2847?journal_id=12089">journal 12089</a></p>
<ul><li><strong>Tracker</strong> changed from <i>Support</i> to <i>Bug</i></li><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>70</i> to <i>5.0rc1</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/3844">https://github.com/OISF/suricata/pull/3844</a></p>
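<p>As an added example (not code from the ticket or from Suricata itself), a small Python model of the semantics Victor Julien describes above: header fields are matched against the packet's own src/dst, so a to_client packet with dport 53 still matches <code>udp $HOME_NET any -> $EXTERNAL_NET 53</code>, and only a <code>flow:</code> keyword restricts the direction; the "both directions" check mirrors the engine-analysis warning as explained in the thread (no direction set, or both set). The <code>$HOME_NET</code> of 10.0.0.0/8, the rules and the packets are constructed for the demonstration, and the rule parser is a deliberate simplification.</p>

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # constructed, not the reporter's real config


def in_group(addr, group):
    home = any(ipaddress.ip_address(addr) in net for net in HOME_NET)
    return home if group == "$HOME_NET" else not home  # anything else is $EXTERNAL_NET = !$HOME_NET


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flow_client: str  # address that sent the first packet of the flow

    def direction(self):
        return "to_server" if self.src == self.flow_client else "to_client"


def parse_rule(rule):
    """Split a rule into its header fields and the set of directions named by flow: (simplified parser)."""
    header, _, options = rule.partition("(")
    proto, src, sport, _arrow, dst, dport = header.split()[1:]
    flow = set()
    for opt in options.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "flow":
            flow |= {v.strip() for v in val.split(",")} & {"to_server", "to_client"}
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "flow": flow}


def inspects_both_directions(rule):
    """Engine-analysis style check: true when no direction, or both directions, are set."""
    return len(parse_rule(rule)["flow"]) != 1


def rule_inspects(rule, pkt):
    """Header fields match the packet's own src/dst and ports; flow: then selects the direction."""
    r = parse_rule(rule)
    header_ok = (in_group(pkt.src, r["src"]) and in_group(pkt.dst, r["dst"])
                 and r["sport"] in ("any", str(pkt.sport)) and r["dport"] in ("any", str(pkt.dport)))
    return header_ok and (not r["flow"] or pkt.direction() in r["flow"])


# Constructed rules and packets for the demonstration.
RULE_NO_FLOW = 'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"dns query"; content:"example"; sid:1;)'
RULE_TO_SERVER = 'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"dns query"; flow:to_server; content:"example"; sid:2;)'
QUERY = Packet("10.0.0.5", 40000, "8.8.8.8", 53, flow_client="10.0.0.5")  # normal query: to_server, dport 53
REPLY = Packet("8.8.8.8", 53, "10.0.0.5", 40000, flow_client="10.0.0.5")  # normal reply: to_client, sport 53
# Flow opened by the external host from port 53: the home host's answer is to_client, yet its dport is 53.
ODD_REPLY = Packet("10.0.0.5", 41000, "8.8.8.8", 53, flow_client="8.8.8.8")
```

Without <code>flow:to_server</code> the rule inspects both QUERY and ODD_REPLY; adding it drops ODD_REPLY, which is the difference the warning points at.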