Project

General

Profile

Actions
Copy link

Bug #248

closed

Prevention support

Added by Bartosz Ponury almost 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
1.1beta2
Affected Versions:
Effort:
Difficulty:
Label:

Description

I must say that this is awesome project. But still it lacks one but absolutely most important thing - prevention.
Currently web server protection can be achieved only with using "content" and "tcp" instead of "uricontent" and "http".
Also `pcre' does not work... Of course pushing -I OUTPUT -j NFQUEUE to iptables gives proper detection but no prevention whatsoever.
It's very unlikely that web attacks will be longer than 1 packet could handle. In that case packet drop should be immediate.

So what's the bug (one more time):
- prevention with web attacks (uricontent/pcre/http_*) needs to work

REJECT TCP + CONTENT -OUTPUT -j NFQUEUE

[22:29:08] debian32:/etc/suricata/rules# cat test.rules 
reject tcp any any -> any 80 (msg:"GPL WEB_SERVER .htaccess access"; content:".htaccess"; classtype:attempted-recon; sid:1129; rev:6;)
[22:29:22] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[22:29:23] debian32:/etc/suricata/rules# printf "GET /.htaccess HTTP/1.0\r\n\r\n" | nc localhost 80
[22:29:26] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 
11/29/10-21:29:26.534863  [**] [1:1129:6] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 127.0.0.1:48623 -> 127.0.0.1:80
[22:29:29] debian32:/etc/suricata/rules#

As we can see the request is dropped (empty http logs)

But when using uricontent (and/or pcre):

*SERVER*
[22:42:01] debian32:/etc/suricata/rules# cat test.rules 
reject http any any -> any 80 (msg:"GPL WEB_SERVER .htaccess"; uricontent:".htaccess"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
[22:42:03] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0

*CLIENT*:
[22:41:46] ponury@eva:~ $ printf "GET /.htaccess HTTP/1.1\r\nHost: debian32\r\n\r\n" | nc.traditional debian32 80
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Mon, 29 Nov 2010 21:42:13 GMT
Content-Type: application/octet-stream
Content-Length: 21
Last-Modified: Mon, 29 Nov 2010 21:24:16 GMT
Connection: keep-alive
Accept-Ranges: bytes

my-super-secret-pass
^C
[22:41:47] ponury@eva:~ $ 

*SERVER*:
[22:42:06] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log 
11/29/10-21:42:13.297907  [**] [1:1071:6] GPL WEB_SERVER .htaccess [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 192.168.0.128:56892 -> 192.168.0.4:80
[22:42:19] debian32:/etc/suricata/rules#

As we can see it detects attack but it does not prevent it.

In my opinion this should be fixed ASAP - my mom used to say that it's better to prevent than cure...

I really hope this could be fixed soon...
If you need more data or tests I can always try to do it.

Actions
Copy link
 #1

Updated by Victor Julien almost 14 years ago

  • Subject changed from *Prevention* support to Prevention support
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from Immediate to Normal
  • Target version changed from 1.0.2 to 1.1beta2

Solving problems when dropping in the reassembled stream will be a focus point of 1.0.4.

Actions
Copy link
 #2

Updated by Victor Julien almost 14 years ago

Small update: I'm currently working on this. Should have code up for testing in a few days.

Actions
Copy link
 #3

Updated by Victor Julien almost 14 years ago

I just pushed a large stream engine update that addresses this issue. It's in the current git master. To use it, enable the stream.inline mode. To see how, open up the example suricata.yaml after updating your git tree.

Actions
Copy link
 #4

Updated by Victor Julien over 13 years ago

  • Status changed from Assigned to Closed
Actions
Copy link
 #5

Updated by Bartosz Ponury over 13 years ago

Victor Julien wrote:

I just pushed a large stream engine update that addresses this issue. It's in the current git master. To use it, enable the stream.inline mode. To see how, open up the example suricata.yaml after updating your git tree.

Hi, thanks for fixing it so fast. Now it's almost ready for production :) I didn't know if I should reopen new bug or not. But the problem is that it's not always working...
I've enabled stream inline mode and it always detects attacks (as before) and almost everytime it blocks them. In two different reasons somehow. Sometimes the packet's are dropped and sometimes it sends RST. Sometimes however it isn't blocked at all.

[ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80     // here it receives RST and connection is terminated instantly = superb
[ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80     // here I suppose packets are dropped and request is sent few more times (more alerts)
^C                                                                         // (Ctrl+C breaks it) but connection remains open (still it's good)
[ponury@c0x0d:~]$ printf "GET /.htpasswd HTTP/1.0\r\n\r\n" | nc xxx 80     // here however the same request is received by application which is not good...
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 09 Feb 2011 16:49:19 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
[...]

All requests were made at the same time +- few seconds no configuration was changed during this time. From my observation it drops packets (without sending RST) in 60-70% of malicious requests. But packets reach application at least in 10% of cases.

Actions
Copy link
 #6

Updated by Victor Julien over 13 years ago

Thanks for testing this. Just to rule out any problem of reject vs drop could you change the rule to drop instead of reject?

Actions
Copy link
 #7

Updated by Bartosz Ponury over 13 years ago

If i change the rule to 'drop', packets are always dropped. So connection is not terminated. The good news is that bad traffic does not reach application.

Actions
Copy link
 #8

Updated by Victor Julien over 13 years ago

Thanks for checking. It means something is not completely right with dropping while we use the reject keyword. I'll let you know when I publish a fix!

Actions
Copy link
 #9

Updated by Victor Julien over 13 years ago

  • Status changed from Closed to Assigned
Actions
Copy link
 #10

Updated by Victor Julien over 13 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Commit 477bc1d050925d4ca66498fb9705746a2e7be62c fixes this.

Actions
Copy link

Also available in: Atom PDF