Bug #248
closedPrevention support
Description
I must say that this is awesome project. But still it lacks one but absolutely most important thing - prevention.
Currently web server protection can be achieved only with using "content" and "tcp" instead of "uricontent" and "http".
Also `pcre' does not work... Of course pushing -I OUTPUT -j NFQUEUE to iptables gives proper detection but no prevention whatsoever.
It's very unlikely that web attacks will be longer than 1 packet could handle. In that case packet drop should be immediate.
So what's the bug (one more time):
- prevention with web attacks (uricontent/pcre/http_*) needs to work
REJECT TCP + CONTENT -OUTPUT -j NFQUEUE
[22:29:08] debian32:/etc/suricata/rules# cat test.rules
reject tcp any any -> any 80 (msg:"GPL WEB_SERVER .htaccess access"; content:".htaccess"; classtype:attempted-recon; sid:1129; rev:6;)
[22:29:22] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[22:29:23] debian32:/etc/suricata/rules# printf "GET /.htaccess HTTP/1.0\r\n\r\n" | nc localhost 80
[22:29:26] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log
11/29/10-21:29:26.534863 [**] [1:1129:6] GPL WEB_SERVER .htaccess access [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 127.0.0.1:48623 -> 127.0.0.1:80
[22:29:29] debian32:/etc/suricata/rules#
As we can see the request is dropped (empty http logs)
But when using uricontent (and/or pcre):
*SERVER*
[22:42:01] debian32:/etc/suricata/rules# cat test.rules
reject http any any -> any 80 (msg:"GPL WEB_SERVER .htaccess"; uricontent:".htaccess"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
[22:42:03] debian32:/etc/suricata/rules# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0
*CLIENT*:
[22:41:46] ponury@eva:~ $ printf "GET /.htaccess HTTP/1.1\r\nHost: debian32\r\n\r\n" | nc.traditional debian32 80
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Mon, 29 Nov 2010 21:42:13 GMT
Content-Type: application/octet-stream
Content-Length: 21
Last-Modified: Mon, 29 Nov 2010 21:24:16 GMT
Connection: keep-alive
Accept-Ranges: bytes
my-super-secret-pass
^C
[22:41:47] ponury@eva:~ $
*SERVER*:
[22:42:06] debian32:/etc/suricata/rules# tail -1 /var/log/suricata/fast.log
11/29/10-21:42:13.297907 [**] [1:1071:6] GPL WEB_SERVER .htaccess [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 192.168.0.128:56892 -> 192.168.0.4:80
[22:42:19] debian32:/etc/suricata/rules#
As we can see it detects attack but it does not prevent it.
In my opinion this should be fixed ASAP - my mom used to say that it's better to prevent than cure...
I really hope this could be fixed soon...
If you need more data or tests I can always try to do it.