Suricata

Hi Ian,

1.Can you please post all your "suppression" rules in the threshold(privately if you would like) ?

2.I think you are referring to [[https://redmine.openinfosecfoundation.org/issues/366]] ? , not
[[https://redmine.openinfosecfoundation.org/issues/386]] - the last is a Mac OS compilation issue.

3. Do you have any other sig_id 2406000 and sig_id 2406001 in the threshold.conf file?

Thanks

so all of the suppression rules are not working?
or some are and some are not?

To be specific, my logs (since the 4th or 5th of the month) show:

sig_id 2404152, sig_id 2002026, and sig_id 2010645 have not been seen at all since I added the rules. And they were only coming in for the IPs specified, so they're working properly.

sig_id 2013031 continues to come in, but not for the 3 devices I've define in the rule. So it is suppressing alerts and tracking source properly.

sig_id 2406001 has never been seen on this sensor, I copied the line over from another sensor, so I can't say anything to qualify it on this sensor.

sig_id 2406000 is the only line that has failed to suppress alerts as expected.

Hi,

Just to confirm - the only rule ("sig_id 2406000") is the one that is not suppressing in your case, the others work fine, correct?

I tried to reproduce your issue but it behaves as it should at least in my tests.

Could you please try
suppress gen_id 1, sig_id 2406000, track by_dst, ip 108.59.1.205

see if that has some effect?

Correct, that's the only suppression rule that's misbehaving.

I've added the line as you suggested, I'll see how it behaves today. I'll also look back through my packet captures and see if it's doing something weird in context.

The conf suppression won't work because the rule has an event filter set, in which case the rule filter is given precedence over the conf.

You can see that the suppression works by disabling the rule's threshold.

We are working on updating our event filter/suppression engine to allow conf override and be used simultaneously with rule filters.

Outstanding. Thank you very much for the explanation. That makes perfect sense.

I can play with modifysid.conf in pulledpork as a workaround until this update comes to bear.

Dear All,

It seems I got a similar issue as well. Here is the suppression rule I made for my IPS:

suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2006445, track by_src, ip 192.168.200.10
suppress gen_id 1, sig_id 2011215, track by_src, ip 192.168.200.10

Neither of them work as expected under inline mode: it just suppressed the "alert", but not the "drop" action.

ips/emerging-icmp_info.rules:drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8;)

ips/emerging-web_server.rules:drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:10;)

ips/emerging-web_specific_apps.rules:drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011215; classtype:web-application-attack; sid:2011215; rev:5;)

while I run with this command:
suricata -c /etc/suricata/suricata-ips.yaml -q 0

Any idea?

Regards,
Hang

@Hang I think this actually works as expected. Suppression is about suppressing the output, while keeping the rule 'actions' (drop, setting flowbits, etc).