exclude (disable) ET DNS Query...



  • I've added the emerging-dns.rules (snort_browser-webkit.rules).
    Apart from the desired alerts, I'm also getting undesired blocks, for example:

    1:2027757 ET DNS Query for .to TLD

    I want to use SID mgmt. to disable this alert, so I need to add this entry to a SID Management Configuration list.

    My question(s)

    • What is the correct setting for SID state order?
    • Which List Assignment do I use (Enable, Disable, Modify SID list)?

    I've been trying (unsuccessfully) some combinations, failed...

    Thank you for your time and effort.



  • Let's start first with the List Assignment question.

    The drop-down selectors have names that match what the selected list will be used for. So the ENABLE selection means that when a list selected in that drop-down is read and parsed, all matching SIDs will be "enabled". Rules that are enabled can detect issues and trigger alerts. The DISABLE drop-down does the same basic thing except SIDs matching that list will be "disabled". Rules that are disabled are never even loaded into memory and thus can't detect any issues nor will they be able to trigger any alerts since they are not present. Lastly, the MODIFIED selection is a bit different. Here, the matching SIDs will have some portion of their rule text modified. Regular Expressions (regex) are used to do this. This is a quite advanced feature, and the majority of users will never want to use it. The ENABLE and DISABLE selections are very frequently used, though.

    Now let's talk about the SID State Order selections. This setting only matters when you have a list selected in both the ENABLE and DISABLE drop-downs. This would be the case if you have SIDs you want to force enable and other SIDs you want to force disable. So what the SID State Order setting does is configure which list is going to be processed first: the ENABLE list or the DISABLE list. This really matters only in the event the same SID matches both lists. Maybe an example will help clarify.

    Suppose you put the ET-DNS rules in a list by category name and you select that list in the ENABLE list selector. That tells the IDS/IPS to enable the rules in that category. But what if you still want to disable a couple of rules in that category? To do that, you would put their SIDs in a list you select in the DISABLE list selector. Since you want to be sure those disabled rules stay disabled, you would want your list processing order done as "find and enable all rules matching SIDs from my ENABLE list", and then "find and disable all rules matching SIDs from my DISABLE list". So you would want SID State Order set to "ENABLE/DISABLE". If you set it to DISABLE/ENABLE instead, then the code would process the "disable SIDs list" first and disable those ET-DNS SIDs you want turned off, but then the "enable SIDs list" is processed next, and that list is going to enable all of the ET-DNS rules (including those you just turned off) because when you select by category name that matches all SIDs in the category.

    The SID state (enabled or disabled) is governed by the last match. So if the disable list ran last, and the SID matched that list, it will be disabled. However, if the enable list was processed last and the SID matched that list, it will be enabled. When a SID does not match a given list, nothing happens to the SID when that list is processed.

    Hopefully this cleared things up a bit.

    For your specific case, you state you have already enabled the DNS rules category, so I assume you've done that on the CATEGORIES tab. Now you are getting false positives from a particular rule and want to disable that one. You have three ways to do this.

    1. On the ALERTS tab, find an alert with that rule (SID 1:2027757) and then click the red X in the GID:SID column. That will permanently disable that rule.

    2. On the RULES tab for the Interface, select the category name in the Category drop-down. The rules from that category will populate the bottom table. Find the SID you want to disable and click the icon under the State column to disable that rule.

    3. On the SID MGMT tab, create a SID conf text file to hold the SIDs you want disabled. I like to name my files according to the function, so I would create a new list and call it disablesid.conf. But you can name it anything you want. The name does not matter. In that file create an entry for the GID:SID pair you want disabled on a single line -- so put 1:2027757 on a line and save the file. Now go down to the DISABLE selector and choose the file you just created. Save that change and you are done. If you want the IDS/IPS to immediately apply your change, check the box on the far left that says force rules reload (or something like that - I can't remember at the moment exactly how the caption reads) at the bottom where you choose the ENABLE, DISABLE and MODIFY list. Then click Save. If you don't click the force-reload checkbox, the SID MGMT changes won't be applied until you restart Suricata.
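
Added example, not part of the original post and not the Suricata package's code: a simplified Python model of the list processing described in the answer above, showing how SID State Order decides the final state of 1:2027757. The category name `emerging-dns`, the `#` comment handling, and SIDs 9000001/9000002 are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    category: str
    enabled: bool  # state before any SID MGMT list is processed

def parse_list(text):
    """Return list entries: 'GID:SID' pairs or category names."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if line:
            entries.append(line)
    return entries

def matches(rule, entry):
    """True if the entry names this rule by GID:SID or by its category."""
    if ":" in entry:
        gid, sid = (part.strip() for part in entry.split(":", 1))
        return gid.isdigit() and sid.isdigit() and (int(gid), int(sid)) == (rule.gid, rule.sid)
    return entry == rule.category

def apply_lists(rules, enable_text, disable_text, order):
    """order is 'ENABLE/DISABLE' or 'DISABLE/ENABLE'; the first name is processed first."""
    passes = {"ENABLE": (parse_list(enable_text), True),
              "DISABLE": (parse_list(disable_text), False)}
    state = {(r.gid, r.sid): r.enabled for r in rules}
    for name in order.split("/"):
        entries, new_state = passes[name]
        for r in rules:
            # Last match wins; a rule matching neither list keeps its state.
            if any(matches(r, e) for e in entries):
                state[(r.gid, r.sid)] = new_state
    return state

# Constructed sample data: only 1:2027757 comes from the thread.
RULES = [
    Rule(1, 2027757, "emerging-dns", False),    # ET DNS Query for .to TLD
    Rule(1, 9000001, "emerging-dns", False),    # placeholder SID, same category
    Rule(1, 9000002, "emerging-other", False),  # placeholder SID, untouched category
]
ENABLE_LIST = "emerging-dns   # enable the whole category\n"
DISABLE_LIST = "1:2027757\n"

if __name__ == "__main__":
    for order in ("ENABLE/DISABLE", "DISABLE/ENABLE"):
        print(order, apply_lists(RULES, ENABLE_LIST, DISABLE_LIST, order))
```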



  • @bmeeks Thank you for your time, effort and very extensive answer.
    For some reason, step 2 (RULES tab) appears to be unnecessary; after I executed step one, I checked the RULES tab entries, and they were already marked as 'user disabled'.
    The script that runs overnight and caused the alerts no longer caused any alerts, so the method explained above has been successfully implemented.

    Thanks again.



  • @jpgpi250 said in exclude (disable) ET DNS Query...:

    @bmeeks Thank you for your time, effort and very extensive answer.
    For some reason, step 2 (RULES tab) appears to be unnecessary; after I executed step one, I checked the RULES tab entries, and they were already marked as 'user disabled'.
    The script that runs overnight and caused the alerts no longer caused any alerts, so the method explained above has been successfully implemented.

    Thanks again.

    I think you misunderstood my reply. I was showing you that there are three different ways to accomplish disabling that rule. Any single one of the three is all you need to do.

