Suricata / Drop rule



  • I am trying to block some websites by using a custom rule on my LAN interface. Here is a rule I am using to test with:

    drop ip any any -> any any (msg:"Drop Domain - www.facebook.com"; content:"GET"; http_method; content:"facebook"; http_uri; classtype:policy-violation; sid:4002010; rev:10;)

    Following all the things I have read and looking at some of the rules written by ET or PP, this looks like it should do the trick. It may not be the most efficient method but it should work. Unfortunately, it is not working in the slightest bit. Am I going about this completely wrong? The drop rules I have written based off of IPRep work just fine in my custom rules if that helps to know or not.

    I would appreciate anyone's point of view here so that I can continue learning how to use an IDS effectively or to my needs. Thanks.



  • Facebook traffic is typically HTTPS (encrypted), so when Suricata sees the packets the payload is encrypted and thus your content string of "facebook" will never match.  The packet is only decrypted in the client's browser and not in the firewall where Suricata lives.  Now this all assumes you have not put a MITM setup in place with pfSense getting a look at the un-encrypted traffic.

    Bill



  • I had a feeling that was the issue. So with https enabled sites, it comes down to blocking by known IP/IP Ranges. Or is there another method to achieve what I am looking for that I haven't stumbled upon as of yet? After looking at some packets in Wireshark, I am not seeing anything that I could key off of but I am on new territory learning how to use an IDS. Thanks again for your time. It is appreciated.

    –Thom



  • That's the whole idea behind encryption – the data is "invisible" and undecipherable to prying eyes.  So you can't use content matching like you might on the old HTTP sites.

    Snort has the OpenAppID detectors which do some Layer 7 inspection and can have very limited success with HTTPS sites by snooping on the very first part of the initial SSL cert setup.  Suricata currently does not provide an OpenAppID equivalent yet.

    By and large what you are trying to do can't be done well.  Success will be spotty and basically is not worth the effort in my view.  Blocking by IP is also a problem because the large and popular sites have a plethora of IP address pools where content might be served from.  So you wind up having to block pretty much most of the world's IP addresses, so then where are you?

    The only solution is a man-in-the-middle setup, but most of us admin types consider that "evil" as it breaks the whole concept of privacy.  You can research man-in-the-middle (MITM) to see what I am talking about.  It requires custom SSL certs on each client in your network such that the clients trust some proxy.  That proxy makes the HTTPS connection on behalf of your clients, and so while the data is traversing the proxy it is in the clear and can be inspected.

    Bill



  • You can use dns and tls keywords, here are some generic examples

    drop dns any any -> any any (msg:"DNS Facebook"; content:"facebook"; classtype:policy-violation; sid:39398144; rev:1;)
    drop tls any any -> any any (msg:"SSL Facebook"; tls.subject:"facebook"; classtype:policy-violation; sid:39398145; rev:1;)

    For more specific keywords, check the Suricata Wiki
    https://redmine.openinfosecfoundation.org/projects/suricata/wiki

    F.
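To make concrete why the OP's content match fails on HTTPS while a tls keyword can still work, here is an added Python example (not from this thread and not Suricata code): it builds a constructed TLS 1.2 ClientHello carrying an SNI, pulls the server name out the way a tls.sni-style check would, and shows that the same substring is absent from a constructed stand-in for an encrypted application_data record. All function names and sample bytes are my own.

```python
import struct

# Constructed stand-in for an encrypted application_data record (type 0x17); an arbitrary fixed blob, not real TLS ciphertext.
CIPHERTEXT_RECORD = b"\x17\x03\x03\x00\x20" + bytes.fromhex(
    "8e1f0a93b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f60718293a4")

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is server_name (SNI)."""
    host = server_name.encode()
    # ServerNameList: list length, name_type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32            # client_version + random
            + b"\x00"                             # session_id length 0
            + b"\x00\x02\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                         # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:  # not a handshake/ClientHello
        return None
    hs = record[5:]
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + hs[p]                                # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    if p + 2 > len(hs):                           # no extensions block at all
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:                       # server_name: skip list length + name_type
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def sni_matches(record: bytes, needle: str) -> bool:
    """What a tls.sni-style keyword gets to see: the SNI field of the clear-text ClientHello."""
    name = extract_sni(record)
    return name is not None and needle in name

def payload_content_matches(record: bytes, needle: bytes) -> bool:
    """What a plain content match over the record bytes sees (the OP's http_uri approach)."""
    return needle in record
```

In TLS 1.2 the server certificate is also sent in the clear, which is what the tls.subject rule above inspects; TLS 1.3 encrypts it, so without a MITM proxy only the SNI remains visible to the sensor.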



  • @fsansfil:

    You can use dns and tls keywords, here are some generic examples

    drop dns any any -> any any (msg:"DNS Facebook"; content:"facebook"; classtype:policy-violation; sid:39398144; rev:1;)
    drop tls any any -> any any (msg:"SSL Facebook"; tls.subject:"facebook"; classtype:policy-violation; sid:39398145; rev:1;)

    For more specific keywords, check the Suricata Wiki
    https://redmine.openinfosecfoundation.org/projects/suricata/wiki

    F.

    Thanks @fsansfil!  I had not thought about those options.  The OP may find this other way will work to some extent.

    Bill



  • Bill, thank you for the additional information. It is helping my understanding click together. I am not interested in MITM attacks. I just want to shut down certain things not eavesdrop.

    fsansfil, thank you for showing a way to achieve what I was looking for. There is so much to Suricata to take in. As with anything, time and experience is what is needed along with some outside help.

