FireBall
suricata drop unknown user agent

How should I be sure whether Suricata is dropping that traffic or not (useragent unknown)?


10/08/2015-17:08:55.167477 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58668 -> 37.123.101.43:80
10/08/2015-17:08:55.212255 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43520 -> 37.123.101.43:80
10/08/2015-17:08:55.386484 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58770 -> 37.123.101.43:80
10/08/2015-17:08:55.652528 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58830 -> 37.123.101.43:80
10/08/2015-17:08:56.105059 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43825 -> 37.123.101.43:80
10/08/2015-17:08:56.145159 www.xxx.com [**] / [**] <useragent unknown> [**] 77.87.197.102:42975 -> 37.123.101.43:80
10/08/2015-17:08:56.477456 www.xxx.com [**] / [**] <useragent unknown> [**] 77.87.197.102:43199 -> 37.123.101.43:80
10/08/2015-17:08:56.544917 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43983 -> 37.123.101.43:80

btan

Overall, packets that are being dropped are saved in the drop.log file, a Netfilter log format. Alerts are all in fast.log, which is the file in the default logging directory (e.g. default-log-dir: /var/log/suricata). But specific to HTTP traffic, you should look at http.log as it keeps track of all HTTP-traffic events. It contains the HTTP request, hostname, URI and the User-Agent.

It is good to check inside your Suricata.yaml, which contains the configuration of Suricata, that a signature such as "useragent unknown" (or equivalent) has its Action property set to "Drop".

See the actions for information:

>For Drop, it only concerns the IPS/inline mode. If the program finds a signature that matches, containing drop, it stops immediately. So what we should observe in "Drop" is that the receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

>For Alert, it is when a signature matches and contains alert. Only the system administrator can notice this alert.

>For Reject, both receiver and sender receive a reject packet. Slightly different from "Drop" is that if the offending packet concerns TCP, it will be a Reset packet. For all other protocols it will be an ICMP error packet. But when it is in Inline/IPS mode, the offending packet will also be dropped, like with the 'Drop' action.

Ref - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
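One way to check the question ("is it dropped or only alerted?") from the logs btan describes, as an added example that is not part of the original answer: it parses http.log lines in the format shown in the question, picks the requests logged with `<useragent unknown>`, and looks for a matching entry in fast.log, where Suricata prefixes the alert with `[Drop]` when a drop-action rule fired in inline mode. The fast.log lines, the rule message and sid 1000001 are constructed placeholders, not from the page.

```python
import re

# Constructed sample http.log in the format shown in the question.
HTTP_LOG = """\
10/08/2015-17:08:55.167477 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58668 -> 37.123.101.43:80
10/08/2015-17:08:55.212255 www.xxx.com [**] / [**] Mozilla/5.0 [**] 89.184.75.24:43520 -> 37.123.101.43:80
10/08/2015-17:08:55.386484 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58770 -> 37.123.101.43:80
"""

# Constructed sample fast.log (assumed format; sid 1000001 and the message are placeholders).
# First line carries the "[Drop]" prefix, second line is a plain alert.
FAST_LOG = """\
10/08/2015-17:08:55.167477  [Drop] [**] [1:1000001:1] HTTP request without User-Agent [**] [Classification: (null)] [Priority: 3] {TCP} 89.184.73.241:58668 -> 37.123.101.43:80
10/08/2015-17:08:55.386484  [**] [1:1000001:1] HTTP request without User-Agent [**] [Classification: (null)] [Priority: 3] {TCP} 89.184.73.241:58770 -> 37.123.101.43:80
"""

HTTP_RE = re.compile(r"^(\S+) (\S+) \[\*\*\] (\S+) \[\*\*\] (.*?) \[\*\*\] (\S+) -> (\S+)$")
FAST_RE = re.compile(r"^(\S+)\s+(\[w?Drop\] )?\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\] .*\{(\w+)\} (\S+) -> (\S+)$")


def parse_http_log(text):
    """Yield one dict per http.log line: timestamp, src:port, dst:port and User-Agent."""
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            ts, _host, _uri, ua, src, dst = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "ua": ua}


def parse_fast_log(text):
    """Map (src:port, dst:port) -> True if any fast.log entry for that flow was a [Drop]."""
    dropped = {}
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            key = (m.group(8), m.group(9))
            dropped[key] = dropped.get(key, False) or (m.group(2) is not None)
    return dropped


def check_unknown_ua(http_text, fast_text):
    """For each request with no User-Agent, say whether fast.log shows it dropped, alerted or missed."""
    dropped = parse_fast_log(fast_text)
    report = {}
    for req in parse_http_log(http_text):
        if req["ua"] != "<useragent unknown>":
            continue
        key = (req["src"], req["dst"])
        if key not in dropped:
            report[key] = "no alert"      # no rule matched this connection
        elif dropped[key]:
            report[key] = "dropped"       # drop action fired (inline/IPS mode)
        else:
            report[key] = "alert only"    # rule matched but its action was alert
    return report
```

A connection that shows up as "alert only" means the rule is matching but the action is still alert, which is the case btan says to check in the rule's Action property.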
FireBall (ASKER)

Should I use Suricata on a machine which is configured to bridge interfaces, with no Apache, to clean this type of traffic? Have you ever tried something like that?

I want to do something like that:


Switch ---- SURICATA SERVER ----- Web hosting server

Should it clean the traffic as given above?

As drawn it is inline. I do suggest you consider this placement, in which you can still function as a bridge. The example uses br0 as the bridge interface and needs iptables rules added for the FORWARD chain, for traffic traversing the bridge.
http://taosecurity.blogspot.sg/2014/01/suricata-20beta2-as-ips-on-ubuntu-1204.html
So we should succeed with a topology like the one added below.

[User-uploaded image: network topology diagram]
WAF is Suricata.

First link on the left is for outbound.
Second link on the left is UDP inbound.
Third link on the left is TCP inbound.


Under the SRX, port 80 is redirecting to the WAF.

And the EX4500 is keeping all gateways on it; the MX is just used for static routes.

So I think that should succeed in cleaning up illegal HTTP traffic.

Suricata is not a WAF per se; you should at least go for mod_security. IPS vs WAF is very different. Nonetheless, I see your intent is to inspect the inbound traffic only. The bridge is supposed to be alright; I am assuming your other traffic routing is fine.

You probably can run tcpdump on the Suricata interfaces to see the traffic that is expected incoming, but I am thinking: does the TCP 3-way handshake actually get established, with traffic of NEW, ESTABLISHED minimally? Also note the example link is using NFQUEUE in iptables rules so that it will send packets to Suricata for processing. https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux

Yes, but our main aim is to protect port 80 from botnet attacks. We have no other problem on our network.
Do you have a WAF advice that works like Squid proxy? I mean one which does not require a config for each web site and applies OWASP rules in this mode.

WAF should be able to handle transparent bridge, like layer 2 inspection, too.
https://techlib.barracuda.com/waf/deploymentmode

Yes, we have talked to them, but their software needs to create each site's config on the WAF.

That is what it has to do, as to go into that L7 layer you need that specific handling. However, there may be means of lesser hassle, though it is not straight off like placing an IPS. See F5 transparent mode; better to check with their technical team to drill into your use case...
https://devcentral.f5.com/questions/asm-transparent-bridge-mode-detect-capabilities

Yes, but Squid + nginx is a good partner to work without writing config on a server, which can handle the traffic from WAN and get responses from LAN.

But I could not find 2 things:

1. mod_security and nginx integration
2. showing the default proxy squid and redirecting all connections to the squid
ASKER CERTIFIED SOLUTION
btan
[solution body not included on this page]
Thank you so much for this good conversation and for your time. I will check deeper with these links.

Thanks for sharing.