Custom Rule to Allow only web browser traffic on port 80

Hi

VM Version: Ubuntu Desktop 20.04.2
Suricata Version: 6.0.0 Release

I am running Suricata in IPS mode with nfq and I have an XAMPP server running. I’m trying to create a rule that allows http traffic from a web browser on port 80, while blocking all nmap traffic. Is there a signature or content I can specify to accomplish this? Right now I have

drop tcp any any -> $HOME_NET !80 (msg:"Possible Nmap TCP SYN Scan"; flow:from_client;flags:S; sid:5;rev:1;)

which blocks nmap from scanning all ports other than 80. However, this rule also blocks out ssh, which I want to use for my testing with ssh bruteforcing (and not reveal the port at the same time).

Currently before turning on suricata, I get:

$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 
Nmap scan report for 192.168.233.196
Host is up (0.00046s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 00:0C:29:C9:25:D3 (VMware)

And after I turn it on, I get:

$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 
Nmap scan report for 192.168.233.196
Host is up (0.0012s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:C9:25:D3 (VMware)

Want to accomplish not having ports revealed whilst being able to access the services (i.e. 80/tcp and 21/tcp). Thanks!

Dear Ryan,

It is not possible to establish a TCP connection without the 3-way handshake that starts with a SYN packet.

The rule you provided drops the SYN packet (except on port 80), and this prevents the connections from being established (including ssh).

The only way to accomplish what you are trying to do is either to create an allowlist of IPs that can access the services, with the rest blocked,

or to implement some network-level authentication mechanism (e.g. port knocking), which will again require that you define/customize your clients.

@IDSTower Got it. So there is no way of filtering which is Nmap traffic and which is web browsing if both use http (or 80/tcp), is that right? Thanks!

Yes, however this does not mean you can’t do anything.

You can still block some of the nmap scanners by detecting IPs that send many SYN packets in a short period of time (indicating an IP scanning a full network/host).
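
The SYN-rate idea from the reply above, as an added example that is not part of the original thread and is not Suricata's own code: a sliding-window counter of bare SYNs per source IP, run over constructed packet records. The window, the threshold and the 192.168.233.x sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # assumed window; tune to your network
SYN_THRESHOLD = 20     # assumed threshold; tune to your network


def find_syn_scanners(packets, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD):
    """Return {src_ip: timestamp} for sources that send more than `threshold`
    bare SYNs within any `window`-second span (timestamp of first crossing).

    `packets` is an iterable of (timestamp, src_ip, dst_port, tcp_flags)
    tuples sorted by timestamp; tcp_flags is a string such as "S" or "A".
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of SYNs still in window
    flagged = {}
    for ts, src, _dport, flags in packets:
        if flags != "S":          # only connection-opening SYNs count
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire SYNs older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def build_sample_traffic():
    """Constructed sample data (not captured traffic)."""
    packets = []
    # A browser opens six connections to port 80 over about two seconds.
    for i in range(6):
        packets.append((100.0 + i * 0.4, "192.168.233.10", 80, "S"))
        packets.append((100.0 + i * 0.4 + 0.01, "192.168.233.10", 80, "A"))
    # A scanner sends one SYN to each of 1000 ports within one second.
    for port in range(1, 1001):
        packets.append((101.0 + port * 0.001, "192.168.233.50", port, "S"))
    # A slow client sends 30 SYNs to port 80, spread over five minutes.
    for i in range(30):
        packets.append((100.0 + i * 10.0, "192.168.233.20", 80, "S"))
    return sorted(packets)


if __name__ == "__main__":
    for src, ts in find_syn_scanners(build_sample_traffic()).items():
        print(f"{src} exceeded {SYN_THRESHOLD} SYNs in {WINDOW_SECONDS}s at t={ts:.3f}")
```

With the threshold lowered to 5, the browser's six parallel connections are flagged as well, which is the false-positive trade-off to weigh before dropping on this signal.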

@IDSTower I see. Would you mind pointing me in the right direction for this (blocking differs from dropping packets, correct)? A link would be much appreciated. Thanks

Dropping and blocking are the same from my perspective.

Take a look here, this file contains rules to detect many scanners including some nmap scanning techniques.

Hope this helps

ok got it thanks @IDSTower !