Difference in rule action when using "!" in destination IP field

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)
The user is running curl -v -k -I https://1.1.1.1, and the scenarios below have different outcomes.

  1. curl gets stuck at the Client Hello, meaning the drop rule kicked in, using the rules below:
pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)

pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> [1.1.1.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)
  2. The user is able to visit https://1.1.1.1 using the rules below:
pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (sid: 44444; rev:2;)
  3. Now, if I add the flow:established keyword to the drop rule, it blocks the HTTPS traffic.
  • My question is: why did the first scenario work even though we didn't specify the flow keyword?

Can you provide a copy of your host variable definitions from the suricata.yaml?

@bmurphy

  • Thanks for the response.
  • The issue remains the same even when I replace $HOME_NET with any and $EXTERNAL_NET with any in the rules above.
    Note: I don't have access to the configuration files.
$HOME_NET --------> any
$EXTERNAL_NET ----> any
  • When doing curl -v -I -k https://1.1.1.1, the rule below also blocks the TLS traffic, but if there is no "!" in the destination field the drop action isn't enforced.
drop tcp any any <> !8.8.8.8 443 (sid: 44444; rev:2;)
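An added example, not code from anyone in this thread or from the Suricata project: a small evaluator for the rule headers posted above, implementing only the documented header syntax (variables, [...] groups, CIDR blocks, "!" negation, "any", port ranges, and the -> / <> direction operators). It assumes HOME_NET and EXTERNAL_NET are "any" as the poster reported, assumes HTTPS_PORTS is 443 (not shared in the thread), uses a constructed client address 10.0.5.7 inside the negated block, and the rule labels are chosen here. Run against the Client Hello to 1.1.1.1:443 and the server's reply, every drop header in the thread, with or without "!", covers both directions, so the address match itself does not distinguish the scenarios; that narrows the question to how the engine evaluates the rule (flow state, pass/drop handling), which this code deliberately does not model.

```python
"""Check which Suricata rule headers from the thread cover a given packet.

Added example; not code from the Suricata project or from anyone in the
thread. Only the documented header syntax is implemented; the detection
engine itself (flow state, IP-only rule handling, pass/drop precedence)
is not modelled.
"""
import ipaddress

# HOME_NET/EXTERNAL_NET as the poster reported them; HTTPS_PORTS is an
# assumption, the poster did not share its value.
VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTPS_PORTS": "443"}

# The drop rules posted in the thread; the dict keys are labels chosen here.
THREAD_RULES = {
    "not_10_0_0_0_16": "drop tcp $HOME_NET any <> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)",
    "1_1_1_0_8": "drop tcp $HOME_NET any <> [1.1.1.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)",
    "external_net": "drop tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (sid: 44444; rev:2;)",
    "not_8_8_8_8": "drop tcp any any <> !8.8.8.8 443 (sid: 44444; rev:2;)",
}


def split_outside_brackets(text, is_sep):
    """Split text on separator characters found at [...] bracket depth 0."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if depth == 0 and is_sep(ch):
            if cur.strip():
                parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def match_expr(expr, value, leaf):
    """Evaluate an address or port expression against one value.

    A [...] group is the union of its positive entries (everything, if it has
    none) minus the union of its negated entries, so [!10.0.0.0/16] and
    !10.0.0.0/16 both mean "anything outside 10.0.0.0/16".
    """
    expr = expr.strip()
    if expr.startswith("$"):
        return match_expr(VARS[expr[1:]], value, leaf)
    if expr.startswith("!"):
        return not match_expr(expr[1:], value, leaf)
    if expr.startswith("[") and expr.endswith("]"):
        entries = split_outside_brackets(expr[1:-1], lambda c: c == ",")
        positives = [e for e in entries if not e.startswith("!")]
        negatives = [e[1:] for e in entries if e.startswith("!")]
        in_pos = not positives or any(match_expr(e, value, leaf) for e in positives)
        in_neg = any(match_expr(e, value, leaf) for e in negatives)
        return in_pos and not in_neg
    return expr == "any" or leaf(expr, value)


def addr_leaf(expr, ip):
    # strict=False masks off host bits, reading the poster's 1.1.1.0/8 as
    # 1.0.0.0/8 (assumed to be how that rule is interpreted).
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def port_leaf(expr, port):
    if ":" in expr:  # range; either end may be open, e.g. "1024:" or ":1023"
        lo, _, hi = expr.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(expr)


def parse_header(rule):
    """Split the text before '(' into action, proto, src, sport, dir, dst, dport."""
    fields = split_outside_brackets(rule.split("(", 1)[0], str.isspace)
    action, proto, src, sport, direction, dst, dport = fields
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if the header covers this packet; <> also tries the swapped tuple."""
    h = parse_header(rule)

    def one_way(a, ap, b, bp):
        return (match_expr(h["src"], a, addr_leaf) and match_expr(h["sport"], ap, port_leaf)
                and match_expr(h["dst"], b, addr_leaf) and match_expr(h["dport"], bp, port_leaf))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return h["direction"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


def thread_rule_coverage(client="10.0.5.7", server="1.1.1.1"):
    """Per rule: (Client Hello client->server covered?, reply server->client covered?).

    The client address is constructed for the example; the server is the
    1.1.1.1 target from the thread.
    """
    return {name: (header_matches(rule, client, 51515, server, 443),
                   header_matches(rule, server, 443, client, 51515))
            for name, rule in THREAD_RULES.items()}


if __name__ == "__main__":
    for name, covered in thread_rule_coverage().items():
        print(f"{name:18} client->server={covered[0]} server->client={covered[1]}")
```

Because the source side of every rule is "any", the <> swap makes the reply packet match even when the negated destination excludes the client's own network; that is why a "!" in the destination field of a bidirectional rule does not carve the client out of the match.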