Suricata not dropping packets even though log says it does

We have a client-server setup (client is behind suricata) where the server sends an attack to the client targeting a specific CVE (CVE-2019-0752) - Suricata logs the attack correctly as a drop but does not drop the packet. How can this happen?

May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"SRC_IP","src_port":80,"dest_ip":"DST_PORT","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":125,"ipid":39595,"tcpseq":843166392,"tcpack":835071700,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3},"tx_id":0}

Can you share what version of Suricata you’re running and the config file?

Version is 5.0.3 RELEASE

The configuration file is:

%YAML 1.1
---

# Suricata configuration file.
# reference conf available at:
#   https://raw.githubusercontent.com/OISF/suricata/suricata-5.0.3/suricata.yaml.in
# docs available at:
#   https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/suricata-yaml.html

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,205.160.55.0/24,205.160.50.0/24]"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80,8080,8081"
    SHELLCODE_PORTS: "!80,!8080,!8081"
    ORACLE_PORTS: "1433,1521,3306"
    SSH_PORTS: "22,64295"
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789

default-log-dir: /var/log/suricata/

outputs:
  - eve-log:
      enabled: yes
      filename: eve.log
      pcap-file: false
      community-id: false
      community-id-seed: 0
      types:
        - alert:
        - drop:
           alerts: yes
           flows: start
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /run/suricata/stats.sock
      types:
         - stats:
            threads: yes

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: /var/log/suricata/suricata.log

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default

app-layer:
  protocols:
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      ja3-fingerprints: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: yes
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      global-memcap: 16mb
      state-memcap: 512kb
      request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
         default-config:
           personality: IDS
           request-body-limit: 100kb
           response-body-limit: 100kb
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb
           response-body-decompress-layer-limit: 2
           http-body-inline: auto
           swf-decompression:
             enabled: yes
             type: both
             compress-depth: 0
             decompress-depth: 0
           double-decode-path: no
           double-decode-query: no
         server-config:
    modbus:
      enabled: yes
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000
    enip:
      enabled: yes
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes

asn1-max-frames: 256

coredump:
  max-dump: unlimited

host-mode: auto

unix-command:
  enabled: yes

magic-file: /usr/share/misc/magic.mgc

legacy:
  uricontent: enabled

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

host-os-policy:
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

decoder:
  teredo:
    enabled: yes

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false
      include-mpm-stats: false

mpm-algo: auto

spm-algo: auto

threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0

luajit:
  states: 128

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

napatech:
    hba: -1
    use-all-streams: yes
    streams: ["0-3"]
    auto-config: yes
    ports: [all]
    hashmode: hash5tuplesorted

default-rule-path: /etc/suricata/rules/

stats:
   enabled: true
   interval: 8
   decoder-events-prefix: "decoder.event"

rule-files:
  - allrules.rules
  - bypass.rules
  - systembypass.rules

classification-file: /etc/suricata/rules/classification.config

And how do you run Suricata? Which command line arguments are used?

Suricata is running inside a container in the same network namespace as the host, using the NFQ mode (13. Setting up IPS/inline for Linux — Suricata 6.0.0 documentation).

The command used to start suricata is:
suricata -c /etc/suricata/suricata.yaml

One important thing to note is that the client sent the same request twice; the response to this request is malicious code that should be blocked by Suricata.

You need to pass the correct runmode, especially if you want to run IPS mode.
So the command line might not be enough.
Can you also post the suricata.log?

@Andreas_Herz This is the log from Suricata of the blocking events:

May 26 13:51:15 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:15.442623+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":331,"tos":0,"ttl":126,"ipid":39593,"tcpseq":835071409,"tcpack":843165753,"tcpwin":32768,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2021068,"rev":4,"signature":"INFO Dotted Quad Host M2 (noalert)","category":"Potentially Bad Traffic","severity":2}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2034578,"rev":1,"signature":"EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"Attempted User Privilege Gain","severity":1,"metadata":{"updated_at":["2021_12_03"],"tag":["Exploit"],"signature_severity":["Major"],"performance_impact":["Significant"],"former_category":["EXPLOIT"],"deployment":["Perimeter"],"cve":["CVE_2019_0752"],"created_at":["2021_12_03"],"attack_target":["Client_Endpoint"]}},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000009,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":125,"ipid":39595,"tcpseq":843166392,"tcpack":835071700,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3},"tx_id":0}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.484260+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":126,"ipid":39595,"tcpseq":835071700,"tcpack":843166392,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}

As you can tell, the traffic is indicated as blocked by multiple signatures but is never actually blocked.
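As an added example (not part of any post in this thread), the script below correlates the eve.json events posted above by flow_id and reports, for every signature logged with action "blocked", what kind of packet the matching drop event actually records. The input is the six log lines from the post, with the syslog prefix stripped. The only assumption is the 40-byte constant: drop.len is the IP total length, and a 20-byte IPv4 header plus a 20-byte TCP header is the smallest possible pair, so len - 40 is an upper bound on the payload the dropped packet could have carried, and a 40-byte packet carried none.

```python
"""Correlate Suricata eve.json 'drop' events with 'alert' events on the same flow.

Added example, not code from the thread. Reads newline-delimited eve.json and
reports which signatures were logged as "blocked" and what each drop event
actually dropped (a data segment or a bare control segment such as a RST).
"""
import json
from collections import defaultdict

# Assumption: 20-byte IPv4 header + 20-byte TCP header, no options. drop.len is
# the IP total length, so len - 40 bounds the payload the packet could carry.
MIN_IPV4_TCP_HEADERS = 40

# The eve.json events posted in the thread, syslog prefix removed, one per line.
SAMPLE_EVE = r'''
{"timestamp":"2022-05-26T13:51:15.442623+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":331,"tos":0,"ttl":126,"ipid":39593,"tcpseq":835071409,"tcpack":843165753,"tcpwin":32768,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2021068,"rev":4,"signature":"INFO Dotted Quad Host M2 (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2034578,"rev":1,"signature":"EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"Attempted User Privilege Gain","severity":1,"metadata":{"updated_at":["2021_12_03"],"tag":["Exploit"],"signature_severity":["Major"],"performance_impact":["Significant"],"former_category":["EXPLOIT"],"deployment":["Perimeter"],"cve":["CVE_2019_0752"],"created_at":["2021_12_03"],"attack_target":["Client_Endpoint"]}},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"}}
{"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000009,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
{"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
{"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":125,"ipid":39595,"tcpseq":843166392,"tcpack":835071700,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3},"tx_id":0}
{"timestamp":"2022-05-26T13:51:17.484260+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":126,"ipid":39595,"tcpseq":835071700,"tcpack":843166392,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
'''


def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def describe_drop(ev):
    """Summarise one event_type=drop record: direction, TCP flags, payload bound."""
    d = ev["drop"]
    flags = [f for f in ("syn", "ack", "psh", "rst", "fin", "urg") if d.get(f)]
    max_payload = max(0, d["len"] - MIN_IPV4_TCP_HEADERS)
    return {
        "direction": f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}',
        "flags": flags,
        "max_payload": max_payload,
        # A 40-byte packet cannot hold payload: it is a bare control segment.
        "control_only": max_payload == 0,
        # Signature that caused the drop; present when drop.alerts is enabled.
        "sid": (ev.get("alert") or {}).get("signature_id"),
    }


def correlate(events):
    """Group alert and drop events by flow_id and summarise each flow."""
    by_flow = defaultdict(lambda: {"alerts": [], "drops": []})
    for ev in events:
        kind = ev.get("event_type")
        if kind == "alert":
            by_flow[ev["flow_id"]]["alerts"].append(ev)
        elif kind == "drop":
            by_flow[ev["flow_id"]]["drops"].append(ev)

    report = {}
    for flow_id, bucket in by_flow.items():
        blocked = sorted({a["alert"]["signature_id"] for a in bucket["alerts"]
                          if a["alert"].get("action") == "blocked"})
        report[flow_id] = {"blocked_sids": blocked,
                           "drops": [describe_drop(d) for d in bucket["drops"]]}
    return report


def sids_without_payload_drop(report):
    """Signatures logged as 'blocked' whose flow shows no drop event, attributed
    to that signature, for a packet that could have carried payload.

    A hit means the only packet the engine can show as dropped for that signature
    is a control segment; the data segments were not recorded as dropped.
    """
    suspicious = set()
    for flow in report.values():
        for sid in flow["blocked_sids"]:
            payload_drops = [d for d in flow["drops"]
                             if d["sid"] == sid and not d["control_only"]]
            if not payload_drops:
                suspicious.add(sid)
    return suspicious


if __name__ == "__main__":
    rep = correlate(parse_eve(SAMPLE_EVE))
    for flow_id, flow in rep.items():
        print(f"flow {flow_id}: blocked sids {flow['blocked_sids']}")
        for d in flow["drops"]:
            print(f"  drop {d['direction']} flags={d['flags']} "
                  f"max_payload={d['max_payload']} sid={d['sid']}")
    print("blocked without a payload-carrying drop:",
          sorted(sids_without_payload_drop(rep)))
```

Run against the posted events, the request-direction drop at 13:51:15 (sid 2021068, len 331) is the only drop that could have carried data; the drop attributed to sid 90000012 is a 40-byte ACK/RST, and sids 2034578 and 90000009 have no drop event at all. The same correlation works on a live eve.json (`parse_eve(open(path).read())`) to check what an IPS deployment actually dropped rather than what the alert action claims.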

This is the alert log; I'm talking about "/var/log/suricata/suricata.log", which also shows how Suricata is running and might reveal the issue.
I guess the start command is not correct. If you run NFQUEUE, you would at least have to set the queue number it should attach to.

We were able to block a number of different attacks but simply not this specific one - any ideas? I don't have access to the log right now. I will paste it later today.

Thanks a lot for your responses!