Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp]
« previous
next »
Print
Pages: [
1
]
Author
Topic: Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp] (Read 899 times)
dotgate
Newbie
Posts: 3
Karma: 0
Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp]
«
on:
June 23, 2024, 02:53:20 am »
I have IDS/IPS enabled with default and snort rule sets.
Assume that I have a policy which makes many signature ids which are alert only signature as drop.
Now that say I have a signature assumed number "123456" which says drop such traffic.
But for only specific set of domain names (either on receiving side or on caller side), do not drop traffic for signature "123456". Just alert only.
Is there a way to drive behavior of a rule based on set of domain names.
Real world scenario, why I posted above message: whatsapp being blocked on iPhone
I have "trojan-activity" class of ruleset marked for drop.
This makes whatsapp video and audio calls to not work.
Below rules complain:
2009205 : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 : ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
Details (sampling):
Timestamp 2024-06-22T18:32:13.458996+0000
Alert ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
Alert sid 2009208
Protocol UDP
Source IP local ip of the iPhone
Destination IP 31.13.70.48
Source port 61200
Destination port 3478
Interface lan
Configured action Enabled
Timestamp 2024-06-22T18:31:33.751463+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
Alert sid 2009207
Protocol UDP
Source IP local ip of the iPhone
Destination IP 157.240.249.62
Source port 61200
Destination port 3478
Interface lan
Timestamp 2024-06-22T18:31:33.752484+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
Alert sid 2009206
Protocol UDP
Source IP local ip of the iPhone
Destination IP 157.240.249.62
Source port 61200
Destination port 3478
Interface lan
Configured action Enabled
Timestamp 2024-06-22T18:32:13.458243+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
Alert sid 2009205
Protocol UDP
Source IP 192.168.52.14
Destination IP 157.240.26.52
Source port 61200
Destination port 3478
Interface lan
Unique destination ips in the numerous alerts:
157.240.241.62, 31.13.70.48, 157.240.3.52, 157.240.249.62, 57.144.33.48, 31.13.80.50
Is there a way in surricata service, to whitelist specific sids of the rules for specific ips or set of ips or domain names.
«
Last Edit: June 23, 2024, 04:31:22 am by dotgate
»
Logged
OPNsenseNewbee
Newbie
Posts: 1
Karma: 0
Re: Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp]
«
Reply #1 on:
July 08, 2024, 04:21:58 am »
HI, newbee to OPNsense guy here, I've seen this exact alert on my LAN alerts and I thought what the heck, new firewall and I got malware already, so I'm trying to figure it out as in is this the real conflicker/downup worm or is this a false positive from something else running. If anybody out there finds out if this is real or a false positive any input is much appreciated because I haven't been able to figure this one out.
Cheers.
Opnsense newbee guy
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp]