SURICATA zero length padN option


Einar

Jan 26, 2017, 2:25:23 AM
to security-onion
Hello!
How can I disable SURICATA zero length padN option rule?
I keep getting this signature over 10000 times a day.

Source is 0.0.0.0 and destination is 0.0.0.0

I added 1:2200094 to sudo nano /etc/nsm/pulledpork/disablesid.conf
and did sudo rule-update but this signature keeps spamming.

How do I get rid of it?


Einar

Wes

Jan 26, 2017, 6:38:37 AM
to security-onion

Einar,

Did you verify the rule is, in fact, disabled in /etc/nsm/rules/downloaded.rules?

Could it be possible that there is still a backlog of events waiting to be processed by barnyard2? You may want to try waiting a little while to see if it clears up.

You could check to see if unified2 files are piling up/lessening in /nsm/sensor_data/hostname-interface/

Thanks,
Wes

Einar

Jan 27, 2017, 6:58:20 AM
to security-onion
Hello Wes,

thanks for the reply. =]
If I look into the rules then it's not commented out for some reason.

tuvastaja@SO:~$ grep "SURICATA zero length padN option" /etc/nsm/rules/downloaded.rules

alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-event:ipv6.zero_len_padn; sid:2200094; rev:1;)

---
In /nsm/sensor_data/hostname-interface/ I can see 12 unified2 files - what's the purpose of these files? Should I erase them?

Einar

Wes

Jan 27, 2017, 6:44:00 PM
to security-onion

Einar,

Try running rule-update again to see if it ensures the rule is commented out (also check syntax in disablesid.conf).

In regard to the unified2 files, they are generated via Snort and processed by barnyard2. This is the backlog I was referring to in my earlier post. If you don't care about these, you can delete them and barnyard2 will process the future logs. After removing (or copying elsewhere) you may also need to restart barnyard2 or the machine for good measure.

Thanks,
Wes

Wes

Jan 27, 2017, 6:49:24 PM
to security-onion

In your case *Snort* = Suricata , of course.

Einar

Feb 3, 2017, 4:24:54 AM
to security-onion
Hi Wes
Sorry for a delay - had to school workers here.

rule-update command didn't change anything. SURICATA zero length padN option rule wasn't commented out.
I removed all the unified2 files and restarted the machine.
In disablesid it's written like that:
1:2200094


Wes

Feb 4, 2017, 8:36:47 AM
to security-onion
Einar,

Try the following in disablesid.conf (and re-run rule-update):

pcre:SURICATA\ zero

Thanks,
Wes

Einar

Feb 6, 2017, 1:18:19 AM
to security-onion
On Thursday, 26 January 2017 at 9:25:23 UTC+2, Einar wrote:
Wes,

It worked!
Thank you very much. =]

Cheers

Andy

Oct 25, 2017, 3:28:19 PM
to security-onion
On Friday, February 3, 2017 at 4:24:54 AM UTC-5, Einar wrote:
The sig ID should have been 0:2200094. That would have stopped it. I ran into the same issue but when I looked up the rule in the downloaded.rules file I scrolled up and saw that the GID was listed as 0. Once I changed that the disablesid worked fine.
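As an added illustration of the gid mismatch discussed in this thread (this is example code, not pulledpork's own and not from any poster), a small Python checker that applies the two disablesid.conf entry forms used above, gid:sid and pcre:, to a rules file and reports entries that matched nothing. It assumes pulledpork's convention that a rule without a gid option has gid 1; the sample rules are constructed, and the padN rule carries an explicit gid:0 to reproduce the situation Andy describes.

```python
import re

# Constructed sample of /etc/nsm/rules/downloaded.rules, not the real file.
# The second rule carries an explicit gid:0 (the mismatch Andy describes);
# the first has no gid option and so defaults to gid 1, as pulledpork assumes.
RULES = """\
alert tcp any any -> any any (msg:"EXAMPLE placeholder rule"; sid:1000001; rev:1;)
alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-event:ipv6.zero_len_padn; gid:0; sid:2200094; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def rule_key(rule):
    """Return (gid, sid) for a rule line, or None if it has no sid."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def parse_disablesid(text):
    """Parse only the two entry forms used in the thread: gid:sid and pcre:regex."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            entries.append(("pcre", re.compile(line[len("pcre:"):])))
        else:
            gid, sid = line.split(":")
            entries.append(("id", (int(gid), int(sid))))
    return entries

def apply_disablesid(rules_text, conf_text):
    """Comment out matching rules; return (new_rules, entries that matched nothing)."""
    entries = parse_disablesid(conf_text)
    hits = [0] * len(entries)
    out = []
    for rule in rules_text.splitlines():
        key, disabled = rule_key(rule), False
        for i, (kind, val) in enumerate(entries):
            if (kind == "id" and key == val) or (kind == "pcre" and val.search(rule)):
                hits[i] += 1
                disabled = True
        out.append("# " + rule if disabled and not rule.startswith("#") else rule)
    unmatched = [e for e, n in zip(entries, hits) if n == 0]
    return "\n".join(out), unmatched
```

Running it with the entry Einar first used (1:2200094) reports one unmatched entry and leaves the padN rule enabled, while 0:2200094 or pcre:SURICATA\ zero comment it out; a check like this run after rule-update surfaces the silent no-match before the alerts pile up.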