Description
I'm trying to refine the following rule on my system to exclude logs from localhost:
https://github.com/quadrantsec/sagan-rules/blob/main/web-attack.rules#L73
```
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner"; content: "User-Agent"; content: "web"; nocase;distance: 1; within: 100; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010088; xbits: set,recon,track ip_src,expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; content: !"scandal"; classtype:attempted-recon; sid:5001821; rev:4;)
```
To simplify, I'm just testing with these rules:
```
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "TEST alert"; content: "test message"; classtype: system-event; sid: 9000500; rev: 1;)
alert any 127.0.0.1 any -> $HOME_NET any (msg: "TEST alert 2"; content: "test message"; classtype: system-event; sid: 9000501; rev: 1;)
alert any !127.0.0.1 any -> $HOME_NET any (msg: "TEST alert"; content: "test message"; classtype: system-event; sid: 9000502; rev: 1;)
```
The first rule triggers an alert; the second and third rules do not, even though the alerts are triggered locally and the syslog source IP is 127.0.0.1.
Why do the last two rules not work as expected?
Why is this check (`!127.0.0.1`) not working?
This is my sagan configuration:
Sagan version: 3ac7bbb
```yaml
vars:
  sagan-groups:
    FIFO: "<path>/logs/sagan.fifo"
    RULE_PATH: "<path>/rules"
    LOCKFILE: "<path>/logs/sagan.pid"
    LOG_PATH: "<path>/logs"
  address-groups:
    HOME_NET: "any"
    EXTERNAL_NET: "any"
  port-groups:
    SSH_PORT: 22
    HTTP_PORT: 80
    HTTPS_PORT: 443
    TELNET_PORT: 23
    DNS_PORT: 53
    SNMP_PORT: 161
    POP3_PORT: 110
    IMAP_PORT: 143
    SMTP_PORT: 25
    MYSQL_PORT: 3306
    MSSQL_PORT: 1433
    NTP_PORT: 123
    OPENVPN_PORT: 1194
    PPTP_PORT: 1723
    FTP_PORT: 21
    RSYNC_PORT: 873
    SQUID_PORT: 3128
  geoip-groups:
    HOME_COUNTRY: "US,CA"
  aetas-groups:
    SAGAN_HOURS: "0700-1800"
    SAGAN_DAYS: "12345"
  mmap-groups:
    MMAP_DEFAULT: 10000

sagan-core:
  core:
    sensor-name: "sagan_i1"
    default-host: 127.0.0.1
    default-port: 514
    default-proto: udp
    dns-warnings: disabled
    source-lookup: disabled
    fifo-size: 1048576
    max-threads: 10
    classification: "/<path>/config/classification.config"
    reference: "<path>/config/reference.config"
    gen-msg-map: "<path>/config/gen-msg.map"
    protocol-map: "<path>/config/protocol.map"
    xbit-storage: mmap
    input-type: json
    json-map: <path>/config/json-input.map
    json-software: syslog-ng
    parse-json-message: disable
    parse-json-program: disable
    parse-ip:
      ipv6: yes
      ipv4-mapped-ipv6: yes
  selector:
    enabled: no
  redis-server:
    enabled: no
  mmap-ipc:
    ipc-directory: <path>/logs
    xbit: $MMAP_DEFAULT
    after: $MMAP_DEFAULT
    threshold: $MMAP_DEFAULT
    track-clients: $MMAP_DEFAULT
  ignore_list:
    enabled: yes
    ignore_file: "<path>/config/sagan-ignore-list.txt"
  geoip:
    enabled: no
  liblognorm:
    enabled: yes
    normalize_rulebase: "<path>/config/normalization.rulebase"
  plog:
    enabled: no

processors:
  - track-clients:
      enabled: no
  - rule-tracking:
      enabled: no
  - perfmonitor:
      enabled: no
  - blacklist:
      enabled: no
  - bluedot:
      enabled: no
  - bro-intel:
      enabled: no
  - dynamic_load:
      enabled: no

outputs:
  - eve-log:
      enabled: yes
      interface: logs
      alerts: yes
      alert-base64: yes
      logs: no
      filename: "<path>/logs/eve.json"
  - alert:
      enabled: no
  - fast:
      enabled: no
  - external:
      enabled: no
  - smtp:
      enabled: no
  - snortsam:
      enabled: no
  - syslog:
      enabled: no

rules-files:
  - $RULE_PATH/sagan.rules
```
I've confirmed that the last two rules fail here: https://github.com/quadrantsec/sagan/blob/main/src/processors/engine.c#L927
Check_Flow did not pass because `SaganProcSyslog_LOCAL->ip_src_bits` did not match.
What could be causing this?
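The report reduces to one observation: a rule whose source field is `127.0.0.1` and a rule whose source field is `!127.0.0.1` both fail for the same record. That cannot happen if the value being compared really is the address 127.0.0.1, so the useful check is what the engine is actually handed as the source address. The following is an added example, not Sagan's code and not the reporter's: a Python model of rule-header address matching, run over the three test rules above with the `address-groups` from the posted config. Two modelling assumptions are made, and neither is a claim about `engine.c`: a source value that does not parse as an IP literal (empty, a hostname, the string `localhost`) satisfies only `any`, and `ipv4-mapped-ipv6: yes` means `::ffff:127.0.0.1` is treated as 127.0.0.1. The `contradictions` helper is hypothetical; it reports the address specs that failed together with their own negation.

```python
import ipaddress
import re

# address-groups from the posted sagan.yaml
ADDRESS_GROUPS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# The three test rules from the report, verbatim.
RULES = [
    'alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "TEST alert"; content: "test message"; classtype: system-event; sid: 9000500; rev: 1;)',
    'alert any 127.0.0.1 any -> $HOME_NET any (msg: "TEST alert 2"; content: "test message"; classtype: system-event; sid: 9000501; rev: 1;)',
    'alert any !127.0.0.1 any -> $HOME_NET any (msg: "TEST alert"; content: "test message"; classtype: system-event; sid: 9000502; rev: 1;)',
]

# action proto src sport -> dst dport (
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\(")
SID_RE = re.compile(r"sid:\s*(\d+)")


def normalize_ip(value):
    """Turn a record's source-address string into an IP object, or None.

    An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is unwrapped to 127.0.0.1;
    this is the assumed meaning of 'ipv4-mapped-ipv6: yes' in the config.
    Anything that is not an IP literal ('', 'localhost', a hostname) is None.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def expand_vars(spec):
    """Replace $VAR or !$VAR with the configured address-group value."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body.startswith("$"):
        body = ADDRESS_GROUPS[body[1:]]
    return ("!" if negated else "") + body


def address_matches(spec, ip):
    """Evaluate one rule-header address field against a parsed IP.

    Supports 'any', a single address, CIDR, '!' negation and [a,b] lists.
    Modelling assumption: a record whose address did not parse (ip is None)
    satisfies only 'any'; it matches neither 127.0.0.1 nor !127.0.0.1,
    which is the symptom described in the report.
    """
    spec = expand_vars(spec)
    if spec == "any":
        return True
    if ip is None:
        return False
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(p.strip(), ip) for p in spec[1:-1].split(","))
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_value, dst_value="127.0.0.1"):
    """Return {sid: bool} for the header address checks of each rule.

    dst defaults to the config's default-host; with HOME_NET = any it is
    irrelevant to the outcome, but it is evaluated for completeness.
    """
    src_ip = normalize_ip(src_value)
    dst_ip = normalize_ip(dst_value)
    results = {}
    for rule in rules:
        _action, _proto, src, _sport, dst, _dport = HEADER_RE.match(rule).groups()
        sid = int(SID_RE.search(rule).group(1))
        results[sid] = address_matches(src, src_ip) and address_matches(dst, dst_ip)
    return results


def contradictions(rules, src_value):
    """Source specs X for which both X and !X failed on this record.

    A non-empty result means the value under test is not a parseable IP
    equal to what the rule author expects, whatever the rule syntax says.
    """
    src_ip = normalize_ip(src_value)
    specs = {HEADER_RE.match(r).group(3) for r in rules}
    return sorted(
        s for s in specs
        if not s.startswith("!") and "!" + s in specs
        and not address_matches(s, src_ip)
        and not address_matches("!" + s, src_ip)
    )


if __name__ == "__main__":
    # Constructed source values: the expected one, an IPv6-mapped form,
    # a remote host, and a value that is not an IP literal at all.
    for src in ("127.0.0.1", "::ffff:127.0.0.1", "10.1.2.3", "localhost"):
        print(f"{src:>18} -> {evaluate(RULES, src)} contradictions={contradictions(RULES, src)}")
```

Feed `evaluate` and `contradictions` the exact string that the syslog-ng JSON field mapped as the source address carries for one of the local test records. If `contradictions` is non-empty for that real value, the thing to inspect is the mapped field's content, not the `!127.0.0.1` syntax; if it is empty, the model and the observed behaviour diverge and the comparison in Check_Flow is the next place to look.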