0

I found too many events in Suricata after recent update regarding this rule:

alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; metadata: former_category EXPLOIT; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:signature_severity Major, created_at 2020_06_22, performance_impact Significant, updated_at 2020_06_22;)

This is strange because it matches all packets with the IPIP protocol (ip_proto:4)!! Also I found another rule from Carnegie Mellon University's CERT (link):

alert ip any any -> any any (msg:"VU#257161:CVE-2020-11900 IP-in-IP tunnel Double-Free https://kb.cert.org"; ip_proto:4; sid:1370257161; rev:1;)

But the same issue exists here!

I want to know if my understanding is right or not. Why has Suricata matched more than 100M events in the last 3 days? How can I fix it?

1 Answer

2

At first, I thought that ip_proto:4 was going to match on IPv4, but that's not correct.

IP protocol number 4 is IP-in-IP, which is what the rule is supposed to report on.

So, for both rules, it is inspecting all IP traffic, regardless of direction or destination for IP-in-IP traffic.

Suricata's documentation on ip_proto.

Why are you getting 100M alerts? Because, according to your comments, you are using IP-in-IP. So, this is not surprising in the least.

This one rule is only going to be useful in networks that do not use IP-in-IP. All the rest of the rules for Ripple20 can still be useful for you.

  • 1
    Yes, I'm using IPIP on MikroTik RouterOS. Also I found that some VPN services use the IPIP protocol, and it is used widely in my network by some users. I mean this traffic is not malicious! – Giac Jul 08 '20 at 14:57
  • 1
    ...ok... so that's your answer ... You applied a rule that is supposed to look for unusual traffic, but this type of traffic is normal in your environment. I'm not sure what you were expecting from the rule or what you were expecting from us. Use all the other rules in the ruleset to look for Ripple20 exploit traffic... – schroeder Jul 08 '20 at 15:00
  • But I think this rule should be accurate! For instance, if I write a rule for the SMB port to identify the EternalBlue exploit without checking the payload, it will probably match all SMB packets!!! Exactly like this case! These rules only check the IP protocol and will match any IPIP packets, but IPIP is not a malicious or vulnerable protocol. – Giac Jul 08 '20 at 15:10
  • But it is unusual, as I said. If it does not work for you, then use the other rules... – schroeder Jul 08 '20 at 15:11
  • Finally, Emerging Threats disabled the mentioned rule, as I believed they would. You can check here: https://rules.emergingthreats.net/open/suricata-4.0/rules/emerging-exploit.rules – Giac Jul 18 '20 at 08:17
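The point made in the answer and the comments, that both rules have `ip_proto:4` as their only matching condition and therefore fire on every IP-in-IP packet, can be checked mechanically across a ruleset. The script below is an added example for this thread, not code from Suricata, Emerging Threats or CERT: it parses rule text in the format quoted above, classifies a rule as "header-only" when every non-metadata option is an IP-header test, and emits the two tuning outputs a defender would actually use, a `disable.conf` entry for `suricata-update` (one sid per line) and `threshold.conf` `suppress` entries that silence the sid only for known tunnel endpoints. The contrasting SMB rule, its sid 9000001, and the tunnel endpoint addresses are constructed for the example.

```python
import re

# Constructed sample input: the two rules quoted in the question, plus a
# constructed SMB rule (hypothetical sid) that does carry a payload condition.
ET_RULE = (
    'alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel '
    'Double-Free"; ip_proto:4; metadata: former_category EXPLOIT; '
    'reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; '
    'metadata:signature_severity Major, created_at 2020_06_22, performance_impact Significant, '
    'updated_at 2020_06_22;)'
)
CERT_RULE = (
    'alert ip any any -> any any (msg:"VU#257161:CVE-2020-11900 IP-in-IP tunnel Double-Free '
    'https://kb.cert.org"; ip_proto:4; sid:1370257161; rev:1;)'
)
SMB_RULE = (
    'alert tcp any any -> any 445 (msg:"EXAMPLE SMB header present"; flow:established,to_server; '
    'content:"|ff|SMB"; sid:9000001; rev:1;)'
)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Options that describe the rule rather than constrain what it matches.
METADATA_KEYWORDS = {"msg", "sid", "rev", "gid", "classtype", "reference",
                     "metadata", "priority", "target"}
# Options that only test IP-header fields. A rule with nothing else fires on
# every packet carrying that header value, which is the behaviour in the question.
HEADER_KEYWORDS = {"ip_proto", "ttl", "id", "tos", "ipopts", "fragbits", "fragoffset"}


def split_options(opts):
    """Split the option string on ';' while respecting quoted msg/content values."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(text):
    """Return the header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % text[:40])
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    options = []
    for item in split_options(m.group("opts")):
        key, _, value = item.partition(":")   # first ':' only; msg text may contain more
        options.append((key.strip(), value.strip()))
    rule["options"] = options
    rule["sid"] = dict(options).get("sid")
    return rule


def is_header_only(text):
    """True when every matching condition is an IP-header test (no payload or flow test)."""
    conditions = [k for k, _ in parse_rule(text)["options"] if k not in METADATA_KEYWORDS]
    return bool(conditions) and all(k in HEADER_KEYWORDS for k in conditions)


def disable_conf_lines(rules):
    """suricata-update disable.conf entries (one sid per line) for header-only rules."""
    return [parse_rule(r)["sid"] for r in rules if is_header_only(r)]


def suppress_lines(sid, known_tunnel_endpoints, gid=1):
    """threshold.conf suppress entries that silence the sid only for the listed sources."""
    return ["suppress gen_id %d, sig_id %s, track by_src, ip %s" % (gid, sid, ip)
            for ip in known_tunnel_endpoints]


if __name__ == "__main__":
    for r in (ET_RULE, CERT_RULE, SMB_RULE):
        print(parse_rule(r)["sid"], "header-only" if is_header_only(r) else "has payload/flow condition")
    print("\n".join(disable_conf_lines([ET_RULE, CERT_RULE, SMB_RULE])))
    # constructed endpoints standing in for the MikroTik tunnel peers mentioned in the comments
    print("\n".join(suppress_lines("2030388", ["192.0.2.10", "198.51.100.0/24"])))
```

Disabling the sid outright is what the answer recommends for a network where IP-in-IP is normal; the `suppress` form is the middle ground when only a few tunnel endpoints are known and an IP-in-IP packet from anywhere else would still be worth an alert.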