Suppress Rule Based on Destination URL

[jblackley]

I am new to Security Onion. I just got 2.3.240 running on a standalone system. Now I'm trying to refine alerts and I'm failing at the first one I picked out. A PC running Panda anti-virus is connecting to Panda every 20 minutes and triggering rule 2006380. I'm not concerned about this and would like to suppress future alerts for destination cloudav.updates.pandasecurity.com. I don't want to disable the rule altogether.

I have read documentation, github discussions, and watched a few videos. One of the options is to add the IP to global.sls thresholding. But I don't want to specify the IP. What if the destination is a pool of addresses or they change their DNS record? I realize I can make IP groups to take care of pools, but I still don't want to be that specific since I don't control the DNS record.

So I started looking into modifying the SID using regex. But all the examples I could find focused on IPs (i.e. - any, $HOME_NET, $EXTERNAL_NET, etc.). I want to modify based on URL.

Here is rule 2006380:

alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; content:!"KG51bGwpOihudWxsKQ=="; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:15; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2022_06_14;)

The message and network.data.decoded show "Host: cloudav.updates.pandasecurity.com". But I don't see Host in the rule itself. So, is there a way to do what I want?

[InfosecGoon]

Unfortunately, this rule isn't specific to Panda -- it's just noting that there's a Base64 encoded password being sent as part of a plaintext HTTP header, which is often a sign of a misconfigured or insecure application on the network.

Is there an option in Panda to do these updates over HTTPS instead? That would address the root issue.

Another option might be to modify the rule to exclude network flows that contain that hostname - something like this should do the trick, in the standalone minion pillar file under idstools:sids:modify:

 - 2006380 'http.header' 'http.header; content:!"updates.pandasecurity.com"'

Put that entry in the minion file, then run so-idstools-restart and so-rule-update to put the modification in place.

[jblackley]

Yes, the fact that this rule isn't specific to Panda is exactly why I don't want to disable it altogether. I need it to alert us again in the future for other destinations. And yes, I agree that addressing Panda is the main takeaway from this alert. But I still needed to know how to suppress alerts based on destination domain.

I did what you said yesterday and it worked. Thanks! Just two more questions:

1 - I had to be explicit with "cloudav.updates.pandasecurity.com". Just "updates.pandasecurity.com" didn't work. And I found some alerts for "freeav.updates.pandasecurity.com". So, is there a way to do a wildcard for "*.pandasecurity.com"? I tried it and it didn't work.

2 - What if I wanted to do multiple entries? Would it look like:

- 2006380 'http.header' 'http.header; content:!"updates.pandasecurity.com"' 'http.header; content:!"second.website.com"'

or

- 2006380 'http.header' 'http.header; content:!"updates.pandasecurity.com"'
- 2006380 'http.header' 'http.header; content:!"second.website.com"'

Thanks for the help!

[jblackley]

It looks like I got it...
Wildcard:

- 2006380 'http.header' "http.header; content:!^(.+)\.updates\.pandasecurity\.com$"

Multiple domains:

- 2006380 'http.header' 'http.header; content:!"cloudav.updates.pandasecurity.com"'
- 2006380 'http.header' 'http.header; content:!"freeav.updates.pandasecurity.com"'