<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
<style>BODY{font:10pt Tahoma,Verdana,sans-serif} .MsoNormal{line-height:120%;margin:0}</style></head><body>
<DIV>We have setup the $HOME_NET with our two internal ranges in the brackets with all the proper characters.</DIV>
<DIV> </DIV>
<DIV>The other variables, we have added the specific private IP addresses for servers.</DIV>
<DIV> </DIV>
<DIV>We have another system with Suricata 1.4 running perfectly ok.</DIV>
<DIV> </DIV>
<DIV>All of our units run on the outside of the firewall.</DIV>
<DIV> </DIV>
<DIV>We have not seen these event types.</DIV>
<DIV> </DIV>
<DIV>We have not tried putting our public IP range in the $HOME_NET.</DIV>
<DIV> </DIV>
<DIV>Thanks.</DIV>
<DIV><BR>Leonard<BR></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<HR>
<B>From:</B> Peter Manev [mailto:petermanev@gmail.com]<BR><B>To:</B> Leonard Jacobs [mailto:ljacobs@netsecuris.com]<BR><B>Cc:</B> Matt Jonkman [mailto:jonkman@jonkmans.com], oisf-users [mailto:oisf-users@openinfosecfoundation.org], Eric Leblond [mailto:eric.leblond@gmail.com]<BR><B>Sent:</B> Mon, 01 Apr 2013 14:01:59 -0600<BR><B>Subject:</B> Re: [Oisf-users] Question<BR><BR>Hi,<BR><BR>With regards to OpenVAS specifically, there are 3 rules in the SCAN<BR>open ruleset:<BR><BR>> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)<BR>> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)<BR>> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)<BR><BR><BR>So any of those should alert - on top of everything else that matches<BR>inside the SCAN rules set.<BR><BR>There are some scan rules that require correct variable set up inside<BR>the suricata.yaml ex:<BR>(alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS)<BR>I would recommend setting up all the variables below correctly -<BR><BR>> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"<BR>><BR>> EXTERNAL_NET: "any"<BR>><BR>> HTTP_SERVERS: "$HOME_NET"<BR>><BR>> SMTP_SERVERS: "$HOME_NET"<BR>><BR>> SQL_SERVERS: "$HOME_NET"<BR>><BR>> DNS_SERVERS: "$HOME_NET"<BR>><BR>> TELNET_SERVERS: "$HOME_NET"<BR>><BR>> AIM_SERVERS: "$EXTERNAL_NET"<BR>><BR>> DNP3_SERVER: "$HOME_NET"<BR>><BR>> DNP3_CLIENT: "$HOME_NET"<BR>><BR>> MODBUS_CLIENT: "$HOME_NET"<BR>><BR>> MODBUS_SERVER: "$HOME_NET"<BR>><BR>> ENIP_CLIENT: "$HOME_NET"<BR>><BR>> ENIP_SERVER: "$HOME_NET"<BR><BR>Alongside with the port variables -<BR><BR>> HTTP_PORTS: "80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555"<BR>><BR>> SHELLCODE_PORTS: "!80"<BR>><BR>> ORACLE_PORTS: 1521<BR>><BR>> SSH_PORTS: 22<BR>><BR>> DNP3_PORTS: 20000<BR><BR>You could also enable some rules that are disabled in the ruleset<BR>(lines starting with "#alert...." make it -> "alert...").<BR><BR>Start Suricata only with the SCAN ruleset and confirm that you do not<BR>have some rules not loading because of wrong suricata.yaml variables.<BR><BR>Make sure Suricata sees all the traffic - there are no drops/gaps in<BR>your stats.log<BR><BR>Then I would suggest making sure the scan is coming from the<BR>$EXTERNAL_NET range (just to be sure).<BR><BR>... my suggestions<BR><BR>Thanks<BR><BR><BR><BR><BR><BR>On Mon, Apr 1, 2013 at 8:04 PM, Leonard Jacobs <<A href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</A>> wrote:<BR>> Inline from ISP router to one port on appliance out another port directly to<BR>> WAN connection of firewall.<BR>><BR>> When using AF-Packet, not using brctl bridging because that doubles the data<BR>> going through interfaces. But when just using IDS mode, we use brctl<BR>> bridging method.<BR>><BR>> We did notice during testing that we get a few more event. We tested with a<BR>> vulnerability scanning PC on one port and the other port directly into<BR>> internal network. There was one SCAN event that appeared in log during a<BR>> Nmap scan. Would have thought we would have seen more.<BR>><BR>> Thanks.<BR>><BR>> Leonard<BR>><BR>> ________________________________<BR>> rom: Matt Jonkman [mailto:<A href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</A>]<BR>> To: Leonard Jacobs [mailto:<A href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</A>]<BR>> Cc: <A href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</A>, Eric Leblond<BR>> [mailto:<A href="mailto:eric.leblond@gmail.com">eric.leblond@gmail.com</A>]<BR>> Sent: Mon, 01 Apr 2013 12:31:44 -0600<BR>> Subject: Re: [Oisf-users] Question<BR>><BR>><BR>> Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?<BR>><BR>> Matt<BR>><BR>><BR>> On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <<A href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</A>><BR>> wrote:<BR>>><BR>>> The only event I am getting is ET POLICY Unusual number of DNS No Such<BR>>> Name Responses.<BR>>><BR>>><BR>>><BR>>> From: <A href="mailto:mjonkman@emergingthreatspro.com">mjonkman@emergingthreatspro.com</A><BR>>> [mailto:<A href="mailto:mjonkman@emergingthreatspro.com">mjonkman@emergingthreatspro.com</A>] On Behalf Of Matt Jonkman<BR>>> Sent: Saturday, March 30, 2013 8:40 AM<BR>>> To: Leonard Jacobs<BR>>> Cc: <A href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</A>; Eric Leblond<BR>>> Subject: Re: [Oisf-users] Question<BR>>><BR>>><BR>>><BR>>> Definitely should have. What rules are you running? Just the ET Open?<BR>>><BR>>><BR>>><BR>>> Have your vars set right?<BR>>><BR>>><BR>>><BR>>> Are you seeing other events?<BR>>><BR>>><BR>>><BR>>> Matt<BR>>><BR>>><BR>>><BR>>> On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <<A href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</A>><BR>>> wrote:<BR>>><BR>>> Why would Suricata events not be triggered when running a vulnerability<BR>>> scanner? I ran OpenVAS against a couple of public IP addresses on our<BR>>> network and not a single event was triggered. I would have thought that at<BR>>> least emerging-scan.rules would trigger.<BR>>><BR>>><BR>>><BR>>> Thanks.<BR>>><BR>>><BR>>><BR>>> Leonard Jacobs<BR>>><BR>>> President/CEO<BR>>><BR>>> Netsecuris Inc.<BR>>><BR>>> 9301 Bryant Avenue S<BR>>><BR>>> Suite 104<BR>>><BR>>> Minneapolis, MN 55420<BR>>><BR>>> (952) 641-1421 ext. 20<BR>>><BR>>><BR>>><BR>>> <A href="http://www.netsecuris.com" target=_blank>http://www.netsecuris.com</A><BR>>><BR>>><BR>>><BR>>><BR>>><BR>>><BR>>><BR>>><BR>>> _______________________________________________<BR>>> Suricata IDS Users mailing list: <A href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</A><BR>>> Site: <A href="http://suricata-ids.org" target=_blank>http://suricata-ids.org</A> | Support: <A href="http://suricata-ids.org/support/" target=_blank>http://suricata-ids.org/support/</A><BR>>> List: <A href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target=_blank>https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</A><BR>>> OISF: <A href="http://www.openinfosecfoundation.org/" target=_blank>http://www.openinfosecfoundation.org/</A><BR>>><BR>>><BR>>><BR>>><BR>>><BR>>> --<BR>>><BR>>><BR>>> ----------------------------------------------------<BR>>> Matt Jonkman<BR>>> Emerging Threats Pro<BR>>> Open Information Security Foundation (OISF)<BR>>> Phone 866-504-2523 x110<BR>>> <A href="http://www.emergingthreatspro.com" target=_blank>http://www.emergingthreatspro.com</A><BR>>> <A href="http://www.openinfosecfoundation.org" target=_blank>http://www.openinfosecfoundation.org</A><BR>>> ----------------------------------------------------<BR>>><BR>>><BR>>> _______________________________________________<BR>>> Suricata IDS Users mailing list: <A href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</A><BR>>> Site: <A href="http://suricata-ids.org" target=_blank>http://suricata-ids.org</A> | Support: <A href="http://suricata-ids.org/support/" target=_blank>http://suricata-ids.org/support/</A><BR>>> List: <A href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target=_blank>https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</A><BR>>> OISF: <A href="http://www.openinfosecfoundation.org/" target=_blank>http://www.openinfosecfoundation.org/</A><BR>><BR>><BR>><BR>><BR>> --<BR>><BR>><BR>> ----------------------------------------------------<BR>> Matt Jonkman<BR>> Emerging Threats Pro<BR>> Open Information Security Foundation (OISF)<BR>> Phone 866-504-2523 x110<BR>> <A href="http://www.emergingthreatspro.com" target=_blank>http://www.emergingthreatspro.com</A><BR>> <A href="http://www.openinfosecfoundation.org" target=_blank>http://www.openinfosecfoundation.org</A><BR>> ----------------------------------------------------<BR>><BR>><BR>><BR>><BR>> _______________________________________________<BR>> Suricata IDS Users mailing list: <A href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</A><BR>> Site: <A href="http://suricata-ids.org" target=_blank>http://suricata-ids.org</A> | Support: <A href="http://suricata-ids.org/support/" target=_blank>http://suricata-ids.org/support/</A><BR>> List: <A href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target=_blank>https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</A><BR>> OISF: <A href="http://www.openinfosecfoundation.org/" target=_blank>http://www.openinfosecfoundation.org/</A><BR><BR><BR><BR>-- <BR>Regards,<BR>Peter Manev<BR></BLOCKQUOTE>
<STYLE>
</STYLE>
<DIV> </DIV>
<DIV> </DIV></body></html>