<div dir="ltr">Hi, i have started to notice one thing on restarts. the RX-QN notices, <div><br></div><div><div>$> grep "(RX" /var/log/suricata/suricata.log</div><div>14/9/2017 -- 16:24:49 - <Notice> - (RX-Q0) Treated: Pkts 788124, Bytes 297444677, Errors 0</div><div>14/9/2017 -- 16:24:49 - <Notice> - (RX-Q0) Verdict: Accepted 787983, Dropped 141, Replaced 0</div><div>14/9/2017 -- 16:32:29 - <Notice> - (RX-Q0) Treated: Pkts 5552, Bytes 1534474, Errors 0</div><div>14/9/2017 -- 16:32:29 - <Notice> - (RX-Q0) Verdict: Accepted 5422, Dropped 129, Replaced 0</div><div>14/9/2017 -- 16:34:18 - <Notice> - (RX-Q0) Treated: Pkts 1658, Bytes 438573, Errors 0</div><div>14/9/2017 -- 16:34:18 - <Notice> - (RX-Q0) Verdict: Accepted 1633, Dropped 24, Replaced 0</div><div>14/9/2017 -- 20:45:51 - <Notice> - (RX-Q0) Treated: Pkts 176445, Bytes 62762358, Errors 0</div><div>14/9/2017 -- 20:45:51 - <Notice> - (RX-Q0) Verdict: Accepted 176220, Dropped 223, Replaced 0</div></div><div><br></div><div>Are these indeed properly dropped packets, hopefully from my rate_filter rules? If so, i'm not seeing logs of what has been dropped to confirm i'm dropping the correct packets, how would i enabled this. I have drop enabled in eve-ips.json, but since these are not drop rules i assume they would go elsewhere??? </div><div><br></div><div>Thanks,<br>Jeff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 13, 2017 at 6:45 PM, Jeff Dyke <span dir="ltr"><<a href="mailto:jeff.dyke@gmail.com" target="_blank">jeff.dyke@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Amar. I could do this in sshd, but those rules are OK by me b/c i don't allow passwords, nor do i allow root login, you MUST have a valid key, so the defaults are OK, but you're correct i could reduce them to say 2 (at home, I accidentally ssh'd with the wrong/default key, then let me pass -i identity.foo for login). To me writing the iptables rules is the same as leaving drops in OSSEC b/c it will learn from its sid's and auth.log and prevent it from happening again, and do so on my time schedule (currently 4h, 12h, 1d, 1 week). I'm actually OK leaving them in OSSEC, but when i get a single ip trying to login and fail over a long period of time, i'd like to drop them, and my idea was to do so with suricata. <div><br></div><div>While this is not my question, i'm seeing these as event_type: "ssh", not event_type: "alert", my desire is to make this learn from repeated failed attempts that are outside the bounds of the alert sids, that i have tried to override in threshold.config. again, not my question, i can open a new thread.<div><br></div><div>Appreciate the comments, i hope the response points to what i am trying to accomplish with suricata, which i've really appreciated since taking the time to learn how to do most of it correctly. Its the drops and overrides i continue to struggle with.</div></div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Jeff</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 13, 2017 at 6:02 PM, amar <a href="http://countersnipe.com" target="_blank">countersnipe.com</a> <span dir="ltr"><<a href="mailto:amar@countersnipe.com" target="_blank">amar@countersnipe.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><p>Hi Jeff<br></p><p>Just an initial thought. Most of the services can be controlled via the service daemons. For example ssh login frequency can be controlled via sshd_config using </p><p>MaxAuthTries <span style="background-color:#ffcc00">X</span>(number you are happy with) or using MaxStartups<br></p><p>Alternatively, since you are using iptables, an even better approach would be to use iptables with something like:<br></p><p><span style="font-family:Courier New" face="Courier New">iptables -A INPUT -p tcp --dport <span style="background-color:#ffcc00">22</span> -m state --state NEW -m recent --update --seconds <span style="background-color:#ffcc00">X</span> --hitcount <span style="background-color:#ffcc00">Y</span> --rttl --name <span style="background-color:#ffcc00">SSH</span> -j DROP</span></p><p><span style="font-family:helvetica,arial,sans-serif" face="Courier New">Once you have eliminated the basic problem then you could get Suricata to inspect deeper.</span></p><p><span style="font-family:helvetica,arial,sans-serif" face="Courier New">Hope I didn't just miss the requirement in the first place.</span></p><p><span style="font-family:helvetica,arial,sans-serif" face="Courier New"><br></span></p><p><span style="font-family:helvetica,arial,sans-serif" face="Courier New">regards</span></p><p><span style="font-family:helvetica,arial,sans-serif" face="Courier New">Amar Rathore<br>CounterSnipe - Suricata based IDS/IPS with so much more.<br></span></p><blockquote type="cite"><div><div class="m_8585347090140734342h5">On September 13, 2017 at 3:57 PM Jeff Dyke <<a href="mailto:jeff.dyke@gmail.com" target="_blank">jeff.dyke@gmail.com</a>> wrote:<br><br><div dir="ltr">I should have stated that i'm successfully attached to NFQUEUE in inline/IPS mode. <Info> - NFQ running in standard ACCEPT/DROP mode.</div><div class="m_8585347090140734342m_-6433856627409211935ox-6cb4c5b248-gmail_extra"><br><div class="m_8585347090140734342m_-6433856627409211935ox-6cb4c5b248-gmail_quote">On Wed, Sep 13, 2017 at 3:53 PM, Jeff Dyke <<a href="mailto:jeff.dyke@gmail.com" rel="noopener noreferrer" target="_blank">jeff.dyke@gmail.com</a>> wrote:<br><blockquote><div dir="ltr">i am running an array of servers on aws (EC2 instances), one server in both the staging and production environments has SSH open and 2 have 443/80 open (active/passive HAProxy instances)<div><br></div><div>I've been using OSSEC with active-response to block malicious ssh attacks, and while i like the software and the other things that it finds, I would like to move this type of logic to the edge servers, using suricata. i'll concentrate on SSH for now, from there i can apply my knowledge or other protocols.</div><div><br></div><div>If i'm understanding correctly (likely not) i could add a rate_filter into threshold.conf, or i could add drop rules. What is the best practice in this instance. I know the threshold.config is getting parsed as i see the warning </div><div>[ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2019876 has a threshold set. The signature event var is given precedence over the threshold.conf one. Bug #425. <br></div><div><br></div><div>I'm running suricata 4.0.0 RELEASE</div><div><br></div><div>Thanks, for any pointers. If rate_filter is correct, how do i convert it to a drop event when threshold is hit? The docs are great, but i seemed to have missed this piece.</div><div><br></div><div>Jeff</div><div><br></div><div>my 4 threshold.config entries.</div><div><div>rate_filter gen_id 1, sig_id 2019876, track by_rule, count 3, seconds 120, new_action drop, timeout 14400</div><div>rate_filter gen_id 1, sig_id 2101638, track by_rule, count 3, seconds 120, new_action drop, timeout 14400</div><div>rate_filter gen_id 1, sig_id 2001219, track by_rule, count 3, seconds 120, new_action drop, timeout 14400</div><div>rate_filter gen_id 1, sig_id 2006546, track by_rule, count 3, seconds 120, new_action drop, timeout 14400</div><div>suppress gen_id 1, sig_id 2221002, track by_src, ip <a href="http://10.0.0.0/16" rel="noopener noreferrer" target="_blank">10.0.0.0/16</a></div></div><div><br></div><div><br></div></div></blockquote></div><br></div></div></div>______________________________<wbr>_________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br><br>Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/train<wbr>ing/</a></blockquote><p><br></p><div class="m_8585347090140734342m_-6433856627409211935io-ox-signature"><p>Kind regards<br></p><p>Amar Rathore</p><p>CounterSnipe Systems LLC <br>Tel: <a href="tel:(617)%20701-7213" value="+16177017213" target="_blank">+1 617 701 7213</a> <br>Mobile: <a href="tel:+44%207876%20233333" value="+447876233333" target="_blank">+44 (0) 7876 233333</a> <br>Skype ID: amarrathore <br>Web: <a href="http://www.countersnipe.com" target="_blank">www.countersnipe.com</a> <<a href="http://www.countersnipe.com/" target="_blank">http://www.countersnipe.com/</a>> <br><br></p><p><span style="font-size:8pt">This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.</span></p><p><span style="font-size:8pt">E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.</span> <br></p></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>