<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Are you sure Suricata is seeing the exact same traffic as Snort?
And processing it? Perhaps it never gets processed because of
checksum offloading/invalid checksums. At the risk of sounding
obvious, if Snort (or Bro or a WAF or a proxy or whatever) is
blocking it before Suricata sees it, then the Suricata rule will
never alert.</p>
<p>Are your variables set the same (e.g. $HOME_NET, $EXTERNAL_NET)?
Are you running any IP reputation rules/lists that may be blocking
(that IP and host have been known bad for many years)?<br>
</p>
<p>Are you sure you are reading the Suricata alerts correctly?
Perhaps they are being sent somewhere you aren't expecting and/or
getting filtered somewhere.</p>
<p>Without a pcap from the Suricata box and Suricata config, it is
going to be hard to say what the cause of your issue is but likely
the Snort and Suricata boxes aren't seeing the same traffic.<br>
</p>
<p>-David<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/03/2018 09:27 AM, fatema
bannatwala wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACX0rUTsH8YOJQDjuWJ2-Pg=jWz-up48=iHQoWVUvX8t+KvWzQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">
<div dir="ltr">Yet another example where no alerts fired in
Suricata but did in Snort, for legit bad traffic for the "Andromeda"
Trojan.
<div><br>
</div>
<div>Both the suri and snort signatures for sid:2809682 are the
same, and yet only snort triggered the alert for an outbound
POST request to a domain related to the Andromeda Trojan.</div>
<div>Bro detected those connections as http, hence the
application should be recognized by Suricata as http.</div>
<div><br>
</div>
<div>Bro http log for the connection that triggered snort
alert:<br>
10/2/18 7:06:46.734 PM CGOaPc2Kyn0xd3eGkd 128.x.x.x
58299 184.105.192.2 80 1 POST <a
href="http://atomictrivia.ru" moz-do-not-send="true">atomictrivia.ru</a>
/atomic.php - 1.1 Mozilla/4.0 64 0 200 OK - - (empty) - - -
FUR4T54aQNbHsxbG84</div>
<div><br>
</div>
<div>Snort alert for the same:<br>
Oct 2 19:06:47 snort[3664]: [1:2809682:3] ETPRO TROJAN
Andromeda/Gamarue Checkin [Classification: A Network Trojan
was Detected] [Priority: 1]: {TCP} 128.x.x.x:58299 -> <a
href="http://184.105.192.2:80" moz-do-not-send="true">184.105.192.2:80</a></div>
<div><br>
</div>
<div>No Suricata alerts fired for the same.</div>
<div><br>
</div>
<div>The notification of this activity was sent by a third
party to us today, hence we are sure that the host is
compromised as it was trying to resolve Andromeda domains.</div>
<div><br>
</div>
<div>I can't capture the pcap for the traffic that triggers
snort alerts but not Suri, as it is sporadic, and only a
couple of minutes of traffic capture results in gigs of
traffic, hence I can't just keep running pcap capture for a
long period of time on the sensors.</div>
<div>If I can't figure out what is going on with Suri not
firing the alerts, then we just might have to drop Suricata
deployment in prod and keep working with Snort.</div>
<div><br>
</div>
<div>Any pointers/suggestions?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Fatema.</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Sep 25, 2018 at 12:05 PM fatema
bannatwala <<a href="mailto:fatema.bannatwala@gmail.com"
moz-do-not-send="true">fatema.bannatwala@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">I tried to capture some traffic,
but those pcaps aren't triggering any alerts
in either snort or suricata; I have to work on
getting some pcap with traffic that would
be malicious and could trigger alerts.
<div>Meanwhile, I was looking into the alerts
that were triggered in Snort and not in
Suricata for the last 15 minutes on live
servers, and did the following analysis:</div>
<div><br>
</div>
<div>Examples of a few alerts triggered in snort
but not in suricata: sid:
2022813, 2008974, 2009714</div>
<div>When I looked at the above alert rules
defined in the ET ruleset for snort and the ET
ruleset for suricata,</div>
<div>the only major difference found is in the
protocol defined in both alerts, i.e.:</div>
<div><br>
</div>
<div>suricata alert 2022813 definition: </div>
<div>
<div>alert <b>http</b> $HOME_NET any ->
$EXTERNAL_NET any (msg:"ET MALWARE
SearchProtect PUA User-Agent Observed";
flow:established,to_server;
content:"SearchProtect|3b|"; </div>
<div>depth:14; http_user_agent;
reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87;
classtype:trojan-activity; sid:2022813;
rev:2; metadata:created_at 2016_05_17,
updated_at 2016_05_17;)</div>
</div>
<div><br>
</div>
<div>snort alert 2022813 definition:</div>
<div>
<div>alert <b>tcp</b> $HOME_NET any ->
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
SearchProtect PUA User-Agent Observed";
flow:established,to_server;
content:"User-Agent|3a
20|SearchProtect|3b|"; </div>
<div>fast_pattern; http_header;
reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87;
classtype:trojan-activity; sid:2022813;
rev:1; metadata:created_at 2016_05_17,
updated_at 2016_05_17;)</div>
</div>
<div><br>
</div>
<div>And from snort alert logs, the packet
content that triggered that 2022813 alert:</div>
<div><br>
</div>
<div>
<div>[1:2022813:1] ET MALWARE SearchProtect
PUA User-Agent Observed</div>
<div>2018-09-25 11:09:39.337000-04:00 <a
href="http://128.164.63.89:51872"
target="_blank" moz-do-not-send="true">128.164.63.89:51872</a>
-> <a href="http://54.243.209.194:80"
target="_blank" moz-do-not-send="true">54.243.209.194:80</a></div>
<div>TCP: Data Triggering Snort Rule: POST /
HTTP/1.1::~~Content-Type:
application/json::~~Accept:
*/*::~~User-Agent:
SearchProtect;3.0.50.0;Microsoft Windows 7
Enterprise;SPC0AFF85F-9E31-44AC-8E1C-61C39CDE89DC::~~Host:
sp-alive-msg.databssint.com::~~Content-Length:
2157::~~Connection:
Keep-Alive::~~Cache-Control:
no-cache::~~::~~</div>
<div>[Xref => md5
34e2350c2ed6a9a9e9d444102ae4dd87]</div>
</div>
<div><br>
</div>
<div>Hence, looking at the contents of the
above data triggering log, it looks like it
matches the Suricata rule signature as well,
except I'm not sure if the protocol detected was
actually http or not, and hence the Suricata
alert might not have triggered for the same
content.</div>
<div>Other alerts that weren't triggered in
Suricata also had "http" in place of
"tcp" in the rule signatures, when compared
with snort rule signatures. Hence my guess
is Suricata isn't able to detect the http
protocol for the same traffic and hence isn't
triggering the alerts.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Fatema.</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Sep 25, 2018 at 12:13 AM Michał
Purzyński <<a href="mailto:michalpurzynski1@gmail.com"
target="_blank" moz-do-not-send="true">michalpurzynski1@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">It would be really useful to have some data
we could work on. You can always share pcaps with
developers only, subject to your company's policy.
<div><br>
</div>
<div>One more thing you could do without sharing traffic
is to verify whether, in these cases where snort matches a
signature A and Suricata does not, it is a false
positive or a true positive.</div>
<div><br>
</div>
<div>That would be a great start.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Sep 24, 2018 at 2:59 PM fatema
bannatwala <<a
href="mailto:fatema.bannatwala@gmail.com"
target="_blank" moz-do-not-send="true">fatema.bannatwala@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hmm, makes sense, I was just curious to
know what happens when the snort ruleset is fed to
Suricata,
<div>and to produce a baseline for the initial test
environment to see if the important alerts are not
missed by Suricata once deployed in prod.</div>
<div>Hence I was trying to keep the rulesets the same for
both for an even comparison.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Fatema. </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Sep 24, 2018 at 4:29 PM
Michael Shirk <<a
href="mailto:shirkdog.bsd@gmail.com"
target="_blank" moz-do-not-send="true">shirkdog.bsd@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">The
issue is that the engines are different, so Snort
signatures from<br>
VRT/Talos, even ET-Pro written for the Snort
detection engine are only<br>
tested with Snort. There was a good presentation
by Dave Wharton at<br>
SuriCon 2016 about the subtle differences that can
cause signatures<br>
written for either engine to not work in the
other. Digging into the<br>
specifics of a signature that works in Snort but
does not work in<br>
Suricata may highlight a similar issue.<br>
<br>
At least from what I have seen, similar to the
issue you had with<br>
pulledpork using a Snort signature set with a
Suricata signature set,<br>
I believe the user base selects one detection
engine over the other.<br>
The community will send emails with new detections
that can end up in<br>
the emerging threats signatures, as well as the
community based Snort<br>
rules, but specific to one of the engines.<br>
On Mon, Sep 24, 2018 at 4:18 PM fatema bannatwala<br>
<<a href="mailto:fatema.bannatwala@gmail.com"
target="_blank" moz-do-not-send="true">fatema.bannatwala@gmail.com</a>>
wrote:<br>
><br>
> Hmm, don't want to start Suricata in IPS
mode, as it's configured to sniff traffic through
a tap and should really be running as an IDS.<br>
> Not sure if the triggering of alerts would
depend on mode though, but I might be wrong..<br>
><br>
> On Mon, Sep 24, 2018 at 3:41 PM Albert Whale
<<a
href="mailto:Albert.Whale@it-security-inc.com"
target="_blank" moz-do-not-send="true">Albert.Whale@it-security-inc.com</a>>
wrote:<br>
>><br>
>> So what happens if you start Suricata in
IPS Mode?<br>
>><br>
>><br>
>> On 9/24/18 2:17 PM, fatema bannatwala
wrote:<br>
>><br>
>> Hi Albert,<br>
>><br>
>> I am running Suricata in IDS mode.<br>
>><br>
>> Thanks,<br>
>> Fatema.<br>
>><br>
>> On Mon, Sep 24, 2018 at 2:11 PM Albert E
Whale <<a
href="mailto:Albert.Whale@it-security-inc.com"
target="_blank" moz-do-not-send="true">Albert.Whale@it-security-inc.com</a>>
wrote:<br>
>>><br>
>>> Hi Fatema,<br>
>>><br>
>>> I’m curious, are you running Suricata in
IDS or IPS mode?<br>
>>><br>
>>> I am experiencing significant issues
with IPS on a small home office environment.<br>
>>><br>
>>> Sent from my iPhone<br>
>>><br>
>>> > On Sep 24, 2018, at 1:26 PM,
fatema bannatwala <<a
href="mailto:fatema.bannatwala@gmail.com"
target="_blank" moz-do-not-send="true">fatema.bannatwala@gmail.com</a>>
wrote:<br>
>>> ><br>
>>> > Hi All,<br>
>>> ><br>
>>> > I am working on getting Suricata
up and running with the same rulesets as we have for
snort.<br>
>>> > Hence I am running Suricata with both the
VRT open source free ruleset from Cisco as well as
the ET-PRO rule sets from Proofpoint for
Suricata v4.0.4.<br>
>>> ><br>
>>> > When I start Suricata it gives
some errors for around 200 VRT rules concerning
Invalid_Signature/Unknown_Keyword, which makes
sense as they are not designed to be run with
Suricata. But Suricata starts up correctly and
works fine in spite of those rule errors.<br>
>>> ><br>
>>> > My concern is, the number of
unique alerts that get triggered in Snort is more
than the unique alerts triggered in Suricata, even
though both are getting the same traffic flow. The
difference is huge, i.e. 241 unique Snort alerts
compared to only 94 unique alerts in Suricata.<br>
>>> ><br>
>>> > When I did an analysis, the
difference is between ETPRO alerts as well as VRT
alerts that are triggered in both. And I confirmed
that the sids that are getting triggered in snort
are also enabled in suricata, but still no
suricata alerts for those sids.<br>
>>> ><br>
>>> > Hence, my question is why there
is this discrepancy in the alerts that get
triggered in snort and not in suricata even when
they both are seeing the same traffic and have
same sids enabled?<br>
>>> ><br>
>>> > P.S. My initial thought was,
either it's because of capture loss in suricata
(which is &lt;0.1%), or maybe because of some of
those incompatible VRT alerts that are enabled in
Suricata, and it is not able to work correctly
because of those.<br>
>>> ><br>
>>> > Has anyone tried this kind of
config before?<br>
>>> ><br>
>>> > Thanks,<br>
>>> > Fatema.<br>
>>> ><br>
>>> ><br>
>>> >
_______________________________________________<br>
>>> > Suricata IDS Users mailing list:
<a
href="mailto:oisf-users@openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a><br>
>>> > Site: <a
href="http://suricata-ids.org" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://suricata-ids.org</a>
| Support: <a
href="http://suricata-ids.org/support/"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://suricata-ids.org/support/</a><br>
>>> > List: <a
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> ><br>
>>> > Conference: <a
href="https://suricon.net" rel="noreferrer"
target="_blank" moz-do-not-send="true">https://suricon.net</a><br>
>>> > Trainings: <a
href="https://suricata-ids.org/training/"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://suricata-ids.org/training/</a><br>
>>><br>
>><br>
>> --<br>
>> --<br>
>><br>
>> Albert E. Whale, CEH CHS CISA CISSP<br>
>> President - Chief Security Officer<br>
>> IT Security, Inc. - A Service Disabled
Veteran Owned Company - (SDVOSB)<br>
>> HUBZone Certified<br>
>> LinkedIn Profile<br>
>><br>
>><br>
>> Phone: 412-515-3010 | Email:
<a class="moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com">Albert.Whale@IT-Security-inc.com</a><br>
>> Cell: 412-889-6870<br>
>><br>
<br>
<br>
<br>
-- <br>
Michael Shirk<br>
Daemon Security, Inc.<br>
<a href="https://www.daemon-security.com"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://www.daemon-security.com</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
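<p>As an added example that is not part of the thread, the script below replays the header dump quoted in the Sep 25 Snort alert for sid 2022813 against the content checks of the Suricata variant (http_user_agent, depth:14) and the Snort variant (http_header) of that rule. The helper names are my own and the dump is reconstructed from the quoted log; it shows that both variants match the same request, so the Suricata miss has to come from the flow not being parsed as HTTP (or never reaching the engine), not from the signature itself.</p>

```python
"""Replay the request headers Snort logged for sid 2022813 against the content
checks of the Suricata and Snort rule variants (added example; names are mine)."""

# Constructed from the "Data Triggering Snort Rule" dump quoted in the thread;
# '::~~' is how the Snort log flattened the CRLF line breaks.
SNORT_DUMP = (
    "POST / HTTP/1.1::~~Content-Type: application/json::~~Accept: */*"
    "::~~User-Agent: SearchProtect;3.0.50.0;Microsoft Windows 7 Enterprise;"
    "SPC0AFF85F-9E31-44AC-8E1C-61C39CDE89DC::~~Host: sp-alive-msg.databssint.com"
    "::~~Content-Length: 2157::~~Connection: Keep-Alive"
    "::~~Cache-Control: no-cache::~~::~~"
)

def decode_content(pattern: str) -> bytes:
    """Turn a rule content string with |xx xx| hex escapes into raw bytes."""
    out = b""
    for i, chunk in enumerate(pattern.split("|")):
        # odd-indexed chunks sit between pipes and hold hex bytes
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out

def split_request(dump: str):
    """Return (request line, header block, headers dict with lowercased names)."""
    request_line, _, header_block = dump.replace("::~~", "\r\n").partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, header_block, headers

def http_user_agent_match(dump: str, content: str, depth=None) -> bool:
    """Suricata 'http_user_agent' sticky buffer: only the User-Agent value is
    inspected and depth limits the match to its first N bytes.  The buffer is
    empty, so the rule can never fire, unless the flow was parsed as HTTP."""
    _, _, headers = split_request(dump)
    buf = headers.get("user-agent", "").encode()
    if depth is not None:
        buf = buf[:depth]
    return decode_content(content) in buf

def http_header_match(dump: str, content: str) -> bool:
    """Snort 'http_header': the whole header block is searched, so the rule
    has to spell out the 'User-Agent: ' prefix itself."""
    _, header_block, _ = split_request(dump)
    return decode_content(content) in header_block.encode()

def compare_2022813(dump: str = SNORT_DUMP) -> dict:
    """Both variants match the logged request once the flow is seen as HTTP."""
    return {
        "suricata": http_user_agent_match(dump, "SearchProtect|3b|", depth=14),
        "snort": http_header_match(dump, "User-Agent|3a 20|SearchProtect|3b|"),
    }
```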
<br>
</body>
</html>