[Oisf-users] Fwd: IPS

Victor Julien victor at inliniac.net
Fri Jun 11 14:20:04 UTC 2010


If you shut down Suricata, it gives a few nfq stats. Does it report
"dropped" packets there?

Cheers,
Victor

Anas.B wrote:
> 
> Hello,
> 
> I've replaced "/alert/" by "/drop/" where we have "Nmap" rules in
> the *emerging-scan.rules* file,
> 
> but I have the same result in Nmap:
> 
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
> Nmap scan report for 192.168.44.135
> Host is up (0.00s latency).
> All 1000 scanned ports on 192.168.44.135 are filtered
> MAC Address: 00:0C:29:07:11:87 (VMware)
> as before!!!
> 
> Why aren't the packets dropped?
> 
> These are the commands applied:
> 
> *suricata -c /etc/suricata/suricata.yaml -q 0*
> 
> and this is the iptables:
> 
> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination        
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination        
> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> 
> 
> Kindest regards :)
> 
> Anas
> 
> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
> 
> 
> 2010/6/9 Victor Julien <victor at inliniac.net>
> 
>     All rules might be a bit much, but in essence, yes. But be careful that
>     some rules might false positive.
> 
>     Cheers,
>     Victor
> 
>     Anas.B wrote:
>     > I've just copied the emerging rules,
>     >
>     > Should I copy Snort rules also?
>     > Should I convert all the rules from alert to drop?
>     >
>     >
>     > Thxxx
>     >
>     >
>     > 2010/6/9 Victor Julien <victor at inliniac.net>
>     >
>     >     Making progress :)
>     >
>     >     Do you have drop rules? Normally a rule is "alert ip any any -> any any
>     >     ... " etc. but you need "drop ip any any -> any ...." Did you convert
>     >     your rules?
>     >
>     >     The TmqDebugList statements are debug stuff, you can ignore that.
>     >
>     >     Cheers,
>     >     Victor
>     >
>     >     Anas.B wrote:
>     >     > Thank you so much for your help :)
>     >     >
>     >     > This time I have these lines:
>     >     >
>     >     > 'pickup-queue', len 0
>     >     > TmqDebugList: id 1, name 'decode-queue1', len 0
>     >     > TmqDebugList: id 2, name 'stream-queue1', len 49
>     >     > TmqDebugList: id 3, name 'verdict-queue', len 0
>     >     > TmqDebugList: id 4, name 'respond-queue', len 1
>     >     > TmqDebugList: id 5, name 'alert-queue1', len 0
>     >     >
>     >     > after an Nmap scan
>     >     >
>     >     >
>     >     > after CTRL+C
>     >     >
>     >     > I've this :
>     >     >
>     >     > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
>     >     > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
>     >     > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
>     >     > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
>     >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
>     >     > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
>     >     > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>     >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
>     >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
>     >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
>     >     > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
>     >     > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>     >     > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
>     >     > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
>     >     > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
>     >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>     >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>     >     > done
>     >     >
>     >     >
>     >     > Is this normal?
>     >     > (just alerts, no Dropped!!!!)
>     >     >
>     >     > I've done the Nmap scan from Windows
>     >     >
>     >     >
>     >     > Sorry for the inconvenience
>     >     > Cheers
>     >     >
>     >     >
>     >     >
>     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>     >     >
>     >     >     In the config below you only send outgoing HTTP traffic to Suricata.
>     >     >     To inspect all do:
>     >     >
>     >     >     iptables -A INPUT -j NFQUEUE
>     >     >     iptables -A OUTPUT -j NFQUEUE
>     >     >
>     >     >     Cheers,
>     >     >     Victor
>     >     >
>     >     >     Anas.B wrote:
>     >     >     > I didn't configure iptables,
>     >     >     >
>     >     >     > now I have the two lines
>     >     >     >
>     >     >     > Chain INPUT (policy ACCEPT)
>     >     >     > target     prot opt source               destination
>     >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0
>     >     >     >
>     >     >     > Chain FORWARD (policy ACCEPT)
>     >     >     > target     prot opt source               destination
>     >     >     >
>     >     >     > Chain OUTPUT (policy ACCEPT)
>     >     >     > target     prot opt source               destination
>     >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
>     >     >     >
>     >     >     > But still no alerts/drop/reject on the nmap scan
>     >     >     >
>     >     >     > Best Regards
>     >     >     >
>     >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>     >     >     >
>     >     >     >     In that case you'd need:
>     >     >     >
>     >     >     >     iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
>     >     >     >     iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
>     >     >     >
>     >     >     >     This would send outgoing http traffic (the vm browsing the web) to
>     >     >     >     Suricata.
>     >     >     >
>     >     >     >     Cheers,
>     >     >     >     Victor
>     >     >     >
>     >     >     >     Anas.B wrote:
>     >     >     >     > No, I'm just trying this in a local virtual machine (Ubuntu).
>     >     >     >     >
>     >     >     >     > Since there is not much doc, I'm a little lost.
>     >     >     >     >
>     >     >     >     > thanks a lot
>     >     >     >     >
>     >     >     >     >
>     >     >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>     >     >     >     >
>     >     >     >     >     Did you add the appropriate iptables rules?
>     >     >     >     >
>     >     >     >     >     For example for getting port 80 to suricata:
>     >     >     >     >
>     >     >     >     >     iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
>     >     >     >     >
>     >     >     >     >     Cheers,
>     >     >     >     >     Victor
>     >     >     >     >
>     >     >     >     >     Anas.B wrote:
>     >     >     >     >     >
>     >     >     >     >     > Hello,
>     >     >     >     >     >
>     >     >     >     >     > I've just tested an nmap,
>     >     >     >     >     >
>     >     >     >     >     >  I noticed more unified files
>     >     >     >     >     > and alerts in the file fast.log
>     >     >     >     >     > new values in  alert-debug.log and stats.log
>     >     >     >     >     >
>     >     >     >     >     > That means it works!!
>     >     >     >     >     >
>     >     >     >     >     > But with the command ==> *# suricata -c /etc/suricata/suricata.yaml -q 0*
>     >     >     >     >     >
>     >     >     >     >     > I have no logs,
>     >     >     >     >     > any suggestions
>     >     >     >     >     >
>     >     >     >     >     > thanks :)
>     >     >     >     >     >
>     >     >     >     >     >
>     >     >     >     >     >
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
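The two things this thread turns on, switching the Nmap rules in the emerging rules file from "alert" to "drop" and reading the NFQ verdict statistics Suricata prints at shutdown, as an added shell example (not code from the thread or from Suricata itself). The rule lines and sids below are constructed placeholders; the log line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Three helpers for the situation discussed above:
#   convert_to_drop RULES PATTERN  rewrites "alert" to "drop" only on active rules whose
#                                  text matches PATTERN (case-insensitive); "#alert" lines
#                                  (disabled rules) are left untouched
#   count_action RULES ACTION      counts active rules that start with ACTION
#   nfq_dropped LOGFILE            extracts the "dropped N" value from the
#                                  VerdictNFQThreadExitStats line printed at shutdown,
#                                  the number the reply at the top of this page asks about
set -eu

convert_to_drop() {
    awk -v pat="$2" '
        $1 == "alert" && tolower($0) ~ tolower(pat) { sub(/^alert/, "drop") }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

count_action() {
    awk -v act="$2" '$1 == act { n++ } END { print n + 0 }' "$1"
}

nfq_dropped() {
    # prints "missing" when no verdict line exists, e.g. Suricata was not started with -q
    awk '/VerdictNFQThreadExitStats/ && match($0, /dropped [0-9]+/) {
             print substr($0, RSTART + 8, RLENGTH - 8); found = 1 }
         END { if (!found) print "missing" }' "$1"
}

# Constructed sample rules file (msg text and sids are placeholders, not real ET rules)
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 1024"; sid:9000001; rev:1;)
#alert tcp any any -> any any (msg:"ET SCAN NMAP disabled variant"; sid:9000002; rev:1;)
alert tcp any any -> any 22 (msg:"ET SCAN Potential SSH Scan"; sid:9000003; rev:1;)
EOF
convert_to_drop "$RULES" "NMAP"
echo "drop rules:  $(count_action "$RULES" drop)"    # 1
echo "alert rules: $(count_action "$RULES" alert)"   # 1

# Shutdown line copied from the log quoted in the thread
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
EOF
echo "nfq dropped: $(nfq_dropped "$LOG")"            # 0
rm -f "$RULES" "$LOG"
```

A "dropped 0" alongside thousands of alerts means the verdict thread never saw a drop action, so the rules that fired were still alert rules or the traffic never reached the queue.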



