[Oisf-users] Fwd: IPS
Victor Julien
victor at inliniac.net
Fri Jun 11 14:20:04 UTC 2010
If you shut down Suricata, it gives a few nfq stats. Does it report
"dropped" packets there?
Cheers,
Victor
Anas.B wrote:
>
> Hello,
>
> I've replaced "/alert/" by "/drop/" where we have "Nmap" rules in the
> *emerging-scan.rules* file,
>
> but I've the same result in Nmap:
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
> Nmap scan report for 192.168.44.135
> Host is up (0.00s latency).
> All 1000 scanned ports on 192.168.44.135 are filtered
> MAC Address: 00:0C:29:07:11:87 (VMware)
> as before !!!
>
> Why aren't the packets dropped?
>
> These are the commands applied:
>
> *suricata -c /etc/suricata/suricata.yaml -q 0*
>
> and this is the iptables:
>
> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>
>
> Kindest regards :)
>
> Anas
>
> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
>
>
> 2010/6/9 Victor Julien <victor at inliniac.net>
>
> All rules might be a bit much, but in essence, yes. But be careful that
> some rules might false positive.
>
> Cheers,
> Victor
>
> Anas.B wrote:
> > I've just copied the emerging rules,
> >
> > Should I copy the Snort rules also?
> > Should I convert all the rules from alert to drop?
> >
> >
> > Thxxx
> >
> >
> > 2010/6/9 Victor Julien <victor at inliniac.net>
> >
> > Making progress :)
> >
> > Do you have drop rules? Normally a rule is "alert ip any any -> any any
> > ... " etc. but you need "drop ip any any -> any ...." Did you convert
> > your rules?
> >
> > The TmqDebugList statements are debug stuff, you can ignore that.
> >
> > Cheers,
> > Victor
> >
> > Anas.B wrote:
> > > Thank you so much for your help :)
> > >
> > > This time I've these lines:
> > >
> > > 'pickup-queue', len 0
> > > TmqDebugList: id 1, name 'decode-queue1', len 0
> > > TmqDebugList: id 2, name 'stream-queue1', len 49
> > > TmqDebugList: id 3, name 'verdict-queue', len 0
> > > TmqDebugList: id 4, name 'respond-queue', len 1
> > > TmqDebugList: id 5, name 'alert-queue1', len 0
> > >
> > > after an Nmap scan
> > >
> > >
> > > after CTRL+C
> > >
> > > I've this :
> > >
> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done
> > >
> > >
> > > Is this normal?
> > > (just alerts, no Dropped!!!!)
> > >
> > > I've done the Nmap scan from Windows
> > >
> > >
> > > Sorry for the inconvenience
> > > Cheers
> > >
> > >
> > >
> > > 2010/6/9 Victor Julien <victor at inliniac.net>
> > >
> > > In the config below you only send outgoing HTTP traffic to Suricata. To
> > > inspect all do:
> > >
> > > iptables -A INPUT -j NFQUEUE
> > > iptables -A OUTPUT -j NFQUEUE
> > >
> > > Cheers,
> > > Victor
> > >
> > > Anas.B wrote:
> > > > I didn't configure iptables,
> > > >
> > > > Now I have the two lines
> > > >
> > > > Chain INPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target prot opt source destination
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
> > > >
> > > > But still no alerts/drop/reject for the nmap scan
> > > >
> > > > Best Regards
> > > >
> > > > 2010/6/9 Victor Julien <victor at inliniac.net>
> > > >
> > > > In that case you'd need:
> > > >
> > > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
> > > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
> > > >
> > > > This would send outgoing http traffic (the vm browsing the web) to
> > > > Suricata.
> > > >
> > > > Cheers,
> > > > Victor
> > > >
> > > > Anas.B wrote:
> > > > > No, I'm just trying this in a local Virtual Machine (Ubuntu).
> > > > >
> > > > > Since there is not much documentation, I'm a little lost.
> > > > >
> > > > > Thanks a lot
> > > > >
> > > > >
> > > > > 2010/6/9 Victor Julien <victor at inliniac.net>
> > > > >
> > > > > Did you add the appropriate iptables rules?
> > > > >
> > > > > For example for getting port 80 to suricata:
> > > > >
> > > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
> > > > >
> > > > > Cheers,
> > > > > Victor
> > > > >
> > > > > Anas.B wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I've just tested an nmap,
> > > > > >
> > > > > > I noticed more unified files
> > > > > > and alerts in the file fast.log
> > > > > > new values in alert-debug.log and stats.log
> > > > > >
> > > > > > that means it works !!
> > > > > >
> > > > > > But with the command ==> *# suricata -c /etc/suricata/suricata.yaml -q 0*
> > > > > >
> > > > > > I have no logs,
> > > > > > any suggestions
> > > > > >
> > > > > > thanks :)
> > > > > >
> ------------------------------------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
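The two things this thread keeps circling back to are converting "alert" rules to "drop" and reading the NFQ verdict counters Suricata prints at shutdown. Below is an added Python example (not code from the thread or from Suricata) that does both; the rule text and sids are constructed samples in the style of emerging-scan.rules, and the verdict line is the one quoted above.

```python
import re
from collections import Counter

# Constructed sample in the style of emerging-scan.rules (sids are made up,
# from the local 1000000+ range; not the real file contents).
SAMPLE_RULES = """\
# comment lines and disabled rules are left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NMAP -sS sample"; flags:S,12; classtype:attempted-recon; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Ping Sweep sample"; itype:8; classtype:attempted-recon; sid:1000002; rev:1;)
#alert tcp any any -> any any (msg:"SCAN NMAP disabled sample"; sid:1000003; rev:1;)
"""

# The NFQ verdict line Suricata printed at shutdown in the thread above.
VERDICT_LINE = ("[8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> "
                "(VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0")

RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$")
MSG_RE = re.compile(r'msg:"([^"]*)"')
VERDICT_RE = re.compile(r"\(Verdict\) Pkts accepted (\d+), dropped (\d+)")


def convert_alert_to_drop(rules_text, msg_substring=None):
    """Return the rules with 'alert' switched to 'drop'.

    With msg_substring set, only rules whose msg: contains it (case-insensitive)
    are converted, which is what the thread does for the "Nmap" rules.
    Comments, disabled (#alert) rules and non-alert actions are kept as-is."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "alert":
            msg = MSG_RE.search(line)
            if msg_substring is None or (
                    msg and msg_substring.lower() in msg.group(1).lower()):
                line = "drop " + m.group("rest")
        out.append(line)
    return "\n".join(out) + "\n"


def count_actions(rules_text):
    """Count active rules per action, to confirm drop rules are really present."""
    matches = (RULE_RE.match(line) for line in rules_text.splitlines())
    return dict(Counter(m.group("action") for m in matches if m))


def parse_nfq_verdict(log_line):
    """Extract (accepted, dropped) from the shutdown verdict line, or None.
    'accepted 6028, dropped 0' means packets did reach Suricata inline but
    no drop verdict was ever issued."""
    m = VERDICT_RE.search(log_line)
    return (int(m.group(1)), int(m.group(2))) if m else None
```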