[Oisf-users] Fwd: IPS
Pablo
pablo.rincon.crespo at gmail.com
Fri Jun 11 15:06:32 UTC 2010
And without suricata running, what does nmap report? I mean, maybe it's
normal: nmap reports filtered ports when something is blocking the packets.
You can also try something like netcat, or create a rule with
content:"google" and try to fetch it; any test other than nmap.
2010/6/11 Anas.B <a.bouhsaina at gmail.com>
> After Ctrl+C
>
> 2810] 11/6/2010 -- 15:11:06 - (detect.c:202) <Info> (DetectExitPrintStats) -- 7 sigs per mpm match on avg needed inspection, total mpm searches 5, less than 25 sigs need inspect 5, more than 100 sigs need inspect 0, more than 1000 0 max 19
> [2811] 11/6/2010 -- 15:11:06 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 27, dropped 2000
> [2813] 11/6/2010 -- 15:11:06 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 2550
> [2813] 11/6/2010 -- 15:11:06 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 2550 alerts
> [2813] 11/6/2010 -- 15:11:06 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 2550 alerts
> [2813] 11/6/2010 -- 15:11:06 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 2550 alerts
> [2813] 11/6/2010 -- 15:11:06 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
> [2813] 11/6/2010 -- 15:11:06 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 2550
> [2814] 11/6/2010 -- 15:11:06 - (flow.c:767) <Info> (FlowManagerThread) -- 2007 new flows, 2 established flows were timed out, 0 flows in closed state
> [2798] 11/6/2010 -- 15:11:06 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
> [2798] 11/6/2010 -- 15:11:06 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
> [2798] 11/6/2010 -- 15:11:06 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> [2798] 11/6/2010 -- 15:11:07 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done
>
>
> We can see 2000 "dropped"
>
>
>
> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
>
>> Hi,
>> yes, I think you're right,
>> what kind of easy rule could I block?
>>
>> Thanks!
>>
>> 2010/6/11 rmkml <rmkml at free.fr>
>>
>>> Hello Anas,
>>> following Victor's email: I think nmap scans are a special case, i.e. the scans open many sessions, which is not an easy case to start with...
>>> Rather try an attack on one rule, then block it...
>>> watch out for the web browsers' cache...
>>> cheers
>>> Rmkml
>>>
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>>
>>>> Hello,
>>>>
>>>> I've replaced "alert" with "drop" where we have "Nmap" rules in the
>>>> emerging-scan.rules file,
>>>>
>>>> but I've the same result in Nmap:
>>>>
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.00s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>> as before !!!
>>>>
>>>> why the packets aren't dropped ?
>>>>
>>>> These are the commands applied :
>>>> suricata -c /etc/suricata/suricata.yaml -q 0
>>>>
>>>> and this is the iptables :
>>>>
>>>> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>>>>
>>>>
>>>> Kindest regards :)
>>>>
>>>> Anas
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
>>>>
>>>>
>>>> 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> All rules might be a bit much, but in essence, yes. But be careful that
>>>> some rules might false positive.
>>>>
>>>> Cheers,
>>>> Victor
>>>>
>>>> Anas.B wrote:
>>>> > I've just copied the emerging rules,
>>>> >
>>>> > should i copy snort rules also ?
>>>> > should i convert all the rules from alert to Drop ?
>>>> >
>>>> >
>>>> > Thxxx
>>>> >
>>>> >
>>>> > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> >
>>>> > Making progress :)
>>>> >
>>>> > Do you have drop rules? Normally a rule is "alert ip any any -> any any ... " etc.
>>>> > but you need "drop ip any any -> any ...." Did you convert your rules?
>>>> >
>>>> > The TmqDebugList statements are debug stuff, you can ignore that.
>>>> >
>>>> > Cheers,
>>>> > Victor
>>>> >
>>>> > Anas.B wrote:
>>>> > > Thank you so much, for your help :)
>>>> > >
>>>> > > this time I've these lines :
>>>> > >
>>>> > > 'pickup-queue', len 0
>>>> > > TmqDebugList: id 1, name 'decode-queue1', len 0
>>>> > > TmqDebugList: id 2, name 'stream-queue1', len 49
>>>> > > TmqDebugList: id 3, name 'verdict-queue', len 0
>>>> > > TmqDebugList: id 4, name 'respond-queue', len 1
>>>> > > TmqDebugList: id 5, name 'alert-queue1', len 0
>>>> > >
>>>> > > after an Nmap scan
>>>> > >
>>>> > >
>>>> > > after CTRL+C
>>>> > >
>>>> > > I've this :
>>>> > >
>>>> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
>>>> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
>>>> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
>>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done
>>>> > >
>>>> > >
>>>> > > is this normal ?
>>>> > > (just alerts no Dropped !!!!)
>>>> > >
>>>> > > I've done the Nmap scan from Windows
>>>> > >
>>>> > >
>>>> > > Sorry for the inconvenience
>>>> > > Cheers
>>>> > >
>>>> > >
>>>> > >
>>>> > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > >
>>>> > > In the config below you only send outgoing HTTP traffic to Suricata.
>>>> > > To inspect all do:
>>>> > >
>>>> > > iptables -A INPUT -j NFQUEUE
>>>> > > iptables -A OUTPUT -j NFQUEUE
>>>> > >
>>>> > > Cheers,
>>>> > > Victor
>>>> > >
>>>> > > Anas.B wrote:
>>>> > > > I didn't configure Iptables,
>>>> > > >
>>>> > > > now i have the two lines
>>>> > > >
>>>> > > > Chain INPUT (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > > NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0
>>>> > > >
>>>> > > > Chain FORWARD (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > >
>>>> > > > Chain OUTPUT (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > > NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
>>>> > > >
>>>> > > > But still no alerts/Drop/reject nmap scan
>>>> > > >
>>>> > > > Best Regards
>>>> > > >
>>>> > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > > >
>>>> > > > In that case you'd need:
>>>> > > >
>>>> > > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
>>>> > > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
>>>> > > >
>>>> > > > This would send outgoing http traffic (the vm browsing the web) to Suricata.
>>>> > > >
>>>> > > > Cheers,
>>>> > > > Victor
>>>> > > >
>>>> > > > Anas.B wrote:
>>>> > > > > No, I'm just trying this in a local Virtual Machine (Ubuntu).
>>>> > > > >
>>>> > > > > since there is not much doc, I'm a little lost.
>>>> > > > >
>>>> > > > > thanks a lot
>>>> > > > >
>>>> > > > >
>>>> > > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > > > >
>>>> > > > > Did you add the appropriate iptables rules?
>>>> > > > >
>>>> > > > > For example for getting port 80 to suricata:
>>>> > > > >
>>>> > > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
>>>> > > > >
>>>> > > > > Cheers,
>>>> > > > > Victor
>>>> > > > >
>>>> > > > > Anas.B wrote:
>>>> > > > > >
>>>> > > > > > Hello,
>>>> > > > > >
>>>> > > > > > I've just tested a nmap,
>>>> > > > > >
>>>> > > > > > I noticed more unified files
>>>> > > > > > and alerts in the file fast.log
>>>> > > > > > new values in alert-debug.log and stats.log
>>>> > > > > >
>>>> > > > > > that means it works !!
>>>> > > > > >
>>>> > > > > > But with the command ==> # suricata -c /etc/suricata/suricata.yaml -q 0
>>>> > > > > >
>>>> > > > > > I have no logs,
>>>> > > > > > any suggestions
>>>> > > > > >
>>>> > > > > > thanks :)
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > ------------------------------------------------------------------------
>>>> > > > > >
>>>> > > > > > _______________________________________________
>>>> > > > > > Oisf-users mailing list
>>>> > > > > > Oisf-users at openinfosecfoundation.org
>>>> > > > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> > > > >
>>>> > > > >
>>>> > > > > --
>>>> > > > > ---------------------------------------------
>>>> > > > > Victor Julien
>>>> > > > > http://www.inliniac.net/
>>>> > > > > PGP: http://www.inliniac.net/victorjulien.asc
>>>> > > > > ---------------------------------------------
>>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
--
Best regards,
--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation (OISF)
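The two practical points in this thread are converting the relevant rules from "alert" to "drop" (Victor's advice, which Anas did by hand in emerging-scan.rules) and, as Pablo suggests above, testing the IPS path with a simple content:"google" rule instead of an nmap scan. The script below is an added example and is not code from the thread or from the Suricata project: it rewrites the action of enabled rules whose msg contains a pattern, counts rules per action so the change can be checked before Suricata is restarted with `-q 0`, and appends the one-line test drop rule. The rules file, msg strings and sids it uses are constructed placeholders, not real ET rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# Converts selected "alert" rules to "drop" and appends a content:"google"
# drop rule so the NFQUEUE/IPS path can be checked with a single HTTP fetch.
# File names, msg strings and sids are constructed placeholders.

# Rewrite the action of every enabled rule whose msg contains PATTERN from
# "alert" to "drop". Commented-out rules (leading '#') are left untouched.
convert_alert_to_drop() {
    rules_file=$1
    pattern=$2
    sed "/^alert .*msg:\"[^\"]*${pattern}[^\"]*\"/s/^alert /drop /" "$rules_file" > "$rules_file.tmp" \
        && mv "$rules_file.tmp" "$rules_file"
}

# Count enabled rules with a given action (alert, drop, ...). grep -c exits 1
# when the count is zero; "|| true" keeps the printed "0" as the result.
count_action() {
    grep -c "^$2 " "$1" || true
}

# Append a minimal drop rule matching the literal "google" in any TCP payload.
# With Suricata on "-q 0", a fetch of a page containing that string through
# the inspected path should fail and "Pkts ... dropped" in the exit stats
# should increase; that is the test Pablo proposes instead of nmap.
add_test_rule() {
    printf '%s\n' 'drop tcp any any -> any any (msg:"IPS TEST google content (constructed)"; content:"google"; sid:9000001; rev:1;)' >> "$1"
}

# Constructed sample rules file (not real ET rules) used by the demo and test.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any any (msg:"SCAN example Nmap probe (constructed)"; flags:S; sid:9000002; rev:1;)
alert tcp any any -> any 80 (msg:"WEB example path (constructed)"; content:"/admin"; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"SCAN Nmap disabled example (constructed)"; sid:9000004; rev:1;)
EOF
}

# Demo: run with "--demo" to see the rewritten file. The iptables and
# suricata lines from the thread are shown here, not executed, since they
# need root and a live host:
#   iptables -A INPUT -j NFQUEUE
#   iptables -A OUTPUT -j NFQUEUE
#   suricata -c /etc/suricata/suricata.yaml -q 0
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_rules "$f"
    convert_alert_to_drop "$f" Nmap
    add_test_rule "$f"
    echo "alert rules: $(count_action "$f" alert), drop rules: $(count_action "$f" drop)"
    cat "$f"
    rm -f "$f"
fi
```

Only rules that are actually enabled and whose msg matches are rewritten, so a bulk "all rules to drop" conversion (which Victor warns can block legitimate traffic on false positives) is avoided; run `count_action` before and after to confirm exactly how many rules changed action.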