[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Michiel van Es
mve at pcintelligence.nl
Thu Mar 24 13:55:29 UTC 2011
On Thu, 24 Mar 2011 14:25:57 +0100, Victor Julien wrote:
> On 03/24/2011 02:04 PM, Michiel van Es wrote:
>>
>> On Thu, 24 Mar 2011 12:27:02 +0100, Victor Julien wrote:
>>> On 03/24/2011 11:34 AM, Michiel van Es wrote:
>>>> On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
>>>>> On 24/03/11 10:19, Michiel van Es wrote:
>>>>>> Hi,
>>>>>>
<snip>
>
> Not sure actually, it should just work. Can you try with a pcap file to
> make sure it's not something related to the network, our live pcap code,
> etc?
>
Hmm, when I uninstall the 1.0.2 version with make uninstall and do an
install of the 1.0.1 version from Ubuntu, the http.log is working
without any problems.
Let me see what is going wrong.
What can I do with the alerts that are found by Suricata?
I am now seeing them when I turn on the alert-debug.log:
#############################################
==> alert-debug.log <==
+================
TIME: 03/24/11-13:50:14.709117
ALERT CNT: 1
ALERT MSG [00]: NII Cross-site scripting attempt
ALERT GID [00]: 1
ALERT SID [00]: 9000
ALERT REV [00]: 5
ALERT CLASS [00]: Web Application Attack
ALERT PRIO [00]: 3
SRC IP: 85.90.76.130
DST IP: 194.145.200.17
PROTO: 6
SRC PORT: 43035
DST PORT: 80
TCP SEQ: 1354407881
TCP ACK: 1967105398
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 03/24/11-13:50:14.378913
FLOW PKTS TODST: 11
FLOW PKTS TOSRC: 11
FLOW Total Bytes: 7836
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 467
PACKET:
0000  00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00  ..>.[ .0 H.....E.
0010  01 C5 1F B7 40 00 34 06 F8 FC 55 5A 4C 82 C2 91  ....@.4. ..UZL...
0020  C8 11 A8 1B 00 50 50 BA 9F C9 75 3F A5 76 80 18  .....PP. ..u?.v..
0030  00 69 BC 9B 00 00 01 01 08 0A 00 1B 8B F2 14 0A  .i...... ........
0040  C7 C5 47 45 54 20 2F 28 20 48 54 54 50 2F 31 2E  ..GET /(  HTTP/1.
0050  31 0D 0A 48 6F 73 74 3A 20 77 77 77 77 77 77 2E  1..Host:  wwwwww.
0060  70 63 69 6E 74 65 6C 6C 69 67 65 6E 63 65 2E 6E  pcintell igence.n
0070  6C 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B  l..Conne ction: k
0080  65 65 70 2D 61 6C 69 76 65 0D 0A 58 2D 57 65 62  eep-aliv e..X-Web
0090  73 65 63 75 72 69 66 79 4C 69 74 65 2D 52 65 71  securify Lite-Req
00A0  75 65 73 74 3A 20 74 72 75 65 0D 0A 55 73 65 72  uest: tr ue..User
00B0  2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent:  Mozilla/
00C0  35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E  5.0 (X11 ; U; Lin
00D0  75 78 20 78 38 36 5F 36 34 3B 20 65 6E 2D 55 53  ux x86_6 4; en-US
00E0  29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33  ) AppleW ebKit/53
00F0  34 2E 31 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B  4.16 (KH TML, lik
0100  65 20 47 65 63 6B 6F 29 20 55 62 75 6E 74 75 2F  e Gecko)  Ubuntu/
0110  31 30 2E 31 30 20 43 68 72 6F 6D 69 75 6D 2F 31  10.10 Ch romium/1
0120  30 2E 30 2E 36 34 38 2E 31 33 33 20 43 68 72 6F  0.0.648. 133 Chro
0130  6D 65 2F 31 30 2E 30 2E 36 34 38 2E 31 33 33 20  me/10.0. 648.133 
0140  53 61 66 61 72 69 2F 35 33 34 2E 31 36 0D 0A 41  Safari/5 34.16..A
0150  63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65  ccept: * /*..Acce
0160  70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69  pt-Encod ing: gzi
0170  70 2C 64 65 66 6C 61 74 65 2C 73 64 63 68 0D 0A  p,deflat e,sdch..
0180  41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A  Accept-L anguage:
0190  20 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 38 0D   en-US,e n;q=0.8.
01A0  0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A  .Accept- Charset:
01B0  20 49 53 4F 2D 38 38 35 39 2D 31 2C 75 74 66 2D   ISO-885 9-1,utf-
01C0  38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D 30 2E 33 0D  8;q=0.7, *;q=0.3.
01D0  0A 0D 0A                                         ...
+================
TIME: 03/24/11-13:50:14.709507
ALERT CNT: 2
ALERT MSG [00]: WEB-MISC http directory traversal
ALERT GID [00]: 1
ALERT SID [00]: 1113
ALERT REV [00]: 5
ALERT CLASS [00]: Attempted Information Leak
ALERT PRIO [00]: 3
ALERT MSG [01]: WEB-MISC /etc/passwd
ALERT GID [01]: 1
ALERT SID [01]: 1122
ALERT REV [01]: 5
ALERT CLASS [01]: Attempted Information Leak
ALERT PRIO [01]: 3
SRC IP: 85.90.76.130
DST IP: 194.145.200.17
PROTO: 6
SRC PORT: 59655
DST PORT: 80
TCP SEQ: 1352300079
TCP ACK: 1961216133
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 03/24/11-13:50:14.378956
FLOW PKTS TODST: 9
FLOW PKTS TOSRC: 8
FLOW Total Bytes: 5270
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 66
PACKET:
0000  00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00  ..>.[ .0 H.....E.
0010  00 34 E6 14 40 00 34 06 34 30 55 5A 4C 82 C2 91  .4..@.4. 40UZL...
0020  C8 11 E9 07 00 50 50 9A 76 2F 74 E5 C8 85 80 10  .....PP. v/t.....
0030  00 58 F4 92 00 00 01 01 08 0A 00 1B 8B F3 14 0A  .X...... ........
0040  C7 AD
############################################################
Can I disable the alert-debug.log and have a more INFO alert.log
logfile?
And can I use something like ACID or another tool to provide daily
reports or a web interface to see how many XSS and SQL injection attacks
have been detected?
> Cheers,
> Victor
Cheers,
Michiel
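The alert-debug.log records quoted in the message are verbose per-packet dumps, and the question at the end is about turning them into a daily count of XSS and SQL injection detections. One way to get that kind of summary without a full ACID-style console is to parse the records and aggregate them. The script below is an added example written for this page, not code from the Suricata project or from anyone in the thread; it assumes the record layout shown in the message (records separated by a `+================` line, one `ALERT MSG [NN]:` block per matched signature, a `PACKET:` hex dump that closes the record) and runs on a constructed sample log that uses documentation-range IP addresses. The attack categories (`xss`, `sqli`, `traversal`) are keyword heuristics over the rule message, chosen here for illustration; real rulesets would be mapped by SID.

```python
"""Reduce Suricata alert-debug.log records to per-day counts by attack category.

Added example for this thread, not Suricata project code. Assumes the
alert-debug.log layout quoted on the page: "+================" separators,
"ALERT <FIELD> [NN]: value" lines per matched signature, "KEY: value" lines
for the flow, and a "PACKET:" line followed by a hex dump that is ignored.
"""
import re
from collections import Counter

# Constructed sample modelled on the records in the thread (not a real capture).
SAMPLE_LOG = """\
+================
TIME: 03/24/11-13:50:14.709117
ALERT CNT: 1
ALERT MSG [00]: NII Cross-site scripting attempt
ALERT GID [00]: 1
ALERT SID [00]: 9000
ALERT REV [00]: 5
ALERT CLASS [00]: Web Application Attack
ALERT PRIO [00]: 3
SRC IP: 192.0.2.10
DST IP: 198.51.100.5
PROTO: 6
SRC PORT: 43035
DST PORT: 80
PACKET LEN: 467
PACKET:
0000  00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00  ..>.[ .0 H.....E.
+================
TIME: 03/24/11-13:50:14.709507
ALERT CNT: 2
ALERT MSG [00]: WEB-MISC http directory traversal
ALERT GID [00]: 1
ALERT SID [00]: 1113
ALERT REV [00]: 5
ALERT CLASS [00]: Attempted Information Leak
ALERT PRIO [00]: 3
ALERT MSG [01]: WEB-MISC /etc/passwd
ALERT GID [01]: 1
ALERT SID [01]: 1122
ALERT REV [01]: 5
ALERT CLASS [01]: Attempted Information Leak
ALERT PRIO [01]: 3
SRC IP: 192.0.2.10
DST IP: 198.51.100.5
PROTO: 6
SRC PORT: 59655
DST PORT: 80
PACKET LEN: 66
PACKET:
0000  00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00  ..>.[ .0 H.....E.
"""

RECORD_SEP = "+================"
ALERT_FIELD = re.compile(r"^ALERT (MSG|GID|SID|REV|CLASS|PRIO) \[(\d+)\]: (.*)$")
PLAIN_FIELD = re.compile(r"^([A-Za-z _]+?): (.*)$")
NUMERIC_ALERT_FIELDS = ("GID", "SID", "REV", "PRIO")


def parse_records(text):
    """Return a list of dicts, one per record; each has an 'alerts' list."""
    records = []
    current = None
    in_packet = False
    for line in text.splitlines():
        if line.startswith(RECORD_SEP):
            current = {"alerts": {}}
            records.append(current)
            in_packet = False
            continue
        if current is None or in_packet:
            continue                      # preamble text or hex dump lines
        if line == "PACKET:":
            in_packet = True              # everything until the next separator is hex
            continue
        m = ALERT_FIELD.match(line)
        if m:
            field, idx, value = m.group(1), int(m.group(2)), m.group(3)
            alert = current["alerts"].setdefault(idx, {})
            alert[field.lower()] = int(value) if field in NUMERIC_ALERT_FIELDS else value
            continue
        m = PLAIN_FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    for rec in records:                   # order the per-signature blocks by their [NN] index
        rec["alerts"] = [rec["alerts"][i] for i in sorted(rec["alerts"])]
    return records


def attack_category(msg):
    """Heuristic mapping of a rule message to a coarse category (illustrative only)."""
    low = msg.lower()
    if "cross-site scripting" in low or "xss" in low:
        return "xss"
    if "sql injection" in low or "sqli" in low:
        return "sqli"
    if "traversal" in low or "/etc/passwd" in low:
        return "traversal"
    return "other"


def daily_report(text):
    """Map 'MM/DD/YY' -> Counter of categories, counting every matched signature."""
    report = {}
    for rec in parse_records(text):
        day = rec.get("TIME", "unknown").split("-")[0]
        counts = report.setdefault(day, Counter())
        for alert in rec["alerts"]:
            counts[attack_category(alert.get("msg", ""))] += 1
    return report


def top_sources(text, n=5):
    """Source IPs ranked by number of matched signatures."""
    by_src = Counter()
    for rec in parse_records(text):
        by_src[rec.get("SRC IP", "unknown")] += len(rec["alerts"])
    return by_src.most_common(n)


if __name__ == "__main__":
    for day, counts in sorted(daily_report(SAMPLE_LOG).items()):
        print(day, dict(counts))
    print("top sources:", top_sources(SAMPLE_LOG))
```

Because alert-debug.log contains the full packet hex, it grows quickly on a busy web server; the parser skips the dump, but a summary like this is better fed from a lighter alert log once that is configured, and the same aggregation logic applies to any line-oriented format that carries the SID, message and source address.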