[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Michiel van Es
mve at pcintelligence.nl
Thu Mar 24 14:26:30 UTC 2011
On Thu, 24 Mar 2011 14:55:29 +0100, Michiel van Es wrote:
> On Thu, 24 Mar 2011 14:25:57 +0100, Victor Julien wrote:
>> On 03/24/2011 02:04 PM, Michiel van Es wrote:
>>>
>>> On Thu, 24 Mar 2011 12:27:02 +0100, Victor Julien wrote:
>>>> On 03/24/2011 11:34 AM, Michiel van Es wrote:
>>>>> On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
>>>>>> On 24/03/11 10:19, Michiel van Es wrote:
>>>>>>> Hi,
>>>>>>>
>
> <snip>
>>
>> Not sure actually, it should just work. Can you try with a pcap file
>> to
>> make sure it's not something related to the network, our live pcap
>> code,
>> etc?
>>
> Hmm, when I uninstall the 1.0.2 version with make uninstall and do an
> install of the 1.0.1 version from Ubuntu, the http.log is working
> without any problems.
> Let me see what is going wrong.
> What can I do with the alerts that are found by suricata?
> I am now seeing them when I turn on the alert-debug.log:
> #############################################
> ==> alert-debug.log <==
> +================
> TIME: 03/24/11-13:50:14.709117
> ALERT CNT: 1
> ALERT MSG [00]: NII Cross-site scripting attempt
> ALERT GID [00]: 1
> ALERT SID [00]: 9000
> ALERT REV [00]: 5
> ALERT CLASS [00]: Web Application Attack
> ALERT PRIO [00]: 3
> SRC IP: 85.90.76.130
> DST IP: 194.145.200.17
> PROTO: 6
> SRC PORT: 43035
> DST PORT: 80
> TCP SEQ: 1354407881
> TCP ACK: 1967105398
> FLOW: to_server: TRUE, to_client: FALSE
> FLOW Start TS: 03/24/11-13:50:14.378913
> FLOW PKTS TODST: 11
> FLOW PKTS TOSRC: 11
> FLOW Total Bytes: 7836
> FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
> FLOW ACTION: DROP: FALSE, PASS FALSE
> FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
> FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
> PACKET LEN: 467
> PACKET:
> 0000 00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00 ..>.[ .0 H.....E.
> 0010 01 C5 1F B7 40 00 34 06 F8 FC 55 5A 4C 82 C2 91 ....@.4. ..UZL...
> 0020 C8 11 A8 1B 00 50 50 BA 9F C9 75 3F A5 76 80 18 .....PP. ..u?.v..
> 0030 00 69 BC 9B 00 00 01 01 08 0A 00 1B 8B F2 14 0A .i...... ........
> 0040 C7 C5 47 45 54 20 2F 28 20 48 54 54 50 2F 31 2E ..GET /(  HTTP/1.
> 0050 31 0D 0A 48 6F 73 74 3A 20 77 77 77 77 77 77 2E 1..Host:  wwwwww.
> 0060 70 63 69 6E 74 65 6C 6C 69 67 65 6E 63 65 2E 6E pcintell igence.n
> 0070 6C 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B l..Conne ction: k
> 0080 65 65 70 2D 61 6C 69 76 65 0D 0A 58 2D 57 65 62 eep-aliv e..X-Web
> 0090 73 65 63 75 72 69 66 79 4C 69 74 65 2D 52 65 71 securify Lite-Req
> 00A0 75 65 73 74 3A 20 74 72 75 65 0D 0A 55 73 65 72 uest: tr ue..User
> 00B0 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent:  Mozilla/
> 00C0 35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E 5.0 (X11 ; U; Lin
> 00D0 75 78 20 78 38 36 5F 36 34 3B 20 65 6E 2D 55 53 ux x86_6 4; en-US
> 00E0 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 ) AppleW ebKit/53
> 00F0 34 2E 31 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 4.16 (KH TML, lik
> 0100 65 20 47 65 63 6B 6F 29 20 55 62 75 6E 74 75 2F e Gecko)  Ubuntu/
> 0110 31 30 2E 31 30 20 43 68 72 6F 6D 69 75 6D 2F 31 10.10 Ch romium/1
> 0120 30 2E 30 2E 36 34 38 2E 31 33 33 20 43 68 72 6F 0.0.648. 133 Chro
> 0130 6D 65 2F 31 30 2E 30 2E 36 34 38 2E 31 33 33 20 me/10.0. 648.133
> 0140 53 61 66 61 72 69 2F 35 33 34 2E 31 36 0D 0A 41 Safari/5 34.16..A
> 0150 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 ccept: * /*..Acce
> 0160 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt-Encod ing: gzi
> 0170 70 2C 64 65 66 6C 61 74 65 2C 73 64 63 68 0D 0A p,deflat e,sdch..
> 0180 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A Accept-L anguage:
> 0190 20 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 38 0D  en-US,e n;q=0.8.
> 01A0 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A .Accept- Charset:
> 01B0 20 49 53 4F 2D 38 38 35 39 2D 31 2C 75 74 66 2D  ISO-885 9-1,utf-
> 01C0 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D 30 2E 33 0D 8;q=0.7, *;q=0.3.
> 01D0 0A 0D 0A ...
> +================
> TIME: 03/24/11-13:50:14.709507
> ALERT CNT: 2
> ALERT MSG [00]: WEB-MISC http directory traversal
> ALERT GID [00]: 1
> ALERT SID [00]: 1113
> ALERT REV [00]: 5
> ALERT CLASS [00]: Attempted Information Leak
> ALERT PRIO [00]: 3
> ALERT MSG [01]: WEB-MISC /etc/passwd
> ALERT GID [01]: 1
> ALERT SID [01]: 1122
> ALERT REV [01]: 5
> ALERT CLASS [01]: Attempted Information Leak
> ALERT PRIO [01]: 3
> SRC IP: 85.90.76.130
> DST IP: 194.145.200.17
> PROTO: 6
> SRC PORT: 59655
> DST PORT: 80
> TCP SEQ: 1352300079
> TCP ACK: 1961216133
> FLOW: to_server: TRUE, to_client: FALSE
> FLOW Start TS: 03/24/11-13:50:14.378956
> FLOW PKTS TODST: 9
> FLOW PKTS TOSRC: 8
> FLOW Total Bytes: 5270
> FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
> FLOW ACTION: DROP: FALSE, PASS FALSE
> FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
> FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
> PACKET LEN: 66
> PACKET:
> 0000 00 16 3E 87 5B 20 00 30 48 94 D6 C4 08 00 45 00 ..>.[ .0 H.....E.
> 0010 00 34 E6 14 40 00 34 06 34 30 55 5A 4C 82 C2 91 .4..@.4. 40UZL...
> 0020 C8 11 E9 07 00 50 50 9A 76 2F 74 E5 C8 85 80 10 .....PP. v/t.....
> 0030 00 58 F4 92 00 00 01 01 08 0A 00 1B 8B F3 14 0A .X...... ........
> 0040 C7 AD
> ############################################################
>
> Can I disable the alert-debug.log and have a more INFO-level alert.log
> logfile?
> And can I use something like ACID or another tool to provide daily
> reports or a web interface to see how many XSS and SQL injection
> attacks have been detected?
>
To reply to my own question: the fast.log is working now with the 1.0.2
version :)
Still trying to minimise the CPU load; memory usage is pretty low now.
>
> Cheers,
>
> Michiel
Michiel
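On the reporting question raised in the message (daily counts of XSS, SQL injection and similar alerts), the one-line-per-alert fast.log that 1.0.2 now writes is easy to summarise with a small script, with or without an ACID-style console in front of it. The following is an added example, not code from the original thread or from the Suricata project. The fast.log sample it parses is constructed from the three alerts in the alert-debug.log above (same SIDs, messages, addresses and ports) plus one deliberate non-alert line; the keyword-to-bucket mapping in CATEGORY_KEYWORDS is an assumption for illustration and should be adapted to the rule set in use.

```python
import re
from collections import Counter

# Constructed sample in Suricata fast.log format (one alert per line), built
# from the three alerts shown in the alert-debug.log above; the last line is
# deliberate noise to show that non-alert lines are skipped.
SAMPLE_FAST_LOG = """\
03/24/11-13:50:14.709117  [**] [1:9000:5] NII Cross-site scripting attempt [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 85.90.76.130:43035 -> 194.145.200.17:80
03/24/11-13:50:14.709507  [**] [1:1113:5] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 85.90.76.130:59655 -> 194.145.200.17:80
03/24/11-13:50:14.709507  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 85.90.76.130:59655 -> 194.145.200.17:80
this line is not an alert and must be ignored
"""

# One fast.log alert line. The Classification block is optional because
# Suricata omits it for rules that carry no classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Assumed mapping from signature message text to report buckets (adjust to
# the rule sets in use). Matching is a case-insensitive substring search.
CATEGORY_KEYWORDS = {
    "xss": ("cross-site scripting", "xss"),
    "sqli": ("sql injection", "sqli"),
    "traversal": ("directory traversal", "/etc/passwd"),
}


def parse_fast_log(text):
    """Return one dict per alert line; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def categorise(msg):
    """Bucket a signature message into xss / sqli / traversal / other."""
    low = msg.lower()
    for category, needles in CATEGORY_KEYWORDS.items():
        if any(needle in low for needle in needles):
            return category
    return "other"


def summarise(records):
    """Counters a daily report would show: per bucket, classtype, SID and source."""
    return {
        "by_category": Counter(categorise(r["msg"]) for r in records),
        "by_class": Counter(r["cls"] or "unclassified" for r in records),
        "by_sid": Counter((r["sid"], r["msg"]) for r in records),
        "by_source": Counter(r["src"] for r in records),
    }


def report(text):
    """Render the summary as plain text, e.g. for a daily cron mail."""
    summary = summarise(parse_fast_log(text))
    lines = ["Suricata web-attack summary", "By category:"]
    for category, n in sorted(summary["by_category"].items()):
        lines.append(f"  {category:<10} {n}")
    lines.append("By signature:")
    for (sid, msg), n in summary["by_sid"].most_common():
        lines.append(f"  sid {sid:<6} {n:>4}  {msg}")
    lines.append("Top sources:")
    for src, n in summary["by_source"].most_common(10):
        lines.append(f"  {src:<15} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FAST_LOG))
```

Run it against a real fast.log by passing the file contents to report(); because the parser keys on the fixed `[**] [gid:sid:rev] msg [**]` layout, any line Suricata writes that does not follow it (or a truncated line at a log rotation boundary) is dropped rather than mis-counted.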