[Oisf-users] Question
Peter Manev
petermanev at gmail.com
Mon Apr 1 19:01:59 UTC 2013
Hi,
With regards to OpenVAS specifically, there are 3 rules in the SCAN
open ruleset:
> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)
> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)
> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)
So any of those should alert - on top of everything else that matches
inside the SCAN rules set.
There are some scan rules that require the variables to be set up correctly
inside suricata.yaml, e.g.:
(alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS)
I would recommend setting up all the variables below correctly -
> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
> EXTERNAL_NET: "any"
> HTTP_SERVERS: "$HOME_NET"
> SMTP_SERVERS: "$HOME_NET"
> SQL_SERVERS: "$HOME_NET"
> DNS_SERVERS: "$HOME_NET"
> TELNET_SERVERS: "$HOME_NET"
> AIM_SERVERS: "$EXTERNAL_NET"
> DNP3_SERVER: "$HOME_NET"
> DNP3_CLIENT: "$HOME_NET"
> MODBUS_CLIENT: "$HOME_NET"
> MODBUS_SERVER: "$HOME_NET"
> ENIP_CLIENT: "$HOME_NET"
> ENIP_SERVER: "$HOME_NET"
Alongside with the port variables -
> HTTP_PORTS: "80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555"
> SHELLCODE_PORTS: "!80"
> ORACLE_PORTS: 1521
> SSH_PORTS: 22
> DNP3_PORTS: 20000
You could also enable some rules that are disabled in the ruleset
(change lines starting with "#alert..." to "alert...").
Start Suricata only with the SCAN ruleset and confirm that you do not
have some rules not loading because of wrong suricata.yaml variables.
Make sure Suricata sees all the traffic - there are no drops/gaps in
your stats.log.
Then I would suggest making sure the scan is coming from the
$EXTERNAL_NET range (just to be sure).
... my suggestions
Thanks
On Mon, Apr 1, 2013 at 8:04 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> Inline from ISP router to one port on appliance out another port directly to
> WAN connection of firewall.
>
> When using AF-Packet, not using brctl bridging because that doubles the data
> going through interfaces. But when just using IDS mode, we use brctl
> bridging method.
>
> We did notice during testing that we get a few more events. We tested with a
> vulnerability scanning PC on one port and the other port directly into
> internal network. There was one SCAN event that appeared in log during a
> Nmap scan. Would have thought we would have seen more.
>
> Thanks.
>
> Leonard
>
> ________________________________
> From: Matt Jonkman [mailto:jonkman at jonkmans.com]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org, Eric Leblond
> [mailto:eric.leblond at gmail.com]
> Sent: Mon, 01 Apr 2013 12:31:44 -0600
> Subject: Re: [Oisf-users] Question
>
> Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?
>
> Matt
>
> On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>>
>> The only event I am getting is ET POLICY Unusual number of DNS No Such
>> Name Responses.
>>
>> From: mjonkman at emergingthreatspro.com
>> [mailto:mjonkman at emergingthreatspro.com] On Behalf Of Matt Jonkman
>> Sent: Saturday, March 30, 2013 8:40 AM
>> To: Leonard Jacobs
>> Cc: oisf-users at openinfosecfoundation.org; Eric Leblond
>> Subject: Re: [Oisf-users] Question
>>
>> Definitely should have. What rules are you running? Just the ET Open?
>>
>> Have your vars set right?
>>
>> Are you seeing other events?
>>
>> Matt
>>
>> On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <ljacobs at netsecuris.com>
>> wrote:
>>
>> Why would Suricata events not be triggered when running a vulnerability
>> scanner? I ran OpenVAS against a couple of public IP addresses on our
>> network and not a single event was triggered. I would have thought that at
>> least emerging-scan.rules would trigger.
>>
>> Thanks.
>>
>> Leonard Jacobs
>> President/CEO
>> Netsecuris Inc.
>> 9301 Bryant Avenue S
>> Suite 104
>> Minneapolis, MN 55420
>> (952) 641-1421 ext. 20
>> http://www.netsecuris.com
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>> --
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>
--
Regards,
Peter Manev
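Two of the checks Peter lists above can be done mechanically: that every $VAR a rule header references is actually defined in suricata.yaml (otherwise the rule does not load), and that the scanner's address falls inside the rule's source group (the "is the scan coming from $EXTERNAL_NET" question). The Python below is an added example, not code from this thread or from Suricata; ADDRESS_GROUPS/PORT_GROUPS are a constructed subset of the vars quoted above with HTTP_PORTS deliberately left out, and the "!$HOME_NET" setting for EXTERNAL_NET used in the usage note is a constructed alternative to the thread's "any".

```python
import ipaddress
import re

# Constructed subset of the vars quoted in the thread; HTTP_PORTS is left out on
# purpose so the "rule fails to load because of a missing variable" case shows up.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
}
PORT_GROUPS = {"SSH_PORTS": "22", "ORACLE_PORTS": "1521"}

# Rule header: [#]action proto src_addr src_port dir dst_addr dst_port (
HEADER_RE = re.compile(
    r"^\s*(#?)\s*(?:alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

SCAN_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent '
             'Inbound"; content:"OpenVAS"; http_header; sid:2012726; rev:4;)')
HTTP_RULE = 'alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed"; sid:1;)'

def undefined_vars(rule, addr=ADDRESS_GROUPS, ports=PORT_GROUPS):
    """Header $VARs that suricata.yaml does not define (such a rule is rejected at load)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule header: " + rule[:40])
    refs = {t.lstrip("!") for t in m.groups()[1:]}
    return sorted({r[1:] for r in refs if r.startswith("$")} - set(addr) - set(ports))

def ip_in_group(ip, expr, groups=ADDRESS_GROUPS, depth=0):
    """Evaluate a Suricata address-group expression for one IP: 'any', $VAR
    references, '!' negation and [a,b,!c] lists (a or b, and not c)."""
    if depth > 16:
        raise ValueError("variable reference loop at " + expr)
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not ip_in_group(ip, expr[1:], groups, depth + 1)
    if expr.startswith("$"):
        return ip_in_group(ip, groups[expr[1:]], groups, depth + 1)  # KeyError if undefined
    if expr.startswith("["):
        items = [i.strip() for i in expr[1:-1].split(",")]
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = not pos or any(ip_in_group(ip, i, groups, depth + 1) for i in pos)
        return hit and not any(ip_in_group(ip, i, groups, depth + 1) for i in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def rule_sees_source(rule, src_ip, groups=ADDRESS_GROUPS):
    """Does the rule's source address group include the scanner at src_ip at all?"""
    return ip_in_group(src_ip, HEADER_RE.match(rule).group(3), groups)
```

With EXTERNAL_NET "any" the OpenVAS rule considers a scanner at 10.1.2.3, but with the constructed EXTERNAL_NET "!$HOME_NET" it does not, which is exactly the "scan from outside $HOME_NET" point made above; undefined_vars(HTTP_RULE) reports the missing HTTP_PORTS.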