[Oisf-users] Question

Leonard Jacobs ljacobs at netsecuris.com
Mon Apr 1 20:00:57 UTC 2013


We have set up the $HOME_NET with our two internal ranges in the brackets with all the proper characters.

The other variables, we have added the specific private IP addresses for servers.

We have another system with Suricata 1.4 running perfectly ok.

All of our units run on the outside of the firewall.

We have not seen these event types.

We have not tried putting our public IP range in the $HOME_NET.

Thanks.

Leonard
      _____  

  From: Peter Manev [mailto:petermanev at gmail.com]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: Matt Jonkman [mailto:jonkman at jonkmans.com], oisf-users [mailto:oisf-users at openinfosecfoundation.org], Eric Leblond [mailto:eric.leblond at gmail.com]
Sent: Mon, 01 Apr 2013 14:01:59 -0600
Subject: Re: [Oisf-users] Question

Hi,

With regards to OpenVAS specifically, there are 3 rules in the SCAN
open ruleset:

> Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)


So any of those should alert - on top of everything else that matches
inside the SCAN rules set.

There are some scan rules that require correct variable set up inside
the suricata.yaml ex:
(alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS)
I would recommend setting up all the variables below correctly -

> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
>
> EXTERNAL_NET: "any"
>
> HTTP_SERVERS: "$HOME_NET"
>
> SMTP_SERVERS: "$HOME_NET"
>
> SQL_SERVERS: "$HOME_NET"
>
> DNS_SERVERS: "$HOME_NET"
>
> TELNET_SERVERS: "$HOME_NET"
>
> AIM_SERVERS: "$EXTERNAL_NET"
>
> DNP3_SERVER: "$HOME_NET"
>
> DNP3_CLIENT: "$HOME_NET"
>
> MODBUS_CLIENT: "$HOME_NET"
>
> MODBUS_SERVER: "$HOME_NET"
>
> ENIP_CLIENT: "$HOME_NET"
>
> ENIP_SERVER: "$HOME_NET"

Alongside with the port variables -

> HTTP_PORTS: "80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555"
>
> SHELLCODE_PORTS: "!80"
>
> ORACLE_PORTS: 1521
>
> SSH_PORTS: 22
>
> DNP3_PORTS: 20000

You could also enable some rules that are disabled in the ruleset
(lines starting with "#alert...." make it -> "alert...").

Start Suricata only with the SCAN ruleset and confirm that you do not
have some rules not loading because of wrong suricata.yaml variables.

Make sure Suricata sees all the traffic - there are no drops/gaps in
your stats.log

Then I would suggest making sure the scan is coming from the
$EXTERNAL_NET range (just to be sure).

... my suggestions

Thanks





On Mon, Apr 1, 2013 at 8:04 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> Inline from ISP router to one port on appliance out another port directly to
> WAN connection of firewall.
>
> When using AF-Packet, not using brctl bridging because that doubles the data
> going through interfaces. But when just using IDS mode, we use brctl
> bridging method.
>
> We did notice during testing that we get a few more events. We tested with a
> vulnerability scanning PC on one port and the other port directly into
> internal network. There was one SCAN event that appeared in log during a
> Nmap scan. Would have thought we would have seen more.
>
> Thanks.
>
> Leonard
>
> ________________________________
> From: Matt Jonkman [mailto:jonkman at jonkmans.com]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org, Eric Leblond
> [mailto:eric.leblond at gmail.com]
> Sent: Mon, 01 Apr 2013 12:31:44 -0600
> Subject: Re: [Oisf-users] Question
>
>
> Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?
>
> Matt
>
>
> On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>>
>> The only event I am getting is ET POLICY Unusual number of DNS No Such
>> Name Responses.
>>
>> From: mjonkman at emergingthreatspro.com
>> [mailto:mjonkman at emergingthreatspro.com] On Behalf Of Matt Jonkman
>> Sent: Saturday, March 30, 2013 8:40 AM
>> To: Leonard Jacobs
>> Cc: oisf-users at openinfosecfoundation.org; Eric Leblond
>> Subject: Re: [Oisf-users] Question
>>
>> Definitely should have. What rules are you running? Just the ET Open?
>>
>> Have your vars set right?
>>
>> Are you seeing other events?
>>
>> Matt
>>
>> On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <ljacobs at netsecuris.com>
>> wrote:
>>
>> Why would Suricata events not be triggered when running a vulnerability
>> scanner? I ran OpenVAS against a couple of public IP addresses on our
>> network and not a single event was triggered. I would have thought that at
>> least emerging-scan.rules would trigger.
>>
>> Thanks.
>>
>> Leonard Jacobs
>> President/CEO
>> Netsecuris Inc.
>> 9301 Bryant Avenue S
>> Suite 104
>> Minneapolis, MN 55420
>> (952) 641-1421 ext. 20
>> http://www.netsecuris.com
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>>
>>
>>
>>
>> --
>>
>>
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------



-- 
Regards,
Peter Manev
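The $HOME_NET point Peter makes above, worked through as an added example that is not part of the original thread and not Suricata's own code: a small resolver for suricata.yaml address and port variables ($VAR references, bracketed lists, ! negation, any) that evaluates a rule header against a packet. The function names and the sample addresses 203.0.113.5 and 198.51.100.10 are constructed for illustration; the variable values mirror those quoted in the thread.

```python
# Added example (not Suricata's own code): resolve suricata.yaml address/port
# variables as Suricata does ($VAR references, [lists], ! negation, any) and
# check whether a rule header would match a packet. VARS mirrors the thread.
import ipaddress

VARS = {  # constructed from the values quoted in this thread
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80,81,311,591,593,901,8000,8008,8080,8088,8888",
    "SHELLCODE_PORTS": "!80",
}

def expand(expr, vars_):
    """Flatten expr into (negated, token) pairs, inlining $VAR references."""
    out = []
    for tok in expr.translate(str.maketrans("", "", "[] ")).split(","):
        neg, tok = tok.startswith("!"), tok.lstrip("!")
        if tok.startswith("$"):  # nested variable: negations compose
            out += [(neg != n, t) for n, t in expand(vars_[tok[1:]], vars_)]
        else:
            out.append((neg, tok))
    return out

def _match(expr, value, vars_, parse, contains):
    # Excluded by any negated entry, else matched by a positive one; no positives means any.
    pos, neg = [], []
    for negated, tok in expand(expr, vars_):
        if tok and tok.lower() != "any":
            (neg if negated else pos).append(parse(tok))
    if any(contains(e, value) for e in neg):
        return False
    return not pos or any(contains(e, value) for e in pos)

def addr_matches(expr, ip, vars_):
    net = lambda t: ipaddress.ip_network(t, strict=False)
    return _match(expr, ipaddress.ip_address(ip), vars_, net, lambda n, a: a in n)

def port_matches(expr, port, vars_):
    def rng(t):  # "80", "1024:65535", ":1023", "1024:"
        lo, sep, hi = t.partition(":")
        return (int(lo or 0), int(hi or 65535)) if sep else (int(lo), int(lo))
    return _match(expr, port, vars_, rng, lambda r, p: r[0] <= p <= r[1])

def header_matches(rule, src_ip, src_port, dst_ip, dst_port, vars_):
    """Evaluate the header of a rule such as 'alert http $EXTERNAL_NET any -> $HOME_NET any'."""
    _act, _proto, src, sport, _dir, dst, dport = rule.split()[:7]
    return (addr_matches(src, src_ip, vars_) and port_matches(sport, src_port, vars_)
            and addr_matches(dst, dst_ip, vars_) and port_matches(dport, dst_port, vars_))
```

With the quoted defaults, a scan from 203.0.113.5 against the public address 198.51.100.10 never satisfies `-> $HOME_NET`, while the same scan against 10.0.0.5 does; adding the public range to HOME_NET is what makes the first case match.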
      
   
 