[Oisf-users] Question
rmkml
rmkml at yahoo.fr
Mon Apr 1 19:10:39 UTC 2013
Hi Leonard,
Can you try with disabling cksum please? (stream: checksum-validation: no)
Regards
Rmkml
On Mon, 1 Apr 2013, Leonard Jacobs wrote:
> We have set up the $HOME_NET with our two internal ranges in the brackets with all the proper characters.
>
> The other variables, we have added the specific private IP addresses for servers.
>
> We have another system with Suricata 1.4 running perfectly ok.
>
> All of our units run on the outside of the firewall.
>
> We have not seen these event types.
>
> We have not tried putting our public IP range in the $HOME_NET.
>
> Thanks.
>
> Leonard
>
> ________________________________
> From: Peter Manev [mailto:petermanev at gmail.com]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: Matt Jonkman [mailto:jonkman at jonkmans.com], oisf-users [mailto:oisf-users at openinfosecfoundation.org], Eric Leblond [mailto:eric.leblond at gmail.com]
> Sent: Mon, 01 Apr 2013 14:01:59 -0600
> Subject: Re: [Oisf-users] Question
>
> Hi,
>
> With regards to OpenVAS specifically, there are 3 rules in the SCAN
> open ruleset:
>
> > Line 924: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS";
> fast_pattern; http_header; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)
>
>
> So any of those should alert - on top of everything else that matches
> inside the SCAN rules set.
>
> There are some scan rules that require correct variable set up inside
> the suricata.yaml ex:
> (alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS)
> I would recommend setting up all the variables below correctly -
>
> > HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
> >
> > EXTERNAL_NET: "any"
> >
> > HTTP_SERVERS: "$HOME_NET"
> >
> > SMTP_SERVERS: "$HOME_NET"
> >
> > SQL_SERVERS: "$HOME_NET"
> >
> > DNS_SERVERS: "$HOME_NET"
> >
> > TELNET_SERVERS: "$HOME_NET"
> >
> > AIM_SERVERS: "$EXTERNAL_NET"
> >
> > DNP3_SERVER: "$HOME_NET"
> >
> > DNP3_CLIENT: "$HOME_NET"
> >
> > MODBUS_CLIENT: "$HOME_NET"
> >
> > MODBUS_SERVER: "$HOME_NET"
> >
> > ENIP_CLIENT: "$HOME_NET"
> >
> > ENIP_SERVER: "$HOME_NET"
>
> Alongside with the port variables -
>
> > HTTP_PORTS:"80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555"
> >
> > SHELLCODE_PORTS: "!80"
> >
> > ORACLE_PORTS: 1521
> >
> > SSH_PORTS: 22
> >
> > DNP3_PORTS: 20000
>
> You could also enable some rules that are disabled in the ruleset
> (lines starting with "#alert...." make it -> "alert...").
>
> Start Suricata only with the SCAN ruleset and confirm that you do not
> have some rules not loading because of wrong suricata.yaml variables.
>
> Make sure Suricata sees all the traffic - there are no drops/gaps in
> your stats.log
>
> Then I would suggest making sure the scan is coming from the
> $EXTERNAL_NET range (just to be sure).
>
> ... my suggestions
>
> Thanks
>
>
>
>
>
> On Mon, Apr 1, 2013 at 8:04 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> > Inline from ISP router to one port on appliance out another port directly to
> > WAN connection of firewall.
> >
> > When using AF-Packet, not using brctl bridging because that doubles the data
> > going through interfaces. But when just using IDS mode, we use brctl
> > bridging method.
> >
> > We did notice during testing that we get a few more events. We tested with a
> > vulnerability scanning PC on one port and the other port directly into the
> > internal network. There was one SCAN event that appeared in the log during an
> > Nmap scan. Would have thought we would have seen more.
> >
> > Thanks.
> >
> > Leonard
> >
> > ________________________________
> > From: Matt Jonkman [mailto:jonkman at jonkmans.com]
> > To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> > Cc: oisf-users at openinfosecfoundation.org, Eric Leblond
> > [mailto:eric.leblond at gmail.com]
> > Sent: Mon, 01 Apr 2013 12:31:44 -0600
> > Subject: Re: [Oisf-users] Question
> >
> >
> > Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?
> >
> > Matt
> >
> >
> > On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> > wrote:
> >>
> >> The only event I am getting is ET POLICY Unusual number of DNS No Such
> >> Name Responses.
> >>
> >> From: mjonkman at emergingthreatspro.com
> >> [mailto:mjonkman at emergingthreatspro.com] On Behalf Of Matt Jonkman
> >> Sent: Saturday, March 30, 2013 8:40 AM
> >> To: Leonard Jacobs
> >> Cc: oisf-users at openinfosecfoundation.org; Eric Leblond
> >> Subject: Re: [Oisf-users] Question
> >>
> >> Definitely should have. What rules are you running? Just the ET Open?
> >>
> >> Have your vars set right?
> >>
> >> Are you seeing other events?
> >>
> >> Matt
> >>
> >> On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <ljacobs at netsecuris.com>
> >> wrote:
> >>
> >> Why would Suricata events not be triggered when running a vulnerability
> >> scanner? I ran OpenVAS against a couple of public IP addresses on our
> >> network and not a single event was triggered. I would have thought that at
> >> least emerging-scan.rules would trigger.
> >>
> >> Thanks.
> >>
> >> Leonard Jacobs
> >> President/CEO
> >> Netsecuris Inc.
> >> 9301 Bryant Avenue S
> >> Suite 104
> >> Minneapolis, MN 55420
> >> (952) 641-1421 ext. 20
> >> http://www.netsecuris.com
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >>
> >> --
> >> ----------------------------------------------------
> >> Matt Jonkman
> >> Emerging Threats Pro
> >> Open Information Security Foundation (OISF)
> >> Phone 866-504-2523 x110
> >> http://www.emergingthreatspro.com
> >> http://www.openinfosecfoundation.org
> >> ----------------------------------------------------
> >>
> >
> > --
> > ----------------------------------------------------
> > Matt Jonkman
> > Emerging Threats Pro
> > Open Information Security Foundation (OISF)
> > Phone 866-504-2523 x110
> > http://www.emergingthreatspro.com
> > http://www.openinfosecfoundation.org
> > ----------------------------------------------------
> >
>
> --
> Regards,
> Peter Manev
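Peter's advice to confirm the scan really arrives from the $EXTERNAL_NET range, and Leonard's remark that the public range was never added to $HOME_NET, come down to how a rule header such as `alert http $EXTERNAL_NET any -> $HOME_NET any` resolves its variables. The following is an added example written for this page, not Suricata's code and not part of the thread: a small model of that resolution (nested $VARS, bracketed groups, `!` negation, port ranges) run against constructed flows. The variable values, the TEST-NET addresses and all function names are assumptions made for the example; Suricata itself compiles address groups into a radix tree, which this does not reproduce.

```python
"""Model of Suricata address/port variable resolution (added example, not
Suricata's own code).  Used to show why sid 2012726, whose header is

    alert http $EXTERNAL_NET any -> $HOME_NET any

cannot fire on a scan of public addresses when HOME_NET holds only RFC1918
space and the sensor sits outside the firewall, i.e. before NAT, so the
destination it sees is the public address.
"""
import ipaddress


def _items(text):
    """Split '"[a,b,!c]"' (or a bare value) into its comma-separated items."""
    text = text.strip().strip('"')
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [i.strip() for i in text.split(",") if i.strip()]


def compile_group(value, variables, leaf):
    """Return a predicate for an address or port group.

    Handles "any", $VARIABLE references (resolved recursively from
    `variables`), bracketed lists and "!" negation.  `leaf` turns one plain
    item into a predicate.  A group made only of negated items means
    "anything except those", which is how "!$HOME_NET" is read.
    """
    positives, negatives = [], []
    for item in _items(value):
        negate = item.startswith("!")
        item = item.lstrip("!")
        if item == "any":
            pred = lambda _x: True
        elif item.startswith("$"):
            pred = compile_group(variables[item[1:]], variables, leaf)
        else:
            pred = leaf(item)
        (negatives if negate else positives).append(pred)

    def match(x):
        if any(n(x) for n in negatives):
            return False
        return not positives or any(p(x) for p in positives)

    return match


def _addr_leaf(item):
    net = ipaddress.ip_network(item, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def _port_leaf(item):
    lo, _, hi = item.partition(":")          # "80" or "8000:8099"
    lo, hi = int(lo), int(hi or lo)
    return lambda port: lo <= port <= hi


def header_matches(header, variables, src_ip, src_port, dst_ip, dst_port):
    """Check one flow against "action proto src sport -> dst dport".

    Only unidirectional ("->") headers are modeled; "<>" and flow keywords
    are out of scope for this example.
    """
    _action, _proto, src, sport, arrow, dst, dport = header.split()
    assert arrow == "->", "only unidirectional headers are modeled"
    return (compile_group(src, variables, _addr_leaf)(src_ip)
            and compile_group(sport, variables, _port_leaf)(src_port)
            and compile_group(dst, variables, _addr_leaf)(dst_ip)
            and compile_group(dport, variables, _port_leaf)(dst_port))


# Constructed suricata.yaml values for the example (private ranges only,
# EXTERNAL_NET "any" as in the thread, a shortened HTTP_PORTS list).
PRIVATE_ONLY = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "[80,81,8000:8099]",
}
# Same, plus the public range the sensor sees outside the firewall
# (192.0.2.0/24 is TEST-NET-1, standing in for a real allocation).
WITH_PUBLIC = dict(
    PRIVATE_ONLY,
    HOME_NET="[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,192.0.2.0/24]")

OPENVAS_HEADER = "alert http $EXTERNAL_NET any -> $HOME_NET any"
HTTP_SERVER_HEADER = "alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"


def scan_would_alert(variables, header=OPENVAS_HEADER):
    """Scanner on a public address (198.51.100.7, TEST-NET-2) probing a
    public web server (192.0.2.10) on port 80, as seen before NAT."""
    return header_matches(header, variables, "198.51.100.7", 40000,
                          "192.0.2.10", 80)


if __name__ == "__main__":
    print("HOME_NET private only:", scan_would_alert(PRIVATE_ONLY))   # False
    print("HOME_NET with public :", scan_would_alert(WITH_PUBLIC))    # True
    print("HTTP_SERVERS/PORTS   :",
          scan_would_alert(WITH_PUBLIC, HTTP_SERVER_HEADER))          # True
```

With the private-only HOME_NET the destination side of the header never matches a public target, so neither the OpenVAS User-Agent rule nor any `$HTTP_SERVERS $HTTP_PORTS` rule can fire, whatever the payload contains; adding the public range seen on the outside of the firewall to HOME_NET is what makes the same flows eligible. Setting EXTERNAL_NET to `!$HOME_NET` instead of `any` additionally excludes a scanner that is itself inside HOME_NET, which is worth remembering when testing from an internal scanning PC.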
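Peter's "no drops/gaps in your stats.log" check and rmkml's checksum suggestion both come down to reading the counters Suricata writes to stats.log. The following is an added example, not Suricata's code and not part of the thread: a parser for the `Counter | TM Name | Value` table layout that Suricata 1.x appends to stats.log on each interval, reporting the capture drop ratio, TCP reassembly gaps and invalid-checksum count from the most recent dump. The log text below is constructed for the example (the counter names are the ones Suricata uses; the numbers and thread name are made up), and the threshold is an arbitrary choice.

```python
"""Parse a Suricata 1.x stats.log and report capture health (added
example, not Suricata's own code).  Counters in 1.x are cumulative since
start-up, so the last table in the file is the one that matters.
"""
import re

# Constructed sample: two dumps five minutes apart.  In the second one the
# capture thread has started dropping and the stream engine reports gaps
# and bad TCP checksums (typical when checksum offload is left on).
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 4/1/2013 -- 19:05:39 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 500000
capture.kernel_drops      | AFPacketeth01             | 0
decoder.pkts              | AFPacketeth01             | 500000
tcp.invalid_checksum      | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
-------------------------------------------------------------------
Date: 4/1/2013 -- 19:10:39 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1200000
capture.kernel_drops      | AFPacketeth01             | 36000
decoder.pkts              | AFPacketeth01             | 1164000
tcp.invalid_checksum      | Detect                    | 95210
tcp.reassembly_gap        | Detect                    | 418
"""

ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_last_dump(text):
    """Return {(counter, thread): value} for the last table in the log.

    Each "Counter | TM Name | Value" header starts a new dump and replaces
    the previous one.
    """
    dump = {}
    for line in text.splitlines():
        if line.startswith("Counter"):
            dump = {}
            continue
        m = ROW.match(line)
        if m:
            dump[(m.group(1), m.group(2))] = int(m.group(3))
    return dump


def capture_health(text, max_drop_ratio=0.001):
    """Summarise the last dump.

    Returns (per_thread, gaps, bad_checksums) where per_thread maps each
    capture thread to its packet count, drop count, drop ratio and whether
    the ratio is under `max_drop_ratio` (0.1 %, an arbitrary example limit).
    """
    dump = parse_last_dump(text)
    per_thread = {}
    for (counter, thread), packets in dump.items():
        if counter != "capture.kernel_packets":
            continue
        drops = dump.get(("capture.kernel_drops", thread), 0)
        ratio = drops / packets if packets else 0.0
        per_thread[thread] = {"packets": packets, "drops": drops,
                              "drop_ratio": ratio,
                              "ok": ratio <= max_drop_ratio}
    gaps = sum(v for (c, _t), v in dump.items() if c == "tcp.reassembly_gap")
    bad_csum = sum(v for (c, _t), v in dump.items()
                   if c == "tcp.invalid_checksum")
    return per_thread, gaps, bad_csum


if __name__ == "__main__":
    threads, gaps, bad_csum = capture_health(SAMPLE_STATS_LOG)
    for name, t in threads.items():
        print(f"{name}: {t['drops']}/{t['packets']} dropped "
              f"({t['drop_ratio']:.2%}) ok={t['ok']}")
    print("tcp.reassembly_gap  :", gaps)
    print("tcp.invalid_checksum:", bad_csum)
```

A non-zero `capture.kernel_drops` means the kernel discarded packets before Suricata saw them, so a scan can be partly or wholly invisible; `tcp.reassembly_gap` shows streams that could not be reassembled and therefore were not inspected at the HTTP layer. A large `tcp.invalid_checksum` with little real corruption on the wire points at checksum offload on the capture NIC: with `checksum-validation: yes` those segments are excluded from stream reassembly, which is why rmkml suggests turning validation off (or disabling offload with ethtool) before concluding that the rules are at fault.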