[Oisf-users] Drop request depending on priority in fast.log
장대찬
jang9129 at gmail.com
Tue Mar 12 02:37:11 UTC 2013
Hi,
I'm using Suricata 1.4.1 in IPS mode (drop: yes, NFQUEUE: yes).
It writes logs (fast.log, drop.log) and I think it works well.
When I open fast.log, I can see many attempts to find security
vulnerabilities.
Here is my server log (fast.log):
....
19 03/01/2013-16:44:03.329046 [**] [1:2001219:18] ET SCAN Potential
SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 117.79.91.214:57586 -> 172.2.80.66:22
20 03/01/2013-16:44:03.498013 [**] [1:2006546:6] ET SCAN LibSSH Based
Frequent SSH Connections Likely BruteForce Attack! [**] [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
117.79.91.214:57586 -> 172.2.80.66:22
21 03/01/2013-19:30:05.265391 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 114.255.20.151:49483 -> 172.27.83.61:22
22 03/02/2013-00:45:23.066206 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 117.103.67.72:52492 -> 172.27.83.61:22
23 03/02/2013-01:19:58.716823 [**] [1:2500064:2794] ET COMPROMISED
Known Compromised or Hostile Host Traffic (33) [**] [Classification: Misc
Attack] [Priority: 2] {TCP} 211.155.230.219:58799 -> 172.27.83.61:22
24 03/02/2013-08:10:52.060195 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 61.234.104.209:41930 -> 172.27.83.61:22
25 03/02/2013-08:11:10.595974 [**] [1:2001219:18] ET SCAN Potential
SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 61.234.104.209:44426 -> 172.2.80.66:22
26 03/02/2013-08:11:10.994625 [**] [1:2006546:6] ET SCAN LibSSH Based
Frequent SSH Connections Likely BruteForce Attack! [**] [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
61.234.104.209:44426 -> 172.2.80.66:22
27 03/02/2013-08:12:10.291186 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 218.7.204.194:58009 -> 172.27.83.61:22
28 03/02/2013-08:12:20.918412 [**] [1:2001219:18] ET SCAN Potential
SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 218.7.204.194:35566 -> 172.2.80.66:22
29 03/02/2013-08:12:21.075942 [**] [1:2006546:6] ET SCAN LibSSH Based
Frequent SSH Connections Likely BruteForce Attack! [**] [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
218.7.204.194:35566 -> 172.2.80.66:22
30 03/02/2013-09:23:13.147405 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.237.99.107:48374 -> 172.27.83.61:22
31 03/02/2013-11:43:28.208922 [**] [1:2006435:7] ET SCAN LibSSH Based
SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.237.99.107:58287 -> 172.27.83.61:22
32 03/02/2013-15:59:08.792464 [**] [1:2101145:10] GPL WEB_SERVER
/~root access [**] [Classification: Attempted Information Leak] [Priority:
2] {TCP} 59.9.204.222:5120 -> 172.2.80.66:80
33 03/02/2013-15:59:08.799788 [**] [1:2101145:10] GPL WEB_SERVER
/~root access [**] [Classification: Attempted Information Leak] [Priority:
2] {TCP} 59.9.204.222:5120 -> 172.2.80.66:80
34 03/02/2013-15:59:09.235837 [**] [1:2221020:1] SURICATA HTTP
response field missing colon [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 172.2.80.66:80 -> 59.9.204.222:5119
35 03/02/2013-15:59:09.242015 [**] [1:2221020:1] SURICATA HTTP
response field missing colon [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 172.2.80.66:80 -> 59.9.204.222:5121
36 03/02/2013-15:59:10.465212 [**] [1:2001343:22] ET WEB_SERVER IIS
ASP.net Auth Bypass / Canonicalization %5C [**] [Classification: Web
Application Attack] [Priority: 1] {TCP} 59.9.204.222:5145 -> 172.27.83.61:80
37 03/02/2013-15:59:10.913370 [**] [1:2002997:9] ET WEB_SERVER PHP
Remote File Inclusion (monster list http) [**] [Classification: Web
Application Attack] [Priority: 1] {TCP} 59.9.204.222:5144 -> 172.27.83.61:80
....
But when I open drop.log, they are only partially blocked.
(drop.log)
....
16 03/01/2013-04:00:43.144465: IN= OUT= SRC=59.9.204.222
DST=172.2.80.66 LEN=40 TOS=0x00 TTL=118 ID=28385 PROTO=TCP SPT=7918 DPT=22
SEQ=3927115279 ACK=3927115279 WINDOW=0 RST RES=0x00 URGP=0
17 03/01/2013-04:01:58.343710: IN= OUT= SRC=172.2.80.66
DST=59.9.204.222 LEN=40 TOS=0x16 TTL=64 ID=63576 PROTO=TCP SPT=22 DPT=7918
SEQ=1805184753 ACK=3927115279 WINDOW=19832 ACK RST RES=0x00 URGP=0
18 03/02/2013-13:21:15.178478: IN= OUT= SRC=121.156.121.93
DST=172.2.80.66 LEN=64 TOS=0x00 TTL=56 ID=24632 PROTO=TCP SPT=59922 DPT=80
SEQ=2302589101 ACK=1980197093 WINDOW=46 ACK RES=0x00 URGP=0
19 03/04/2013-01:24:50.061315: IN= OUT= SRC=14.63.160.92
DST=172.2.80.66 LEN=40 TOS=0x00 TTL=59 ID=0 PROTO=TCP SPT=53882 DPT=22
SEQ=1794077933 ACK=0 WINDOW=0 RST RES=0x00 URGP=0
....
So what should I do to drop those requests depending on their priority in
fast.log? (e.g. drop requests when priority > 2)
Thanks for taking a look and helping me out - any pointers appreciated.
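Two facts about Suricata decide how the question above can be answered. First, the [Priority: N] field in fast.log is not chosen per packet: it comes from the rule's classtype through classification.config, and in that convention 1 is the most severe priority. Second, only a rule whose action is `drop` blocks traffic in IPS mode; an `alert` rule just logs, which is why fast.log can be full while drop.log stays short. drop.log also carries no SID or priority, so a priority threshold has to be applied on the rule side: pick the SIDs whose alerts meet the threshold, then rewrite those rules from `alert` to `drop` and reload. The script below is an added example, not code from the original post or from the Suricata project. The fast.log lines and rule lines in it are constructed samples modelled on the poster's format (RFC 5737 addresses); the regular expressions assume the stock fast.log layout and a rule line that carries a `sid:` option.

```python
"""Select Suricata rules for alert->drop conversion by fast.log priority.

Added example, not from the original post.  All sample data below is
constructed; the priority convention assumed is the Snort/Suricata one
(1 = most severe), and rules are rewritten in place textually.
"""
import re
from collections import Counter

# One fast.log record: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# A rule line that starts with the 'alert' action and carries a sid option.
RULE_RE = re.compile(r"^alert\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$")

# Constructed fast.log excerpt (same shape as the poster's lines, without the leading line numbers).
SAMPLE_FAST_LOG = """\
03/01/2013-16:44:03.329046  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:57586 -> 198.51.100.5:22
03/01/2013-16:44:03.498013  [**] [1:2006546:6] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:57586 -> 198.51.100.5:22
03/01/2013-19:30:05.265391  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:49483 -> 198.51.100.5:22
this line is not a fast.log record and must be skipped
"""

# Constructed, simplified rule lines carrying the same SIDs (not the real ET rule bodies).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S; classtype:attempted-recon; sid:2001219; rev:18;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!"; classtype:attempted-admin; sid:2006546; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; classtype:misc-activity; sid:2006435; rev:7;)
# alert tcp any any -> any any (msg:"commented out, must stay untouched"; sid:9999999; rev:1;)
"""


def parse_fast_log(text):
    """Return one dict per well-formed alert record; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["prio"] = int(rec["prio"])
        alerts.append(rec)
    return alerts


def count_by_priority(alerts):
    """Histogram of alerts per priority value, e.g. {1: 1, 2: 1, 3: 1}."""
    return dict(Counter(a["prio"] for a in alerts))


def sids_at_or_above(alerts, max_priority):
    """SIDs whose priority value is <= max_priority (1 = most severe), sorted."""
    return sorted({a["sid"] for a in alerts if a["prio"] <= max_priority})


def convert_to_drop(rules_text, sids):
    """Rewrite 'alert' to 'drop' for every rule whose sid is in `sids`.

    Lines that are comments, already 'drop', or carry other SIDs pass through unchanged.
    """
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group("sid")) in sids:
            out.append("drop " + m.group("rest"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("alerts per priority:", count_by_priority(alerts))
    chosen = sids_at_or_above(alerts, 2)   # priorities 1 and 2
    print("SIDs to convert:", chosen)
    print(convert_to_drop(SAMPLE_RULES, set(chosen)))
```

Run it against a real fast.log and rules file by swapping the two constructed samples for the file contents; the threshold argument is the largest priority value you still want dropped, so `sids_at_or_above(alerts, 2)` selects the priority 1 and 2 rules in the sample. Keying on SID rather than on message text keeps the rewrite stable across rule revisions, and the converted file still has to be loaded by Suricata (restart or rule reload) before drop.log changes.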