[Oisf-users] Drop request depending on priority in fast.log

Victor Julien lists at inliniac.net
Tue Mar 12 05:41:22 UTC 2013


On 03/12/2013 03:37 AM, 장대찬 wrote:
> Hi
> I'm using suricata 1.4.1 in IPS mode (drop-yes, NFQUEUE-yes).
> It keeps logs (fast.log, drop.log) and I think it works well.
> 
> When I open fast.log, I can see many attempts to find security
> vulnerabilities.
> 
> Here is my server log (fast.log)
> 
> ....
>      19 03/01/2013-16:44:03.329046  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 117.79.91.214:57586 -> 172.2.80.66:22
>      20 03/01/2013-16:44:03.498013  [**] [1:2006546:6] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 117.79.91.214:57586 -> 172.2.80.66:22
>      21 03/01/2013-19:30:05.265391  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 114.255.20.151:49483 -> 172.27.83.61:22
>      22 03/02/2013-00:45:23.066206  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 117.103.67.72:52492 -> 172.27.83.61:22
>      23 03/02/2013-01:19:58.716823  [**] [1:2500064:2794] ET COMPROMISED Known Compromised or Hostile Host Traffic (33) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 211.155.230.219:58799 -> 172.27.83.61:22
>      24 03/02/2013-08:10:52.060195  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 61.234.104.209:41930 -> 172.27.83.61:22
>      25 03/02/2013-08:11:10.595974  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 61.234.104.209:44426 -> 172.2.80.66:22
>      26 03/02/2013-08:11:10.994625  [**] [1:2006546:6] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 61.234.104.209:44426 -> 172.2.80.66:22
>      27 03/02/2013-08:12:10.291186  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 218.7.204.194:58009 -> 172.27.83.61:22
>      28 03/02/2013-08:12:20.918412  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 218.7.204.194:35566 -> 172.2.80.66:22
>      29 03/02/2013-08:12:21.075942  [**] [1:2006546:6] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 218.7.204.194:35566 -> 172.2.80.66:22
>      30 03/02/2013-09:23:13.147405  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.237.99.107:48374 -> 172.27.83.61:22
>      31 03/02/2013-11:43:28.208922  [**] [1:2006435:7] ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.237.99.107:58287 -> 172.27.83.61:22
>      32 03/02/2013-15:59:08.792464  [**] [1:2101145:10] GPL WEB_SERVER /~root access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 59.9.204.222:5120 -> 172.2.80.66:80
>      33 03/02/2013-15:59:08.799788  [**] [1:2101145:10] GPL WEB_SERVER /~root access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 59.9.204.222:5120 -> 172.2.80.66:80
>      34 03/02/2013-15:59:09.235837  [**] [1:2221020:1] SURICATA HTTP response field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.2.80.66:80 -> 59.9.204.222:5119
>      35 03/02/2013-15:59:09.242015  [**] [1:2221020:1] SURICATA HTTP response field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.2.80.66:80 -> 59.9.204.222:5121
>      36 03/02/2013-15:59:10.465212  [**] [1:2001343:22] ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 59.9.204.222:5145 -> 172.27.83.61:80
>      37 03/02/2013-15:59:10.913370  [**] [1:2002997:9] ET WEB_SERVER PHP Remote File Inclusion (monster list http) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 59.9.204.222:5144 -> 172.27.83.61:80
> ....
> 
> But when I open drop.log, only some of them are blocked.
> 
> (drop.log)
> ....
>      16 03/01/2013-04:00:43.144465: IN= OUT= SRC=59.9.204.222 DST=172.2.80.66 LEN=40 TOS=0x00 TTL=118 ID=28385 PROTO=TCP SPT=7918 DPT=22 SEQ=3927115279 ACK=3927115279 WINDOW=0 RST RES=0x00 URGP=0
>      17 03/01/2013-04:01:58.343710: IN= OUT= SRC=172.2.80.66 DST=59.9.204.222 LEN=40 TOS=0x16 TTL=64 ID=63576 PROTO=TCP SPT=22 DPT=7918 SEQ=1805184753 ACK=3927115279 WINDOW=19832 ACK RST RES=0x00 URGP=0
>      18 03/02/2013-13:21:15.178478: IN= OUT= SRC=121.156.121.93 DST=172.2.80.66 LEN=64 TOS=0x00 TTL=56 ID=24632 PROTO=TCP SPT=59922 DPT=80 SEQ=2302589101 ACK=1980197093 WINDOW=46 ACK RES=0x00 URGP=0
>      19 03/04/2013-01:24:50.061315: IN= OUT= SRC=14.63.160.92 DST=172.2.80.66 LEN=40 TOS=0x00 TTL=59 ID=0 PROTO=TCP SPT=53882 DPT=22 SEQ=1794077933 ACK=0 WINDOW=0 RST RES=0x00 URGP=0
> ....
> 
> So what should I do to drop those requests depending on priority in
> fast.log? (e.g. drop requests when priority > 2)
> Thanks for taking a look and helping me out - any pointers appreciated.

It seems you didn't actually change the rules to use the "drop" action.
If you do, the fast.log will add a "[drop]" string. The drops you see in
the drop.log file are probably generated by the stream engine.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
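The reply above says the fix is in the rules, not in fast.log: a rule only blocks when its action is "drop", and once it is, fast.log marks the hit with a "[drop]" string. The script below is an added example (not part of the thread, and not Suricata's or Emerging Threats' own tooling) of doing that by priority: it reads the classtype-to-priority mapping from classification.config, rewrites "alert" to "drop" for rules at or above a severity threshold, and then scans fast.log lines for hits at that severity that still lack the drop marker. Suricata numbers priority 1 as the most severe, so the threshold is numeric: a rule is converted when its priority is <= max_priority (the poster's "priority > 2" in severity terms is max_priority=2 here). Assumptions: the classification entries and rules are constructed samples with placeholder sids (9000001 and up), the default priority of 3 for a rule with neither a classtype nor a priority keyword is assumed, and the fast.log pattern follows the format shown in the thread with a "[Drop]" marker before the first "[**]" on dropped alerts.

```python
import re

# Constructed sample of classification.config entries, in Suricata's own
# "config classification: shortname,description,priority" format. A real run
# would load the full file that ships with the ruleset.
CLASSIFICATION_CONFIG = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-attack,Misc Attack,2
config classification: misc-activity,Misc activity,3
config classification: protocol-command-decode,Generic Protocol Command Decode,3
"""

# Constructed sample rules: sids 9000001+ and the messages are placeholders,
# not Emerging Threats rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; classtype:attempted-recon; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE libssh client"; classtype:misc-activity; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE explicit priority"; classtype:misc-activity; priority:1; sid:9000004; rev:1;)
# comment lines and rules that already say "drop" are left untouched
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE already drop"; classtype:web-application-attack; sid:9000005; rev:1;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([^;]+);")
PRIORITY_RE = re.compile(r"\bpriority:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(\s*)alert\b")


def load_classification(text):
    """Map classtype shortname -> numeric priority (1 is the most severe)."""
    mapping = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            mapping[m.group(1).strip()] = int(m.group(3))
    return mapping


def rule_priority(rule, class_map, default=3):
    """Priority of one rule: an explicit priority keyword overrides the
    classtype's priority; default (assumed 3) when neither is present."""
    m = PRIORITY_RE.search(rule)
    if m:
        return int(m.group(1))
    m = CLASSTYPE_RE.search(rule)
    if m:
        return class_map.get(m.group(1).strip(), default)
    return default


def convert_rules(text, class_map, max_priority):
    """Rewrite 'alert' to 'drop' for every rule whose priority <= max_priority.
    Returns (new rules text, number of rules changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if (stripped and not stripped.startswith("#") and ACTION_RE.match(line)
                and rule_priority(line, class_map) <= max_priority):
            line = ACTION_RE.sub(r"\1drop", line, count=1)
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


# fast.log line as shown in the thread; a dropped alert carries a "[Drop]"
# marker in front of the first "[**]" (matched case-insensitively).
FAST_RE = re.compile(
    r"^(\S+)\s+(\[Drop\]\s+)?\[\*\*\]\s+\[(\d+):(\d+):(\d+)\].*?\[Priority:\s*(\d+)\]",
    re.IGNORECASE,
)


def parse_fast_line(line):
    """Extract timestamp, drop marker, sid and priority; None if not an alert line."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return {"timestamp": m.group(1), "dropped": m.group(2) is not None,
            "sid": int(m.group(4)), "priority": int(m.group(6))}


def undropped_alerts(lines, max_priority):
    """sids that fired at or above the severity threshold without the drop
    marker; after converting and reloading the rules this set should be empty."""
    return {r["sid"] for r in map(parse_fast_line, lines)
            if r and r["priority"] <= max_priority and not r["dropped"]}


# Constructed fast.log lines (documentation-range addresses, placeholder sids).
SAMPLE_FAST = [
    "03/02/2013-08:11:10.994625  [Drop] [**] [1:9000001:1] EXAMPLE SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:44426 -> 192.0.2.10:22",
    "03/02/2013-08:11:10.595974  [**] [1:9000002:1] EXAMPLE SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44426 -> 192.0.2.10:22",
    "03/02/2013-09:23:13.147405  [**] [1:9000003:1] EXAMPLE libssh client [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:48374 -> 192.0.2.10:22",
]

if __name__ == "__main__":
    class_map = load_classification(CLASSIFICATION_CONFIG)
    new_rules, n = convert_rules(SAMPLE_RULES, class_map, max_priority=2)
    print(f"{n} rules switched to drop:\n{new_rules}")
    print("still alert-only at priority <= 2:", undropped_alerts(SAMPLE_FAST, 2))
```

Run it against a copy of the rules file, write the converted output to the path Suricata loads, reload, and then feed real fast.log lines to undropped_alerts: any sid it returns is a rule that fires at the chosen severity but is still "alert", which is exactly the situation the reply describes. Note that the stream-engine drops that show up in drop.log are not affected by this at all, since they are not tied to a rule action.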
