[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Rovnov Pavel provnov at solidex.by
Thu Apr 2 10:04:30 UTC 2015


Brian,

 

Can you try the scenario with a distant server? I suppose that Suricata is too
late with the RST.

 

Pavel

 

From: Brian Hennigar [mailto:bhennigar at gmail.com] 
Sent: Thursday, April 02, 2015 1:03 PM
To: Rovnov Pavel
Cc: Victor Julien; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

 

The client and server appear to be receiving the RST packets. There is
one switch between my PC and the suricata server. 1Gb connection.
There's almost no other traffic on the network so suricata has lots of
resources available.  I have a web interface that displays the events
and it shows up almost instantly so I know that the event is triggering.


 

On Thu, Apr 2, 2015 at 6:44 AM, Rovnov Pavel <provnov at solidex.by> wrote:

Brian,

 

1)      Do you know whether Suricata sends the RST to the user, to the server, or both?

 

2)      How close to the user is your server? I think we have a better
chance of breaking the communication if Suricata is placed closer to the RST
target.

 

Pavel

 

From: Brian Hennigar [mailto:bhennigar at gmail.com]
Sent: Thursday, April 02, 2015 10:00 AM
To: Rovnov Pavel
Cc: Victor Julien; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

 

Hi Pavel,

 

I'm very interested in what you're able to find out.  I've been testing
out-of-band rejects on and off for the past couple months and can't get
satisfactory results. I'll be sure to post back if I find anything.

 

HTTP/HTTPs and SSH have been the main communications I've been trying to
break.  There's obvious connection slow down in the browser for loading
pages but they do eventually work. The browser is persistent!  SSH fails
a little easier but not reliably. Sometimes it'll fail within a few
seconds of the connection and other times it's 5/10/30 minutes before it
gets disconnected or not at all.  I do see the suricata events being
triggered.

 

Thanks,

Brian

 

On Thu, Apr 2, 2015 at 3:46 AM, Rovnov Pavel <provnov at solidex.by> wrote:

Hello Brian,

 

1)      I'm in the planning phase at the moment. I haven't got to testing
yet.

 

But as far as I understand, the reject must be fast enough to interrupt the
communication with valid sequence numbers for this mechanism to work. If
it's not that fast, you can see that some data "leaks" to the protected
asset (whatever you are protecting, server or user).

 

2)      I'm interested in whether we can break a communication that matches
the rule and give some sort of message to the user. The scenario is a user
browsing a wrong web page (http or https) with the sensor (Suricata)
out-of-band.

 

Pavel 
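The timing point Pavel raises (a reject is only useful while its sequence number is still the one the target expects) can be made concrete with a small model of the receiver-side RST acceptance check. This is an added example, not code from the Suricata project or from anyone on the thread. It models a simplified TCP receiver (in-order data only, no ACK validation) with the RFC 793 in-window test and the stricter RFC 5961 exact-match test that modern stacks apply, then races an injected RST against data that keeps flowing. All sequence numbers and segment sizes are constructed.

```python
"""Why an out-of-band TCP RST can arrive 'too late' (added example, constructed data)."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence space wraps at 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Receiver:
    """Minimal model of the RST target's receive state (assumption: in-order data only)."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    strict_rfc5961: bool = True  # challenge-ACK behaviour of modern stacks

    def deliver_data(self, seq: int, length: int) -> bool:
        # Only in-order data advances RCV.NXT; anything else is dropped in this model.
        if seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % MOD
        return True

    def accept_rst(self, seq: int) -> str:
        """Return what the receiver does with an incoming RST carrying SEG.SEQ == seq."""
        if not seq_in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return "dropped"          # stale RST: sequence already consumed
        if self.strict_rfc5961 and seq != self.rcv_nxt:
            return "challenge-ack"    # in window but not exact: RST ignored, connection stays up
        return "reset"                # exact match (or legacy stack): connection torn down


def inject_rst(segments_delivered_before_rst: int, strict: bool = True) -> str:
    """Race a sensor-crafted RST against the data stream.

    The sensor observes segment (seq=s, len=L) and crafts a RST with seq=s+L,
    the value the peer will expect next. `segments_delivered_before_rst` is how
    many consecutive data segments (starting with the observed one) reach the
    target before the RST does. Values are constructed for the example.
    """
    s, L = 1000, 1460
    rx = Receiver(rcv_nxt=s, strict_rfc5961=strict)
    rst_seq = (s + L) % MOD
    for i in range(segments_delivered_before_rst):
        rx.deliver_data((s + i * L) % MOD, L)
    return rx.accept_rst(rst_seq)


if __name__ == "__main__":
    for n in (0, 1, 3):
        print(f"{n} segment(s) ahead of RST: strict={inject_rst(n)} legacy={inject_rst(n, strict=False)}")
```

Only the case where the RST reaches the target exactly when RCV.NXT equals the crafted sequence number resets the connection on a strict stack. If more data has already been delivered, the RST falls below the window and is silently dropped, which is the "leak" Pavel describes; if the RST overtakes the observed segment (sensor closer to the target than the sender), an RFC 5961 stack answers with a challenge ACK rather than tearing down, whereas an older stack accepts any in-window RST.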

 

From: Brian Hennigar [mailto:bhennigar at gmail.com]
Sent: Thursday, April 02, 2015 5:52 AM
To: Rovnov Pavel
Cc: Victor Julien; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

 

Did you have any success with libnet for rejects? 

I've been trying to get it working and the results haven't been
promising. Occasionally the connection will break on a reject rule but
never fast enough. 

 

On Fri, Mar 27, 2015 at 11:21 AM, Rovnov Pavel <provnov at solidex.by>
wrote:

Victor,

Thanks a lot for information!

Pavel

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Victor Julien
Sent: Friday, March 27, 2015 1:50 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode


On 03/23/2015 08:09 PM, Rovnov Pavel wrote:
> Hello Coop, Anthony,
>
> I control neither the users nor the web servers. So I can't instruct
> users to use a proxy or run all web applications through a reverse proxy.
>
> Inline mode is not acceptable in my scenario (let me say the guy who
> owns infrastructure doesn't allow me to be inline).
>
> What I can do is use mirrored traffic for my analysis. So the
> question remains the same:
>
> 1)    Can I use reject when out-of-band?

Yeah.

> 2)    How can I specify interface to send rejects from? I can't use
> 2-way SPAN port on my switch.

Not sure here. I think you'd need another NIC that's on your switch. We
use libnet, not sure how it selects the NIC to use. Might use the NIC
that has a valid route to the destination? Think you'll need to
experiment here.

Cheers,
Victor


>
> Thanks!
>
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> Sent: Monday, March 23, 2015 9:59 PM
> To: Rodgers, Anthony (DTMB); Rovnov Pavel; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
>
> +1 to using a web proxy.  Squid is free.
>
> You can even run suricata inline on a squid proxy and create a robust,
> next-generation proxy-firewall with Layer-7 intrusion
> detection/prevention.
>
> -Coop
>
> On 3/23/2015 9:17 AM, Rodgers, Anthony (DTMB) wrote:
>> Why not use a web proxy like squid for this?
>>
>> --
>> Anthony Rodgers
>> Security Analyst
>> Michigan Security Operations Center (MiSOC)
>> DTMB, Michigan Cyber Security
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
