[Oisf-users] suricata IPS and drop.log

Vieri rentorbuy at yahoo.com
Mon Dec 19 22:10:45 UTC 2016

----- Original Message -----
> From: Andreas Herz <andi at geekosphere.org>
> You want:
>
> /usr/bin/suricata --pidfile /var/run/suricata/suricata.pid -vv --simulate-ips -r dump.pcap -c /etc/suricata/suricata.yaml
>
> But you need to reproduce that so you can dump it in a .pcap file (use
> tcpdump for example).

Here's the result:

# tcpdump -s 0 port ssh -i enp0s13 -w dump.pcap

# /usr/bin/suricata --pidfile /var/run/suricata/suricata.pid -vv --simulate-ips -r dump.pcap -c /etc/suricata/suricata.yaml
19/12/2016 -- 23:02:33 - <Info> - Setting IPS mode
19/12/2016 -- 23:02:33 - <Notice> - This is Suricata version 3.2 RELEASE
19/12/2016 -- 23:02:33 - <Info> - CPUs/cores online: 1
19/12/2016 -- 23:02:35 - <Info> - Running in live mode, activating unix socket
19/12/2016 -- 23:03:29 - <Info> - 39 rule files processed. 13140 rules successfully loaded, 0 rules failed
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for tcp-packet
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for tcp-stream
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for udp-packet
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for other-ip
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_uri
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_request_line
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_client_body
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_response_line
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_header
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_header
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_raw_header
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_raw_header
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_method
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_cookie
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_cookie
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_raw_uri
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_user_agent
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_host
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_raw_host
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_stat_msg
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_stat_code
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for dns_query
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for tls_sni
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for tls_cert_issuer
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for tls_cert_subject
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for file_data
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for file_data
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_request_line
19/12/2016 -- 23:03:31 - <Perf> - using shared mpm ctx' for http_response_line
19/12/2016 -- 23:03:31 - <Info> - 13148 signatures processed. 1306 are IP-only rules, 5379 are inspecting packet payload, 8149 inspect application layer, 0 are decoder event only
19/12/2016 -- 23:03:32 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
19/12/2016 -- 23:03:32 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
19/12/2016 -- 23:03:32 - <Perf> - UDP toserver: 41 port groups, 32 unique SGH's, 9 copies
19/12/2016 -- 23:03:32 - <Perf> - UDP toclient: 21 port groups, 13 unique SGH's, 8 copies
19/12/2016 -- 23:03:32 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
19/12/2016 -- 23:03:32 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
19/12/2016 -- 23:03:49 - <Perf> - Unique rule groups: 106
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toserver TCP packet": 27
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toclient TCP packet": 20
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toserver TCP stream": 32
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toclient TCP stream": 21
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toserver UDP packet": 31
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "toclient UDP packet": 12
19/12/2016 -- 23:03:49 - <Perf> - Builtin MPM "other IP packet": 2
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_uri": 6
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_client_body": 5
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_header": 7
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toclient http_header": 3
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_method": 4
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_cookie": 1
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toclient http_cookie": 2
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_raw_uri": 2
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver http_user_agent": 3
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toserver file_data": 1
19/12/2016 -- 23:03:49 - <Perf> - AppLayer MPM "toclient file_data": 5
19/12/2016 -- 23:03:57 - <Info> - Threshold config parsed: 0 rule(s) found
19/12/2016 -- 23:03:57 - <Info> - fast output device (regular) initialized: fast.log
19/12/2016 -- 23:03:57 - <Info> - eve-log output device (regular) initialized: eve.json
19/12/2016 -- 23:03:57 - <Info> - stats output device (regular) initialized: stats.log
19/12/2016 -- 23:03:57 - <Info> - drop output device (regular) initialized: drop.log
19/12/2016 -- 23:03:58 - <Info> - reading pcap file dump.pcap
19/12/2016 -- 23:03:58 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
19/12/2016 -- 23:03:58 - <Info> - pcap file end of file reached (pcap err code 0)
19/12/2016 -- 23:03:58 - <Notice> - Signal Received.  Stopping engine.
19/12/2016 -- 23:03:58 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
19/12/2016 -- 23:03:58 - <Info> - time elapsed 0.646s
19/12/2016 -- 23:03:58 - <Perf> - 68 flows processed
19/12/2016 -- 23:03:58 - <Notice> - Pcap-file module read 407 packets, 24760 bytes
19/12/2016 -- 23:03:58 - <Perf> - AutoFP - Total flow handler queues - 1
19/12/2016 -- 23:03:58 - <Info> - (W#01) Dropped Packets 0
19/12/2016 -- 23:03:59 - <Perf> - ippair memory usage: 354144 bytes, maximum: 16777216
19/12/2016 -- 23:03:59 - <Perf> - host memory usage: 346144 bytes, maximum: 33554432
19/12/2016 -- 23:04:00 - <Info> - cleaning up signature grouping structure... complete

# cat /var/log/suricata/drop.log 
# cat /var/log/suricata/fast.log 
12/19/2016-22:58:46.153123  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:37413 -> 192.168.101.2:22
12/19/2016-23:00:30.469474  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:29172 -> 192.168.101.2:22
12/19/2016-23:00:34.482569  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:13895 -> 192.168.101.2:22

# grep '"ET SCAN Potential SSH Scan"' /etc/suricata/rules/*.rules
/etc/suricata/rules/emerging-scan.rules:drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20;)


Vieri
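As an added example (not part of this post or of the Suricata project): a small Python 3 parser for the fast.log line format shown above, which keeps the action tag ([Drop] versus a plain alert) and tallies drops per signature and source address, the first thing to check when drop.log stays empty while fast.log reports drops. The first three sample lines are the ones from the post; the fourth is constructed to show an untagged alert, and the regex assumes IPv4 addresses.

```python
import re
from collections import Counter

# Sample input: three lines from the post plus one constructed plain alert
# (sid 9000001 is a placeholder, not a real signature).
SAMPLE_FAST_LOG = """\
12/19/2016-22:58:46.153123  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:37413 -> 192.168.101.2:22
12/19/2016-23:00:30.469474  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:29172 -> 192.168.101.2:22
12/19/2016-23:00:34.482569  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:13895 -> 192.168.101.2:22
12/19/2016-23:05:01.000000  [**] [1:9000001:1] CONSTRUCTED test alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.101.2:80 -> 10.0.0.5:40112
"""

# fast.log layout: timestamp, optional "[Action]", "[**]", [gid:sid:rev], msg,
# "[**]", optional classification, priority, {proto}, src:port -> dst:port.
# Ports are optional so ICMP lines (no ports) still parse; IPv4 only.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<dst_port>\d+))?\s*$"
)


def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not match."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = rec["action"] or "Alert"  # untagged lines are plain alerts
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize_drops(text):
    """Count [Drop] events per (sid, source IP) across a fast.log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_fast_log_line(line)
        if rec and rec["action"] == "Drop":
            counts[(rec["sid"], rec["src_ip"])] += 1
    return counts


if __name__ == "__main__":
    for (sid, src), n in summarize_drops(SAMPLE_FAST_LOG).items():
        print(f"sid {sid} from {src}: {n} drops")
```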