Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

To be clear, are you running the Merlin FW version of suricata on an Asus Merlin router?

No longer. I use OpenBSD. System with its own configuration.
Suricata 5.0.3 and Talos rules

 

[Smokey613]

But isn't mmap required for IPS?

For AF_PACKET IPS mode:

use-mmap: yes breaks all kinds of stuff for me so that is NOT an option I can use.

 

[Smokey613]

No longer. I use OpenBSD. System with its own configuration.
Suricata 5.0.3 and Talos rules

As much as I do not want to spend extra money for an IPS, it seems like a stand alone system is my only option.

 

[Smokey613]

I changed the af-packet entries back to the original settings. At least I can easily view the suricata logs from the uiScribe log menu to check if it alerts on suspicious activity. I still have no confidence it will block malicious traffic.

 

[Smokey613]

I just got these alerts In my suricata log. At least something is working.

Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2019284:3] ET ATTACK_RESPONSE Output of id command from HTTP server [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104
Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104

 

[juched]

Latest config entry for IPS

af-packet:
- interface: eth0
cluster-id: 98
copy-mode: ips
copy-iface: br0
use-mmap: no
tpacket-v3: no
- interface: br0
cluster-id: 97
copy-mode: ips
copy-iface: eth0
use-mmap: no
tpacket-v3: no

Curious, what does your suricata log file show during startup? Does it still show IPS is enabled? Can you paste your log file during startup to share?

 

[juched]

I changed the af-packet entries back to the original settings. At least I can easily view the suricata logs from the uiScribe log menu to check if it alerts on suspicious activity. I still have no confidence it will block malicious traffic.

Agree, the IDS is good. I am considering creating a log scrapper to a DB, and then making a UI page to show a table of items and the associated IP. Just need to find the time to do this.

I am currently running in the standard IDS mode. with AF_packet mode it gets a copy, and I do not believe it is updating iptables currently to block, so not even a hybrid IPS, just an IDS, which I think is good enough. Just need a way to see the hits and to get notified, that would be ideal.

 

[Smokey613]

Curious, what does your suricata log file show during startup? Does it still show IPS is enabled? Can you paste your log file during startup to share?

No, it no longer indicates IPS mode once I went back to the default config.

Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - CPUs/cores online: 2
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 05:26:37 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:37 - <Info> - Syslog output initialized
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - Threshold config parsed: 1 rule(s) found
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - Going to use 2 thread(s)
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - Going to use 2 thread(s)
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - All AFP capture threads are running.
Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2019284:3] ET ATTACK_RESPONSE Output of id command from HTTP server [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104
Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104
Aug 7 08:41:47 RT-AC86U suricata[16099]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.201:57562 -> 45.60.27.121:80


This is what it reported in my prior config using use-mmap: no


Aug 7 05:18:00 RT-AC86U suricata[15140]: 7/8/2020 -- 05:18:00 - <Info> - cleaning up signature grouping structure... complete
Aug 7 05:19:06 RT-AC86U S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - CPUs/cores online: 2
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - AF_PACKET: Setting IPS mode
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - Syslog output initialized
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - Threshold config parsed: 1 rule(s) found
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Going to use 2 thread(s)
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Going to use 2 thread(s)
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 05:19:11 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:11 - <Info> - All AFP capture threads are running.

 

[juched]

No, it no longer indicates IPS mode once I went back to the default config.

Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - CPUs/cores online: 2
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:26:37 RT-AC86U suricata: 7/8/2020 -- 05:26:37 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 05:26:37 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:37 - <Info> - Syslog output initialized
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - Threshold config parsed: 1 rule(s) found
Aug 7 05:26:38 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:38 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - Going to use 2 thread(s)
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - Going to use 2 thread(s)
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 05:26:42 RT-AC86U suricata[16099]: 7/8/2020 -- 05:26:42 - <Info> - All AFP capture threads are running.
Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2019284:3] ET ATTACK_RESPONSE Output of id command from HTTP server [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104
Aug 7 05:50:21 RT-AC86U suricata[16099]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.1:80 -> 192.168.2.224:50104
Aug 7 08:41:47 RT-AC86U suricata[16099]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.201:57562 -> 45.60.27.121:80


This is what it reported in my prior config using use-mmap: no


Aug 7 05:18:00 RT-AC86U suricata[15140]: 7/8/2020 -- 05:18:00 - <Info> - cleaning up signature grouping structure... complete
Aug 7 05:19:06 RT-AC86U S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - CPUs/cores online: 2
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - AF_PACKET: Setting IPS mode
Aug 7 05:19:06 RT-AC86U suricata: 7/8/2020 -- 05:19:06 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - Syslog output initialized
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - Threshold config parsed: 1 rule(s) found
Aug 7 05:19:06 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:06 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Going to use 2 thread(s)
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Info> - Going to use 2 thread(s)
Aug 7 05:19:10 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:10 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 05:19:11 RT-AC86U suricata[15279]: 7/8/2020 -- 05:19:11 - <Info> - All AFP capture threads are running.

As I figured:

Copy mode activated but use-mmap set to no. Disabling feature

I do think using it for detection is still good.

 

[Smokey613]

As I figured:

Copy mode activated but use-mmap set to no. Disabling feature

I do think using it for detection is still good.

What do you think would be the harm using it with my previous config with use-mmap: no settings? Would it still alert only or actually provide reject/drop functions?

 

[juched]

What do you think would be the harm using it with my previous config with use-mmap: no settings? Would it still alert only or actually provide reject/drop functions?

I don't think it makes a difference. With the config you shared, the copy command is ignored and it runs like your current config, so no difference.

 

[Smokey613]

This my current config portion I just loaded. As long as it does not prevent alerting I guess it will not hurt to just run it. What do you think?

# Linux high speed capture support
af-packet:
- interface: eth0
- interface: br0
# IPS Mode Configuration
af-packet:
- interface: eth0
cluster-id: 97
copy-mode: ips
copy-iface: br0
use-mmap: no
tpacket-v3: no
- interface: br0
cluster-id: 98
copy-mode: ips
copy-iface: eth0
use-mmap: no
tpacket-v3: no
# PCAP
pcap:
- interface: auto
checksum-checks: auto
promisc: yes

This is the output from the log:

Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - CPUs/cores online: 2
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - AF_PACKET: Setting IPS mode
Aug 7 10:35:54 RT-AC86U suricata: 7/8/2020 -- 10:35:54 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 10:35:54 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:54 - <Info> - Syslog output initialized
Aug 7 10:35:54 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:54 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 10:35:54 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:54 - <Info> - Threshold config parsed: 1 rule(s) found
Aug 7 10:35:54 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:54 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 10:35:58 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:58 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 10:35:58 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:58 - <Info> - Going to use 2 thread(s)
Aug 7 10:35:58 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:58 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 10:35:59 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:59 - <Info> - Going to use 2 thread(s)
Aug 7 10:35:59 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:59 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 10:35:59 RT-AC86U suricata[24287]: 7/8/2020 -- 10:35:59 - <Info> - All AFP capture threads are running.

 

[Smokey613]

I removed my suppress rule and my little Govee hub is back to creating alerts with the IPS configuration. I guess I will just let it run in this config and see what happens.

Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - CPUs/cores online: 2
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - Found an MTU of 1500 for 'br0'
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - AF_PACKET: Setting IPS mode
Aug 7 11:16:10 RT-AC86U suricata: 7/8/2020 -- 11:16:10 - <Info> - stats output device (regular) initialized: stats.log
Aug 7 11:16:10 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:10 - <Info> - Syslog output initialized
Aug 7 11:16:11 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:11 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 7 11:16:11 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:11 - <Info> - Threshold config parsed: 0 rule(s) found
Aug 7 11:16:11 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:11 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Info> - Going to use 2 thread(s)
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Info> - Copy mode activated but use-mmap set to no. Disabling feature
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Info> - Going to use 2 thread(s)
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 7 11:16:15 RT-AC86U suricata[29990]: 7/8/2020 -- 11:16:15 - <Info> - All AFP capture threads are running.
Aug 7 11:16:17 RT-AC86U suricata[29990]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:17329 -> 54.86.73.173:80
Aug 7 11:16:51 RT-AC86U suricata[29990]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:31477 -> 54.86.73.173:80

 

[mike37]

.
.
Has anyone actually tested the IPS mode? (Reading rose-colored logs doesn't count).

ISTM that if you can get any one rule to work (actually drops a connection and reports a "drop"), then they all likely work.

http://wrs49.winshipway.com/ (34.211.233.68 52.36.140.135 ) is blocked by aiprotect. Activate aiprotect and try to go there and you'll be blocked; deactivate aiprotect and you can get there - test works.

Do the same test with suricata (obviously after deactivating aiprotect).

Here is a draft suricata "drop" rule for winshipway. Perhaps one of you could create a ruleset folder titled "winshipwaytest"; put this rule in it; activate that folder in the config; and try to browse to http://wrs49.winshipway.com/ . I tried this months ago when I had time to play with suricata and it didn't work - I received an "alert", but the "drop" action had been changed to "alert" despite my specific rule.

Seems that some of you have made good progress and may be able to get this test to work!!

rule:

drop ip [34.211.233.68,52.36.140.135] any <> $HOME_NET any (msg:"test IPS rule connect with wrs49.winshipway.com"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:5517; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2020_08_06

Note: that last smiley face is actually a "semi-colon close paren" - part of the rule

NOTE: rgnldo had the following observation about this rule:

"DROP only INLINE mode
Suricata will REJECT according to the rules."

 

[XIII]

I wanted to give that a try (just out of curiosity; I don't think I have IPS working), but NextDNS already blocked the domain name (blocked by "threat-intelligent-feeds").

 

[Jack Yaz]

.
.
Has anyone actually tested the IPS mode? (Reading rose-colored logs doesn't count).

ISTM that if you can get any one rule to work (actually drops a connection and reports a "drop"), then they all likely work.

http://wrs49.winshipway.com/ (34.211.233.68 52.36.140.135 ) is blocked by aiprotect. Activate aiprotect and try to go there and you'll be blocked; deactivate aiprotect and you can get there - test works.

Do the same test with suricata (obviously after deactivating aiprotect).

Here is a draft suricata "drop" rule for winshipway. Perhaps one of you could create a ruleset folder titled "winshipwaytest"; put this rule in it; activate that folder in the config; and try to browse to http://wrs49.winshipway.com/ . I tried this months ago when I had time to play with suricata and it didn't work - I received an "alert", but the "drop" action had been changed to "alert" despite my specific rule.

Seems that some of you have made good progress and may be able to get this test to work!!

rule:

drop ip [34.211.233.68,52.36.140.135] any <> $HOME_NET any (msg:"test IPS rule connect with wrs49.winshipway.com"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:5517; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2020_08_06

Note: that last smiley face is actually a "semi-colon close paren" - part of the rule

I recommend posting the output in a "code" block

 

[mike37]

I wanted to give that a try (just out of curiosity; I don't think I have IPS working), but NextDNS already blocked the domain name (blocked by "thread-intelligent-feeds").

.
Then deactivate the NextDNS block with a whitelist entry, or deactivate NextDNS entirely, or change the blocked destination within the rule to a different site acceptable to NextDNS.

The purpose here is not to block http://wrs49.winshipway.com/ , but to get suricata "drops" to work.

 

[XIII]

I thought I could try your rule by using a different IP, but somehow I don't even get an alert for the IP I use (and the web page just opens).

However, when I changed this test rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)

into:

drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)

I no longer get

Aug  7 22:41:29 ac86u suricata[17126]: [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

but

Aug  7 22:42:43 ac86u suricata[17260]: [wDrop] [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

with config

af-packet:
- interface: eth0
- interface: br0

and

Aug  7 22:43:29 ac86u suricata[17369]: [Drop] [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

with config

af-packet:
- interface: eth0
  copy-mode: ips
  copy-iface: br0
  use-mmap: yes
  tpacket-v3: no
- interface: br0
  copy-mode: ips
  copy-iface: eth0
  use-mmap: yes
  tpacket-v3: no

EDIT: Is "wDrop" indeed "would drop"?

 

[mike37]

I recommend posting the output in a "code" block

.

1. Ahhh.... I'm guessing a "code" block will not be reformated!? TU; I'll look into it.

2. Glad to see you're monitoring this thread!

 

[mike37]

I thought I could try your rule by using a different IP, but somehow I don't even get an alert for the IP I use (and the web page just opens).

However, when I changed this test rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)

into:

drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)

I no longer get

Aug  7 22:41:29 ac86u suricata[17126]: [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

but

Aug  7 22:42:43 ac86u suricata[17260]: [wDrop] [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

with config

af-packet:
- interface: eth0
- interface: br0

and

Aug  7 22:43:29 ac86u suricata[17369]: [Drop] [1:1000002:1] ICMP connection attempt [Classification: (null)] [Priority: 3] {ICMP} <ip1>:771 -> <ip2>:0

with config

af-packet:
- interface: eth0
  copy-mode: ips
  copy-iface: br0
  use-mmap: yes
  tpacket-v3: no
- interface: br0
  copy-mode: ips
  copy-iface: eth0
  use-mmap: yes
  tpacket-v3: no

EDIT: Is "wDrop" indeed "would drop"?

.

1. I don't know what wDrop means; it appears that suricata changed the rule from drop to wdrop - irritating. Couldn't find it in the doc; maybe it has something to do with ICMP which could only be actually dropped in inline mode!?

If you're handy with iptables, you might dump them and see what the disposition is with icmp. I'm guessing icmp doesn't appear in syslog.

2. TBH, I wouldn't dwell on this ICMP rule - the original test is straight-forward enough; either you can block a web site or you can't. So far it doesn't drop.

Looking at your log, was the original rule error-free and actually used? (This was a "reconstruction" of the rule I tested months ago, and I may have made a typo; or the rules format may have changed - either causing the rule to be ignored)

If you didn't get an alert, it sounds like the rule didn't make it.