WSUS and IPS, port range

You do not need to open ports to use Skype…

Edit: Skype would use ports on your computer, not ports on the gateway.

Ah ok, perfect. Thanks…
And about Windows Update and IPS, can you give me some news?

IPS does not block Windows Update. It's something else. Make sure the “Policy” category is set to “Alert”, not “Block”, because that may block some things. I doubt it would block Windows Update, but make sure it is set to “Alert”.

Yes, it's on alert.

What happens when you try to search for Windows updates?

It’s the POLICY category as @Jclendineng already pointed out:

I had him make sure “Policy” was set to “Alert” at most; it's not blocking. I run Policy on alert as well for the same reason: it blocks updates/yum/my Nextcloud otherwise.

My problem is with Windows Server Update Services… it downloads files from a Microsoft server and the clients on my LAN download updates from my server, but when IPS is on, the server can't finish downloading the files.

I understand that, but the issue is still the same: it seems like Policy is blocking it, but it's not. Go to /var/log/suricata and post the contents of eve.json, fast.log and suricata.log; if they are really big, just post the relevant part. Use this and post the link.

Edit: use https://winscp.net/download/WinSCP-5.11.3-Setup.exe as an SSH file manager if you do not have one already, or, if you are comfortable with SSH, use PuTTY or another program to SSH in and get the logs.

https://gist.github.com/

I am afraid POLICY may also block Windows updates or WSUS, but I didn't try; just set it to alert instead of block…

[root@server ~]# cat /etc/suricata/rules/ET-emerging-policy.rules | grep microsoft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"SOGOU_UPDATER"; nocase; http_user_agent; depth:13; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; content:" MSIE 5."; http_user_agent; fast_pattern; nocase; content:!".microsoft.com"; http_host; isdataat:!1,relative; content:!".trendmicro.com"; http_host; isdataat:!1,relative; content:!".sony.net"; http_host; isdataat:!1,relative; content:!".weather.com"; http_host; isdataat:!1,relative; content:!".yahoo.com"; http_host; isdataat:!1,relative; content:!".dellfix.com"; http_host; isdataat:!1,relative; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:12; metadata:created_at 2013_05_20, updated_at 2013_05_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:to_server,established; content:"MSDW"; depth:4; http_user_agent; content:"Host|3a 20|watson.microsoft.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018170; rev:4; metadata:created_at 2014_02_24, updated_at 2014_02_24;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:3; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

It's possible to modify the policy file; I'll test some things this afternoon. He already set it to alert and it is still blocking, so maybe we can see the logs and figure it out.

I am afraid changed policy files may be overwritten on the next update…

Suricata rule files that may be causing the problem:

[root@server rules]# grep -ioRl "microsoft.com"
ET-emerging-activex.rules
ET-emerging-current_events.rules
ET-emerging-dos.rules
ET-emerging-exploit.rules
ET-emerging-info.rules
ET-emerging-malware.rules
ET-emerging-netbios.rules
ET-emerging-p2p.rules
ET-emerging-policy.rules
ET-emerging-trojan.rules
ET-emerging-user_agents.rules
ET-emerging-web_client.rules
ET-emerging-web_server.rules
ET-emerging-worm.rules

They are overwritten; I would still like to try it :smiley:


Ok:
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 13.107.4.50:80 -> 192.168.8.4:64788

There is the issue; it is Policy. Go back to IPS and double-check Policy, go ahead and disable it, and make sure to click Submit.

I've disabled the Policy category.
Now my server is downloading the new update… I will update you.

Oops, I'm sorry, I made a mistake.

{"timestamp":"2017-12-15T04:19:44.400496+0100","flow_id":1104509884243081,"event_type":"drop","src_ip":"192.168.1.2","src_port":46830,"dest_ip":"95.101.114.82","dest_port":80,"proto":"TCP","drop":{"len":469,"tos":0,"ttl":64,"ipid":48528,"tcpseq":3802572041,"tcpack":511017362,"tcpwin":237,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}

Disable Potentially Bad Traffic

Edit: I'm reading through the log and Policy alerts as it should, but the block comes in because it sees the executable coming from a server that it thinks may be bad.

Which category is it?

Current events


ET CURRENT EVENTS: try setting it to alert instead of block…

[root@server ~]# cat eve.json | grep -Ei "block.*et .*microsoft"
{"timestamp":"2017-12-15T07:54:18.914806+0100","flow_id":346184857006454,"event_type":"alert","src_ip":"192.168.1.2","src_port":41172,"dest_ip":"151.99.72.114","dest_port":80,"proto":"TCP","tx_id":5,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.114","url":"\/data\/045851f375c4acfe\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335258&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=42A353606DF23C906F355F753FEA7C8454709DED.0498AF57BB30B9C2AF4DEC160C69A5394D7BF699&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.96","http_method":"GET","protocol":"HTTP\/1.1","length":0}}
{"timestamp":"2017-12-15T07:54:52.775104+0100","flow_id":1494459401042213,"event_type":"alert","src_ip":"192.168.1.2","src_port":44612,"dest_ip":"151.99.72.106","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.106","url":"\/data\/0458eaf464495f29\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335291&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=28EDD40C2540FBDCFE5843AE11A6BDC70CBA4DC5.12AB9B09648572F2F4FB1DC6A63B9CDE81757109&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.18","http_method":"GET","protocol":"HTTP\/1.1","length":0}}
{"timestamp":"2017-12-15T07:56:05.288240+0100","flow_id":67714219861372,"event_type":"alert","src_ip":"192.168.1.2","src_port":45210,"dest_ip":"151.99.72.106","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.106","url":"\/data\/0458eaf464495f29\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335291&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=28EDD40C2540FBDCFE5843AE11A6BDC70CBA4DC5.12AB9B09648572F2F4FB1DC6A63B9CDE81757109&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.18","http_method":"GET","protocol":"HTTP\/1.1","length":0}}