How do you test basic functionality of suricata / evebox?

mark_nl · July 26, 2018, 10:46am

Not having much knowledge about internet security feeling a bit shaky if my homebrew evebox for arm works.

So started to find out how you could test and ids and could not find a lot I understand. The only tool found so far that makes to me besides NMAP is SPARTA.

Started test trails on x86_64 without success. The ids is activated and all rules are set to alert accept scan its set to block. The red interface is not connected to the internet, it gets it’s IP (10.0.1.xxx) from the internet router.

#config getprop suricata AlertCategories
ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-drop,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-chat,ET-emerging-current_events,ET-emerging-deleted,ET-emerging-dns,ET-emerging-dos,ET-emerging-exploit,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-info,ET-emerging-malware,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-netbios,ET-emerging-p2p,ET-emerging-policy,ET-emerging-scada,ET-emerging-shellcode,ET-emerging-smtp,ET-emerging-snmp,ET-emerging-sql,ET-emerging-telnet,ET-emerging-tftp,ET-emerging-trojan,ET-emerging-user_agents,ET-emerging-voip,ET-emerging-web_client,ET-emerging-web_server,ET-emerging-web_specific_apps,ET-emerging-worm,ET-tor
#
# config getprop suricata BlockCategories
ET-emerging-scan

If the red interface is scanned ( nmap, nikto) nothing shows up in evebox nor in /var/log/suricata/fast.log.

What is my wrong thinking?
How can to conduct some tests?

Thanx Mark

filippo_carletti · July 26, 2018, 11:00am

Scan rules need an established connection, you have to “open” port 22 to trigger an ssh scan, for example.

You could add

alert icmp any any -> any any (msg: "ICMP Packet found";)

to an enabled rule file (/etc/suricata/rules/ET-xxx.rules) and ping some hosts.

/bin/pkill -USR2 -f suricata
to reload rules (btw, systemctl restart suricata works too but I won’t use it in production).

mark_nl · July 26, 2018, 11:24am

thank you!

On myRaspberry pi:

I’ll leave the real testing up to the pro’s, established prove of basic functionality.

Edit, blurred out ip’s

mark_nl · July 26, 2018, 11:41am

I am happy with the solution still do not get my wrong thinking,
as said ill leave it up to the pro’s

Just one page of the scan results of SPARTA, i have thought this scan would trigger some alerts…

filippo_carletti · July 26, 2018, 11:55am

And connect successfully 5 times in two minutes, like when you try to brute force the password.

mark_nl · July 26, 2018, 12:13pm

To the x86_64 logged in / out in to ssh over the red interface 10 times within 5 seconds with right credentials; after this started an brute force with well known user/password list, note no fail2ban installed. Get no alert.

Maybe my test-attack host is already trusted…

However happy evebox worked and was looking for that prove.

Thanx again!

filippo_carletti · July 26, 2018, 12:19pm

Live from my firewall:

07/26/2018-12:13:29.472372  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.144.156.187:25353 -> 192.168.5.11:22
07/26/2018-12:53:47.036034  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 140.143.251.251:9480 -> 192.168.5.11:22
07/26/2018-13:21:52.554401  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 121.40.161.104:36617 -> 192.168.5.11:22

mark_nl · July 26, 2018, 12:25pm

I will test it again, in a more real live situation by connecting it to the internet and scan it form “outside”.
As said it’s a test lab running on private IP’s

filippo_carletti · July 26, 2018, 12:27pm

All scan rules fire from external_net to home_net. e.g.

alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src;

mark_nl · July 26, 2018, 12:33pm

for testing: Can i set an private ip range (ie 10.0.1.xxx) range to be an $EXTERNAL_NET net?

filippo_carletti · July 26, 2018, 12:39pm

Probably useless, given that
EXTERNAL_NET: "!$HOME_NET"

mark_nl · July 26, 2018, 12:41pm

yes, just found it in suricata.yaml…

mark_nl · July 27, 2018, 12:19pm

Just a heads up: it works as expected scanning from “outside”

on the rpi: