How do you test basic functionality of suricata / evebox?

Not having much knowledge about internet security feeling a bit shaky if my homebrew evebox for arm works.

So started to find out how you could test and ids and could not find a lot I understand. The only tool found so far that makes to me besides NMAP is SPARTA.

Started test trails on x86_64 without success. The ids is activated and all rules are set to alert accept scan its set to block. The red interface is not connected to the internet, it gets it’s IP ( from the internet router.

#config getprop suricata AlertCategories
# config getprop suricata BlockCategories

If the red interface is scanned ( nmap, nikto) nothing shows up in evebox nor in /var/log/suricata/fast.log.

What is my wrong thinking?
How can to conduct some tests?

Thanx Mark

Scan rules need an established connection, you have to “open” port 22 to trigger an ssh scan, for example.

You could add

alert icmp any any -> any any (msg: "ICMP Packet found";)

to an enabled rule file (/etc/suricata/rules/ET-xxx.rules) and ping some hosts.

/bin/pkill -USR2 -f suricata
to reload rules (btw, systemctl restart suricata works too but I won’t use it in production).

1 Like

thank you!

On myRaspberry pi:

I’ll leave the real testing up to the pro’s, established prove of basic functionality. :smiley:

Edit, blurred out ip’s

I am happy with the solution still do not get my wrong thinking,
as said ill leave it up to the pro’s

Just one page of the scan results of SPARTA, i have thought this scan would trigger some alerts…

And connect successfully 5 times in two minutes, like when you try to brute force the password.

To the x86_64 logged in / out in to ssh over the red interface 10 times within 5 seconds with right credentials; after this started an brute force with well known user/password list, note no fail2ban installed. Get no alert.

Maybe my test-attack host is already trusted…

However happy evebox worked and was looking for that prove.

Thanx again!

Live from my firewall:

07/26/2018-12:13:29.472372  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} ->
07/26/2018-12:53:47.036034  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} ->
07/26/2018-13:21:52.554401  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} ->
1 Like

I will test it again, in a more real live situation by connecting it to the internet and scan it form “outside”.
As said it’s a test lab running on private IP’s

All scan rules fire from external_net to home_net. e.g.

alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src;

for testing: Can i set an private ip range (ie range to be an $EXTERNAL_NET net?

Probably useless, given that

yes, just found it in suricata.yaml…

Just a heads up: it works as expected scanning from “outside”

on the rpi:

1 Like