How do you test basic functionality of suricata / evebox?

ips
suricata

(Mark Verlinde) #1

Not having much knowledge about internet security, I'm feeling a bit shaky about whether my homebrew evebox for arm works.

So I started to find out how you could test an IDS and could not find a lot I understand. The only tool found so far that makes sense to me besides NMAP is SPARTA.

Started test trials on x86_64 without success. The IDS is activated and all rules are set to alert, except scan, which is set to block. The red interface is not connected to the internet; it gets its IP (10.0.1.xxx) from the internet router.

# config getprop suricata AlertCategories
ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-drop,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-chat,ET-emerging-current_events,ET-emerging-deleted,ET-emerging-dns,ET-emerging-dos,ET-emerging-exploit,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-info,ET-emerging-malware,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-netbios,ET-emerging-p2p,ET-emerging-policy,ET-emerging-scada,ET-emerging-shellcode,ET-emerging-smtp,ET-emerging-snmp,ET-emerging-sql,ET-emerging-telnet,ET-emerging-tftp,ET-emerging-trojan,ET-emerging-user_agents,ET-emerging-voip,ET-emerging-web_client,ET-emerging-web_server,ET-emerging-web_specific_apps,ET-emerging-worm,ET-tor
#
# config getprop suricata BlockCategories
ET-emerging-scan

If the red interface is scanned (nmap, nikto), nothing shows up in evebox nor in /var/log/suricata/fast.log.

What is wrong in my thinking?
How can I conduct some tests?

Thanx Mark


(Filippo Carletti) #2

Scan rules need an established connection, you have to “open” port 22 to trigger an ssh scan, for example.

You could add

alert icmp any any -> any any (msg: "ICMP Packet found";)

to an enabled rule file (/etc/suricata/rules/ET-xxx.rules) and ping some hosts.

/bin/pkill -USR2 -f suricata
to reload rules (btw, systemctl restart suricata works too but I won’t use it in production).


(Mark Verlinde) #3

thank you!

On my Raspberry Pi:

I’ll leave the real testing up to the pros; established proof of basic functionality. :smiley:

Edit: blurred out IPs


(Mark Verlinde) #4

I am happy with the solution, but still do not get what is wrong in my thinking;
as said, I’ll leave it up to the pros.

Just one page of the scan results of SPARTA; I thought this scan would trigger some alerts…


(Filippo Carletti) #5

And connect successfully 5 times in two minutes, like when you try to brute force the password.


(Mark Verlinde) #6

On the x86_64, I logged in and out of ssh over the red interface 10 times within 5 seconds with the right credentials; after this I started a brute force with a well-known user/password list (note: no fail2ban installed). Got no alert.

Maybe my test-attack host is already trusted…

However, I'm happy evebox worked; I was looking for that proof.

Thanx again!


(Filippo Carletti) #7

Live from my firewall:

07/26/2018-12:13:29.472372  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.144.156.187:25353 -> 192.168.5.11:22
07/26/2018-12:53:47.036034  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 140.143.251.251:9480 -> 192.168.5.11:22
07/26/2018-13:21:52.554401  [**] [1:2006546:9] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 121.40.161.104:36617 -> 192.168.5.11:22

(Mark Verlinde) #8

I will test it again in a more real-life situation, by connecting it to the internet and scanning it from “outside”.
As said, it’s a test lab running on private IPs.


(Filippo Carletti) #9

All scan rules fire from external_net to home_net. e.g.

alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src;


(Mark Verlinde) #10

For testing: can I set a private IP range (i.e. 10.0.1.xxx) to be an $EXTERNAL_NET net?


(Filippo Carletti) #11

Probably useless, given that
EXTERNAL_NET: "!$HOME_NET"


(Mark Verlinde) #12

yes, just found it in suricata.yaml…
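
An added example, not part of the thread and not Suricata's own code: a simplified Python model of the rule quoted in post #9 (header, flow, content and `threshold: type both`), run over constructed traffic to show which test sources can trigger it. HOME_NET is assumed to be Suricata's stock default; the function names, the 10.0.1.50 and 203.0.113.7 sources and the banners are constructed for illustration.

```python
import ipaddress

# Assumption: Suricata's stock HOME_NET default; the thread never shows the value in use.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
COUNT, SECONDS = 5, 30  # threshold: type both, count 5, seconds 30, track by_src

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def packet_matches(src, dst, dport, established, payload):
    """Header, flow and content checks of the rule (first "SSH-" occurrence only)."""
    if in_home_net(src) or not in_home_net(dst) or dport != 22:
        return False  # $EXTERNAL_NET is !$HOME_NET, so a source inside HOME_NET never qualifies
    if not established:
        return False  # flow:established,to_server
    start = payload.find(b"SSH-")
    if start < 0:
        return False
    return b"libssh" in payload[start + 4:start + 24]  # within:20 after the end of "SSH-"

def alerts(events):
    """Return (timestamp, src) for each alert; events are (ts, src, dst, dport, established, payload)."""
    state, fired = {}, []  # state: src -> (window_start, hits), i.e. track by_src
    for ts, src, dst, dport, est, payload in sorted(events, key=lambda e: e[0]):
        if not packet_matches(src, dst, dport, est, payload):
            continue
        win, hits = state.get(src, (ts, 0))
        if ts - win >= SECONDS:  # window expired: start a new one
            win, hits = ts, 0
        state[src] = (win, hits + 1)
        if hits + 1 == COUNT:  # "both": the COUNT-th hit alerts, the rest of the window is silent
            fired.append((ts, src))
    return fired

def burst(src, n, banner=b"SSH-2.0-libssh-0.6.3\r\n", established=True, dst="192.168.5.11"):
    """Constructed sample traffic: n connections to port 22 from src, one per second."""
    return [(t, src, dst, 22, established, banner) for t in range(n)]

if __name__ == "__main__":
    print("lab source 10.0.1.50:", alerts(burst("10.0.1.50", 10)))
    print("outside source 203.0.113.7:", alerts(burst("203.0.113.7", 10)))
```

In this model a source inside HOME_NET, a connection that is not established, or a client banner without "libssh" produces no alert, however many connections are made.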


(Mark Verlinde) #13

Just a heads up: it works as expected scanning from “outside”

on the rpi: