IPS Network Problem

suricata
v7
ips

(Pasquale Inglese) #23

The problem immobilizes NS. After the update, if I keep the rule set to Block on Trojan, when I try to access the VPS the system locks up and doesn't work even on the server-manager side. Web pages do not load. Everything returns to normal if I disconnect the client.

Setting it to Alarm is not a valid solution in terms of security. It's useful only as a stopgap solution.

The rule that blocks the OpenVPN client is this one: http://doc.emergingthreats.net/2009206


(Federico Ballarini) #24

Has anyone got a solution?
Do I have to set the rules (DNS, DELETED, USER_AGENT) to Alarm?


(Federico Ballarini) #25

This is my log.
The DNS, DELETED and USER_AGENT categories are already set to Alarm.

01/15/2018-09:24:05.005962 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36478
01/15/2018-09:24:05.350406 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.199:80 -> 192.168.1.2:37762
01/15/2018-09:24:05.606746 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.106.86.135:443 -> 192.168.1.2:33380
01/15/2018-09:24:06.172086 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.16.207.165:443 -> 192.168.1.2:52072
01/15/2018-09:24:06.177960 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.217.23.78:80 -> 192.168.8.251:9130
01/15/2018-09:24:06.212958 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.217.23.78:80 -> 192.168.8.251:9131
01/15/2018-09:24:06.222750 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 216.58.205.46:80 -> 192.168.8.251:9132
01/15/2018-09:24:06.465201 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36504
01/15/2018-09:24:06.586432 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47288
01/15/2018-09:24:06.755024 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.13:80 -> 192.168.1.2:44558
01/15/2018-09:24:07.138333 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.205:80 -> 192.168.1.2:49148
01/15/2018-09:24:07.248673 [Drop] [] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 89.238.68.201:80 -> 192.168.1.2:34776
01/15/2018-09:24:07.526212 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 204.79.197.223:80 -> 192.168.1.2:35118
01/15/2018-09:24:07.736948 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36538
01/15/2018-09:24:07.988301 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41878
01/15/2018-09:24:08.015995 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39018
01/15/2018-09:24:08.139694 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 94.75.236.122:80 -> 192.168.1.2:59074
01/15/2018-09:24:08.305304 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.7:80 -> 192.168.1.2:34126
01/15/2018-09:24:08.346769 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.231.123.131:80 -> 192.168.1.2:43956
01/15/2018-09:24:08.457304 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.18:80 -> 192.168.1.2:40146
01/15/2018-09:24:08.601482 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.26.182.117:443 -> 192.168.1.2:46782
01/15/2018-09:24:08.726988 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41906
01/15/2018-09:24:08.893996 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36572
01/15/2018-09:24:09.334481 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39050
01/15/2018-09:24:09.475456 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39054
01/15/2018-09:24:09.507773 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41918
01/15/2018-09:24:09.552478 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52382
01/15/2018-09:24:09.637261 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52386
01/15/2018-09:24:09.801301 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.231.123.131:80 -> 192.168.1.2:43994
01/15/2018-09:24:09.904974 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41932
01/15/2018-09:24:10.261262 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41940
01/15/2018-09:24:10.346685 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39084
01/15/2018-09:24:10.531719 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47404
01/15/2018-09:24:10.607371 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47406
01/15/2018-09:24:10.797104 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.11:80 -> 192.168.1.2:55228
01/15/2018-09:24:10.860939 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.199:80 -> 192.168.1.2:37908
01/15/2018-09:24:10.870938 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 23.50.149.163:80 -> 192.168.1.2:50586
01/15/2018-09:24:10.961451 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52430
01/15/2018-09:24:11.047211 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.18:80 -> 192.168.1.2:40220
01/15/2018-09:24:11.186432 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.244.46.167:443 -> 192.168.1.2:54182
01/15/2018-09:24:11.264202 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.7:80 -> 192.168.1.2:34216
01/15/2018-09:24:11.321900 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.197.103:80 -> 192.168.1.2:39408
01/15/2018-09:24:11.671958 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39128
01/15/2018-09:24:11.723180 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 93.184.220.29:80 -> 192.168.1.2:50744


(Pasquale Inglese) #26

To update NS, I had to disable Policy, Deleted and Shellcode. If I set these to Block, I have problems with yum.

IPS behaves abnormally. If I connect to the VPN from another IP on the same WAN class, the client is not recognized as a Trojan.
Instead, if I connect to an IP class other than the WAN, the client is recognized as a Trojan.

Honestly, I cannot find a solution without creating a security hole.

@giacomo is there a way to implement a pass list?

This update is also having repercussions on the local network as the host has problems communicating with other hosts.

Is it possible to return to the previous version?


(Federico Ballarini) #27

Oh yes, returning to the previous version could be a solution… does anyone know if it is possible?


(Giacomo Sanchietti) #28

I see a little bit of confusion in this post, let’s try to clear some points :slight_smile:

  1. Latest nethserver-pulledpork doesn’t break anything, it just uses the new optimized rule format for Suricata 4.0
  2. When implementing an IPS/IDS on your network you must tune the configuration and block only relevant categories
  3. Rules are automatically updated overnight and could change their own behavior

We haven’t experienced any issue so far; this is our current production configuration for Suricata:

suricata=service
    AlertCategories=ET-emerging-current_events,ET-emerging-dos,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-info,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-p2p,ET-emerging-scan,ET-emerging-shellcode,ET-emerging-sql,ET-emerging-trojan,ET-emerging-voip,ET-emerging-web_client,ET-emerging-worm
    BlockCategories=ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-drop,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-exploit,ET-emerging-malware,ET-emerging-netbios
    status=enabled

Yes, you can use yum downgrade but it will have no effect on your problems.

We could find a way, but it’s quite difficult at the firewall level because you also need to bypass established connections.
If you want to add exceptions, the simplest way is to hack the Suricata rules. :wink:

The traffic between LAN hosts doesn’t flow through the gateway, therefore it can’t be affected.


(Filippo Carletti) #29

Please see this other thread:

The Deleted category is for rules that should not be used.
Please, review the manual:
http://docs.nethserver.org/en/v7/suricata.html


(Pasquale Inglese) #30

@filippo_carletti, @giacomo thanks for the clarifications and sorry for my insistence.

Now it is clear to me what a correct set of rules for the production environment is.

Perhaps the old set of rules I had before the update was less restrictive, and even with all of them set to Block it didn’t create the problems listed above.


(Joel Clendineng) #31

My Alerts: Deleted, Trojan, Shellcode, Policy, TFTP; all the rest are Block.

Deleted are rules that have been deleted (pretty self explanatory), Trojan was blocking amazon prime video, shellcode blocks centos repos, so blocking nethserver updates, policy blocks nextcloud desktop app, and I am currently fixing a bricked router and need tftp to communicate :smiley:

New rules, new policies on implementing them. I like suricata 4 upgrade.


(Federico Ballarini) #32

Applying these rules everything works fine, thanks to all.


(Juan Carlos Fernandez) #33

Great post, could someone tell me how can I set the rules using the CLI?

I found that I can see Suricata current configuration with this:
db configuration show suricata or config show suricata

I think suricata configuration can be set using this command:
db configuration setprop suricata ...

But I don’t know exactly how. Could someone please aid me?


(Filippo Carletti) #34

Straight from “private” nethesis knowledge base:

config setprop suricata AlertCategories ET-emerging-current_events,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-info,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-p2p,ET-emerging-scan,ET-emerging-shellcode,ET-emerging-sql,ET-emerging-worm BlockCategories ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-drop,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-dos,ET-emerging-exploit,ET-emerging-malware,ET-emerging-netbios,ET-emerging-trojan


(Juan Carlos Fernandez) #35

Thanks @filippo_carletti, I have read though that after changing a configuration one must fire up an event to make the system aware of it.

Like when you change a network interface, one must fire up signal-event interface-update. Does this also apply here?


(Filippo Carletti) #36

Most database modifications have to be followed by an event to apply the settings.
Yours is nethserver-suricata-save
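The thread's advice comes down to three things: read the dropped lines in the log (post #25), block only the categories that matter (post #28), and store the tuned lists with `config setprop` followed by the `nethserver-suricata-save` event (posts #34 and #36). The following script, added here as an example and not code from the thread or from NethServer, ties those steps together: it parses Suricata fast.log lines, aggregates drops per rule category, flags blocked categories that only ever drop low-priority traffic (or belong to the deleted set, which should not be used at all), and builds the two commands that move them from Block to Alert. The mapping from the "ET <CATEGORY>" message prefix to a NethServer category name such as `ET-emerging-trojan`, the SIDs 9000001/9000002 and the TEST-NET addresses in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Suricata fast.log line format. The leading "[Drop]"/"[wDrop]" is only present
# in IPS mode; the "[**]" separators are matched loosely because pasting the log
# into a forum strips the asterisks (the log above shows them as "[]").
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[[^\]]*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[[^\]]*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample: the first four lines are copied from the log posted in the
# thread; the last two are made up (TEST-NET addresses, SIDs 9000001/9000002 are
# not real ET rules) to show a blocked TROJAN hit and an alert-only POLICY hit.
SAMPLE_LOG = """\
01/15/2018-09:24:05.005962 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36478
01/15/2018-09:24:05.606746 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.106.86.135:443 -> 192.168.1.2:33380
01/15/2018-09:24:06.177960 [Drop] [] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.217.23.78:80 -> 192.168.8.251:9130
01/15/2018-09:24:07.248673 [Drop] [] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 89.238.68.201:80 -> 192.168.1.2:34776
01/15/2018-09:30:00.000000  [Drop] [**] [1:9000001:1] ET TROJAN Constructed sample signature [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.9:443 -> 192.168.1.2:50000
01/15/2018-09:31:00.000000  [**] [1:9000002:1] ET POLICY Constructed sample signature [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.2:50001 -> 198.51.100.7:80
"""


def parse_line(line):
    """Parse one fast.log line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"] or "Alert"  # no action field means alert-only
    ev["sid"], ev["prio"] = int(ev["sid"]), int(ev["prio"])
    # ET rule messages start with "ET <CATEGORY>"; map that to the NethServer
    # category name used in the thread's config ("ET TROJAN" -> "ET-emerging-trojan").
    # Assumption: DELETED, POLICY and the rest follow the same naming scheme.
    words = ev["msg"].split()
    ev["category"] = ("ET-emerging-" + words[1].lower()) if len(words) > 1 and words[0] == "ET" else "unknown"
    ev["dst_host"] = ev["dst"].rsplit(":", 1)[0]  # strip the port
    return ev


def summarize(log_text):
    """Per category: dropped vs alerted lines, rule SIDs seen, destination hosts
    whose packets were dropped, and the rule priorities seen."""
    summary = defaultdict(lambda: {"drops": 0, "alerts": 0, "sids": set(),
                                   "hosts": set(), "priorities": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = summary[ev["category"]]
        s["sids"].add(ev["sid"])
        s["priorities"].add(ev["prio"])
        if ev["action"] == "Alert":
            s["alerts"] += 1
        else:
            s["drops"] += 1
            s["hosts"].add(ev["dst_host"])
    return dict(summary)


def categories_to_review(summary, block_categories):
    """Heuristic: blocked categories worth moving to Alert. The deleted set is
    flagged outright (the thread says those rules should not be used); any other
    blocked category is flagged when every drop it produced came from priority-3
    rules, i.e. nothing Suricata itself rates as serious."""
    flagged = []
    for cat in block_categories:
        s = summary.get(cat)
        if s is None or s["drops"] == 0:
            continue
        if cat == "ET-emerging-deleted" or s["priorities"] <= {3}:
            flagged.append(cat)
    return flagged


def retune_commands(alert_categories, block_categories, to_review):
    """Move the flagged categories from Block to Alert and return the two
    NethServer commands quoted in the thread: 'config setprop' to store the new
    lists, then the nethserver-suricata-save event to apply them."""
    block = [c for c in block_categories if c not in to_review]
    alert = list(alert_categories) + [c for c in to_review if c not in alert_categories]
    if set(alert) & set(block):
        raise ValueError("a category cannot be in both AlertCategories and BlockCategories")
    return [
        "config setprop suricata AlertCategories %s BlockCategories %s" % (",".join(alert), ",".join(block)),
        "signal-event nethserver-suricata-save",
    ]


if __name__ == "__main__":
    # Constructed lists: a small Alert set plus a Block set that, as in the posts
    # above, wrongly includes the deleted category.
    alert = ["ET-emerging-current_events", "ET-emerging-policy"]
    block = ["ET-botcc", "ET-emerging-deleted", "ET-emerging-trojan"]
    summary = summarize(SAMPLE_LOG)
    for cat, s in sorted(summary.items()):
        print("%-22s drops=%d alerts=%d sids=%s hosts=%s" % (
            cat, s["drops"], s["alerts"], sorted(s["sids"]), sorted(s["hosts"])))
    for cmd in retune_commands(alert, block, categories_to_review(summary, block)):
        print(cmd)
```

Run it against a real `/var/log/suricata/fast.log` by replacing `SAMPLE_LOG` with the file contents; the printed `config setprop` line is only a proposal to read over before running it, and the event must follow it or the new lists are stored but not applied. The priority heuristic is deliberately conservative: a category such as Trojan keeps its Block setting as long as it produced at least one high-priority drop, so a hit like the one on community.nethserver.org discussed later in the thread still has to be investigated by hand (for example in Evebox) rather than tuned away.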


(Juan Carlos Fernandez) #37

Again, thanks @filippo_carletti. One more thing: is there a way to get notified by email when a category set to Alert gets a new event?


(Juan Carlos Fernandez) #38

@filippo_carletti you said in here this:

The trojan category should NOT be set to Block.

However, here you suggest I use a setup that blocks ET-emerging-trojan. I was struggling because after I enabled Suricata with your configuration, I was unable to connect to community.nethserver.org (159.65.189.64). Using dig community.nethserver.org I got this IP, 159.65.189.64, and using Evebox I found a DROP on that IP falling into the ET TROJAN [PTsecurity] pkt checker 0 signature. I'm going to follow your advice about not setting the Trojan category to BLOCK, but this event got my attention anyway. How can I be sure this is just a false positive, and how can I report it?


(Ralph) #39

In a new installation (NS 7.5) network connections only work if all categories are set to Alert. As soon as I set any category like Trojan or whatever to Block, the network stops.
Does that mean that Suricata is useless in NS?


(Markus Neuberger) #40

I tried it now and can’t reproduce. I blocked Attack Response, Chat and FTP and network is still working.
Which categories did you use?


(Ralph) #41

With all categories out, just Trojan on Alert it works.
Trojan set to Block network stops.
Okay, I can block Attack Response, too. Chat and FTP shall remain open. But Trojan being one of the most dangerous attacks cannot be blocked without paralyzing the network.


(Markus Neuberger) #42

It may be blocked because of a DNS query to an external server instead of an internal one from LAN IIRC but I have to recheck…

EDIT:

I don’t have these et trojan entries, you may use evebox to check why it is blocking.