IPS Network Problem

With all categories out and just Trojan on Alert, it works.
With Trojan set to Block, the network stops.
Okay, I can block Attack Response, too. Chat and FTP shall remain open. But Trojan, being one of the most dangerous attacks, cannot be blocked without paralyzing the network.

It may be blocked because of a DNS query to an external server instead of an internal one from LAN IIRC but I have to recheck…

EDIT:

I don’t have these et trojan entries, you may use evebox to check why it is blocking.

Nope, Suricata does not work correctly. Blocking Malware or Trojans leads to TLS Handshake problems which make sites like leo.org unreachable. And evebox keeps loading in a loop without reporting anything.
I deactivated Suricata now but that is not a solution.

It really seems like the suricata/evebox installation does not work correctly. Does your server have enough RAM?
We have to find out why evebox does not work and why suricata blocks in an extreme way:
Are there any relevant errors in /var/log/messages or /var/log/suricata/*? The logs will show what suricata blocked.
Did you already try to remove and reinstall suricata/evebox?

The server has plenty of RAM.
The file suricata.log repeatedly spits out the warnings
- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2011124, gid 1: unknown rule
and
- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2022913, gid 1: unknown rule
Okay, I’ll give it a try and will remove suricata/evebox.

The removal and reinstallation of suricata/evebox did not change anything. But I found out something else that is strange:
There are two machines using the NS firewall as gateway, a Windows 10 PC and a Linux/Ubuntu client VM.
From the Windows PC it works, from the Linux desktop the TLS handshake is blocked. So, it's not a matter of Suricata but of the virtualization. Unfortunately I have no idea where to search.


Please also check /var/log/suricata/fast.log, it should show at least source and destination of the blocked event (looks like 1.2.3.4:1234 -> 4.3.2.1:4321)

Now I see in Evebox Events that traffic to the ports 443 and 3000 is dropped, flags ACK,PSH. But it does not tell me why and by which rule. What do the flags mean?

What about source and destination?

TCP Flags:

Source is an internal PC, destination is the bank Sparkasse (for port 3000 / HBCI).
The JSON analysis gives me this:
    "_id": "31274",
    "_source": {
      "alert": {
        "action": "blocked",
        "category": "A Network Trojan was detected",
        "gid": 1,
        "rev": 1,
        "severity": 1,
        "signature": "ET TROJAN [PTsecurity] pkt checker 0",
        "signature_id": 2024694
Is there a way to exclude specific ports from the trojan rule?
If not I can only use it set to Warning instead of Blocked.
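One way to pull the rule and the destination port out of every dropped alert in Suricata's eve.json, so the "why and by which rule" question can be answered without Evebox. This is an added example, not code from this thread or from Suricata; the records are constructed to mirror the fields in the JSON above, and the addresses and ports are placeholders.

```python
"""Summarise blocked Suricata alerts from eve.json by rule and destination port."""
import json
from collections import Counter

TROJAN_SIG = "ET TROJAN [PTsecurity] pkt checker 0"   # signature quoted in the thread


def _event(action, sid, sig, dest_port, event_type="alert"):
    """Build one constructed eve.json record (placeholder addresses, not real traffic)."""
    ev = {"timestamp": "2020-01-01T10:00:00.000000+0100", "event_type": event_type,
          "src_ip": "192.168.1.20", "src_port": 49152, "dest_ip": "198.51.100.10",
          "dest_port": dest_port, "proto": "TCP"}
    if event_type == "alert":
        ev["alert"] = {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                       "signature": sig, "category": "A Network Trojan was detected",
                       "severity": 1}
    return ev


# Constructed sample log: three drops by the trojan rule, one alert-only hit, one flow record.
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    _event("blocked", 2024694, TROJAN_SIG, 3000),
    _event("blocked", 2024694, TROJAN_SIG, 443),
    _event("blocked", 2024694, TROJAN_SIG, 3000),
    _event("allowed", 9000001, "LOCAL constructed alert-only rule", 443),
    _event(None, None, None, 443, event_type="flow"),   # non-alert record, skipped
])


def blocked_alerts(lines):
    """Yield (sid, signature, src, dst) for every alert record whose action was 'blocked'."""
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"].get("action") != "blocked":
            continue
        yield (ev["alert"]["signature_id"], ev["alert"]["signature"],
               f"{ev['src_ip']}:{ev['src_port']}", f"{ev['dest_ip']}:{ev['dest_port']}")


def drops_by_rule_and_port(lines):
    """Count drops per (sid, signature, dest_port): shows which rule hits which service."""
    counts = Counter()
    for sid, sig, _src, dst in blocked_alerts(lines):
        counts[(sid, sig, int(dst.rsplit(":", 1)[1]))] += 1
    return counts


if __name__ == "__main__":
    # On a live box, feed the real log instead: python3 this.py < /var/log/suricata/eve.json
    import sys
    source = SAMPLE_EVE.splitlines() if sys.stdin.isatty() else sys.stdin
    for (sid, sig, port), n in drops_by_rule_and_port(source).most_common():
        print(f"{n:4d}  sid {sid}  dest_port {port}  {sig}")
```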

I am afraid it’s not easily possible:

You can exclude IPS for ip/ports, not only some rules.

The Trojan category should not be set to block, only to alert. It's intended to reveal installed trojans, not to stop them.


Where is that?

Thanks for the clarification.