WSUS and IPS, port range

firewall
ips
v7

(Federico Ballarini) #1

NethServer Version: 7
Module: IPS

My WSUS server is blocked on download by IPS, but I can’t understand which category is blocking it. Can anyone help me?

And I have a second question… how can I open a port range in my firewall rules? I can’t find it in the docs.
Thanks.


(Joel Clendineng) #2

Go to evebox, or your logs; it will tell you which category.

  1. Go to “Firewall Objects”
  2. “Services”
  3. “Create New”
  4. Set a name and port(s); if more than 1, separate them with a “,” (1, 233, 22, etc.)
  5. Go back to “Firewall Rules”
  6. Add a new rule using the “Object” (set of ports) you just created.

(Federico Ballarini) #3

I need to open from 5000 to 6000, for example. Is it possible?


(Joel Clendineng) #4

May I ask why? That’s 1000 ports that probably do not all need to be opened. But no, there is no way from the GUI to do this except to do 5000,5001,5002,5003,5004…etc. You can do this through the CLI, but again I ask why; it’s never a good idea to open up so many ports :smiley:


(Federico Ballarini) #5

For Skype to work correctly, the following ports need to be open in your firewall:

443/TCP
3478-3481/UDP
49152-65535/UDP + TCP

(Joel Clendineng) #6

You do not need to open ports to use Skype…

Edit: Skype would use ports on your computer, not ports on the gateway.


(Federico Ballarini) #7

Ah ok, perfect, thanks…
And about Windows Update and IPS, can you give me some news?


(Joel Clendineng) #8

IPS does not block Windows Update. It’s something else. Make sure the “Policy” category is set to “Alert”, not “Block”, because that may block some things. I doubt it would block Windows Update, but make sure it is set to “Alert”.


(Federico Ballarini) #9

Yes, it’s on alert.


(Joel Clendineng) #10

What happens when you try to search for Windows updates?


(Markus Neuberger) #11

It’s the POLICY category as @Jclendineng already pointed out:


(Joel Clendineng) #12

I had him make sure “Policy” was “Alert” max; it’s not blocking. I run Policy on alert as well for the same reason: it blocks updates/yum/my Nextcloud??


(Federico Ballarini) #13

My problem is with Windows Server Update Services… it downloads files from a Microsoft server and clients on my LAN download updates from my server, but when IPS is on, the server can’t finish downloading files.


(Joel Clendineng) #14

I understand that, but the issue is still the same: it seems like Policy is blocking it, but it’s not. Go to /var/log/suricata and post the contents of eve.json, fast.log and suricata.log; if they are really big, just post the relevant part. Use this and post the link.

Edit: use https://winscp.net/download/WinSCP-5.11.3-Setup.exe as an SSH file manager if you do not have one already, or if you are comfortable with SSH, use PuTTY or another program to SSH in and get the logs.

https://gist.github.com/


(Markus Neuberger) #15

I am afraid POLICY may also block Windows updates or WSUS, but I didn’t try; just set it to alert instead of block…

[root@server ~]# cat /etc/suricata/rules/ET-emerging-policy.rules | grep microsoft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"SOGOU_UPDATER"; nocase; http_user_agent; depth:13; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; content:" MSIE 5."; http_user_agent; fast_pattern; nocase; content:!".microsoft.com"; http_host; isdataat:!1,relative; content:!".trendmicro.com"; http_host; isdataat:!1,relative; content:!".sony.net"; http_host; isdataat:!1,relative; content:!".weather.com"; http_host; isdataat:!1,relative; content:!".yahoo.com"; http_host; isdataat:!1,relative; content:!".dellfix.com"; http_host; isdataat:!1,relative; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:12; metadata:created_at 2013_05_20, updated_at 2013_05_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:to_server,established; content:"MSDW"; depth:4; http_user_agent; content:"Host|3a 20|watson.microsoft.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018170; rev:4; metadata:created_at 2014_02_24, updated_at 2014_02_24;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:3; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

(Joel Clendineng) #16

It’s possible to modify the policy file; I’ll test some things this afternoon. He already set it to alert and it is still blocking; maybe we can see the logs and figure it out.


(Markus Neuberger) #17

I am afraid changed policy files may be overwritten on next update…

Possible Suricata problem rules:

[root@server rules]# grep -ioRl "microsoft.com"
ET-emerging-activex.rules
ET-emerging-current_events.rules
ET-emerging-dos.rules
ET-emerging-exploit.rules
ET-emerging-info.rules
ET-emerging-malware.rules
ET-emerging-netbios.rules
ET-emerging-p2p.rules
ET-emerging-policy.rules
ET-emerging-trojan.rules
ET-emerging-user_agents.rules
ET-emerging-web_client.rules
ET-emerging-web_server.rules
ET-emerging-worm.rules

(Federico Ballarini) #18

(Joel Clendineng) #19

They are overwritten; I would still like to try it :smiley:


(Joel Clendineng) #20

Ok:
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 13.107.4.50:80 -> 192.168.8.4:64788

There is the issue; it is Policy. Go back to IPS and double-check Policy, go ahead and disable it, and make sure to click Submit.
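The thread's central question was which IPS category was blocking the WSUS download, and the answer came from a single fast.log line. The following script is an added example (not part of this thread or of NethServer): it parses Suricata fast.log lines, pulls the ET category out of the rule message, and groups the rules that fired for one host so you can see which category to switch from Block to Alert. The sample log embeds the line posted above plus constructed lines; the 203.0.113.10 address and sid 9999999 are placeholders.

```python
import re
from collections import defaultdict

# Suricata fast.log line: the timestamp and leading "[**]" are optional here because
# forum pastes (like the one in post #20 above) often omit them.
FAST_LOG_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log line, or None if the line does not match."""
    m = FAST_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # ET rule messages start with "ET <CATEGORY> ...": that category is the one the
    # NethServer IPS page lets you switch between Alert and Block.
    words = rec["msg"].split()
    rec["category"] = words[1] if len(words) > 1 and words[0] == "ET" else "UNKNOWN"
    rec["sid"], rec["priority"] = int(rec["sid"]), int(rec["priority"])
    return rec

def alerts_for_host(lines, host):
    """Group alerts where `host` is source or destination: {category: {sid: msg}}."""
    by_cat = defaultdict(dict)
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None or host not in (rec["src"], rec["dst"]):
            continue
        by_cat[rec["category"]][rec["sid"]] = rec["msg"]
    return dict(by_cat)

# Constructed sample log: line 1 is the entry posted in this thread, the rest are
# made up for illustration (sid 2018170 is a real ET POLICY rule listed above;
# sid 9999999 and 203.0.113.10 are placeholders, not a real rule or host).
SAMPLE_FAST_LOG = """\
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 13.107.4.50:80 -> 192.168.8.4:64788
03/21/2018-09:14:02.118330  [**] [1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 13.107.4.50:80 -> 192.168.8.4:64791
03/21/2018-09:14:05.771204  [**] [1:2018170:4] ET POLICY Application Crash Report Sent to Microsoft [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.8.4:51022 -> 203.0.113.10:80
03/21/2018-09:15:11.004917  [**] [1:9999999:1] ET INFO Constructed sample alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.8.20:5353 -> 192.168.8.255:5353
""".splitlines()

if __name__ == "__main__":
    for category, sids in alerts_for_host(SAMPLE_FAST_LOG, "192.168.8.4").items():
        print(f"{category}: {len(sids)} distinct rule(s)")
        for sid, msg in sorted(sids.items()):
            print(f"  sid {sid}: {msg}")
```

Run it against the real file with `alerts_for_host(open("/var/log/suricata/fast.log"), "<wsus-server-ip>")` to list only the categories that fired for the WSUS host.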