WSUS and IPS, port range

federico.ballarini · December 15, 2017, 4:10pm

NethServer Version: 7
Module: IPS

My WSUS server is blocked on download by IPS but I can’t understand which category is blocking it? Anyone can help me?

And I have a second question… how can I open a port range in my firewall rules? I can’t find it on the docs.
Thanks.

Jclendineng · December 15, 2017, 4:38pm

Go to evebox, or your logs, it will tell you what category.

Go to “Firewall Objects”
“Services”
“Create New”
Set a name and port(s), if more than 1, separate with a “,” (1, 233, 22, etc)
Go back to “Firewall Rules”
Add a new rule using the “Object” (set of ports) you just created.

federico.ballarini · December 15, 2017, 4:54pm

I need to open from 5000 to 6000 for example. It is possible?

Jclendineng · December 15, 2017, 4:59pm

May I ask why? Thats 1000 ports that probably do not need to all be opened. But no, no way from the GUI to do this except to do 5000,5001,5002,5003,5004…etc. You can do this through CLI but again I ask why, its never a good idea to open up so many ports

federico.ballarini · December 15, 2017, 5:01pm

For Skype to work correctly, the following ports need to be open in your firewall:

443/TCP
3478-3481/UDP
49152-65535/UDP + TCP

Jclendineng · December 15, 2017, 5:01pm

you do not need to open ports to use skype…

Edit: skype would use ports on your computer, not ports on the gateway.

federico.ballarini · December 15, 2017, 5:03pm

ah ok, perfect. thanks…
and about windows update and IPS can you give me some news?

Jclendineng · December 15, 2017, 5:05pm

IPS does not block windows update. Its something else. Make sure “Policy” category is set to “Alert” not “Block” because that may block some things. I doubt it would block windows update but make sure it is set on “Alert”

federico.ballarini · December 15, 2017, 5:07pm

yes, it’s on alert

Jclendineng · December 15, 2017, 5:11pm

What happens when you try and search for windows updates?

mrmarkuz · December 15, 2017, 5:18pm

It’s the POLICY category as @Jclendineng already pointed out:

Jclendineng · December 15, 2017, 5:20pm

I had him make sure “Policy” was “Alert” max, its not blocking. I run Policy on alert as well for the same reason, it blocks updates/yum/my nextcloud??

federico.ballarini · December 15, 2017, 5:21pm

My problem is on Windows Server Update Services… it downloads files from a microsoft server and client of my lan download updates from my server, but when IPS is on the server can’t finish to downlaod files.

Jclendineng · December 15, 2017, 5:25pm

I understand that but the issue is still the same, it seems like policy is blocking it but its not. go to /var/log/suricata and post the contents of eve.json and fast.log and suricata.log, if they are really big just post the relevant part. Use this and post the link.

Edit: use https://winscp.net/download/WinSCP-5.11.3-Setup.exe as a ssh file manager if you do not have one already or if you are comfortable with SSH, use putty or another program to ssh in and get the logs.

https://gist.github.com/

mrmarkuz · December 15, 2017, 5:27pm

I am afraid POLICY may also block windows updates or wsus but I didn’t try, just set it to alert instead of block…

[root@server ~]# cat /etc/suricata/rules/ET-emerging-policy.rules | grep microsoft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"SOGOU_UPDATER"; nocase; http_user_agent; depth:13; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; content:" MSIE 5."; http_user_agent; fast_pattern; nocase; content:!".microsoft.com"; http_host; isdataat:!1,relative; content:!".trendmicro.com"; http_host; isdataat:!1,relative; content:!".sony.net"; http_host; isdataat:!1,relative; content:!".weather.com"; http_host; isdataat:!1,relative; content:!".yahoo.com"; http_host; isdataat:!1,relative; content:!".dellfix.com"; http_host; isdataat:!1,relative; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:12; metadata:created_at 2013_05_20, updated_at 2013_05_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:to_server,established; content:"MSDW"; depth:4; http_user_agent; content:"Host|3a 20|watson.microsoft.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018170; rev:4; metadata:created_at 2014_02_24, updated_at 2014_02_24;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:3; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

Jclendineng · December 15, 2017, 5:30pm

Its possible to modify the policy file, Ill test some things this afternoon. He already set it to alert and it is still blocking, maybe we can see the logs and figure it out.

mrmarkuz · December 15, 2017, 5:39pm

I am afraid changed policy files may be overwritten on next update…

Possible suricata problem rules:

[root@server rules]# grep -ioRl "microsoft.com"
ET-emerging-activex.rules
ET-emerging-current_events.rules
ET-emerging-dos.rules
ET-emerging-exploit.rules
ET-emerging-info.rules
ET-emerging-malware.rules
ET-emerging-netbios.rules
ET-emerging-p2p.rules
ET-emerging-policy.rules
ET-emerging-trojan.rules
ET-emerging-user_agents.rules
ET-emerging-web_client.rules
ET-emerging-web_server.rules
ET-emerging-worm.rules

federico.ballarini · December 15, 2017, 5:40pm

gist.github.com

https://gist.github.com/anonymous/f742a6557cbcf2d16ff090b50d4c2120

eve.json

{"timestamp":"2017-12-15T03:22:06.528874+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":2,"ttl":117,"ipid":21293,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:06.600535+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21399,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:06.710387+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21475,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:06.910388+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21476,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:07.310889+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21480,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:08.110359+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21481,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:09.710805+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21482,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:12.910363+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21486,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:19.310884+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21488,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:44:52.456362+0100","flow_id":560122641323399,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64761,"proto":"TCP","drop":{"len":1492,"tos":2,"ttl":117,"ipid":10714,"tcpseq":4175636607,"tcpack":561001110,"tcpwin":1023,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}

This file has been truncated. show original

fast.log

suricata.log

Jclendineng · December 15, 2017, 5:44pm

They are overwritten, i would still like to try it

Jclendineng · December 15, 2017, 5:46pm

Ok:
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 13.107.4.50:80 -> 192.168.8.4:64788

There is the issue, it is policy. Go back to IPS and double check Policy, go ahead and disable it, and make sure to click Submit.