Current setup:
o IDS/IPS (Suricata) is configured with "Enable eve syslog output."
o The firewall is configured to send syslog to a remote syslog server.
o The syslog server (Graylog in our case) is configured to email the admins when certain alerts meet certain conditions.
What I want to do:
o Set up a cron job on a machine behind the firewall that occasionally does _something_ that triggers a Suricata alert that Graylog can match on to satisfy a "proof of life" condition. If that condition is not met, Graylog can send an email to alert the admins that they may not be receiving IDS/IPS alerts like they are expecting. (And/or have Graylog email the admins occasionally saying the condition is being met.)
So... is there a standard, innocuous event I can trigger that would cause Suricata to alert? I was thinking something like trying to download EICAR or something. (If I go with EICAR, what ET list would that event be in? Malware?)
I'm open to feedback on further improving the whole system too if people have thoughts. Thanks.
Quote from: JohnDoe17 on February 16, 2022, 08:41:25 PM
So... is there a standard, innocuous event I can trigger that would cause Suricata to alert? I was thinking something like trying to download EICAR or something. (If I go with EICAR, what ET list would that event be in? Malware?)
EICAR is in the OPNsense-App-detect/test ruleset. Make sure to download from an unencrypted HTTP connection.
Alas, EICAR no longer provides a download through an unencrypted connection. This is what they say on their site: "Sorry, HTTP downoad ist temporarily not provided." - unfortunately it has been unavailable for some time now.
Does anyone know of an alternative external "test" source?
I know you could use your own custom crafted rule.
BTW: to detect the presence of unencrypted EICAR you need the ruleset "OPNsense-App-detect/test"
Quote from: sja1440 on March 09, 2022, 09:16:08 AM
Alas, EICAR no longer provides a download through an unencrypted connection. This is what they say on their site: "Sorry, HTTP downoad ist temporarily not provided." - unfortunately it has been unavailable for some time now.
I have been using http://www.eicar.org/download/eicar.com.txt for all my testing.
Indeed you are correct!
Using that direct link, it does download using HTTP and so triggers the test Suricata block.
Many thanks!
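Putting the thread's conclusion together as a runnable sketch (an added example, not code from the thread, OPNsense or Suricata): the cron side fetches the EICAR test file over the plain-HTTP URL above, and the matching side shows the proof-of-life condition Graylog would evaluate, run here over a constructed Suricata eve.json line. Assumptions: the `needle` substring, the placeholder signature name and the sample line are mine; the real rule name in OPNsense-App-detect/test is not given in the thread.

```python
"""Proof-of-life canary for the Suricata -> syslog -> Graylog alert chain:
fetch_canary() is the cron job, check_proof_of_life() the matching side,
applied here to Suricata eve.json lines as an offline stand-in for Graylog."""
import json
import urllib.request
from datetime import datetime, timedelta

# URL given in the thread; plain HTTP so Suricata can inspect the body.
CANARY_URL = "http://www.eicar.org/download/eicar.com.txt"
# Standard EICAR test string, split so this script is not itself flagged by
# endpoint AV when saved to disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed sample eve.json line; the signature text is a placeholder, not
# the real rule name from OPNsense-App-detect/test.
SAMPLE_EVE = ['{"timestamp":"2022-03-09T09:16:08.000000+0100","event_type":"alert",'
              '"alert":{"signature":"TEST EICAR test file download","category":"test"}}']


def is_eicar(body: bytes) -> bool:
    """True when a downloaded body is exactly the EICAR test string."""
    return body.strip() == EICAR.encode()


def fetch_canary(url: str = CANARY_URL, timeout: float = 10.0) -> bool:
    """Cron entry point: fetch the canary over HTTP. Suricata alerts on the
    transfer itself; the return value only tells cron whether the fetch worked."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return is_eicar(resp.read())
    except Exception:  # DNS failure, timeout, HTTP error, or download blocked
        return False


def parse_eve_ts(value: str) -> datetime:
    """Parse a Suricata eve timestamp such as 2022-03-09T09:16:08.123456+0100."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def check_proof_of_life(eve_lines, now, window_minutes=60, needle="eicar"):
    """Graylog-style condition: True if an 'alert' event whose signature
    mentions `needle` was logged within the window ending at `now`; False
    means the alert chain is silent and the admins should be emailed."""
    cutoff = now - timedelta(minutes=window_minutes)
    for line in eve_lines:
        try:
            ev = json.loads(line)
            ts = parse_eve_ts(ev["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated syslog line, non-JSON noise, or no timestamp
        sig = ev.get("alert", {}).get("signature", "").lower()
        if ev.get("event_type") == "alert" and needle in sig and ts >= cutoff:
            return True
    return False
```

A cron entry such as `*/30 * * * * /usr/bin/python3 -c 'import canary; canary.fetch_canary()'` gives Graylog a regular alert to look for; the window in the condition should be a bit longer than the cron interval.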