OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Adam on April 12, 2019, 08:40:37 am

Title: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
Post by: Adam on April 12, 2019, 08:40:37 am
Hello,

after I configured the Intrusion Detection in OPNsense, I wanted to know whether the system is doing what it should do. So I looked in the URLhaus database https://urlhaus.abuse.ch/browse/ for malware URLs to test my configuration. Surprisingly, it didn't block some of the malware URLs. I tried the same with the rules that are listed in the Rules tab under Services: Intrusion Detection: Administration. I arbitrarily chose a rule, and here too not all downloadable files got blocked.

Here are two examples: the first one has Signature Id 80863915 and the second Signature Id is 80874829.
- The URL http://ajansred.com/audio/image.ico from the first rule got blocked as expected.
- The URL https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-278-1/1dd5709c6955b3627c0ef0171519dd38.zip from the second rule didn't get blocked. These are only two examples; there are several more that the system lets pass without blocking. Not even a log entry is made.

The second thing I found out was that in the Rule configuration tab around 340 rules were not set to Block, even though all rulesets are configured to drop. There are no errors or warnings in the log, and the system in general is running really fine. I'm running version 19.1.4 and the Suricata version is 4.1.3. No special configuration was made, nor are a lot of packages running. Just the Firewall, Proxy, Unbound and Intrusion Detection. The rulesets I enabled are only the four from abuse.ch. The rulesets are also up to date and enabled.

Can someone confirm what I found out on my system, or is it just the behavior of my machine?

Regards
Adam
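One way to check the point about rules that were not set to drop, as an added example that is not from the original post or from OPNsense: a small Python parser over an installed Suricata rules file that records each enabled rule's action and sid and lists the sids whose action is still alert rather than drop. The rule lines below are constructed samples (placeholder sids, not the ones quoted above); on a real system you would feed it the text of the installed rules file instead.

```python
import re

# Constructed sample of installed Suricata rule lines (not a real ruleset):
# one rule is left as "alert" although the ruleset was configured to drop.
SAMPLE_RULES = """\
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus example A"; flow:established,to_server; content:"/audio/image.ico"; http_uri; sid:80000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus example B"; flow:established,to_server; content:"/publicDatasets/"; http_uri; sid:80000002; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled rule"; content:"/old"; http_uri; sid:80000009; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus example C"; content:"/evil.zip"; http_uri; sid:80000003; rev:2;)
"""

# Rule header: action, protocol, then everything up to the option block in parentheses.
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.*?\(\s*(?P<opts>.*)\)\s*$')


def parse_rules(text):
    """Return a list of (action, proto, sid, msg) for every enabled rule line.

    Blank lines and '#'-commented (disabled) rules are skipped, as Suricata does.
    """
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line we understand; ignore rather than guess
        opts = m.group('opts')
        sid = re.search(r'sid:\s*(\d+)', opts)
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        rules.append((m.group('action'), m.group('proto'),
                      int(sid.group(1)) if sid else None,
                      msg.group(1) if msg else ''))
    return rules


def non_drop_rules(text):
    """Sids of enabled rules whose action is not 'drop' (i.e. they only alert)."""
    return [sid for action, _, sid, _ in parse_rules(text) if action != 'drop']


def summarize(text):
    """Count enabled rules per action, e.g. {'drop': 2, 'alert': 1}."""
    counts = {}
    for action, *_ in parse_rules(text):
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == '__main__':
    print(summarize(SAMPLE_RULES))
    print('not set to drop:', non_drop_rules(SAMPLE_RULES))
```

To audit a real installation, read the rules file into a string and pass it to `non_drop_rules` and `summarize` in place of `SAMPLE_RULES`.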
Title: Re: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
Post by: mayo on April 12, 2019, 09:30:37 am
Same for me...
Title: Re: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
Post by: DougD on May 02, 2019, 07:18:33 pm
Hey guys, is this still an issue for you? I was experiencing the same symptoms when trying a test of Suricata using the first example you posted, "http://ajansred.com/audio/image.ico", and not seeing a block or even a log entry, so I ended up removing my Snort plugin for the SVT rules and my oink code from Suricata along with the Snort detections, and when I tried the test again it was blocked in Suricata as expected. I have been back and forth from pfSense to OPNsense, and even though I really like OPNsense more, I need a solid and reliable intrusion detection system and one I fully trust.

I plan on turning the Snort plugin back on, adding back the Snort rules, and seeing if Suricata still works.

Thanks. Doug