Messages - Retired Miner

#1
Giving this more thought, I'd only want to alert when windowsupdate.com is in the URL. All other values drop or block.

Need to figure out how to do that.
#2
I see two Emerging Threat alerts each time I ask windows to check for updates:

ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP

The alerts always have some long string ending with windowsupdate.com in the "http url" field.

I don't get why there is a detection rule on this.

Suricata doesn't know when a windows host requests an update (I presume) and so cannot detect a legit incoming windows update from a real threat. Other than seeing the entry in the threat log and deducing it's ok based on how frequently it's in there and the time of day, what more should one do when seeing these alerts?
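
Added example (not from this thread or from the OPNsense/Suricata projects) of the triage the post above asks about: a small Python script that reads Suricata eve.json alert lines and separates the two ET signatures named above when the HTTP host really is a windowsupdate.com name from every other hit, which gets escalated. The field names (`event_type`, `alert.signature`, `http.hostname`, `http.url`) are Suricata's EVE JSON fields; the sample records are constructed, not captured. The point worth noting is that "windowsupdate.com in the URL" is checked on a label boundary of the host name, not as a bare substring, so a look-alike such as `windowsupdate.com.example` is not treated as expected.

```python
"""Triage Suricata eve.json alerts for expected Windows Update traffic.

Added example, not code from the forum thread.  Records in SAMPLE_EVE are
constructed for illustration; field names follow Suricata's EVE JSON output.
"""
import json
from urllib.parse import urlsplit

# The two signatures the post describes firing on Windows Update checks.
EXPECTED_SIGNATURES = {
    "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response",
    "ET POLICY PE EXE or DLL Windows file download HTTP",
}

# Hosts for which those signatures are considered expected.  Matched on a
# label boundary (host == suffix or host ends with "." + suffix), never as a
# plain substring of the URL.
ALLOWED_SUFFIXES = ("windowsupdate.com",)

# Constructed eve.json lines (not real captures).  Record 3 carries a
# look-alike host, record 4 has a dotted-quad host and no hostname field,
# and record 5 is not an alert at all.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "alert", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.10",
     "alert": {"signature": "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response", "action": "allowed"},
     "http": {"hostname": "download.windowsupdate.com", "url": "/d/msdownload/update/x.cab"}},
    {"event_type": "alert", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.11",
     "alert": {"signature": "ET POLICY PE EXE or DLL Windows file download HTTP", "action": "allowed"},
     "http": {"hostname": "au.download.windowsupdate.com", "url": "/c/msdownload/update/y.exe"}},
    {"event_type": "alert", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.12",
     "alert": {"signature": "ET POLICY PE EXE or DLL Windows file download HTTP", "action": "allowed"},
     "http": {"hostname": "windowsupdate.com.example", "url": "/update.exe"}},
    {"event_type": "alert", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.10",
     "alert": {"signature": "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response", "action": "allowed"},
     "http": {"url": "http://192.0.2.10/setup.exe"}},
    {"event_type": "http", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.10",
     "http": {"hostname": "download.windowsupdate.com", "url": "/"}},
])


def host_of(record):
    """Return the normalised HTTP host of an EVE record ("" if none).

    Prefers http.hostname; falls back to the host part of http.url when the
    URL is absolute.
    """
    http = record.get("http", {})
    host = http.get("hostname") or (urlsplit(http.get("url", "")).hostname or "")
    return host.lower().rstrip(".")


def host_allowed(host, suffixes=ALLOWED_SUFFIXES):
    """True only when host is exactly a suffix or a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_lines(text):
    """Split eve.json alert lines into (expected, escalate) lists of (signature, host)."""
    expected, escalate = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # http, dns, flow, ... records are not alerts
        sig = rec["alert"]["signature"]
        host = host_of(rec)
        if sig in EXPECTED_SIGNATURES and host_allowed(host):
            expected.append((sig, host))
        else:
            escalate.append((sig, host))
    return expected, escalate


def triage_sample():
    """Run the triage over the constructed sample."""
    return triage_lines(SAMPLE_EVE)


if __name__ == "__main__":
    exp, esc = triage_sample()
    print("expected:")
    for sig, host in exp:
        print(f"  {host}  <- {sig}")
    print("escalate:")
    for sig, host in esc:
        print(f"  {host}  <- {sig}")
```

Run it against a real eve.json (for example `triage_lines(open("/var/log/suricata/eve.json").read())`) to see which of these two signatures fire outside Windows Update hosts. It only sorts log records after the fact; whether a rule alerts or drops is still decided by the rule action and IPS mode in Suricata itself, as discussed in the later posts.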

#3
Quote from: Fright on December 26, 2023, 05:46:05 PM
1. Alerts
2. Alerts
3. Drops
Thanks.

I now see where this is stated in the documentation, here, this statement for IPS Mode:
Quote: When enabled, the system can drop suspicious packets. In order for this to work, your network card needs to support netmap. The action for a rule needs to be "drop" in order to discard the packet, this can be configured per rule or ruleset (using an input filter).

That all rule sets and rules download with Alert, none with Drop, is what was confusing.
#4
I'm old and slow on some of these points.  Let me ask again:

When Intrusion Detection Enabled and IPS mode=Disabled:
1. What does a rule with Action = Drop do?

When Intrusion Detection Enabled and IPS mode=Enabled:
2. What does a rule with Action = Alert do?
3. What does a rule with Action = Drop do?

Extra credit:
4. Is there a way (an easy way) to test any of these cases?  I already have done the eicar test file with the eicar test rule.

#5
Main question: What purpose does enabling the "IPS Mode" setting serve when all rules (that I am able to download) default to alert?

And, to add to my confusion:

  • If I change (via a policy) some rules to have action = drop (per here), do I also need IPS mode to be enabled? Or will the drop also occur in IDS mode? I can't test any of this and I cannot find a clear answer in the documents.
  • Does IPS mode somehow override all "drop" actions and make them "block"?
  • Is there a precedence, IPS mode over Action = Block?

Some background (call it my 'dumb user' use case):
I followed the instructions at 25:16 to 29:25 in this video. I understand that things have changed since Oct 2020. Specifically the "Enable (drop filter)" button is no longer present where you download rules, replaced with a menu entry for Policy where you can set a policy affecting any number of rules, all of which is good because it seems to give much greater granularity. 

However, every rule I can get -- all the base rules plus the etpro-telemetry via the plugin + a free token -- all 113,685 of them -- is created with action = alert. None (as in zero) get created with action = block. Is this correct? If it is correct, and if IPS mode does not override any action = alert, then ... I'm very confused about how everything (rules, newly downloaded rules, and IPS mode) is intended to work together.