Messages

1

Intrusion Detection and Prevention / Re: Talos_LightSPD.tar.gz and snortrules-snapshot-31470.tar.gz

« on: June 26, 2024, 10:12:44 pm »

So your Windows AV product flags these files? How is this OPNsense related?

Given that such files drive how ids and ips services in opnsense will respond to threats,

And they are updated frequently, one must make sure  protector is not the devil

2

Intrusion Detection and Prevention / Talos_LightSPD.tar.gz and snortrules-snapshot-31470.tar.gz

« on: June 26, 2024, 09:35:51 pm »

Talos_LightSPD.tar.gz and snortrules-snapshot-31470.tar.gz and snortrules-snapshot-29151.tar.gz

When I download above files on windows machine they show as virus files.

Kindly help.

(source of files: https://www.snort.org/downloads)

3

Intrusion Detection and Prevention / Suricata > IDS/IPS >Policies > bind policy to set of domain names [whatsapp]

« on: June 23, 2024, 02:53:20 am »

I have IDS/IPS enabled with default and snort rule sets.
Assume that I have a policy which makes many signature ids which are alert only signature as drop.

Now that say I have a signature assumed number "123456" which says drop such traffic.

But for only specific set of domain names (either on receiving side or on caller side), do not drop traffic for signature "123456". Just alert only.


Is there a way to drive behavior of a rule based on set of domain names.


Real world scenario, why I posted above message: whatsapp being blocked on iPhone


I have "trojan-activity" class of ruleset marked for drop.
This makes whatsapp video and audio calls to not work.
Below rules complain:

2009205  : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206  : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207  : ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208  : ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)

Details (sampling):

Timestamp 2024-06-22T18:32:13.458996+0000
Alert ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
Alert sid 2009208
Protocol UDP
Source IP local ip of the iPhone
Destination IP 31.13.70.48
Source port 61200
Destination port 3478
Interface lan
Configured action  Enabled


Timestamp 2024-06-22T18:31:33.751463+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
Alert sid 2009207
Protocol UDP
Source IP local ip of the iPhone
Destination IP 157.240.249.62
Source port 61200
Destination port 3478
Interface lan

Timestamp 2024-06-22T18:31:33.752484+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
Alert sid 2009206
Protocol UDP
Source IP local ip of the iPhone
Destination IP 157.240.249.62
Source port 61200
Destination port 3478
Interface lan
Configured action  Enabled




Timestamp 2024-06-22T18:32:13.458243+0000
Alert ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
Alert sid 2009205
Protocol UDP
Source IP 192.168.52.14
Destination IP 157.240.26.52
Source port 61200
Destination port 3478
Interface lan


Unique destination ips in the numerous alerts:

157.240.241.62, 31.13.70.48, 157.240.3.52, 157.240.249.62, 57.144.33.48, 31.13.80.50



Is there a way in surricata service, to whitelist specific sids of the rules for specific ips or set of ips or  domain names.