How can I test my Suricata setup? Say, test URL?

Started by gctwnl, December 14, 2022, 11:06:37 PM

I have Suricata running with ET Telemetry Pro with a couple of rulesets (dshield, emerging-current-events, emerging-imap, emerging-malware, emerging-phishing, emerging-web-client, emerging-web-server — I just checked a few after reading their description somewhere), running on both LAN and WAN. So far so good, it runs. But I am at a loss how I would see the results. Is there a way I can make sure that something is triggered so that I can see it actually detects something?

December 15, 2022, 10:16:31 AM #1 Last Edit: December 15, 2022, 10:21:59 AM by guenti_r
http://testmynids.org/uid/index.html

https://www.snort.org/rule_docs/1-498

Suricata on LAN & WAN is a bit overdose....
LAN should be enough.


Quote from: gctwnl on December 14, 2022, 11:06:37 PM
I have Suricata running with ET Telemetry Pro with a couple of rulesets (dshield, emerging-current-events, emerging-imap, emerging-malware, emerging-phishing, emerging-web-client, emerging-web-server — I just checked a few after reading their description somewhere), running on both LAN and WAN. So far so good, it runs. But I am at a loss how I would see the results. Is there a way I can make sure that something is triggered so that I can see it actually detects something?

This is very simple. Make sure that the OPNsense test rules package is installed: "OPNsense-App-detect/test".
Then you can download e.g. the Eicar testvirus via http:

"http://www.eicar.org/download/eicar.com"
If you then check your alerts, you should find a blocking event and not be able to download the file. Your browser or curl will then run into a timeout.

The Alert in logs:

Alert   OPNsense test eicar virus
Alert sid   7999999
Protocol   TCP
...
...
...
http hostname   www.eicar.org
http url   /download/eicar.com
http user_agent   curl/7.81.0


Payload

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2022 15:47:58 GMT
Server: Apache
Last-Modified: Tue, 03 May 2022 02:00:42 GMT
ETag: "44-5de11e045b581"
Accept-Ranges: bytes
Content-Length: 68

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use
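The check seed describes above (fetch the EICAR file over plain HTTP, expect curl to time out, then look for the "OPNsense test eicar virus" alert with sid 7999999) can be scripted so the outcome is unambiguous. The script below is an added example, not code from the thread or from the OPNsense project. It assumes curl is installed and that Suricata writes EVE JSON to /var/log/suricata/eve.json (override with EVE_LOG=... if your install differs); the URL and sid come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): fetch the EICAR test file over plain HTTP,
# decide from curl's behaviour whether the IPS dropped the flow, then count the
# matching alerts in Suricata's EVE log.
EICAR_URL="http://www.eicar.org/download/eicar.com"   # URL given in the thread (plain HTTP on purpose)
TEST_SID=7999999                                       # sid shown in the alert above
EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"       # assumed default path, override via environment
EICAR_SIG='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'         # substring of the EICAR payload

# classify_result EXIT_CODE FILE -> prints: blocked | delivered | inconclusive
#   curl exit 28 = timed out, 56 = receive failure, 52 = empty reply, 7 = connect failed.
#   From the client side that is what a flow silently dropped by the IPS looks like.
classify_result() {
    rc="$1"; file="$2"
    case "$rc" in
        0)
            if [ -s "$file" ] && grep -qF "$EICAR_SIG" "$file"; then
                echo delivered          # the payload reached the client: nothing blocked it
            else
                echo inconclusive       # HTTP 200 but no EICAR content (redirect page, captive portal...)
            fi ;;
        28|56|52|7) echo blocked ;;
        *) echo inconclusive ;;
    esac
}

# count_test_alerts [EVE_FILE] -> number of alert events carrying the test sid
count_test_alerts() {
    log="${1:-$EVE_LOG}"
    [ -r "$log" ] || { echo 0; return; }
    # [,}] keeps 7999999 from matching a longer sid such as 79999990
    grep -cE "\"signature_id\":${TEST_SID}[,}]" "$log" || true
}

run_check() {
    tmp=$(mktemp) || exit 1
    rc=0
    # --max-time turns a dropped flow into exit code 28 instead of a shell that hangs forever
    curl -sS --max-time 15 -o "$tmp" "$EICAR_URL" || rc=$?
    verdict=$(classify_result "$rc" "$tmp")
    echo "curl exit $rc -> $verdict"
    case "$verdict" in
        blocked)   echo "IPS appears to be dropping the test download." ;;
        delivered) echo "EICAR payload arrived: the test rule is not blocking (check rule package, interface and IPS mode)." ;;
        *)         echo "Could not tell from curl alone; inspect the alert log." ;;
    esac
    echo "alerts with sid $TEST_SID in $EVE_LOG: $(count_test_alerts)"
    rm -f "$tmp"
}

# Only touch the network when asked:  sh eicar_ips_check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it from a LAN client behind the firewall, not on the firewall itself: Suricata on OPNsense inspects traffic crossing the configured interface, and a download started on the box would not take that path. A "blocked" verdict with zero alerts usually means the test rule package is not installed or the alert log path is different from the assumed one.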

Hello everyone.

I want to catch this topic again regarding the testing w/ the eicar test file.

Short introduction to my setup: I've been running OPNsense w/ suricata enabled for a little over a year now. I moved to another home last year and the ISP changed, also from cable to good old DSL. Dialing in was no problem and everything else was left as it was, because running system...
After strange behaviors like 2 cores running at 100% load w/ suricata all the time over days, I read a little bit and changed the interface from WAN to LAN. Previously I was running suricata on the WAN and zenarmor on the LAN interface. I removed zenarmor and left the WAN as it was.
Now after I changed to the LAN interface I tested the eicar file and can download it w/o any issue. On the other hand I saw blocks from the LAN network, which were not there when I used it on the WAN interface before. I didn't change the ruleset and noticed no blocks on the WAN interface whatsoever. With my last ISP there was a lot going on in suricata and the alert logs.

Any idea how I can check if the system is running correctly? Below is the log from every night, when the ruleset is updated and reloaded:
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.

Quote from: seed on December 15, 2022, 04:50:33 PM
This is very simple. Make sure that the OPNsense test rules package is installed: "OPNsense-App-detect/test".
Then you can download e.g. the Eicar testvirus via http:

"http://www.eicar.org/download/eicar.com"
If you then check your alerts, you should find a blocking event and not be able to download the file. Your browser or curl will then run into a timeout.
Thank you and sorry for the late thank you. I actually forgot I already asked and I was distracted.

I recently asked again because I found https://secure.eicar.org/eicar.com and I could download this one. But then I thought, wait a moment, that is inside https so Suricata will not be able to see it, and then I thought "given that all that web traffic is inside SSL, what use is Suricata for web traffic?". But that is more a suricata forum question.

Suricata is useful for https traffic for a few reasons:

- it might (depending on what rules you load) be able to detect protocol anomalies
- it will block some IP addresses
- and it will block some DNS names it can get unencrypted from the ssl session via SNI

Still, I recommend using some sort of antivirus on the client that will be able to scan content.

Quote from: gctwnl on April 21, 2023, 01:00:40 AM
Quote from: seed on December 15, 2022, 04:50:33 PM
This is very simple. Make sure that the OPNsense test rules package is installed: "OPNsense-App-detect/test".
Then you can download e.g. the Eicar testvirus via http:

"http://www.eicar.org/download/eicar.com"
If you then check your alerts, you should find a blocking event and not be able to download the file. Your browser or curl will then run into a timeout.
Thank you and sorry for the late thank you. I actually forgot I already asked and I was distracted.

I recently asked again because I found https://secure.eicar.org/eicar.com and I could download this one. But then I thought, wait a moment, that is inside https so Suricata will not be able to see it, and then I thought "given that all that web traffic is inside SSL, what use is Suricata for web traffic?". But that is more a suricata forum question.


Suricata is not a proxy. So there is no ssl interception.
When you want to break open https you might use the webproxy.

FWIW, there's a copy of that eicar test file that's accessible over http.
The URL is at the bottom of this page: https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html
A simple curl will fetch it.

Here are some cleaner instructions for validating that IPS is blocking, for the average Windows user:


Step 1: Enable the rule "OPNsense-App-detect/test", located at: Services/Intrusion Detection/Administration/Download

Step 2: Open the PowerShell ISE

Step 3: Paste in the following code

# Plain HTTP on purpose: Suricata cannot inspect the payload inside TLS
$url  = "http://pkg.opnsense.org/test/eicar.com.txt"
$dest = "C:\temp\eicar.com.txt"
# -OutFile fails if the folder does not exist yet
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Invoke-RestMethod -Uri $url -OutFile $dest

Step 4: Click the Green Run arrow

Step 5: Check your IPS Alerts, located at: Services/Intrusion Detection/Administration/Alerts. You should see a hit for "OPNsense test eicar virus"

Step 6: Check C:\Temp\ for the creation of any new files named "eicar.com.txt". You should have none, and your PowerShell ISE should be just sitting there hung, looking like it's doing nothing; well, that's because your IDS is blocking the download.

Congrats.