ips/ids suricata Solved

Started by GDixon, December 01, 2018, 07:46:51 AM

December 01, 2018, 07:46:51 AM Last Edit: December 02, 2018, 07:51:41 PM by GDixon
Hi,
I followed the wiki to enable Intrusion detection and have a couple problems.

OPNsense 19.1.b_306-amd64
FreeBSD 11.2-RELEASE-p4-HBSD
OpenSSL 1.0.2q 20 Nov 2018


I get these errors, and of the 4 abuse.ch rule sets only one actually downloads. These are the only rules I enabled to test suricata out.

abuse.ch/Dyre SSL IPBL not installed drop
abuse.ch/Feodo Tracker 2018/12/01 1:31 drop
abuse.ch/SSL Fingerprint Blacklist not installed drop
abuse.ch/SSL IP Blacklist not installed drop


and these errors are in the log

Dec 1 01:30:43 suricata: [100244] <Notice> -- Stats for 'em1': pkts: 283, drop: 0 (0.00%), invalid chksum: 0

Dec 1 01:30:23 suricata: [100172] <Error> -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "hs"

I rebooted and the same happens along with the IPv6 gateway being down and needing a restart.

What did I screw up this time?  :)


I'm using the default Aho but did try the hyperscan, and ips/ids wouldn't load or refresh at all with hyperscan, so I am currently using the default Aho.

All of the abuse.ch lists have problems at the moment (server problems caused by an OS update). Try the ET Open lists.
OS: OPNsense 18.7.9-amd64
HW: HP t620 PLUS Thin Client (F0U83EA) / AMD GX-420CA SOC with Radeon HD Graphics (4 cores) / 4GB RAM, INTEL i350-T4 1G Quad Port Ethernet Adapter (I350T4G2P20), WD Green SSD 120GB M.2 2280 SATA B-M-Key 6GBs (WDS120G2G0B)
Internet: 1und1 VDSL 50 Mbit
VoIP: 1und1 and Sipgate

I was going through old threads and saw that, went to their site and found no mention of continuing problems. I'll turn off the 4 and try your suggestion :)

Which ET rules would you recommend?

Thank you

December 01, 2018, 10:33:03 AM #5 Last Edit: December 01, 2018, 10:49:03 AM by GDixon
I turned off the 3 and added 5 of the ET rules at random to test; they downloaded, and from the few checks I made they seem to work.

I still get the dhcp6, gateway dhcp6 and ntp problem and have to restart them to get IPv6 back.

The rules work and I'll see in a bit if the errors went away :)

Again, thank you!

EDIT: I cleared the log so we will see what comes back.

I set up cron in the GUI. When you close the pop-up to see if the rule is added, it goes to the last place you were in the configs. I was looking at the alerts before I did the cron and cron just put me right back to alerts. The GUI will not let you look to see what rules are in the schedule.

I went to download the eicar test and it let me know it was a virus, so that works, but I don't see anything blocked in the alerts. I used this site ( http://www.wicar.org/test-malware.html ) and it also blocked the flash and java script by only opening completely blank pages. I use firefox and run opensuse tumbleweed.

I probably should also mention I'm only using the WAN and not the lan if it makes any difference?

December 01, 2018, 11:35:21 AM #6 Last Edit: December 01, 2018, 11:38:28 AM by t00r
Quote from: GDixon on December 01, 2018, 10:22:22 AM
I was going through old threads and saw that, went to their site and found no mention of continuing problems. I'll turn off the 4 and try your suggestion :)

Which ET rules would you recommend?

Thank you
Good that the main problem is now solved :-).
I have a "test procedure" to check if a ruleset is working:
I click on the ruleset info symbol and open the URL in the "Ruleset details" field in a browser. Most of the abuse.ch URLs bring an HTTP "Error 503 Connection timed out". But that works only for the abuse.ch rulesets; other rulesets point to informational pages explaining the rulesets.

I have all of the other rulesets enabled.
And be careful about enabling "abuse.ch/URLhaus" when they work again, because this ruleset can crash OPNsense (my experience).

December 01, 2018, 11:50:09 AM #7 Last Edit: December 01, 2018, 11:52:10 AM by t00r
Quote from: GDixon on December 01, 2018, 10:33:03 AM
...
I went to download the eicar test and it let me know it was a virus, so that works, but I don't see anything blocked in the alerts. I used this site ( http://www.wicar.org/test-malware.html ) and it also blocked the flash and java script by only opening completely blank pages. I use firefox and run opensuse tumbleweed.

I probably should also mention I'm only using the WAN and not the lan if it makes any difference?
I cannot test the wicar.org site because Microsoft Windows Defender doesn't let me open it :-).
But I know there is no so-called "blockpage" informing you about the incident, only a blank site with a timeout, so it's probably blocking.

Maybe here is some more info:
clog -f /var/log/suricata.log
tail -f /var/log/suricata/stats.log


ATM I don't have the LAN interface enabled in suricata, only DMZ and WAN.
But I see sometimes things are blocked.
Some of the rulesets with malicious actions I set generally to Drop, not only Alert, for example "ET open/emerging-malware" or "ET open/emerging-trojan".

December 01, 2018, 11:53:48 AM #8 Last Edit: December 01, 2018, 12:01:54 PM by GDixon
I saw where the haus one is a system crasher lol

All of them? I only did 5 to see how it works and so far I have yet to have anything show up in alerts.

CPU usage is still minimal, memory usage did go up and the load avg went up very slightly, so I think I'll load a few at a time and go from that.

Ah ha, I have things set to drop. So you need something set to alert for it to show in the GUI?

So the alerts tab is more for testing to see what rules are messing up and don't really need to be dropped?

I see the only choice is none and drop, so I'm going to guess none logs them in alerts?

December 01, 2018, 12:14:01 PM #9 Last Edit: December 01, 2018, 12:16:24 PM by t00r
Quote from: GDixon on December 01, 2018, 11:53:48 AM
...
All of them? I only did 5 to see how it works and so far I have yet to have anything show up in alerts.

CPU usage is still minimal, memory usage did go up and the load avg went up very slightly, so I think I'll load a few at a time and go from that.
Yes, atm I have all of them enabled (except all abuse.ch rulesets). CPU load is 28-31% with that on my hardware.
Quote: Ah ha, I have things set to drop. So you need something set to alert for it to show in the GUI?

So the alerts tab is more for testing to see what rules are messing up and don't really need to be dropped?

That's a good question!
In the "Download" tab you can only enable the complete rulesets; then this ruleset is alerting. In the ruleset itself you can set them only to "None" or "Drop", and "None" means it's alerting.

BUT: In the ruleset itself some, or sometimes many, of the signatures are not enabled.
In the "Rules" tab you can fine-tune the signatures: disable completely, enable Alert, or set to Drop.

You can see this when you search in the "Rules" tab for "trojan" (when you have enabled "emerging-trojan.rules"). Some are enabled, some not.

And I see "eicar" is not enabled, or it has the class-type "bad-unknown".
I assume class-type here means the status of the IPS signature, and bad is not so good :-)

In the last weeks/months I disabled some of the signatures myself because they were alerting on harmless events, to reduce the noise of suricata.
I think the best is to surf and work as always and look from time to time in the logs to get a feeling for the whole thing :-).

Yes, I found the second place to either drop or alert the rules. There are over 16,000!

How in the heck do you enable them all? There has to be a quick way to do so without scrolling through them all, I hope.

And I still didn't download/enable all the ET rules hmmmmm

Quote from: GDixon on December 01, 2018, 12:52:59 PM
Yes, I found the second place to either drop or alert the rules. There are over 16,000!

How in the heck do you enable them all? There has to be a quick way to do so without scrolling through them all, I hope.

And I still didn't download/enable all the ET rules hmmmmm
Oh, sorry for the misunderstanding, I never ever enable them all (to alert)! :-)
In fact I enabled some of them manually over the GUI as described above.

I think I know (no proof) that the maintainers of these rulesets enable the signatures that are important (from their view).


Quote from: GDixon on December 01, 2018, 05:14:08 PM
Doh
Don't worry!
When you want to test it out, download Kali Linux in a virtual machine and run some enumeration tools against the firewall itself or another (test) target. Before testing, enable suricata on the LAN interface to detect this.

I have new errors lol, different than before, and no alerts show up yet.

I'm going to remove suricata, restore a good config and start over with suricata.

This is just a few of the errors; there are many more similar.

Dec 1 11:27:33 suricata[66339]: [100275] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 0 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
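The two kinds of messages posted in this thread (the SC_ERR_INVALID_YAML_CONF_ENTRY error for the "hs" pattern matcher early on, and the wall of SC_WARN_FLOWBIT warnings above) are easier to triage when the log is parsed rather than read line by line. The following parser is an added example written for this thread, not OPNsense or Suricata project code; it uses constructed sample lines in the same format as those posted here. It groups flowbit warnings by flowbit name and signature id, pulls out any rejected mpm algorithm, and records whether the engine actually reached "engine started", which is the distinction between the first post (engine would not load) and the last one (engine up, warnings only).

```python
import re
from collections import Counter

# Constructed sample log, in the format suricata writes on OPNsense 18.7/19.1.
# The lines mirror those quoted in the thread; not a captured production log.
SAMPLE_LOG = """\
Dec 1 01:30:43 suricata: [100244] <Notice> -- Stats for 'em1': pkts: 283, drop: 0 (0.00%), invalid chksum: 0
Dec 1 01:30:23 suricata: [100172] <Error> -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "hs"
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Dec 1 11:27:28 suricata[66339]: [100275] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Dec 1 11:27:33 suricata[66339]: [100275] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
"""

# One suricata log line: timestamp, optional pid, thread id, level, optional ERRCODE, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) suricata(?:\[\d+\])?: \[\d+\] <(?P<level>\w+)> -- "
    r"(?:\[ERRCODE: (?P<errcode>\w+)\(\d+\)\] - )?(?P<msg>.*)$"
)
# "flowbit 'X' is checked but not set. Checked in <sid> and <n> other sigs"
FLOWBIT_RE = re.compile(
    r"flowbit '(?P<name>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)
# The rejected pattern-matcher name from the YAML config ("hs" = hyperscan).
MPM_RE = re.compile(r'Invalid mpm algo supplied in the yaml conf file: "(?P<algo>[^"]+)"')


def parse_line(line):
    """Return a dict with ts/level/errcode/msg for a suricata log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Triage a block of suricata log text into a structured summary."""
    levels = Counter()
    flowbits = {}        # flowbit name -> {"sid": int, "other_sigs": int}
    mpm_errors = []      # rejected mpm algorithm names
    engine_started = False

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a suricata line (or a format we do not know)
        levels[rec["level"]] += 1

        if rec["errcode"] == "SC_WARN_FLOWBIT":
            fb = FLOWBIT_RE.search(rec["msg"])
            if fb:
                flowbits[fb["name"]] = {"sid": int(fb["sid"]),
                                        "other_sigs": int(fb["others"])}
        elif rec["errcode"] == "SC_ERR_INVALID_YAML_CONF_ENTRY":
            mp = MPM_RE.search(rec["msg"])
            if mp:
                mpm_errors.append(mp["algo"])

        if "engine started" in rec["msg"]:
            engine_started = True

    return {
        "levels": dict(levels),
        "flowbits": flowbits,
        "mpm_errors": mpm_errors,
        "engine_started": engine_started,
    }


def triage_notes(summary):
    """Human-readable findings, from a defender's point of view."""
    notes = []
    for algo in summary["mpm_errors"]:
        notes.append(f"config: mpm algo '{algo}' rejected; the build lacks that matcher, "
                     "fall back to the default (Aho-Corasick) as done in this thread")
    if summary["flowbits"]:
        notes.append(f"{len(summary['flowbits'])} flowbit(s) checked but never set; "
                     "the rule that sets each one is disabled, so the checking rule "
                     "can never fire (warning only, engine still starts)")
    if not summary["engine_started"]:
        notes.append("engine did not report 'engine started' in this log window")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["levels"], s["mpm_errors"], sorted(s["flowbits"]))
    for n in triage_notes(s):
        print("-", n)
```

Run it against the real file with `summarize(open("/var/log/suricata.log").read())` (the path posted earlier in this thread); the flowbit warnings are worth knowing about but not worth chasing one at a time, whereas a non-empty `mpm_errors` list explains an engine that refuses to load.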