OPNsense Forum » English Forums » Intrusion Detection and Prevention » Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
Topic: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch (Read 4790 times)
Adam (Newbie, Posts: 2, Karma: 0)
Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
« on: April 12, 2019, 08:40:37 am »
Hello,
after I configured the Intrusion Detection in OPNsense, I wanted to know that the system is doing what it should do. So I looked on the URLhaus Database https://urlhaus.abuse.ch/browse/ for Malware URLs to test my configuration. Surprisingly it didn't block some of the Malware URLs. I tried the same with the rules which are listed in the Rules Tab under Services: Intrusion Detection: Administration. I arbitrarily chose a rule and also here it was the case that not all downloadable files get blocked.
Here are two examples: the first one has the Signature Id 80863915 and the second Signature Id is 80874829.
- The URL http://ajansred.com/audio/image.ico from the first rule got blocked as expected.
- The URL https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-278-1/1dd5709c6955b3627c0ef0171519dd38.zip from the second rule didn't get blocked. These are only two examples; there are several more which the system lets pass without blocking. Not even a log entry is made.
The second thing I found out was that in the Rule configuration Tab around 340 Rules were not set to Block, even though all Rulesets are configured to drop. There are no errors or warnings in the log and the system in general is running really fine. I'm running version 19.1.4 and the Suricata version is 4.1.3. No special configuration was made, nor are a lot of packages running. Just the Firewall, Proxy, Unbound and Intrusion Detection. The Rulesets which I enabled are only the four from abuse.ch. Also the rulesets are up to date and enabled.
Can someone confirm what I found out on my system, or is it just the behavior of my machine?
Regards
Adam
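A quick way to check the two observations in the post (rules that are still on `alert` instead of `drop`, and rules that can only ever match plaintext HTTP) is to audit the rule file Suricata actually loads. The script below is an added example and not code from the thread or from OPNsense; the rules in it are constructed in Suricata syntax to illustrate the check, not the real abuse.ch signatures. Note that a rule keyed on the HTTP URI cannot match a request inside TLS, so an `https://` download can pass without any log entry even when the signature is enabled.

```python
import re
from collections import Counter

# Constructed sample rules (assumption: not the real URLhaus/abuse.ch ruleset).
# Point parse_rules() at the contents of the rule file Suricata loads instead.
SAMPLE_RULES = """\
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED URLhaus-style rule A"; flow:established,to_server; http.uri; content:"/audio/image.ico"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED URLhaus-style rule B"; flow:established,to_server; http.uri; content:"/publicDatasets/"; sid:9000002; rev:1;)
# alert tls ... (commented-out rules are not loaded and are skipped here)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED SNI rule"; tls.sni; content:"example.invalid"; sid:9000003; rev:1;)
"""

# action, protocol, msg and sid of one Suricata rule line
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.*?'
    r'\(msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);'
)


def parse_rules(text):
    """Parse active rule lines into dicts; blank and commented lines are ignored."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            # HTTP-only buffers: such a rule cannot see into TLS-encrypted traffic
            "http_only": m.group("proto") == "http" or "http.uri" in line or "http_uri" in line,
        })
    return rules


def audit(rules):
    """Return (count per action, sids not set to drop, sids needing plaintext HTTP)."""
    by_action = Counter(r["action"] for r in rules)
    not_blocking = sorted(r["sid"] for r in rules if r["action"] != "drop")
    http_only = sorted(r["sid"] for r in rules if r["http_only"])
    return by_action, not_blocking, http_only


if __name__ == "__main__":
    counts, not_blocking, http_only = audit(parse_rules(SAMPLE_RULES))
    print("actions:", dict(counts))
    print("still alert/pass (will log but not block):", not_blocking)
    print("HTTP-only (blind to https:// downloads):", http_only)
```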
mayo (Jr. Member, Posts: 72, Karma: 4)
Re: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
« Reply #1 on: April 12, 2019, 09:30:37 am »
Same for me...
DougD (Newbie, Posts: 1, Karma: 0)
Re: Suricata Intrusion Detection doesn't block all Malware using the abuse.ch
« Reply #2 on: May 02, 2019, 07:18:33 pm »
Hey guys, is this still an issue for you? I was experiencing the same symptoms when trying a test of Suricata using the first example you posted "http://ajansred.com/audio/image.ico" and not seeing a block or even a log entry, so I ended up removing my snort plugin for the svt rules and my oink code from Suricata along with the snort detections, and when I tried the test again it was blocked in Suricata as expected. I have been back and forth from pfsense to opnsense and even though I really like opnsense more, I need a solid and reliable intrusion detection system and one I fully trust.
I plan on turning the snort plugin back on, adding back the snort rules and seeing if Suricata still works.
Thanks. Doug