OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Recommendation wanted: test event
« previous next »
  • Print
Pages: [1]

Author Topic: Recommendation wanted: test event  (Read 2710 times)

JohnDoe17

  • Newbie
  • *
  • Posts: 40
  • Karma: 5
    • View Profile
Recommendation wanted: test event
« on: February 16, 2022, 08:41:25 pm »
Current set up:
o IDS/IPS (Suricata) is configured with "Enable eve syslog output."
o The firewall is configured to send syslog to a remote syslog server.
o The syslog server (Graylog in our case) is configured to email the admins when certain alerts meet certain conditions.

What I want to do:
o Setup up a cron job on a machine behind the firewall that occasionally does _something_ that triggers a Suricata alert that Graylog can match on to satisfy a "proof of life" condition.  If that condition is not met, Graylog can send an email to alert the admins that they may not be receiving IDS/IPS alerts like they are expecting.  (And/or have Graylog email the admins occasionally saying the condition is being met.)

So... is there a standard, innocuous event I can trigger that would cause Suricata to alert?  I was thinking something like trying to download EICAR or something.  (If I go with EICAR, what ET list would that event be in?  Malware?)

I'm open to feedback on further improving the whole system too if people have thoughts.  Thanks.
Logged

allan

  • Newbie
  • *
  • Posts: 45
  • Karma: 11
    • View Profile
Re: Recommendation wanted: test event
« Reply #1 on: March 07, 2022, 03:09:10 pm »
Quote from: JohnDoe17 on February 16, 2022, 08:41:25 pm
So... is there a standard, innocuous event I can trigger that would cause Suricata to alert?  I was thinking something like trying to download EICAR or something.  (If I go with EICAR, what ET list would that event be in?  Malware?)

EICAR is in the OPNsense-App-detect/test ruleset. Make sure to download from an unencrypted HTTP connection.
Logged

sja1440

  • Jr. Member
  • **
  • Posts: 86
  • Karma: 6
    • View Profile
Re: Recommendation wanted: test event
« Reply #2 on: March 09, 2022, 09:16:08 am »
Alas, eicar no longer provide a download through an unencrypted connection. This is what they say on their site "Sorry, HTTP downoad ist temporarily not provided." - unfortunately it has been unavailable for some time now.

Does anyone know of an alternative external "test" source?

I know you could use your own custom crafted rule.

BTW: to detect the presence of unencrypted eicar you need the ruleset  "OPNsense-App-detect/test"
« Last Edit: March 09, 2022, 10:53:45 am by sja1440 »
Logged

allan

  • Newbie
  • *
  • Posts: 45
  • Karma: 11
    • View Profile
Re: Recommendation wanted: test event
« Reply #3 on: March 13, 2022, 02:45:40 am »
Quote from: sja1440 on March 09, 2022, 09:16:08 am
Alas, eicar no longer provide a download through an unencrypted connection. This is what they say on their site "Sorry, HTTP downoad ist temporarily not provided." - unfortunately it has been unavailable for some time now.

I have been using http://www.eicar.org/download/eicar.com.txt for all my testing.
Logged

sja1440

  • Jr. Member
  • **
  • Posts: 86
  • Karma: 6
    • View Profile
Re: Recommendation wanted: test event
« Reply #4 on: March 13, 2022, 08:10:55 pm »
Indeed you are correct!

Using that direct link, does download using http and so triggers the test suricata block.

Many thanks!
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Recommendation wanted: test event
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2