Recommendation wanted: test event

Started by JohnDoe17, February 16, 2022, 08:41:25 PM

Current set up:
o IDS/IPS (Suricata) is configured with "Enable eve syslog output."
o The firewall is configured to send syslog to a remote syslog server.
o The syslog server (Graylog in our case) is configured to email the admins when certain alerts meet certain conditions.

What I want to do:
o Set up a cron job on a machine behind the firewall that occasionally does _something_ that triggers a Suricata alert that Graylog can match on to satisfy a "proof of life" condition.  If that condition is not met, Graylog can send an email to alert the admins that they may not be receiving IDS/IPS alerts like they are expecting.  (And/or have Graylog email the admins occasionally saying the condition is being met.)

So... is there a standard, innocuous event I can trigger that would cause Suricata to alert?  I was thinking something like trying to download EICAR or something.  (If I go with EICAR, what ET list would that event be in?  Malware?)

I'm open to feedback on further improving the whole system too if people have thoughts.  Thanks.
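As an added example (not code from the thread or from Graylog/Suricata), here is the "proof of life" check from the post above expressed as a small script: it reads Suricata EVE JSON lines, as produced by the eve syslog output, and reports whether a test-rule alert was logged within a time window. The signature fragment `EICAR`, the sample EVE lines and the timestamps are constructed assumptions, since the thread names the ruleset but not the exact rule text.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical rule-name fragment: the thread names the ruleset
# (OPNsense-App-detect/test) but not the rule text, so adjust this
# to whatever your Suricata actually logs for the EICAR download.
PROOF_OF_LIFE_MATCH = "EICAR"

def parse_ts(s):
    """Parse a Suricata EVE timestamp such as 2022-02-16T20:41:25.000000+0100.
    Python < 3.11 needs a colon in the UTC offset, so insert one if missing."""
    if len(s) >= 5 and s[-5] in "+-" and s[-3] != ":":
        s = s[:-2] + ":" + s[-2:]
    return datetime.fromisoformat(s)

def parse_eve_alerts(lines):
    """Yield (timestamp, signature) for every EVE record of event_type alert."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # syslog framing or other non-JSON noise: not an alert
        if not isinstance(rec, dict) or rec.get("event_type") != "alert":
            continue
        yield parse_ts(rec["timestamp"]), rec.get("alert", {}).get("signature", "")

def proof_of_life_ok(lines, now, window, match=PROOF_OF_LIFE_MATCH):
    """True when an alert whose signature contains `match` was logged within
    `window` before `now`; False means the IDS-to-syslog path may be silent."""
    cutoff = now - window
    return any(ts >= cutoff and match.lower() in sig.lower()
               for ts, sig in parse_eve_alerts(lines))

# Constructed sample EVE lines (not real captures): one test-rule alert,
# one flow record, one line of syslog noise.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-02-16T20:41:25.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"alert":{"signature":"TEST EICAR test file download (constructed)","severity":3}}',
    '{"timestamp":"2022-02-16T20:42:00.000000+0000","event_type":"flow","src_ip":"192.0.2.10"}',
    "<13>Feb 16 20:42:01 fw suricata: not a JSON record",
]
SAMPLE_NOW = datetime(2022, 2, 16, 21, 0, 0, tzinfo=timezone.utc)

def demo():
    """Evaluate the sample with a generous window and a too-short one."""
    return (proof_of_life_ok(SAMPLE_EVE_LINES, SAMPLE_NOW, timedelta(minutes=30)),
            proof_of_life_ok(SAMPLE_EVE_LINES, SAMPLE_NOW, timedelta(minutes=10)))

if __name__ == "__main__":
    print("proof of life within 30 min: %s, within 10 min: %s" % demo())
```

The same logic is what the Graylog condition in the post has to express: alert on the absence of the expected test signature, not only on its presence.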

Quote from: JohnDoe17 on February 16, 2022, 08:41:25 PM
So... is there a standard, innocuous event I can trigger that would cause Suricata to alert?  I was thinking something like trying to download EICAR or something.  (If I go with EICAR, what ET list would that event be in?  Malware?)

EICAR is in the OPNsense-App-detect/test ruleset. Make sure to download from an unencrypted HTTP connection.

March 09, 2022, 09:16:08 AM #2 Last Edit: March 09, 2022, 10:53:45 AM by sja1440
Alas, EICAR no longer provides a download through an unencrypted connection. This is what they say on their site: "Sorry, HTTP downoad ist temporarily not provided." Unfortunately it has been unavailable for some time now.

Does anyone know of an alternative external "test" source?

I know you could use your own custom crafted rule.

BTW: to detect the presence of unencrypted EICAR you need the ruleset "OPNsense-App-detect/test".

Quote from: sja1440 on March 09, 2022, 09:16:08 AM
Alas, EICAR no longer provides a download through an unencrypted connection. This is what they say on their site: "Sorry, HTTP downoad ist temporarily not provided." Unfortunately it has been unavailable for some time now.

I have been using http://www.eicar.org/download/eicar.com.txt for all my testing.

Indeed you are correct!

Using that direct link, it does download over HTTP and so triggers the test Suricata block.

Many thanks!