StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Delete rule #104

Open berekese opened 6 years ago

berekese commented 6 years ago

Hi, I am receiving alerts about a rule (2006380). I looked at the rule and pushed the "delete rule" button, but Suricata doesn't delete it, because afterwards the same rule has banned a new IP. Should I restart Suricata for it to take effect?

I tried with suppress and threshold too, without luck.

Thanks.

pevma commented 6 years ago

I think you could try updating and pushing the ruleset (from Suricata tab/Suricata actions).

Would that help?

berekese commented 6 years ago

I am doing it. Now I will test whether the same rule is banned or not. Thanks.

Source ETOpen Ruleset@HEAD

Added: 0 Deleted: 0 Updated: 0 (Updated at Feb. 16, 2018, 6:39 a.m.)

Source SSLBL abuse.ch@HEAD

Added: 0 Deleted: 0 Updated: 0 (Updated at Feb. 16, 2018, 6:39 a.m.)

I also added some other filters trying to solve it.

http://i64.tinypic.com/165utg.png

berekese commented 6 years ago

No. SELKS banned the same rule again: http://i67.tinypic.com/9rn4ti.png

Any idea or way to debug it? Thanks.

pevma commented 6 years ago

You need to update and redeploy/push your ruleset - since it is only edited, the new options are not yet deployed/operational. To do that: from the "Suricata" tab in the main menu -> choose "Suricata actions" on the left-hand side -> then select all options and apply.

Let me know if it helps.

berekese commented 6 years ago

Hi, no :/ I have it disabled, here is a picture: http://i63.tinypic.com/eg4cnm.png

But after updating the rules as you told me (successfully) I have the same alerts:

02/16/2018-10:25:26.988198 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.XX.XX:42016 -> 192.168.XX.XX:80

If you know of more options to debug it, I will try them to solve this.

Thanks.

berekese commented 6 years ago

Maybe this can give more info, @pevma? When I start Suricata with debug:

[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[1071] 19/2/2018 -- 08:26:33 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule

Thanks.

pevma commented 6 years ago

It seems that the rule/sig is not there - which is what is expected, correct - you disabled the rule? I will try to reproduce and get back to you as it seems strange.

berekese commented 6 years ago

That message occurs when I start Suricata from my "special" command line (you know that I use traf and stdin). I disabled some more rules but it doesn't work; SELKS continues to alert me with the rules which I disabled before. I also tried rebooting the server and starting SELKS again, but no luck. However, from the messages I see when starting Suricata, those rules ARE disabled; it is only that I don't know what steps I did to disable them definitively. In threshold.config both rules are present (but only the ones that give me that warning when starting Suricata are really disabled).

I have the threshold file uncommented, and when the daemon starts a message appears saying that it is reading that config, but I don't know why it doesn't really disable the rule.

I would be grateful for any help. Thanks again.

pevma commented 6 years ago

Do you have the rule present in /etc/suricata/rules/scirius.rules ?

berekese commented 6 years ago

Hi @pevma, I have scirius.rules in the path /etc/suricata/rules, but I don't have scirius.rules inside suricata.yaml; the rules section in my suricata.yml has this:

default-rule-path: /etc/suricata/rules
rule-files:
 - botcc.rules
 # - botcc.portgrouped.rules
 - ciarmy.rules
 - compromised.rules
 - drop.rules
 - dshield.rules
# - emerging-activex.rules
 - emerging-attack_response.rules
 - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-dns.rules
 - emerging-dos.rules
 - emerging-exploit.rules
 - emerging-ftp.rules
# - emerging-games.rules
# - emerging-icmp_info.rules
# - emerging-icmp.rules
 - emerging-imap.rules
# - emerging-inappropriate.rules
# - emerging-info.rules
 - emerging-malware.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
 - emerging-netbios.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-pop3.rules
 - emerging-rpc.rules
# - emerging-scada.rules
# - emerging-scada_special.rules
 - emerging-scan.rules
# - emerging-shellcode.rules
 - emerging-smtp.rules
 - emerging-snmp.rules
 - emerging-sql.rules
 - emerging-telnet.rules
 - emerging-tftp.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
# - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - tor.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
 - emerging-netbios.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-pop3.rules
 - emerging-rpc.rules
# - emerging-scada.rules
# - emerging-scada_special.rules
 - emerging-scan.rules
# - emerging-shellcode.rules
 - emerging-smtp.rules
 - emerging-snmp.rules
 - emerging-sql.rules
 - emerging-telnet.rules
 - emerging-tftp.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
# - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - tor.rules
# - decoder-events.rules # available in suricata sources under rules dir
# - stream-events.rules  # available in suricata sources under rules dir
 - http-events.rules    # available in suricata sources under rules dir
 - smtp-events.rules    # available in suricata sources under rules dir
 - dns-events.rules     # available in suricata sources under rules dir
 - tls-events.rules     # available in suricata sources under rules dir
# - modbus-events.rules  # available in suricata sources under rules dir
# - app-layer-events.rules  # available in suricata sources under rules dir
# - dnp3-events.rules       # available in suricata sources under rules dir
# - ntp-events.rules       # available in suricata sources under rules dir

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
threshold-file: /etc/suricata/threshold.config

Before, I had #threshold-file: /etc/suricata/threshold.config. I uncommented it and restarted Suricata again, and now I see more rules banned:

[21246] 22/2/2018 -- 07:03:25 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 1 rule files processed. 22149 rules successfully loaded, 0 rules failed
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2019415, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2019415, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2019415, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:585) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012886, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2012886, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:1130) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 17 rule(s) found
[21246] 22/2/2018 -- 07:03:25 - (detect-engine-build.c:1398) <Info> (SigAddressPrepareStage1) -- 22154 signatures processed. 1165 are IP-only rules, 6504 are inspecting packet payload, 16688 inspect application layer, 0 are decoder event only

I don't remember commenting that line (threshold), but I am going to check now whether the rules are really ignored. I will let you know the news; if you see anything strange, let me know too.

Thanks.

berekese commented 6 years ago

I just added a new rule to threshold with sid 2012811 (using the Scirius dashboard, of course). It is in threshold.config and I stopped/started Suricata, but when I start again I don't see that rule in the startup log, as does happen with the others which effectively are suppressed. Just extra information :)

Thanks.

pevma commented 6 years ago

Ok - you should only have scirius.rules in the /etc/suricata/suricata.yaml config. So no other rules.

Scirius manages all rules via that file and if you have other rule files in that config section it will lead to unexpected results.

berekese commented 6 years ago

Hi, I didn't have it in suricata.yml (I didn't remove it; maybe some update did it?)

Here is my current suricata.yml:

default-rule-path: /etc/suricata/rules
rule-files:
## - botcc.rules
 # - botcc.portgrouped.rules
 ## - ciarmy.rules
 ## - compromised.rules
 ##- drop.rules
 ##- dshield.rules
# - emerging-activex.rules
##- emerging-attack_response.rules
##- emerging-chat.rules
##- emerging-current_events.rules
##- emerging-dns.rules
## - emerging-dos.rules
##- emerging-exploit.rules
##- emerging-ftp.rules
# - emerging-games.rules
# - emerging-icmp_info.rules
# - emerging-icmp.rules
##- emerging-imap.rules
# - emerging-inappropriate.rules
# - emerging-info.rules
## - emerging-malware.rules
##- emerging-misc.rules
##- emerging-mobile_malware.rules
##- emerging-netbios.rules
##- emerging-p2p.rules
##- emerging-policy.rules
##- emerging-pop3.rules
##- emerging-rpc.rules
# - emerging-scada.rules
# - emerging-scada_special.rules
##- emerging-scan.rules
# - emerging-shellcode.rules
##- emerging-smtp.rules
##- emerging-snmp.rules
##- emerging-sql.rules
##- emerging-telnet.rules
##- emerging-tftp.rules
##- emerging-trojan.rules
##- emerging-user_agents.rules
##- emerging-voip.rules
##- emerging-web_client.rules
## - emerging-web_server.rules
# - emerging-web_specific_apps.rules
##- emerging-worm.rules
##- tor.rules
# - decoder-events.rules # available in suricata sources under rules dir
# - stream-events.rules  # available in suricata sources under rules dir
##- http-events.rules    # available in suricata sources under rules dir
##- smtp-events.rules    # available in suricata sources under rules dir
##- dns-events.rules     # available in suricata sources under rules dir
##- tls-events.rules     # available in suricata sources under rules dir
# - modbus-events.rules  # available in suricata sources under rules dir
# - app-layer-events.rules  # available in suricata sources under rules dir
# - dnp3-events.rules       # available in suricata sources under rules dir
# - ntp-events.rules       # available in suricata sources under rules dir
  - scirius.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
threshold-file: /etc/suricata/threshold.config

Now if I disable a rule, does the rule stay disabled? Should I restart Suricata each time I disable a rule? Is everything all right now?

Thanks!

berekese commented 6 years ago

Bad news: I disabled a rule in the dashboard (2000334 | ET P2P BitTorrent peer sync | 08/18/2017 12:35 a.m.).

It appears under Rulesets -> Default Ruleset -> disabled rules -> OK. But in rules/threshold.config that rule isn't disabled (maybe Scirius doesn't add those rules there, dunno).

And of course, when the event occurs again, the rule appears. I want to disable some rules definitively because I have an API connected to the router which bans IPs automatically, and some rules are banning our own IP or the server IP.

In suricata.yaml I only have that uncommented (rules section).

Any idea how to disable it definitively? Thanks.

regit commented 6 years ago

If you disable a rule, it will be removed from /etc/suricata/rules/scirius.rules. You need to check that it has disappeared from there.
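
The check regit describes (is the SID still in scirius.rules?) and the "can't suppress sid ..., gid 1: unknown rule" startup warnings pasted earlier in the thread can be combined into one scripted triage. This is an added example, not code from SELKS or Scirius; the rules, threshold.config and log snippets embedded below are constructed samples, and the function names are my own.

```python
import re

# Constructed samples of the three artifacts the thread looks at (not real files).
SCIRIUS_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; sid:2000334; rev:13;)
alert tcp $HOME_NET any -> any any (msg:"constructed sample rule"; sid:2012811; rev:1;)
# alert tcp any any -> any any (msg:"commented out, must not count"; sid:2012886; rev:1;)
"""
THRESHOLD_CONFIG = """\
suppress gen_id 1, sig_id 2006380
suppress gen_id 1, sig_id 2000334, track by_src, ip 192.168.0.0/16
"""
STARTUP_LOG = """\
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:397) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2006380, gid 1: unknown rule
[21246] 22/2/2018 -- 07:03:25 - (util-threshold-config.c:1130) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 2 rule(s) found
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
SIG_ID_RE = re.compile(r"\bsig_id\s+(\d+)")
UNKNOWN_RE = re.compile(r"can't suppress sid (\d+), gid \d+: unknown rule")


def loaded_sids(rules_text):
    """SIDs of active signatures: commented-out lines are not loaded by Suricata."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = SID_RE.search(line)
            if m:
                sids.add(int(m.group(1)))
    return sids


def suppressed_sids(threshold_text):
    """SIDs that threshold.config asks Suricata to suppress."""
    return {int(m.group(1)) for m in SIG_ID_RE.finditer(threshold_text)}


def unknown_sids(log_text):
    """SIDs Suricata warned about at startup: suppress entry present, rule not loaded."""
    return {int(m.group(1)) for m in UNKNOWN_RE.finditer(log_text)}


def classify(sid, rules_text, threshold_text, log_text):
    """Explain why a SID is or is not still alerting after a 'disable' in Scirius."""
    if sid in unknown_sids(log_text) or sid not in loaded_sids(rules_text):
        return "disabled"    # absent from scirius.rules: cannot fire, suppress line is redundant
    if sid in suppressed_sids(threshold_text):
        return "suppressed"  # loaded, but alerts are held back by threshold.config
    return "alerting"        # loaded and not suppressed, e.g. the disable was never pushed
```

Run it against the real /etc/suricata/rules/scirius.rules, /etc/suricata/threshold.config and the Suricata startup log; a SID that comes back "alerting" is the one still missing an update/push of the ruleset.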

berekese commented 6 years ago

I didn't disable it and it appears in the dashboard, but it appears in scirius.rules too.

alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

For some reason, when I disable any rule, that change doesn't appear in the server's file.

One thing that I do differently is start Suricata from the command line and not using the script.

Thanks.

regit commented 6 years ago

Did you build and push the ruleset (then apply) like the following? (screenshot from 2018-02-23 09-06-54)

berekese commented 6 years ago

Thanks. I didn't remember that option, and @pevma told me about it before :)

I am going to test whether it works fine now. Thanks to you both again.