StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Selks 4 or 5RC1 - Alert detection problems (Clean install) #155

Open Mauro2k opened 5 years ago

Mauro2k commented 5 years ago

I performed a clean installation of SELKS v5RC1 and later v4 on a physical server. The problem is that it does not register malicious events as alerts. For example:

I see p2p traffic, mined coins, malware in EventBox (Events) but it does not catalog them as alerts!

What can I have wrongly configured?

It is as if it were not analyzing the installed rules.

Can someone help me please?

pevma commented 5 years ago

You may need to adjust the HOME and EXTERNAL net variables in that case.

How exactly do you conduct your tests ?

-- Regards, Peter Manev

On 1 Feb 2019, at 21:21, Mauro2k notifications@github.com wrote:


Mauro2k commented 5 years ago

Thanks for answering.

All my internal segments are within the 192.168.x.x range:

192.168.5.x, 192.168.9.x, 192.168.25.x, etc.

IDS server: 192.168.7.30, Suricata version 4, Scirius CE v3.1.0. My current configuration in suricata.yaml is:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/24]"

    HOME_NET: "[192.168.0.0/16]"

    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

My tests are done by:

- Bittorrent downloads
- Bitcoin mining
- Mining of altcoins
- Access to blacklisted sites
- Port scans

I have another Suricata version 4 / Scirius CE v2.0.1 installation on which the alerts do show up.

I do not understand what the configuration error is in my new IDS.

(screenshot attached: Scirius CE v2.0.1)

Cptspal commented 5 years ago

HOME_NET: "[192.168.0.0/16]" should be better than HOME_NET: "[192.168.0.0/24]" according to your internal range.
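To make the HOME_NET point concrete, here is an added example (not SELKS or Suricata project code) that resolves Suricata address-group variables the way the config above writes them, and shows which of the reporter's segments a "$HOME_NET any -> $EXTERNAL_NET any" rule would never see under each HOME_NET value; the 203.0.113.7 destination is a constructed sample address.

```python
import ipaddress

# Constructed: the two HOME_NET values from the thread plus the quoted EXTERNAL_NET.
VARS_NARROW = {"HOME_NET": "[192.168.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}
VARS_WIDE = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}
# The internal segments the reporter listed (192.168.5.x, .9.x, .25.x).
SEGMENTS = ["192.168.5.0/24", "192.168.9.0/24", "192.168.25.0/24"]

def split_top(text):
    """Split a comma list while respecting nested [...] groups."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def in_group(expr, variables, ip):
    """True if ip is covered by a Suricata address-group expression:
    '!' negates, '$NAME' references a variable, 'any' matches all, a
    CIDR matches its range, and in a [...] list negated members exclude."""
    expr, ip = expr.strip(), ipaddress.ip_address(ip)
    if expr.startswith("!"):
        return not in_group(expr[1:], variables, ip)
    if expr.startswith("$"):
        return in_group(variables[expr[1:]], variables, ip)
    if expr.startswith("[") and expr.endswith("]"):
        members = split_top(expr[1:-1])
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m for m in members if m.startswith("!")]
        covered = not positives or any(in_group(m, variables, ip) for m in positives)
        return covered and all(in_group(m, variables, ip) for m in negatives)
    if expr == "any":
        return True
    return ip in ipaddress.ip_network(expr, strict=False)

def outbound_rule_matches(src, dst, variables):
    """Would a '$HOME_NET any -> $EXTERNAL_NET any' rule see this flow?"""
    return in_group("$HOME_NET", variables, src) and in_group("$EXTERNAL_NET", variables, dst)

def uncovered_segments(variables, segments):
    """Internal segments whose first or last address falls outside HOME_NET."""
    nets = [ipaddress.ip_network(s) for s in segments]
    return [str(n) for n in nets
            if not all(in_group("$HOME_NET", variables, a) for a in (n[0], n[-1]))]
```

With the /24 value every listed segment is outside HOME_NET, so a host on 192.168.5.x talking to the internet is classified as EXTERNAL_NET talking to EXTERNAL_NET and the directional rules stay silent; with /16 all three segments are covered.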