StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Suricata possibly not detecting "bad traffic" #221

Closed ManuelFFF closed 4 years ago

ManuelFFF commented 4 years ago

Hi,

I have a fresh SELKS 5 installation. Successfully executed and completed:

Now I have started to test Suricata.

I have not been able to see Suricata detecting any "bad" traffic. I have been using some websites to do some tests and download fake threats to the server:

http://metal.fortiguard.com/tests/

So far Suricata is not reporting bad traffic nor threats, but only events like flow, dns, fileinfo, http, tls, dhcp, etc.

The only persistent alert shown is "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management" every time I run "selks-upgrade_stamus" to have the latest SELKS and system updates. And even so the category is "Not Suspicious Traffic".

Is there anything I need to manually config in "scirius-iprep.list" or "scirius.rules" or somewhere else? Perhaps I am not doing the correct tests or I am missing some important step. Maybe you can advise of some other tests to finally be able to see alerts in Suricata.

Thank you

pevma commented 4 years ago

What kind of tests are those? Did you also set up HOME_NET accordingly etc. in selks6-addin.yaml?

ManuelFFF commented 4 years ago

Yes I defined my HOME_NET variable, but in suricata.yaml, since selks5-addin.yaml does not have the address-groups section. Settings were set as follows:

address-groups:
  HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

  #HOME_NET: "[192.168.0.0/16]"
  #HOME_NET: "[10.0.0.0/8]"
  #HOME_NET: "[172.16.0.0/12]"
  #HOME_NET: "any"
  HOME_NET: "[192.168.1.0/24]"

  EXTERNAL_NET: "!$HOME_NET"

and regarding the tests, I am just trying to simulate some kind of "bad" traffic just to make sure Suricata is detecting those.

ManuelFFF commented 4 years ago

Should I add the line HOME_NET: "[192.168.1.0/24]" to the config file "selks5-addin.yaml" in order to make it work properly?

ManuelFFF commented 4 years ago

I am just trying to see a different message here, to confirm Suricata is working fine. I have been trying to generate some traffic that Suricata would alert about by downloading samples from https://www.eicar.org/?page_id=3950.

Maybe this is not the best way to test Suricata, or alerts do not work the way I think.

Any help or advice is welcome :)

(screenshots: SN-Alerts 2, SN-Alerts)

pevma commented 4 years ago

Most likely the interface Suricata sniffs traffic on is not seeing the traffic? If you tcpdump on that interface, would you see the traffic properly?

Also the test needs to be done from within the HOME_NETWORK - just as a pre-test check.

ManuelFFF commented 4 years ago

I have been running the tests from the server running Suricata (running SELKS), which is of course included in the HOME_NETWORK. Should I try from a different PC within the same network?

Since this is just for testing purposes, the server is not connected to the main router mirroring any port. It is connected to the network like any other server, but if Suricata couldn't see the traffic from other devices, at least it should detect its own bad traffic if I try a site like https://www.eicar.org/?page_id=3950, right?

ManuelFFF commented 4 years ago

When I run tcpdump I can see traffic, however it is only traffic going out of/into the Suricata server.

ManuelFFF commented 4 years ago

*Note: the SELKS server is now mirroring a port on the core switch, so it's detecting traffic and generating data from multiple IPs, but the alerts are generated only when the SELKS server is the destination or source IP.

I am reviewing the rule sets in Scirius (check attached photo). When I log in to see the details of each category, I am assuming the following (please correct me if it is not correct):

But I'm not sure I understand the 3rd table correctly, "Commented rules". I checked that the status of each rule here is "inactive".

  1. Does it mean that Suricata is not currently using any of these rules?
  2. These rules come "inactive" by default with Suricata or were they disabled in SELKS for some specific reason?
  3. When I toggle availability for a rule to make it "active", does Scirius import that rule into "scirius.rules" so Suricata can start using that rule immediately, even if the rule stays "commented" in the source?
  4. If I wanted to have 100% of the available rules among all the sources as "active", can I do it without breaking anything inside Scirius or SELKS?
  5. Is there a quick way to activate them all at once from Scirius instead of one by one (there are thousands)?
  6. (please check screenshot) In Scirius, what does it mean for a rule to have "State in source: commented" and "Available: True" at the same time? Does it mean Suricata will use the rule because it is "available" even when "State in source: commented", or do I still need to uncomment that rule in the source, or how should I interpret that information?

(screenshots: Scirius rulesets, Scirius rulesets 2, Scirius rulesets 3)

pevma commented 4 years ago

Commented rules are not loaded. If it only alerts when SELKS is the destination or source, it means it most likely is not seeing all the traffic it is supposed to see? If you do a test with a different IP and tcpdump that IP on the same interface where Suricata is listening, would you see the traffic?

ManuelFFF commented 4 years ago

(screenshot: Scirius rulesets 4)

I found something that may be the reason that Suricata is not launching alerts, but detecting the rest of the traffic on the internal network. (https://www.stamus-networks.com/blog/2018/03/14/scirius-2-0-is-here-to-get-your-suricata-easier-faster-stronger):

Lateral Movement

Lateral movement transformation modifies signatures to have them detect lateral movement. As signatures are often written with the EXTERNAL_NET and HOME_NET variables, this means they won't match if both sides of a flow are in the HOME_NET. Thus, lateral movements are not detected. This transformation changes EXTERNAL_NET to any to be able to detect lateral movements. Scirius proposes per-ruleset, per-category and per-signature changes. One of the values proposed is auto, which uses an algorithm that triggers the substitution if the signature verifies some properties.
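Added example (not code from the issue, SELKS or Scirius): a small Python rule-header matcher that ties the HOME_NET/EXTERNAL_NET settings quoted earlier in the thread to the lateral-movement explanation above. It evaluates Suricata address and port specs against a flow, shows that a `$EXTERNAL_NET -> $HOME_NET` signature cannot fire on a flow with both ends inside HOME_NET, and applies the plain EXTERNAL_NET-to-any rewrite. The rule, its sid and the flows are constructed; the HOME_NET value is the effective (second) one from the posted suricata.yaml. Scirius' "auto" heuristic for choosing which signatures to rewrite is not reproduced, and rule options are ignored, so this only decides whether the header covers a flow.

```python
"""Constructed Suricata rule-header matcher (example only, not Scirius code)."""
import ipaddress
import re

# Constructed address groups, using the second HOME_NET value from the issue.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed sample rule with a hypothetical sid; the header uses Suricata syntax.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
               '(msg:"EXAMPLE SSH brute force attempt"; sid:9000001; rev:1;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def addr_matches(spec, ip, groups):
    """Evaluate an address spec: 'any', a CIDR/IP, $VAR, !X, or [a,b,!c]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, groups)
    if spec.startswith("$"):
        return addr_matches(groups[spec[1:]], ip, groups)
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
        excludes = [i[1:] for i in items if i.startswith("!")]
        includes = [i for i in items if not i.startswith("!")]
        # Negated entries carve exceptions out of the positive entries;
        # a list with only negations means "anything except those".
        if any(addr_matches(e, ip, groups) for e in excludes):
            return False
        return not includes or any(addr_matches(i, ip, groups) for i in includes)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Evaluate a port spec: 'any', a number, a lo:hi range, !X, or a [list]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def parse_rule(rule):
    """Split a rule into its header fields and option string."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a rule header: " + rule)
    return m.groupdict()


def rule_matches_flow(rule, src_ip, src_port, dst_ip, dst_port, groups=ADDRESS_GROUPS):
    """True if the rule header covers the flow; options are not evaluated."""
    h = parse_rule(rule)

    def one_way(s_ip, s_port, d_ip, d_port):
        return (addr_matches(h["src"], s_ip, groups) and port_matches(h["sport"], s_port)
                and addr_matches(h["dst"], d_ip, groups) and port_matches(h["dport"], d_port))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return h["dir"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


def lateral_transform(rule):
    """Rewrite $EXTERNAL_NET to any in the header only, leaving options intact.
    This is the plain substitution the blog describes; the 'auto' selection
    heuristic is not implemented here."""
    header, _, opts = rule.partition("(")
    return header.replace("$EXTERNAL_NET", "any") + "(" + opts


if __name__ == "__main__":
    external = ("203.0.113.5", 51000, "192.168.1.10", 22)   # constructed flows
    lateral = ("192.168.1.20", 51001, "192.168.1.10", 22)
    print("original rule, external -> home:", rule_matches_flow(SAMPLE_RULE, *external))
    print("original rule, home -> home:    ", rule_matches_flow(SAMPLE_RULE, *lateral))
    print("transformed,   home -> home:    ",
          rule_matches_flow(lateral_transform(SAMPLE_RULE), *lateral))
```

Running it prints True, False, True: the same internal-to-internal SSH flow that the original header skips is covered once EXTERNAL_NET becomes any. The same matcher also shows the cost of a narrow HOME_NET: with "[192.168.1.0/24]" a 10.x host on the LAN is treated as EXTERNAL_NET, so rules written for inbound attacks fire on it as if it were an outside source.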

pevma commented 4 years ago

1 - Ok. If you see all traffic that is good and removes that as potential fault. What rules are not alerting that are supposed to? Can you share some details about the tests if possible please? (you can share it privately if you want as well.)

2 - Suricata would not load a commented rule.

3 - It is not advisable to enable / un-comment all commented rules as they are commented for a reason - too many FPs, too verbose, old/deleted etc.

You should enable both like so - then update the ruleset and push: (screenshot: Screenshot from 2020-05-08 16-37-57)

Also once you enable a rule, in order for Suricata to start using it you should reload the rules - update and push from the Suricata tab in the GUI.

ManuelFFF commented 4 years ago

OK, I see. You certainly have a point about enabling all the alerts. It could be too much, besides the other issues that you mentioned.

So far I moved in the direction that I exposed earlier: Lateral Movement. Once I enabled this option in Scirius for a wide group of rules, Suricata finally started detecting/reporting alerts related to the LAN traffic. I am talking about categories related to brute force and C2 attacks, to take an example. We were trying to have Suricata alert about potential attack attempts in case hackers reach the internal network.

I think the issue has been resolved. Now I just need to determine which rules I really need to enable the lateral movement for, to avoid having undesired results.

For that and similar tasks it would be useful to have a way to:

  1. Be able to enable/disable or toggle availability for all rules in a given category or source (if not for all of them). Some of them have only a small group of rules.
  2. Be able to list all rules among all sources and rulesets, enabled/disabled, to toggle status from the same screen instead of navigating each ruleset or source.
  3. Be able to bulk enable/disable or toggle availability for rules or categories matching a given filter. For instance, I really wanted to have all C2 related rules active/enabled, so I did a search that showed 55 pages of related rules (1355 rules), and I had to modify them all one by one. I would love to have a solution similar to "Add rules to disabled list" or "Remove rules from disabled list".

If there is anything else you would like more details, feedback or tests on, to help your team improve Scirius/SELKS, please do not hesitate and let me know. I would love to help.

Thank you

pevma commented 4 years ago

3 - I agree, we need to do that.
You can enable/disable by categories en masse like on the screenshot above - https://github.com/StamusNetworks/SELKS/issues/221#issuecomment-625849871 - just click Edit categories.