Closed ManuelFFF closed 4 years ago
What kind of tests are those? Did you also set up HOME_NET accordingly etc in selks6-addin.yaml ?
Yes I defined my HOME_NET variable, but in suricata.yaml, since selks5-addin.yaml does not have the address-groups section. Settings were set as follows:
address-groups:
  #HOME_NET: "[192.168.0.0/16]"
  #HOME_NET: "[10.0.0.0/8]"
  #HOME_NET: "[172.16.0.0/12]"
  #HOME_NET: "any"
  HOME_NET: "[192.168.1.0/24]"
  EXTERNAL_NET: "!$HOME_NET"
and regarding the tests, I am just trying to simulate some kind of "bad" traffic just to make sure Suricata is detecting those.
Should I add line "HOME_NET: "[192.168.1.0/24]" to config file "selks5-addin.yaml" in order to make it work properly?
I am just trying to see a different message here, to confirm Suricata is working fine. I have been trying to generate some traffic that Suricata would alert about by downloading samples from https://www.eicar.org/?page_id=3950.
Maybe this is not the best way to test Suricata or alerts does not work the way I think.
Any help or advice is welcome :) .
Most likely the interface where the Suricata sniffs traffic on is not seeing the traffic? If you tcpdump on that interface would you see the traffic properly ?
Also the test needs to be done from within the HOME_NETWORK
- just as a pre-test check.
I have been running the tests from the server running Suricata (running SELKS), which is of course included in the HOME_NETWORK. Should I try from a different PC within the same network?
Since this is just for testing purposes, the server is not connected to the main router mirroring any port. It is connected to the network like any other server, but if Suricata couldn't see the traffic from other devices, at least it should detect its own bad traffic if I try a site like https://www.eicar.org/?page_id=3950, right?
When I run tcpdump I can see traffic, however it is traffic going out/in the Suricata server only.
*Note: SELKS server is now mirroring port on the core switch, so it's detecting traffic and generating data from multiple IPs, but the alerts are generated only when SELKS server is the destination or source IP.
I am reviewing the rule sets in Scirius (check attached photo). When I log in to see the details of each category, I am assuming the following (please correct me if it is not correct):
But I'm not sure I understand the 3rd table correctly, "Commented rules". I checked that the status of each rule here is "inactive".
Commented rules are not loaded. If it only alerts when SELKS is destination or source - it means it most likely is not seeing all the traffic it is supposed to see? If you do a test with a different IP and tcpdump that ip on the same interface where Suricata is listening - would you see the traffic?
Yes, like I said, Suricata is seeing all the traffic (now that it is mirroring all traffic from the core switch) and filling all other dashboards with data, but not alerts.
"Commented rules are not loaded". Is this by default only?
When I toggle availability for a rule to make it "active", does Scirius import that rule into "scirius.rules" so Suricata can start using that rule immediately, even if the rule stays "commented" in the source? At least the number of rules in the ruleset increases every time (see screenshot).
I found something that may be the reason that Suricata is not launching alerts, but detecting the rest of the traffic on the internal network. (https://www.stamus-networks.com/blog/2018/03/14/scirius-2-0-is-here-to-get-your-suricata-easier-faster-stronger):
Lateral Movement
Lateral movement transformation modifies signatures to have them detect lateral movement. As signatures are often written with the EXTERNAL_NET and HOME_NET variables, this means they won't match if both sides of a flow are in the HOME_NET. Thus, lateral movements are not detected. This transformation changes EXTERNAL_NET to any to be able to detect lateral movements. Scirius proposes per ruleset, per category and per signature changes. One of the values proposed is auto, which uses an algorithm that triggers the substitution if the signature verifies some properties.
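As an added illustration (not from the thread, and not Scirius's or Suricata's own code), a small Python model of how a rule's $EXTERNAL_NET -> $HOME_NET addresses resolve against the address-groups quoted earlier, and why a flow between two internal hosts only matches once the Lateral Movement transformation rewrites $EXTERNAL_NET to any. The parser handles only the group forms used in this thread ("any", "[cidr,...]", "!$VAR"); that simplification is an assumption.

```python
import ipaddress

# Constructed address-groups, mirroring the values quoted in this thread.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def parse_group(expr, groups):
    """Resolve a group expression to (negated, networks); networks is None for 'any'.
    Simplified assumption: only 'any', '[cidr, ...]' and '!$VAR' / '$VAR' forms."""
    expr = expr.strip()
    if expr == "any":
        return False, None
    if expr.startswith("!"):
        negated, nets = parse_group(expr[1:], groups)
        return (not negated), nets
    if expr.startswith("$"):
        return parse_group(groups[expr[1:]], groups)
    inner = expr.strip("[]")
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in inner.split(",") if p.strip()]
    return False, nets


def ip_in_group(ip, expr, groups):
    """True if ip belongs to the resolved group (honouring '!' negation)."""
    negated, nets = parse_group(expr, groups)
    if nets is None:            # 'any' matches every address
        return True
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return (not hit) if negated else hit


def rule_matches(rule_src, rule_dst, src_ip, dst_ip, groups=ADDRESS_GROUPS):
    """Address part of a signature 'rule_src -> rule_dst' applied to one flow."""
    return ip_in_group(src_ip, rule_src, groups) and ip_in_group(dst_ip, rule_dst, groups)


def lateral_transform(addr):
    """Scirius Lateral Movement transformation as described above: EXTERNAL_NET -> any."""
    return "any" if addr == "$EXTERNAL_NET" else addr


if __name__ == "__main__":
    # Internal-to-internal flow: ignored by the stock rule, caught after the transform.
    print(rule_matches("$EXTERNAL_NET", "$HOME_NET", "192.168.1.10", "192.168.1.20"))
    print(rule_matches(lateral_transform("$EXTERNAL_NET"), "$HOME_NET",
                       "192.168.1.10", "192.168.1.20"))
```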
1 - Ok. If you see all traffic that is good and removes that as potential fault. What rules are not alerting that are supposed to? Can you share some details about the tests if possible please? (you can share it privately if you want as well.)
2 - Suricata would not load a commented rule.
3 - It is not advisable to enable / un-comment all commented rules as they are commented for a reason - too many FPs, too verbose, old/deleted etc.
You should enable both like so - then Update the ruleset and push -
Also once you enable a rule, in order for Suricata to start using it you should reload the rules - update and push from the Suricata tab in the GUI.
OK, I see. You certainly have a point about enabling all the alerts. It could be too much, besides the other issues that you mentioned.
So far I moved in the direction that I exposed earlier: Lateral Movement. Once I enabled this option in Scirius for a wide group of rules, Suricata finally started detecting/reporting alerts related to the LAN traffic. I am talking about categories related to brute force and C2 attacks, to take an example. We were trying to have Suricata alert about potential attack attempts in case hackers reach the internal network.
I think the issue has been resolved. Now I just need to determine which rules I really need to enable the lateral movement for, to avoid having undesired results.
For that and similar tasks it would be useful to have a way to:
If there is anything else that you would like to have more details, feedback or tests on, to help your team improve Scirius/SELKS, please do not hesitate to let me know. I would love to help.
Thank you
3 - I agree , we need to do that.
You can enable/disable by categories en masse like on the screenshot above - https://github.com/StamusNetworks/SELKS/issues/221#issuecomment-625849871 , just click Edit categories.
Hi,
I have a fresh SELKS 5 installation. Successfully executed and completed:
Now I have started to test Suricata.
I have not been able to see Suricata detecting any "bad" traffic. I have been using some websites to do some tests and download fake threats to the server:
http://metal.fortiguard.com/tests/
So far Suricata is not reporting bad traffic nor threats, but only events like flow, dns, fileinfo, http, tls, dhcp, etc.
The only persistent alert shown is "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management" every time I run "selks-upgrade_stamus" to have the latest SELKS and system updates. And even so the category is "Not Suspicious Traffic".
Is there anything I need to manually configure in "scirius-iprep.list" or "scirius.rules" or somewhere else? Perhaps I am not doing the correct tests or I am missing some important step. Maybe you can advise of some other tests to finally be able to see alerts in Suricata.
Thank you