StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Suppress rule not working #368

Open JoppeOostenrijk opened 2 years ago

JoppeOostenrijk commented 2 years ago

I'm running SELKS-ce in Docker (4 vCPUs & 16 GB RAM). I set up drop rules, with the necessary IPS code in the SELKS-6_addin.yaml.

As part of my testing I wanted to try out suppressing (parts of) rules. My understanding of suppressing a rule is that it shouldn't generate alerts?

I try to simulate alerts by running `curl -A "BlackSun" www.google.com` to generate a "ET USER_AGENTS Suspicious User Agent (BlackSun)" alert. I run this command on the same machine as where SELKS is running. This works fine, the alert is generated. Then, I try to suppress this rule (SID 2008983) for the IP of my SELKS machine (..*.176) by doing the following:

After posting this to discord, I got confirmed this is a bug.

regit commented 2 years ago

Just a last check: What is the src_ip and dest_ip event that got generated and what is the suppression rule ?

JoppeOostenrijk commented 2 years ago

src_ip = 192.168.1.178, dest_ip = 142.251.39.110 (not exactly, but the same type of Google IP; currently no access to this machine). Suppression rule = 192.168.1.178 (mistyped the IP in the post above). Also tried 192.168.1.0/24 as suppression rule.

pevma commented 2 years ago

@JoppeOostenrijk can you try something out as a test? Can you adjust the file

containers-data/suricata/etc/selks6-addin.yaml

Change the following line

grep -i threshold /etc/suricata/selks6-addin.yaml 
threshold-file: /etc/suricata/threshold.config

to

threshold-file: /etc/suricata/rules/threshold.config

Can you please redo the test and see if it works?

JoppeOostenrijk commented 2 years ago

Hi, it seems to have worked to stop generating alerts. However, when trying to build suricata (through ruleset update) it throws a "nosuchpatherror at /suricata/update" error at the build stage...

pevma commented 2 years ago

I could not reproduce that error. We actually merged the fix, maybe pull and recreate the containers and redo the test?

JoppeOostenrijk commented 2 years ago

I reinstalled the docker containers, also cleaning their data, however, it doesn't seem to have fixed the issue after all. With the suppression rule the traffic still generates alerts.

pevma commented 2 years ago

Hi, did you sync up the git code as well (git pull)?

https://github.com/StamusNetworks/SELKS/wiki/Docker#upgrade-all-containers

Thanks for trying it out!

-- Regards, Peter Manev

On 17 Dec 2021, at 19:50, JoppeOostenrijk @.***> wrote:

 I reinstalled the docker containers, also cleaning their data, however, it doesn't seem to have fixed the issue after all. With the suppression rule the traffic still generates alerts.


JoppeOostenrijk commented 2 years ago

Hi yes, I just completely removed it from my system and cloned it again to make it work, double checked the selks6_addin.yaml to be sure.

pevma commented 2 years ago

Glad to hear it works. I think this routine below should be good for the next time an upgrade is needed:

 git pull
 docker-compose pull
 docker-compose stop
 docker-compose up -d

JoppeOostenrijk commented 2 years ago

Hi Peter,

I think you misunderstood, it still doesn't suppress the alerts for me.

pevma commented 2 years ago

Hi @JoppeOostenrijk ,

Sorry I missed that. Can you please share the contents of the threshold file? You can do that from the docker running directory, via:

docker exec -it suricata /bin/bash
cat /etc/suricata/rules/threshold.conf

JoppeOostenrijk commented 2 years ago

Hi @pevma ,

The contents are:

cat /etc/suricata/rules/threshold.config
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.179
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2030137, track by_src, ip 192.168.1.0/24

While the file is named threshold.config instead of .conf, this is in line with your earlier comment and code edit.
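To check offline what Suricata's `suppress` keyword should do with entries like the ones above, here is an added example (not SELKS or Suricata code) that parses `threshold.config` suppress lines and evaluates them against EVE-style alert records, using the EVE fields `src_ip`, `dest_ip`, `alert.gid` and `alert.signature_id`; the sample alert is constructed from the IPs and SID quoted in this thread. It also covers `by_dst`, `by_either` and the track-less form, which the thread does not use.

```python
# Added example (not SELKS/Suricata code): re-implements Suricata's
# threshold.config 'suppress' matching in Python to check entries offline.
import ipaddress
import re

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?\s*$")


def parse_threshold_config(text):
    """Return the suppress entries as dicts; blanks, comments and other keywords are skipped."""
    rules = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.strip())
        if m:  # 'threshold' and 'rate_filter' lines are out of scope here
            gid, sid, track, ip = m.groups()
            rules.append({"gen_id": int(gid), "sig_id": int(sid), "track": track,
                          # no track/ip means: suppress the signature for every host
                          "net": ipaddress.ip_network(ip, strict=False) if ip else None})
    return rules


def is_suppressed(alert, rules):
    """True if an EVE alert record matches any suppress entry."""
    gid, sid = alert["alert"]["gid"], alert["alert"]["signature_id"]
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dest_ip"])
    for r in rules:
        if (r["gen_id"], r["sig_id"]) != (gid, sid):
            continue
        if r["track"] is None:
            return True
        hosts = {"by_src": [src], "by_dst": [dst], "by_either": [src, dst]}[r["track"]]
        if any(h in r["net"] for h in hosts):
            return True
    return False


# Constructed sample: the three entries quoted in the thread and one EVE-style alert
THRESHOLD_CONFIG = """\
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.179
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2030137, track by_src, ip 192.168.1.0/24
"""
SAMPLE_ALERT = {"src_ip": "192.168.1.178", "dest_ip": "142.251.39.110",
                "alert": {"gid": 1, "signature_id": 2008983}}

if __name__ == "__main__":
    print(is_suppressed(SAMPLE_ALERT, parse_threshold_config(THRESHOLD_CONFIG)))  # True
```

Note that the single-host entry for 192.168.1.179 alone would not cover the 192.168.1.178 source quoted earlier in the thread; only the /24 entry does, so an alert that still fires with this file loaded points at the file not being read rather than at the entries themselves.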

pevma commented 2 years ago

Yes, thank you. Do those seem like the suppressions you made? Are they not suppressing everything from src_ip 192.168.1.179, let's say?

JoppeOostenrijk commented 2 years ago

These are the suppressions I added specifically to those rules.

pevma commented 2 years ago

OK, so basically, if I understand correctly, you are receiving alerts from the IP/networks above for those specific signatures (2008983, 2030137). It seems like a suppression bug if that is the case. Can you please confirm or share a screenshot of an example alert?

JoppeOostenrijk commented 2 years ago

Hi, I think you understand correctly, see images below.

(two screenshots of example alerts attached)

pevma commented 2 years ago

Ok.

Did you also do the Ruleset actions (Suricata tab in management): select all actions/apply? After a suppression or any rule adjustment change you need to update/push those. (Apologies if I am repetitive, just making sure we will not miss something in order to pinpoint the issue.)

augustus-j commented 1 year ago

I am also facing the same issue. I have tried to apply the ruleset actions but that hasn't helped.
Is this still an unresolved issue?