StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

several attacks are not detected when using pytbull #47

Closed superhobbit closed 7 years ago

superhobbit commented 8 years ago

Hi! I just installed the Suricata IDPS on my system, and after that I ran pytbull to do a few tests of this system. I updated the latest rules with oinkmaster, but the test results show that there is no shellcodes or fragmentedPackets detection; in fact 60% of the results are 'no detection'. I followed the documentation to set up Suricata, and I checked the rules file: there's a rule called 'emerging-shellcodes', and I also uncommented all the rules in suricata.yaml. I have no idea what to do next... Any help? .. Thanks!

pevma commented 8 years ago

Have you adjusted your home and external net variables so that for example they reflect an attacker from the outside networks?

Also, just as an FYI: your question seems to be more about Suricata than SELKS. We are glad to help out, but you can also get a ton of assistance from the sources here as well: https://suricata-ids.org/support/

superhobbit commented 8 years ago

Hi pevma! Thanks for the reply. I changed the home net variables, but after that the test could not be done.. I think it's maybe because Suricata locks it all out. Then I tried to set the client and the server in the same LAN, and still, plenty of results show no detection.. Is it because the two computers are in the same LAN set in the home net, so Suricata ignores the packets sent by the attacker client? Furthermore.. What else can I do to test the IPS, if not using pytbull? Thanks a lot! I'll go to the IRC to see if I can get any help, too. Thanks for sharing!

pevma commented 8 years ago

Hi :) Well the bottom line would be - if the rule that is supposed to trigger is:

alert tcp $EXTERNAL_NET any -> $HOME_NET any....

then the "attack" has to come from the outside/EXTERNAL_NET for the rule to trigger. Some rules are disabled - example - https://rules.emergingthreats.net/open/suricata-3.0/rules/emerging-shellcode.rules
so make sure the ones that need to trigger are there and enabled. Also you should check that the needed outputs are enabled (fast.log/eve.json etc.; not sure if pytbull uses eve.json).

You also need to make sure you have disabled NIC offloading and that there are no errors when you start Suricata in verbose mode.
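An added illustration of the direction point above (example code written for this page, not code from the thread, pytbull, SELKS or Suricata): a small Python model of how Suricata resolves the address-group variables in a rule header, using constructed HOME_NET/EXTERNAL_NET values. It shows that with EXTERNAL_NET defined as `!$HOME_NET`, a test client inside HOME_NET can never satisfy `$EXTERNAL_NET any -> $HOME_NET any`.

```python
import ipaddress

# Constructed example values, as they would appear under vars.address-groups
# in suricata.yaml (assumption for this illustration, not the thread's config).
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def _parse_group(expr, groups):
    """Return (networks, negated) for one address expression.

    Handles a leading '!', a $VARIABLE reference, 'any', a single CIDR and a
    bracketed comma-separated list. Negations nested inside lists are not
    modelled; this is a teaching model, not Suricata's full parser."""
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:].strip()
    if expr.startswith("$"):
        nets, inner_negated = _parse_group(groups[expr[1:]], groups)
        return nets, negated ^ inner_negated
    if expr == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], negated
    parts = expr.strip("[]").split(",")
    return [ipaddress.ip_network(p.strip()) for p in parts if p.strip()], negated


def address_matches(expr, ip, groups=ADDRESS_GROUPS):
    """True if the address expression expr matches the IP address ip."""
    nets, negated = _parse_group(expr, groups)
    addr = ipaddress.ip_address(ip)
    inside = any(addr in n for n in nets)
    return inside != negated


def rule_direction_matches(rule_src, rule_dst, pkt_src, pkt_dst,
                           groups=ADDRESS_GROUPS):
    """Address part of a header like 'alert tcp SRC any -> DST any'.

    Ports and content matches are ignored; only src/dst groups are checked."""
    return (address_matches(rule_src, pkt_src, groups)
            and address_matches(rule_dst, pkt_dst, groups))


if __name__ == "__main__":
    # Attacker in the same LAN as the target: the rule cannot fire.
    print(rule_direction_matches("$EXTERNAL_NET", "$HOME_NET",
                                 "192.168.1.50", "192.168.1.10"))  # False
    # Attacker outside HOME_NET: the direction check passes.
    print(rule_direction_matches("$EXTERNAL_NET", "$HOME_NET",
                                 "203.0.113.7", "192.168.1.10"))   # True
```

Setting HOME_NET to `any` has the same effect for every host, since `!$HOME_NET` then matches nothing.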

pevma commented 8 years ago

@superhobbit - any update?

superhobbit commented 7 years ago

Yeah!.. Sorry for the delay.. I don't have much time after my graduate work TT, so I changed some of the rules as you said and the results showed exactly right!! Thanks so much for the help!!!