Custom rules not alerting
-
I am testing some custom rules within my DMZ network, but when I initiate traffic it is not creating any logs.
Here are my custom rules. The way I'm testing is by going to a DMZ server and attempting to establish a connection to a website on a nonstandard port for either HTTP or TLS.
    alert ssh any any -> any !22 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;)
    alert http any any -> any !80 (msg:"HTTP REQUEST on non-HTTP port"; flow:to_client, not_established; classtype:misc-activity; sid:1000002;)
    alert tls any any -> any !443 (msg:"TLS TRAFFIC on non-TLS HTTP port";
My test:

    wget https://cnn.com:1234
    --2022-12-27 23:16:18-- https://cnn.com:1234/
    Resolving cnn.com (cnn.com)... 151.101.195.5, 151.101.3.5, 151.101.131.5, ...

    wget https://google.com:1234
    --2022-12-27 23:25:28-- https://google.com:1234/
    Resolving google.com (google.com)... 64.233.185.102, 64.233.185.139, 64.233.185.101, ...
-
Your rule is using the HTTP protocol, but your test is querying an HTTPS host.
Your rule:
    alert http any any -> any !80
Your test:
    wget https://cnn.com:1234
From the Suricata rules protocol documentation (https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#protocol): "If you have a signature with for instance a http protocol, Suricata makes sure the signature can only match if it concerns http-traffic."
Also, are you sourcing this traffic from a host within your DMZ network? That would be the only way an IDS instance running on the DMZ would see the traffic.
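To make the protocol-keyword point concrete, here is an added example (not part of the thread and not Suricata's own code) that models how an app-layer protocol in the rule header and a negated port gate a match. It assumes a completed TLS rule with sid 1000003 (the thread's third rule is cut off) and constructed flow records shaped like the app_proto and dest_port fields of Suricata's eve.json output.

```python
import re
from dataclasses import dataclass

# Simplified, hypothetical model of Suricata's rule-header matching: added example
# code, not Suricata's implementation. Only action/proto/ports and msg/sid are handled.
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

@dataclass
class Rule:
    proto: str   # app-layer protocol from the header: http, tls, ssh, ...
    dport: str   # destination port expression: any, 1234 or !1234
    sid: str
    msg: str

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    opts = dict(o.strip().split(":", 1) for o in m["opts"].split(";") if ":" in o)
    return Rule(m["proto"], m["dport"], opts["sid"].strip(), opts["msg"].strip().strip('"'))

def port_matches(spec, port):
    # Supports 'any', a single port and '!port' negation (the forms used in the thread).
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def rule_alerts(rule, flow):
    # An app-layer rule only matches traffic whose detected app_proto is that protocol;
    # the port expression is evaluated independently of it.
    return rule.proto == flow["app_proto"] and port_matches(rule.dport, flow["dest_port"])

RULES = [parse_rule(r) for r in [
    'alert http any any -> any !80 (msg:"HTTP REQUEST on non-HTTP port"; sid:1000002;)',
    'alert tls any any -> any !443 (msg:"TLS TRAFFIC on non-TLS port"; sid:1000003;)',  # assumed
]]

# Constructed flow records (what eve.json would report after app-layer detection).
FLOWS = {
    "wget https://cnn.com:1234": {"app_proto": "tls", "dest_port": 1234},
    "wget http://cnn.com:1234": {"app_proto": "http", "dest_port": 1234},
    "curl https://cnn.com": {"app_proto": "tls", "dest_port": 443},
}

def alerting_sids(flow):
    return [r.sid for r in RULES if rule_alerts(r, flow)]

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:28s} -> {alerting_sids(flow) or 'no alert'}")
```

The records assume the TCP handshake and TLS ClientHello actually completed; a flow that never gets past the SYN has no detected app_proto, so neither the http nor the tls rule can fire on it.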
-
@bmeeks Hey Bill. I'm using HTTPS so as to trigger on the TLS protocol. Is there a better way to trigger this?
And yes I’m sourcing traffic from a host in the DMZ going outbound to the internet.