NEW - Suricata 1.4.6 IDS pkg. v0.2-BETA Released

Cino

@bmeeks:

No, I'm sorry that one slipped my mind in the rush to get Suricata 0.2 out.  I will write it down on my list of TODO fixes for the next version.

So you are saying you get multiple instances of Barnyard2 on Snort with the exact same command-line parameters?  I did not know that was still happening for anyone.

Bill

Np, it happens. Hoping its an easy fix… Barnyard2, yes. I will see multiple instances of it running. I can reproduce on the fly by resetting my cable modem. I think I may have reported it but to be honest, I can't remember...

bmeeks

@Cino:

@bmeeks:

No, I'm sorry that one slipped my mind in the rush to get Suricata 0.2 out.  I will write it down on my list of TODO fixes for the next version.

So you are saying you get multiple instances of Barnyard2 on Snort with the exact same command-line parameters?  I did not know that was still happening for anyone.

Bill

Np, it happens. Hoping its an easy fix… Barnyard2, yes. I will see multiple instances of it running. I can reproduce on the fly by resetting my cable modem. I think I may have reported it but to be honest, I can't remember...

Since you reported this, I checked last night and I am seeing that Barnyard2 problem on my Snort setup as well.  When my cable modem reboots and bounces my firewall's WAN interface, Barnyard2 is not reliably restarting.  I'm working on it.  Hopefully it's just a dumb typo someplace since Snort works OK.  They are both supposed to be using essentially the same shell script commands.  I will put my glasses on and examine the code carefully to find the mistake.  There has to be one someplace… :-[

Bill

priller

Very minor thing, but passing it along.  When the widget gets an IPv6 alert, it causes the right side border to extend past the normal alignment.  The Snort widget wraps the address.

Here it is with only IPv4 alerts and with an IPv6 alert changing the alignment.

priller

** Problem - Cannot Disable Interface **

Problem:  Cannot disable Suricata on an interface, it faults to "The following input errors were detected: The value for Maximum-Pending-Packets must be between 1 and 65,000!"

Steps to Reproduce:

1. Have Suricata enable and running on an interface.  Max Pending Packets is at the default 1024.

2. Uncheck "Enable" and hit "Save".

3. The error box "The following input errors were detected: The value for Maximum-Pending-Packets must be between 1 and 65,000!"  pops up.

4. Go back to interfaces and the disable action did not take.

BBcan177

@priller:

** Problem - Cannot Disable Interface **

FYI - This also occurred in the previous version. Hope that helps diagnose.

bmeeks

@priller:

** Problem - Cannot Disable Interface **

Problem:  Cannot disable Suricata on an interface, it faults to "The following input errors were detected: The value for Maximum-Pending-Packets must be between 1 and 65,000!"

Steps to Reproduce:

1. Have Suricata enable and running on an interface.  Max Pending Packets is at the default 1024.

2. Uncheck "Enable" and hit "Save".

3. The error box "The following input errors were detected: The value for Maximum-Pending-Packets must be between 1 and 65,000!"  pops up.

4. Go back to interfaces and the disable action did not take.

I will fix it.  I screwed up the order of input validation and also forgot to skip it all when just disabling the interface.  My bad… :-[

I will post the Pull Request today, and hopefully one of the Core Team devs will have a chance to review and approve.

Bill

bmeeks

@priller:

Very minor thing, but passing it along.  When the widget gets an IPv6 alert, it causes the right side border to extend past the normal alignment.  The Snort widget wraps the address.

Here it is with only IPv4 alerts and with an IPv6 alert changing the alignment.

I will try to get this fixed in the next update as well.  The only way I've found around this is to insert zero-length spaces next to every colon in an IPv6 address.  These don't display, but they offer the browser a "line break" opportunity.  This makes the prettiest line break (breaking on a colon, that is).  The other option is a forced wrap, but that can happen in odd places and makes readability more difficult.

Related to this, what is the preference among users for how to delimit ports when displaying IPv6 addresses?  The IPv4 standard is a colon at the end of the address, but since IPv6 already has colons, things are more confusing.

Bill

AhnHEL

@bmeeks:

Related to this, what is the preference among users for how to delimit ports when displaying IPv6 addresses?  The IPv4 standard is a colon at the end of the address, but since IPv6 already has colons, things are more confusing.

I believe square brackets around the address portion of the address is the standard.

bmeeks

@AhnHEL:

@bmeeks:

Related to this, what is the preference among users for how to delimit ports when displaying IPv6 addresses?  The IPv4 standard is a colon at the end of the address, but since IPv6 already has colons, things are more confusing.

I believe square brackets around the address portion of the address is the standard.

Thanks!  I will make the adjustment in the widget display.

Bill

bmeeks

Bug Fix Update

Just FYI.  A new Pull Request was posted today containing fixes for the bugs reported thus far with the Suricata package.  The version number will remain the same for now, but I will post an update when the pull request is merged and then interested parties can do a quick reinstall of the Suricata package GUI components to pick up the fixes.

Here is a link to the Pull Request with the details:  https://github.com/pfsense/pfsense-packages/pull/622

Bill

priller

What are the possibilities of adding in some log file rotation routines?  alerts.log and http.log have grown to the point that it's not practical to view them in the Logs Browser.

1041187808 Mar 13 21:52 alerts.log    ( a very unhappy checksum rule filled this up rather quickly )
47180176    Mar 14 07:31 http.log

Even just a daily rotation with date in the file name (ex: alerts_20140314.log) would be nice.

bmeeks

@priller:

What are the possibilities of adding in some log file rotation routines?  alerts.log and http.log have grown to the point that it's not practical to view them in the Logs Browser.

1041187808 Mar 13 21:52 alerts.log    ( a very unhappy checksum rule filled this up rather quickly )
47180176    Mar 14 07:31 http.log

Even just a daily rotation with date in the file name (ex: alerts_20140314.log) would be nice.

I can do that.  I also noticed that Suricata can be quite chatty.  I will make the rotation a configurable cron job so the user can select from several rotation options.

Bill

BBcan177

ET has finally killed the RBN rulesets.

http://www.emergingthreats.net/2014/03/14/daily-ruleset-update-summary-03142014-%CF%80-edition/?utm_source=rss&utm_medium=rss&utm_campaign=daily-ruleset-update-summary-03142014-%25cf%2580-edition

"Emerging Threats would like to remind and/or inform everyone that this ruleset does not contain the Russian Business Network (RBN) rules. These rules are obsolete and will not be distributed in future releases."

Another feature for Snort/Suricata that would help is to have two Alert screens.

One for the noisy alerts like Scans/CINS/DROP/MYSQL/SQL etc.
One for all other alerts which would make it easier to see from the Alert screen without all of the other alerts on the same log.

A Former User

Time to update the blueprint with the removed rules then. Open to suggestions for lists to replace those.

BBcan177

For ET changes, these three seem to still be online -

pfBlocker ET Blocker
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

For Snort/Suricta, I would always recommend that people start with as many rules as their box can handle (Memory and CPU) and start in non-blocking mode, remove all the false positives over several weeks of review. And then putting it into Blocking mode. With Bills new tweeks removing Rules from the Alert Page makes it easier. If we had the endablesid.conf and disablesid.conf files we could populate those files with our settings and it would be even easier to manage.

–-----------------------------------------

Here is a list for pfBlocker.

I like to keep the lists separate so I can see what is triggering a block. This helps to weed out False Positives.

pfblockerlists

pfBlocker iBlockList
http://list.iblocklist.com/?list=bt_hijacked&fileformat=p2p
http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p
http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p
http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p
http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p
http://list.iblocklist.com/?list=bt_templist&fileformat=p2p

pfBlocker ET Blocker
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

Spamhaus
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt

pfBlocker Other
http://www.ciarmy.com/list/ci-badguys.txt
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
http://www.us.openbl.org/lists/base_30days.txt
http://malc0de.com/bl/IP_Blacklist.txt

pfBlocker Zeus/SpyEye/Palevo
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist

pfBlocker dShield
http://feeds.dshield.org/top10-2.txt

pfBlocker Arbor Networks - Atlas
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
https://atlas.arbor.net/summary/scans.csv
http://atlas-public.ec2.arbor.net/public/ssh_attackers

pfBlocker Malware Domain List
http://www.malwaredomainlist.com/hostslist/ip.txt

pfBlocker No Think!
http://www.nothink.org/blacklist/blacklist_malware_http.txt
http://www.nothink.org/blacklist/blacklist_ssh_week.txt
http://www.nothink.org/blacklist/blacklist_malware_dns.txt

pfBlocker SRI
http://cgi.mtc.sri.com/download/attackers/01-17-2014/Get_Top-51_30-Day_Filterset.html
http://cgi.mtc.sri.com/download/cc_servers/01-17-2014/Get_Top-1_30-Day_Filterset.html

pfBlocker Infiltrated
http://www.infiltrated.net/blacklisted

pfBlocker AlienVault
https://reputation.alienvault.com/reputation.snort

DRG
http://www.dragonresearchgroup.org/insight/sshpwauth.txt
http://www.dragonresearchgroup.org/insight/vncprobe.txt
http://www.dragonresearchgroup.org/insight/http-report.txt

pfBlocker Feodo
https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
https://feodotracker.abuse.ch/blocklist/?download=badips

pfBlocker Blocklist.de
http://lists.blocklist.de/lists/all.txt
http://www.senderbase.org/static/spam/#tab=2

pfBlocker StopForumSpam
Local List (.CSV script to convert)

pfBlocker Autoshun
Local List (.CSV script to convert)

A Former User

http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

I think that's the one that was causing problems for a number of people, so I switched from that to the "new" RBN list (now obsolete).

A couple of interesting lists there, will test them out. If you are ok with it, I'll add them in due time to the blueprint and credit you.

BBcan177

I had that link with the other ET links and never noticed that it wasn't updating properly.

If you use the pffetch script that I wrote previously, you can add that to the script and add a link in pfBlocker to the local file.

fetch http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
It will download as "RussianBusinessNetworkIPs.txt"

The more effort we all make the better off we all are. Open Source all the way!

** SORRY Bill for taking over this Thread… ***

BBcan177

I took another look at the RBN text document in VI, and noticed that each line has a "^M" carriage return. This is probably what was causing issues with pfBlocker not reading the file properly. The RBN list is out of date, but there are still alot of hits on my Router from Russia!!

You can filter the ^M with -

fetch http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
returncode=$?
echo $returncode

if [ "$returncode" -eq "0" ]; then
        cat RussianBusinessNetworkIPs.txt | tr -d '\r' > RBN.txt
fi

and use the RBN.txt in pfBlocker local file.

A Former User

The funny thing is that I personally never had a problem with that list. It downloaded and added the IPs in the table  (checked it myself, and the IPs were there), as well as updated for over a year with no issues at all. Some other people though always had problems with it.

That list belongs to the ET guys, so I'm assuming that it too will be made obsolete. I know that you should never assume but…

yea, sorry Bill for taking over the thread  :P

felesaerius

Not sure if this is the place to post, but I figure it's a good starting point if nothing else, is there an easy way to get Suricata to throw the logs to Kibana like Suricata shows on their site?
http://idsips.files.wordpress.com/2014/03/kibana300.png

Per this walkthrough:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

It wants Suricata to have libjansson support enabled… the only thing they're missing is how to get Suricata and the install of Kibana, etc to talk to each other, but this all may be way too much to ask this early on in the game, not sure if anyone has any tips on it. Thank you for helping if possible!