No alerts generated for emerging-trojan.rules, Suricata Inline
-
Hello guys,
We've been running Suricata inline mode for the better part of a year in a SOHO environment.
(now on pfSense 2.4.3, Suricata 4.0.4_1)
The rules that we've been using are ETOpen and Snort Subscriber/GPL.
Alerts have been generated and we've disabled certain SIDs during this time. All has been good until recently, when we took on a new manufacturer line and their web site is being blocked but no alerts are generated. (https://centennialplastics.com/)
We've narrowed it down to the "emerging-trojan.rules" rule set. The moment I disable this, we are able to gain access to it. Not sure why there isn't an alert being generated, and in the event that there is a Trojan on that website, we would like to inform the site operators as to which possible Trojan (SID) it might be.
Thanks.
-
Do you have the EVE Drop Log option enabled on the INTERFACE SETTINGS tab? If you do, examine that log file to see what may be happening. It will be in the /var/log/suricata directory down in a sub-directory named with the interface and a random UUID.
Bill
-
Got it. Will enable and look into it.
-
Oh wow!!!
The amount of data that this log produces is astonishing!
With some digging, I clearly do see where:
{"timestamp":"2018-05-04T10:44:53.526603-0700","flow_id":99431111545856,"in_iface":"em0","event_type":"dns","src_ip":"216.239.34.10","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":21791,"proto":"UDP","dns":{"type":"answer","id":65156,"rcode":"NOERROR","rrname":"ssl-google-analytics.l.google.com","rrtype":"AAAA","ttl":300,"rdata":"2607:f8b0:4007:0804:0000:0000:0000:2008"}}
{"timestamp":"2018-05-04T10:44:53.527425-0700","flow_id":1440139512730690,"in_iface":"em0","event_type":"dns","src_ip":"216.239.32.10","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":53520,"proto":"UDP","dns":{"type":"answer","id":21195,"rcode":"NOERROR","rrname":"ssl-google-analytics.l.google.com","rrtype":"A","ttl":300,"rdata":"172.217.11.168"}}
{"timestamp":"2018-05-04T10:44:53.537412-0700","flow_id":454092331009839,"in_iface":"em0","event_type":"dns","src_ip":"216.239.36.10","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":35383,"proto":"UDP","dns":{"type":"answer","id":46143,"rcode":"NOERROR","rrname":"googleadapis.l.google.com","rrtype":"AAAA","ttl":300,"rdata":"2607:f8b0:4007:080c:0000:0000:0000:200a"}}
{"timestamp":"2018-05-04T10:44:53.538671-0700","flow_id":729824936398157,"in_iface":"em0","event_type":"tls","src_ip":"XXX.XXX.XXX.XXX","src_port":5411,"dest_ip":"172.217.11.168","dest_port":443,"proto":"TCP","tls":{"session_resumed":true,"sni":"ssl.google-analytics.com","version":"TLS 1.2"}}
{"timestamp":"2018-05-04T10:44:53.557003-0700","flow_id":387636302039536,"in_iface":"em0","event_type":"dns","src_ip":"216.239.34.10","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":23126,"proto":"UDP","dns":{"type":"answer","id":7500,"rcode":"NOERROR","rrname":"googleadapis.l.google.com","rrtype":"A","ttl":300,"rdata":"172.217.5.74"}}
{"timestamp":"2018-05-04T10:44:53.568546-0700","flow_id":1313957668553002,"in_iface":"em0","event_type":"tls","src_ip":"XXX.XXX.XXX.XXX","src_port":48492,"dest_ip":"172.217.5.74","dest_port":443,"proto":"TCP","tls":{"session_resumed":true,"sni":"fonts.googleapis.com","version":"TLS 1.2"}}
{"timestamp":"2018-05-04T10:44:53.584620-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"drop","src_ip":"72.9.159.115","src_port":443,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":10600,"proto":"TCP","drop":{"len":1500,"tos":0,"ttl":53,"ipid":52178,"tcpseq":1468085480,"tcpack":7740890,"tcpwin":237,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:53.588424-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"tls","src_ip":"XXX.XXX.XXX.XXX","src_port":10600,"dest_ip":"72.9.159.115","dest_port":443,"proto":"TCP","tls":{"subject":"CN=centennialplastics.com","issuerdn":"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority","serial":"27:15:3C:0D:A4:FE:23:43:16:75:E7:C0:28:91:3C:AB","fingerprint":"33:77:8e:a4:67:0c:f7:db:2a:c7:e5:9f:fc:08:f9:6e:50:42:d8:2c","sni":"centennialplastics.com","version":"TLS 1.2","notbefore":"2018-04-14T00:00:00","notafter":"2018-07-13T23:59:59"}}
{"timestamp":"2018-05-04T10:44:53.836026-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"drop","src_ip":"72.9.159.115","src_port":443,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":10600,"proto":"TCP","drop":{"len":1500,"tos":0,"ttl":53,"ipid":52182,"tcpseq":1468085480,"tcpack":7740890,"tcpwin":237,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:54.341023-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"drop","src_ip":"72.9.159.115","src_port":443,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":10600,"proto":"TCP","drop":{"len":1500,"tos":0,"ttl":53,"ipid":52183,"tcpseq":1468085480,"tcpack":7740890,"tcpwin":237,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:55.144588-0700","flow_id":1793658270987468,"in_iface":"em0+","event_type":"dns","src_ip":"XXX.XXX.XXX.XXX","src_port":14203,"dest_ip":"192.175.48.6","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20389,"rrname":"104.75.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-05-04T10:44:55.195916-0700","flow_id":1793658270987468,"in_iface":"em0","event_type":"dns","src_ip":"192.175.48.6","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":14203,"proto":"UDP","dns":{"type":"answer","id":20389,"rcode":"NXDOMAIN","rrname":"104.75.168.192.in-addr.arpa"}}
{"timestamp":"2018-05-04T10:44:55.195916-0700","flow_id":1793658270987468,"in_iface":"em0","event_type":"dns","src_ip":"192.175.48.6","src_port":53,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":14203,"proto":"UDP","dns":{"type":"answer","id":20389,"rcode":"NXDOMAIN","rrname":"168.192.in-addr.arpa","rrtype":"SOA","ttl":14976}}
{"timestamp":"2018-05-04T10:44:55.305193-0700","flow_id":693090073686335,"in_iface":"em0+","event_type":"drop","src_ip":"XXX.XXX.XXX.XXX","src_port":47572,"dest_ip":"40.97.222.34","dest_port":443,"proto":"TCP","drop":{"len":40,"tos":0,"ttl":64,"ipid":0,"tcpseq":3179588945,"tcpack":2644901028,"tcpwin":513,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":true,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2018-05-04T10:44:55.350029-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"drop","src_ip":"72.9.159.115","src_port":443,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":10600,"proto":"TCP","drop":{"len":1500,"tos":0,"ttl":53,"ipid":52184,"tcpseq":1468085480,"tcpack":7740890,"tcpwin":237,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:55.703954-0700","flow_id":2020737483688112,"in_iface":"em0+","event_type":"drop","src_ip":"XXX.XXX.XXX.XXX","src_port":55514,"dest_ip":"40.97.220.34","dest_port":443,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":0,"tcpseq":1861039517,"tcpack":286321989,"tcpwin":513,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":true,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2018-05-04T10:44:57.370036-0700","flow_id":318873875599558,"in_iface":"em0","event_type":"drop","src_ip":"72.9.159.115","src_port":443,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":10600,"proto":"TCP","drop":{"len":1500,"tos":0,"ttl":53,"ipid":52185,"tcpseq":1468085480,"tcpack":7740890,"tcpwin":237,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:57.588813-0700","flow_id":846377457170845,"in_iface":"em0+","event_type":"drop","src_ip":"XXX.XXX.XXX.XXX","src_port":19976,"dest_ip":"40.121.213.159","dest_port":443,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":0,"tcpseq":1721207572,"tcpack":464089846,"tcpwin":517,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}

"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1

With this information, I can contact the web admins to see if they'll correct it. I'm not comfortable disabling this SID just to allow a single website on our network.
As for it to not show up in the Alerts tab, could this be a wrong configuration on my end?
Thank you Bill!
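Added example (not code from the thread, pfSense or Suricata): a small Python script that does the "digging" Bill describes over the EVE log, grouping drop events that carry an alert by flow_id and joining them with that flow's tls event so the SID and the blocked site's SNI come out together. The sample lines below are constructed, with documentation-range IPs and an example.com SNI; the path in the usage comment follows the directory layout Bill gave.

```python
import json
import sys

# Constructed sample eve.json lines (not from the thread), shaped like the
# records in the post: two signature-carrying drops and one tls event sharing
# a flow_id, one drop with no alert (a FIN on another flow) and a dns answer.
SAMPLE_EVE = """\
{"timestamp":"2018-05-04T10:44:53.584620-0700","flow_id":318873875599558,"event_type":"drop","src_ip":"203.0.113.5","src_port":443,"dest_ip":"192.0.2.10","dest_port":10600,"proto":"TCP","drop":{"len":1500,"ttl":53,"fin":false},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:53.588424-0700","flow_id":318873875599558,"event_type":"tls","src_ip":"192.0.2.10","src_port":10600,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.example.com","issuerdn":"CN=Example CA","sni":"www.example.com","version":"TLS 1.2"}}
{"timestamp":"2018-05-04T10:44:53.836026-0700","flow_id":318873875599558,"event_type":"drop","src_ip":"203.0.113.5","src_port":443,"dest_ip":"192.0.2.10","dest_port":10600,"proto":"TCP","drop":{"len":1500,"ttl":53,"fin":false},"alert":{"action":"blocked","gid":1,"signature_id":2024772,"rev":2,"signature":"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2018-05-04T10:44:55.305193-0700","flow_id":693090073686335,"event_type":"drop","src_ip":"192.0.2.10","src_port":47572,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","drop":{"len":40,"ttl":64,"fin":true}}
{"timestamp":"2018-05-04T10:44:55.195916-0700","flow_id":1793658270987468,"event_type":"dns","src_ip":"198.51.100.53","src_port":53,"dest_ip":"192.0.2.10","dest_port":14203,"proto":"UDP","dns":{"type":"answer","rcode":"NXDOMAIN","rrname":"104.75.168.192.in-addr.arpa"}}
"""

def summarize_drops(eve_text):
    """Group signature-carrying drops by flow_id and attach that flow's TLS
    metadata (SNI, cert subject) so the blocked site and the responsible SID
    are read off together; drops without an alert are counted separately."""
    tls_by_flow, hits, unattributed = {}, {}, 0
    for raw in eve_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        fid = ev["flow_id"]
        if ev["event_type"] == "tls":
            tls_by_flow[fid] = ev["tls"]  # indexed now, joined after the pass
        elif ev["event_type"] == "drop":
            alert = ev.get("alert")
            if alert is None:  # no signature attached (e.g. flow-level drop)
                unattributed += 1
                continue
            h = hits.setdefault(fid, {"sid": alert["signature_id"], "count": 0,
                                      "signature": alert["signature"],
                                      "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"]})
            h["count"] += 1
    for fid, h in hits.items():  # order-independent join: tls may precede or follow the drop
        tls = tls_by_flow.get(fid, {})
        h["sni"], h["subject"] = tls.get("sni"), tls.get("subject")
    return hits, unattributed

if __name__ == "__main__":
    # Usage: python3 eve_drops.py [/var/log/suricata/<iface>_<uuid>/eve.json]; no argument uses the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    hits, plain = summarize_drops(text)
    for fid, h in hits.items():
        print(f"flow {fid}: SID {h['sid']} x{h['count']} {h['src_ip']} -> {h['dest_ip']} "
              f"sni={h['sni']} subject={h['subject']}\n  {h['signature']}")
    print(f"{plain} drop event(s) carried no alert")
```

Run against the sample it reports one flow with SID 2024772 hitting twice and one alert-less drop; pointed at a real eve.json it collapses the repeated per-packet drops the thread shows into one line per blocked flow.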
-
As for it to not show up in the Alerts tab, could this be a wrong configuration on my end?
Thank you Bill!
No, it's an issue with the way the Suricata binary logs drops when using Netmap. I probably need to change the way the GUI gets alerts and drops when using the Inline IPS mode (which uses Netmap). This happens from time to time.
Bill