Suricata and potential false positives, heartbleed, and SMB alerts
-
Hi,
My SG-2200 box quit and I recently replaced it with an SG-3100, and am tailoring Suricata rules...
I've trimmed them down by following a lot of the advice in: https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint?lang=en-US , and this: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf/61 . I am getting some alerts that I am wondering if they are false positives or not, and am hoping someone on the forum has had experience with these particular rules.
Context: Suricata running on LAN interface which contains multiple VLANs, each running on their own subnet. I have a Mac computer running the latest OS (Catalina) on one VLAN, and a Synology NAS (running latest OS and patches) on a different VLAN. The alerts are for communications between these two devices.
Also, I am using Snort individual paid rules, and ET free ones.
- ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement , and
ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement
- I have my Mac backing up to the Synology NAS using Time Machine. I have the backup folder available via SMB. I suspect the Time Machine backup might be tripping these. Does anyone else have the same/similar experience? Or has anyone run into issues with these rules tripping on anything else not related to the rules' purpose?
- ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) , and the partner rule where the request is made
- I'm pretty sure both the Mac and Synology box have been patched for HeartBleed... anyone else experiencing false positives on this rule? Or is it possible they aren't fully patched?
- ET INFO Observed DNS Query to .cloud TLD
- While it is an INFO msg, it is filling up my logs... in your experience, is this a pretty normal, nothing to worry about kind of thing? Or does this strike you as unusual?
- SURICATA TLS invalid record/traffic , SURICATA TLS invalid handshake message , and pretty much all the TLS rules
- I seem to recall having to disable these on my old 2220... do you find the TLS rules in general trip on legit services/connections?
Does anyone know if there is a sticky or place where people are noting/questioning rules as potential false positives? The two links above, and I think I saw another (although I think the person was banned, so not so confident about that one) were attempting to keep, amongst other things, a current account of people's experience with the various rules disrupting legit services/connections.
Thanks in advance for any thoughts on this. I appreciate everyone's efforts, and the helpful community that exists here.
Panda
-
The ET Policy and ET Info rules are really not for detecting "bad" things. They are designed to alert you if some machine is doing something that matches the policy. So that ET POLICY WMIC WMI rule is simply telling you that it detected WMI (Windows Management Instrumentation) traffic over the link. That is typically harmless and does not mean malware exists. Generally speaking, for home users and even most small business users, the ET POLICY rules are not a good thing to enable. They will give you plenty of alerts, but the alerts do not mean anything bad is happening. I would recommend not using that rule category in most circumstances.
Same for the ET INFO rules. They are designed to give you "information", not protect from necessarily bad stuff. In the example you gave, that rule is simply firing because some host on your network performed a DNS lookup for a *.info domain. Do you really and truly care about every single domain lookup performed by every host on your network? If you do, then leave the ET INFO rules enabled, otherwise, disable them.
Suricata has had issues with TLS detection from the start. The upstream developers have patched that code several times over the years. Probably still not 100% reliable. I would ignore that alert or just disable those rules. Not very useful in my view.
There is no place here on the forum where rules are routinely discussed. And I have never really found much on the Internet either. The Talos (Snort) rules team has a blog site and a Talos Advisories site where rule changes in each weekly update are described.
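To act on the advice above about the ET POLICY and ET INFO categories, here is an added example (not code from this thread, nor from the Suricata or pfSense packages) that scans a rules file, groups rules by the category prefix in the msg string, and emits gid:sid entries for the categories you choose to turn off. The sample rule lines and their SIDs (2900xxx) are constructed for the example; the one-entry-per-line "gid:sid" output is assumed to match what the pfSense SID MGMT tab's disablesid-style lists accept, so check it against that tab's own help text before importing it.

```python
import re
import sys

# Constructed sample of Suricata rule lines. SIDs are made up (2900xxx) and the
# rule bodies are simplified; only the msg prefix, sid and leading "#" matter here.
SAMPLE_RULES = """\
alert smb $HOME_NET any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"WMIC"; classtype:policy-violation; sid:2900001; rev:1;)
alert smb $HOME_NET any -> $HOME_NET any (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"ipconfig"; classtype:policy-violation; sid:2900002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns_query; content:".cloud"; endswith; classtype:bad-unknown; sid:2900003; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response"; flow:established,to_client; content:"|18 03|"; classtype:attempted-recon; sid:2900004; rev:1;)
# alert tcp any any -> any any (msg:"ET POLICY Already Commented Out Upstream"; sid:2900005; rev:1;)
alert tcp any any -> any any (msg:"ET MALWARE Something Worth Keeping"; flow:established; content:"beacon"; classtype:trojan-activity; sid:2900006; rev:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)\s*;')
GID_RE = re.compile(r'\bgid:(\d+)\s*;')


def parse_rules(text):
    """Return one dict per rule line: gid, sid, msg, category and enabled flag.

    The category is taken as the first two words of msg ("ET POLICY",
    "ET INFO", ...), which is how the ET ruleset names its categories.
    A line that starts with "#" is a rule the vendor already disabled.
    """
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        sid = SID_RE.search(stripped)
        msg = MSG_RE.search(stripped)
        if not sid or not msg:
            continue  # blank line, plain comment or something that is not a rule
        gid = GID_RE.search(stripped)
        message = msg.group(1)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,  # Suricata's default gid
            "sid": int(sid.group(1)),
            "msg": message,
            "category": " ".join(message.split()[:2]),
            "enabled": not stripped.startswith("#"),
        })
    return rules


def category_counts(rules):
    """How many enabled rules each category contributes; handy for spotting noisy ones."""
    counts = {}
    for r in rules:
        if r["enabled"]:
            counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts


def build_disablesid(rules, categories):
    """gid:sid strings for every enabled rule in the chosen categories."""
    wanted = set(categories)
    return [f'{r["gid"]}:{r["sid"]}' for r in rules
            if r["enabled"] and r["category"] in wanted]


def render_disablesid(rules, categories):
    """Text in the assumed SID MGMT list format: '#' comment lines and gid:sid lines."""
    wanted = set(categories)
    lines = ["# generated: disable categories that only report policy/info events"]
    for r in rules:
        if r["enabled"] and r["category"] in wanted:
            lines.append(f'# {r["msg"]}')
            lines.append(f'{r["gid"]}:{r["sid"]}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python disable_categories.py [rules-file] [CATEGORY ...]
    # With no arguments it runs on the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    cats = sys.argv[2:] or ["ET POLICY", "ET INFO"]
    parsed = parse_rules(text)
    print("# enabled rules per category:", category_counts(parsed), file=sys.stderr)
    print(render_disablesid(parsed, cats), end="")
```

Point it at the concatenated rules file Suricata actually loads on the interface so the SIDs match what is running; the category heuristic is specific to ET's "ET CATEGORY ..." naming and will need adjusting for Snort VRT messages.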
-
@bmeeks Thanks for taking the time to respond. I guess I find it frustrating that the various rulesets available aren't cared for a bit more, in terms of pruning ones that perhaps at one time were very relevant and useful for detecting errant behaviours but now trigger on "normal" "good" things. I definitely feel anyone's pain who tries to keep up with this. That being said, I do appreciate at least having the option to run Suricata on my pfSense box (thank you).
One other related challenge I am having is how to save all the ruleset customization (in terms of which rules are enabled and which I have disabled) when it comes to installing pfSense on a new box. Please correct me if I am wrong, but backing up a pfSense configuration (for "all") doesn't save any of that rule customization, or at least it didn't for me. So that's one way I ran into trouble when I went to re-install Suricata... I turned on way too many rules and the CPU got bogged down very quickly. Do you know if there is a way to save all these ruleset customizations (there's probably a better term for this) for such an occasion as a re-install on a new box?
Thanks again.
-
@pfPanda said in Suricata and potential false positives, heartbleed, and SMB alerts:
One other related challenge I am having is how to save all the ruleset customization (in terms of which rules are enabled and which I have disabled) when it comes to installing pfSense on a new box. Please correct me if I am wrong, but backing up a pfSense configuration (for "all") doesn't save any of that rule customization, or at least it didn't for me. So that's one way I ran into trouble when I went to re-install Suricata... I turned on way too many rules and the CPU got bogged down very quickly. Do you know if there is a way to save all these ruleset customizations (there's probably a better term for this) for such an occasion as a re-install on a new box?
Everything you do in the GUI for Suricata is saved into the config.xml on the firewall. If you import that into a new firewall install, the Suricata configuration should come in as well. The categories you select, the rules you force to enabled or disabled, any custom rules you create and any SID MGMT tab modifications you make are all stored in the config.xml on the firewall. I've never tested it, but it should come over. If nothing else, you could copy and paste the relevant section of the file into the new firewall since everything is XML text anyway. Some things in the Suricata config are Base64 encoded text, but all the XML tags are plaintext.
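As an added example (not from this thread and not part of the pfSense Suricata package), here is a Python script that pulls the Suricata section out of a config.xml backup, splits the per-interface forced-on and forced-off SID lists, decodes the Base64 custom rules, and serializes just that subtree so it can be pasted into another firewall's config. The sample config, the tag names installedpackages/suricata/rule, rule_sid_on, rule_sid_off and customrules, and the "||" list separator are assumptions about the package's layout, so compare them against your own config.xml before relying on the output.

```python
import base64
import sys
import xml.etree.ElementTree as ET

# One constructed custom rule, stored Base64-encoded the way the thread says
# some Suricata fields are kept in config.xml.
CUSTOM_RULE = 'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH to LAN"; sid:9000001; rev:1;)\n'

# Constructed stand-in for the relevant part of a pfSense config.xml. The tag
# names and the "||" separator are ASSUMED from the package's layout; verify
# them against a real backup before trusting the parsed result.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <suricata>
      <config>
        <enable_vrt_rules>on</enable_vrt_rules>
      </config>
      <rule>
        <interface>lan</interface>
        <descr><![CDATA[LAN]]></descr>
        <enable>on</enable>
        <rulesets>emerging-malware.rules||emerging-exploit.rules</rulesets>
        <rule_sid_on>1:2900004</rule_sid_on>
        <rule_sid_off>1:2900001||1:2900002</rule_sid_off>
        <customrules>{custom_b64}</customrules>
      </rule>
    </suricata>
  </installedpackages>
</pfsense>
""".format(custom_b64=base64.b64encode(CUSTOM_RULE.encode()).decode())


def split_list(value):
    """Split an assumed '||'-delimited config.xml list field into a Python list."""
    return [v for v in (value or "").split("||") if v]


def load_suricata_section(xml_text):
    """Return the <suricata> element from a config.xml document, or raise."""
    root = ET.fromstring(xml_text)
    node = root.find("./installedpackages/suricata")
    if node is None:
        raise ValueError("no installedpackages/suricata section in this config")
    return node


def summarize_interfaces(suricata_node):
    """One dict per configured interface: rulesets, forced SIDs, decoded custom rules."""
    summary = []
    for rule in suricata_node.findall("rule"):
        b64 = (rule.findtext("customrules") or "").strip()
        summary.append({
            "interface": rule.findtext("interface"),
            "descr": rule.findtext("descr"),
            "rulesets": split_list(rule.findtext("rulesets")),
            "forced_on": split_list(rule.findtext("rule_sid_on")),
            "forced_off": split_list(rule.findtext("rule_sid_off")),
            # Base64 here is only an encoding, not protection: the rule text
            # is readable by anyone holding the backup.
            "custom_rules": base64.b64decode(b64).decode() if b64 else "",
        })
    return summary


def export_section(suricata_node):
    """Serialize only the <suricata> subtree for pasting into another config.xml."""
    return ET.tostring(suricata_node, encoding="unicode").strip()


if __name__ == "__main__":
    # Usage: python suricata_config.py [config.xml]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_XML
    section = load_suricata_section(text)
    for iface in summarize_interfaces(section):
        print(f'{iface["interface"]} ({iface["descr"]}): '
              f'{len(iface["rulesets"])} rulesets, '
              f'{len(iface["forced_on"])} forced on, '
              f'{len(iface["forced_off"])} forced off')
        if iface["custom_rules"]:
            print("  custom rules:\n   ", iface["custom_rules"].rstrip())
    print(export_section(section))
```

Run it against a backup taken from the old firewall before the reinstall; if the forced-off list comes back empty for an interface where you know you disabled rules, the field name or separator assumed here does not match your package version and needs to be read off the real file.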
-
@bmeeks thanks, I'll have to pay attention to that and see. I am currently putting the finishing touches on building my own box, and am going to restore a backup from my SG-3100 (where I customized things for the rules), so I will look closely at that once I get suricata installed on the new box (it's not connected to the internet yet while I build it, so it's not able to re-install suricata yet).
Thanks again.