Netgate Discussion Forum

    Whack-a-mole with DigitalOcean "ET COMPROMISED Known Compromised or Hostile Host Traffic group"

    26 Posts 4 Posters 3.4k Views

      drewsaur @bmeeks
      last edited by drewsaur

      @bmeeks said in Whack-a-mole with DigitalOcean "ET COMPROMISED Known Compromised or Hostile Host Traffic group":

      Scratch part of what I said earlier about correlating alerts.log with the contents of snort2c. For Suricata, it actually uses the blocks.log file instead of the alerts.log. I was thinking of how Snort works instead of Suricata. The custom binary plugin used in Suricata works slightly differently and writes a blocks.log file for each interface.

      So go look at the contents of that file instead of alerts.log. The same rules about log rotation will apply.

      Sorry about that. I confused Snort with Suricata.

      The logs I have been looking at are the ones that I get from pressing the "Download" button on the alerts tab. Are those the wrong ones? (EDIT: I see, they are indeed the "wrong" ones. Please hold.)

        drewsaur @bmeeks
        last edited by drewsaur

        @bmeeks That, too, shows an attack on 2/1, as well as the 1/31 attack that is displayed in my screenshot:

        01/31/2023-03:56:43.082414 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54140

        01/31/2023-03:56:43.082414 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54140

        02/01/2023-14:07:01.426232 [Block Src] [] [1:2500104:6426] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:42058

        Here are all the attacks from that IP address listed in the block file:

        8:32: 01/04/2023-05:20:02.234341 [Block Src] [] [1:2500114:6398] ET COMPROMISED Known Compromised or Hostile Host Traffic group 58 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:41377
        8:1225: 01/05/2023-13:54:11.503500 [Block Src] [] [1:2500116:6399] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:55242
        8:1717: 01/06/2023-04:02:51.876168 [Block Src] [] [1:2500116:6399] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:49114
        8:2582: 01/07/2023-04:12:48.257136 [Block Src] [] [1:2500120:6400] ET COMPROMISED Known Compromised or Hostile Host Traffic group 61 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:42988
        8:2824: 01/07/2023-11:13:27.541541 [Block Src] [] [1:2500122:6401] ET COMPROMISED Known Compromised or Hostile Host Traffic group 62 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:56871
        8:3505: 01/08/2023-06:04:25.770401 [Block Src] [] [1:2500122:6401] ET COMPROMISED Known Compromised or Hostile Host Traffic group 62 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:50776
        8:4315: 01/09/2023-07:56:21.322000 [Block Src] [] [1:2500122:6401] ET COMPROMISED Known Compromised or Hostile Host Traffic group 62 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:44664
        8:5170: 01/10/2023-07:13:41.997930 [Block Src] [] [1:2500126:6404] ET COMPROMISED Known Compromised or Hostile Host Traffic group 64 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:58572
        8:5706: 01/10/2023-22:32:31.896060 [Block Src] [] [1:2009582:3] ET SCAN NMAP -sS window 1024 [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 157.230.218.88:52466
        8:6709: 01/12/2023-05:06:58.982523 [Block Src] [] [1:2500122:6406] ET COMPROMISED Known Compromised or Hostile Host Traffic group 62 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:46355
        8:7125: 01/12/2023-19:00:12.154489 [Block Src] [] [1:2500122:6406] ET COMPROMISED Known Compromised or Hostile Host Traffic group 62 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:40263
        8:8110: 01/13/2023-23:31:10.836267 [Block Src] [] [1:2500118:6407] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54151
        8:8925: 01/14/2023-22:55:36.274855 [Block Src] [] [1:2500116:6408] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:48187
        8:9320: 01/15/2023-11:10:53.995156 [Block Src] [] [1:2500116:6408] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:42213
        8:9815: 01/16/2023-01:00:12.017811 [Block Src] [] [1:2500116:6408] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:56160
        8:10775: 01/17/2023-06:07:38.327039 [Block Src] [] [1:2500106:6411] ET COMPROMISED Known Compromised or Hostile Host Traffic group 54 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:50114
        8:11657: 01/18/2023-07:17:44.033972 [Block Src] [] [1:2009582:3] ET SCAN NMAP -sS window 1024 [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 157.230.218.88:44065
        8:11989: 01/18/2023-18:17:42.120452 [Block Src] [] [1:2500104:6412] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:58016
        8:12605: 01/19/2023-14:12:07.668423 [Block Src] [] [1:2500104:6413] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:51990
        8:13433: 01/20/2023-15:44:40.846356 [Block Src] [] [1:2500104:6414] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:45956
        8:14221: 01/21/2023-16:52:07.747769 [Block Src] [] [1:2500106:6415] ET COMPROMISED Known Compromised or Hostile Host Traffic group 54 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:59892
        8:14934: 01/22/2023-15:15:55.623257 [Block Src] [] [1:2500106:6415] ET COMPROMISED Known Compromised or Hostile Host Traffic group 54 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:53830
        8:15087: 01/22/2023-19:23:22.259195 [Block Src] [] [1:2500106:6415] ET COMPROMISED Known Compromised or Hostile Host Traffic group 54 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:47781
        8:16291: 01/24/2023-07:39:51.995682 [Block Src] [] [1:2500112:6418] ET COMPROMISED Known Compromised or Hostile Host Traffic group 57 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:41844
        8:16809: 01/25/2023-00:56:07.901411 [Block Src] [] [1:2500112:6418] ET COMPROMISED Known Compromised or Hostile Host Traffic group 57 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:55867
        8:17153: 01/25/2023-12:22:18.497529 [Block Src] [] [1:2500116:6419] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:49890
        8:17966: 01/26/2023-16:46:07.541188 [Block Src] [] [1:2500116:6420] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:43919
        8:18250: 01/27/2023-01:15:56.706231 [Block Src] [] [1:2500116:6420] ET COMPROMISED Known Compromised or Hostile Host Traffic group 59 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:57891
        8:19419: 01/28/2023-17:01:25.391222 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:51903
        8:19708: 01/29/2023-02:23:54.703570 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:46046
        8:20737: 01/30/2023-10:15:34.559449 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:40111
        8:21306: 01/31/2023-03:56:43.082414 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54140
        8:21520: 01/31/2023-03:56:43.082414 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54140
        8:22365: 02/01/2023-14:07:01.426232 [Block Src] [] [1:2500104:6426] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:42058

          drewsaur @bmeeks

          @bmeeks Also, here is the latest state of that entry in the Blocks GUI - still no entry for 2/1:

          [Screenshot: the Blocks GUI entry for that IP, taken 2023-02-01 at 4:52 PM]

            bmeeks

            Sorry for the delayed reply. Had to step away for a few hours for another commitment.

            If I understand your question, you see the 157.230.218.88 IP address as being blocked since it is listed in the BLOCKS tab list. But you are wondering why there is no separate entry under that list of associated rule alerts on the BLOCKS tab for a triggered alert on 02/01/2023.

            I don't have an exact answer for that because I don't have your log files to examine, but one possibility is that that particular line contains an error such that the PHP code, which parses it with a regex into discrete fields, does not come up with the required number of unique fields for that line. If that condition is hit, the code throws away the offending line. You can examine the PHP code in the file /usr/local/www/suricata/suricata_blocked.php beginning around line 298 to see how that process works.

            The listing under each blocked IP is just a convenience display. An entry missing there is not critically important. If the IP is in the BLOCKS tab list, it is currently being blocked. The block is what matters. If you truly need to know which rule caused it, look on the ALERTS tab. If you want to disable the rule or suppress future alerts, you must do that on the ALERTS tab anyway.
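            The line-parsing step described above can be reproduced outside the firewall. The script below is an added example for this thread, not pfSense code and not the regex in suricata_blocked.php: it parses lines in the blocks.log format quoted earlier with a regex of its own, discards any line that does not yield the full set of fields (the behaviour bmeeks attributes to the PHP parser), groups the surviving entries by source IP and lists the dates on which each IP was seen, so a date missing from the GUI listing can be traced to a rejected line. The sample input is constructed for the example, modelled on the lines posted in this thread; the 198.51.100.7 entry and the final line with a missing Priority field are made up, and the optional "N:N:" prefix handling exists only because the pasted output above carries a grep-style file:line prefix.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for one line of the Suricata blocks.log format quoted in this thread.
# Assumption: this is an illustrative pattern written for the example, not the
# one used in suricata_blocked.php. The optional leading "N:N: " group tolerates
# the grep-style prefix on the lines pasted in the thread; a real blocks.log
# line carries no such prefix.
BLOCK_LINE = re.compile(
    r'^(?:\d+:\d+:\s+)?'
    r'(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'\[Block (?P<direction>Src|Dst)\]\s+\[\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.+?)\s+\[\]\s+'
    r'\[Classification:\s*(?P<classification>[^\]]+)\]\s+'
    r'\[Priority:\s*(?P<priority>\d+)\]\s+'
    r'\{(?P<proto>[A-Z]+)\}\s+'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$'
)


def parse_block_line(line):
    """Return the fields of one well-formed line, or None when the line does not
    yield every expected field (it is then discarded, which is how the PHP
    parser is described as treating lines it cannot split)."""
    m = BLOCK_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(rec['ts'], '%m/%d/%Y-%H:%M:%S.%f')
    for key in ('gid', 'sid', 'rev', 'priority', 'port'):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group parsed entries by source IP and keep the rejected lines separately,
    so a missing GUI entry can be traced to a line the parser threw away."""
    by_ip = defaultdict(list)
    rejected = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_block_line(line)
        if rec is None:
            rejected.append(line)
        else:
            by_ip[rec['ip']].append(rec)
    return dict(by_ip), rejected


def dates_for_ip(by_ip, ip):
    """Sorted list of distinct dates (MM/DD/YYYY) on which an IP was blocked."""
    days = {rec['when'].date() for rec in by_ip.get(ip, [])}
    return [d.strftime('%m/%d/%Y') for d in sorted(days)]


# Constructed sample input, modelled on the lines posted in the thread. The
# 198.51.100.7 entry and the last line (which lacks its Priority field) are
# made up for this example.
SAMPLE_LINES = [
    "01/30/2023-10:15:34.559449 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:40111",
    "8:21306: 01/31/2023-03:56:43.082414 [Block Src] [] [1:2500118:6422] ET COMPROMISED Known Compromised or Hostile Host Traffic group 60 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:54140",
    "02/01/2023-14:07:01.426232 [Block Src] [] [1:2500104:6426] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] [Priority: 2] {TCP} 157.230.218.88:42058",
    "01/18/2023-07:17:44.033972 [Block Src] [] [1:2009582:3] ET SCAN NMAP -sS window 1024 [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 157.230.218.88:44065",
    "02/01/2023-16:00:00.000000 [Block Src] [] [1:2009582:3] ET SCAN NMAP -sS window 1024 [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000",
    "02/02/2023-09:14:00.000000 [Block Src] [] [1:2500104:6426] ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 [] [Classification: Misc Attack] {TCP} 157.230.218.88:42059",
]

if __name__ == '__main__':
    by_ip, rejected = summarize(SAMPLE_LINES)
    for ip, recs in sorted(by_ip.items()):
        sids = sorted({r['sid'] for r in recs})
        print(f"{ip}: {len(recs)} block entries on {dates_for_ip(by_ip, ip)}, SIDs {sids}")
    for line in rejected:
        print("rejected (would not be listed under the IP):", line)
```

Run against a real blocks.log copied off the firewall, the rejected list is the first place to look when the BLOCKS tab shows an IP but omits a date you expect; the block itself is unaffected, as bmeeks notes, because the IP is already in the pf table regardless of how the convenience listing is rendered.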

              drewsaur @bmeeks
              last edited by drewsaur

              @bmeeks Thank you so much. I did send you the full log separately. Please let me know if I can get you anything else. And you needn’t do any more. I’m more than happy with what I’ve learned. Cheers!

                drewsaur @bmeeks

                @bmeeks Just in case anyone following this cares :), I am now only running port scan rules on my WAN interface, and leaving everything else in my LAN interface.

                This was easy to do because I run everything from SID files, so I just downloaded my custom Enable and Disable files, copied them as "EnableWAN" and "DisableWAN," whittled down the contents from each that pertained to "emerging-scan"...configured them in the List Assignments area, clicked the Rebuild boxes, hit Save, and I was off to the races.

                The only extra thing I had to do was in the "WAN Categories" tab - I had to hit "Unselect All" and "Save" to disable the (now-manually-checked remnant) rulesets that had been previously enabled by the old SID files. The one category in my "EnableWAN" file stayed enabled with the special little "A" icon.

                Everything really is much more "sane" now - I am getting the port scanning protection I want on the WAN; I have more sane "Blocks"; and I have better Alert information logs for the LAN.

                All that, and using much less RAM (usually was running at 31-35%; now at 21-22%).

                Thanks again!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.