Taming the beasts… aka suricata blueprint

BBcan177

I was looking at the Suricata Package and I don't see where the PORT Scanning Pre-Processor is configured? Is this option available in Suricata? or is it expected to be released in the 2.0x releases?

Along with what jflsakfja and Matt Jonkman (ET) have said, here is some more good advice:

http://dcid.me/notes/2013-jul-08

A Former User

Quotes taken from http://dcid.me/notes/2013-jul-08 unless otherwise stated. Don't sue me to death  :P

"And that’s a hard spot to be on. If you read all recent cases of APT, 100% of them started with zero-days sent via very targeted phishing emails. How do you protect against that?"
With the only way you can defend against that. Take a baseball bat with you when you are going on your tour around the office educating people not to click on every link/download every file sent to them via email. I got this right up to the point where (certain) people don't even answer phones from unknown numbers. Yes users can be educated, it's only a matter of which finger will be broken first. And yes, I'm being 100% serious.

"Unfortunately, very few companies have that level of monitoring and security enabled. Very few would be able to detect a user trying to increase their privileges or even detect any anomaly from where he is logging in from. They can have a firewall and an IDS, but nobody looks at them. They are just so noisy that it is very easy to miss the important activity."

More work for security "experts", more people to pick on for me ;D. A person (key word) should never be expected to watch logs for intrusion. EVER. If you are an industry leader and recommend you watch your logs closely, then all hope is lost for you. Please consider a career selling hotdogs instead. It's a lot easier than trying to convince the world you know anything about network security.

I do NOT care what the security industry is recommending about logs. It's a case of the right way (watch the logs), the wrong way (don't watch the logs) and my way. My way is setting up automatic monitoring of the logs and alert the sysadmins automatically when the monitoring detects anomalies. Did the webserver restart in the middle of night? Which user requested the restart? From where were they connected to the system? What other commands were ran in the last 10 minutes of them being logged in?

Watch the IDS? Who in their right mind watches an IDS? Have you seen the volume of data it logs in realtime? The key to keeping your fire-breathing dragon (suricata, snort is dead, stop feeding it) on the leash is to look at the blocked hosts every now and then. Sort their alerts alphabetically, take out the common suspects (unused ports rule for example, should be the largest volume) then take a close look at what the other blocks say. Make this a habit instead of wasting hours of company time reading what others did last night on fb/twitter/other + "thing". My way? If the IDS bans a host with an alert other than the usual suspects, drop me an email alerting me to this.

Sidenote to the above couple of paragraphs. You can safely skip this.
Got a call today from a client of mine. He told me that the router must have blocked him again, because he tried to ping the webhosting server to find out its IP. The conversation went something like this:

Client: "Hi, how are you?"
Me: "Hello, I'm good, how about you?"
Client: "Fine. Hey the router must have blocked me."
Me: "Why?"
Client: "I tried to ping the webserver that X is hosted on, and after a single reply all traffic was cut off."
Me: "That means the security system did it's job correctly. Doesn't windows have a command similar to the "host" command on linux? Why did you ping it?"
Client: "It's the easiest way to get the IP. My IP is XX.XX…"
Me: "Wait, hold on, I'm on the second password, 1 more to go"
Client: "You should allow 4 pings, that would make it easier"
Me: "No. I get a few hundred thousand pings per day from China,Romania,Russia, I'm good thank you. Use the proper command to get the IP. On linux it's host, on windows I dunno, don't have any experience with "that"" (exact phrase removed, this is a public forum, even visited by minors)
Client: Doing other things while I try to find the password to log on to the router. We said something about this in the beginning of the guide (I think, I'm getting old :p). If you know the passwords to your systems, you are doing it wrong (I should trademark that phrase).
Me: "ok, what's your IP?"
Client: "XX.XXX.XXX.XXX"
Me: "Hm... yea, you pinged it using windows" BOFH like clickety-click
Client: "Ok thanks, it's working now"
Me: "Happy to help, if you have any other problems give me a call."

See? It's only a matter of which finger you'll break first, trust me.

"I will certainly do a full post about it, but what I learned is that you can’t really block all attacks. You can’t even detect all of them. Your software will have vulnerabilities. You will make mistakes. You will get owned one day!"
Started securing networks/systems when I was 10 years old. I'm 27 now, and that day has not yet come. It's a record I'm doing my best to keep, thank you very much.

"What you need is a system to alert and raise red flags when that does happen, so you can respond. The “you just got owned” alerting system. And those are not hard to setup, but requires a different mindset."
My points exactly  ;D

Computers have become extremely good at one thing: Doing the same thing over and over without making a mistake. Set up your network/systems so that EVERYTHING is logged to syslog. From temperatures, to disk performance change (I get a couple of seek performance changed a day, must really replace that disk, the head actuator is getting weak), to users logging in, to users logging out, commands being ran by users, scheduled tasks, EVERYTHING.
Filter through the noise by discarding unneeded messages. For example, a host's resync with a mariadb galera cluster causes (about) 30 lines of syslog messages. It should only generate a single line from that particular host, and a line from each of the cluster members seeing the host joining.

Keep the log messages to a manageable volume, then set up automatic monitoring for those logs. If something is suspicious, contact a sysadmin to have it looked at. If one particular sysadmin logs from networks X and Y, and suddenly logs in from network Z in the middle of the sahara desert, then something fishy is going on.

And as stupid as this may sound, it will actually save you when a judge asks you "WHAT?". Keep >forensic< evidence trails. Yes, which pc connected to what, under what user, what commands were given and all that, BUT make sure those can actually STAND in a court of law. If I was a consultant for the prosecution, I would provide evidence showing that the authenticity of the logs submitted cannot be questioned. If i was a consultant for the defense, I would provide evidence showing that those logs that were submitted earlier as unquestionable evidence showing that X is guilty, cannot be actually checked to be sure that they weren't manually typed up and submitted.

We already got pretty far with this guide and the help of the pfsense devs, package maintainers, other forum members. If we keep this up, not one of the security industry "leaders" will have a job. Think of the children/cyber/terrorism/Russia  ;D

I should really finish that internal book for The Company: "Building sentient AI security systems. Their applications and limitations." aka the "How to build the Matrix guide".

An example of this is an automated system we use at The Company. It takes a list of the servers and their uses. It then decides what each system should run, sets it up accordingly, and starts monitoring it. Good events are slowly ignored, bad events are evaluated and future systems are set up to resist them (if possible). We had a few "near employee firing" experiences, but it slowly learned to behave  ;D

To the disbelievers, you can also design the same system. You think the technology still isn't there? puppet/chef/nagios (or others)/fail2ban/logwatch/syslog/ssh/network-booting/not booting servers unless their specific usb key is plugged in (HDD encrypted, of course). VPN the logs to another location and print them on a dot-matrix, just for the hell of it. Connect the dots and stop questioning everything I say ;D. If you are really creative, you can even set up your systems to be as simple as a message popping up "Hey, go plug USB key XXXXXX into server YYYYYY, it needs to restart". Or spend the $200 it takes to do it using an actuator ;) Taking care of the systems then becomes a mob the floor, stare at the screen for pretty graphs to dip/raise.

BBcan177

I think it was obvious that you wouldn't look at every single log and every single IDS alert. It is true thou that people can setup these systems and get drowned out by the minutia.

However, this is not what he is saying. Its important to filter those logs and those alerts from the IDS so you are only seeing the important ones. Setting up tripwires so that if and when someone does get in, or someone on the inside does something, it will trip an alarm.

It all great to put up blocking system to stop maliciousness from getting in, but as the article articulated, you will make a mistake or someone will, or a zero-day and something gets past your security. Nothing is impenetrable.

Tools like OSSEC are good to have running on servers so that it can alert on file changes or brute forces inside your network. I run Security Onion running full packet capture immediately after my Firewall. So when you have an issue, you can atleast have a bread crumb trail so you can see what was accessed and infiltrated or attempted to be. These logs and pcaps can determine whether someone just snooped around or if they actually downloaded/uploaded anything.

If you look at most network intrusions, its not the first hack that made any damage. Most likely a single event won't be catastrophic. So if you have detection on the inside, they will most likely trip an alarm that will allow you to root out an intruder before they do damage.

As with age, I never judge the length of time someone has been doing something as a sign of wisdom. People do jobs for their entire life; unfortunately some of them never had it right in the first place.

bmeeks

@BBcan177:

I was looking at the Suricata Package and I don't see where the PORT Scanning Pre-Processor is configured? Is this option available in Suricata? or is it expected to be released in the 2.0x releases?

Along with what jflsakfja and Matt Jonkman (ET) have said, here is some more good advice:

http://dcid.me/notes/2013-jul-08

I'm not a Suricata expert yet, but to the best of my knowledge there is no equivalent of Snort's sf_portscan preprocessor in Suricata.  There are text rules (ET Scan rules come to mind) that can detect most port scans, though.

Bill

G.D. Wusser Esq.

Give me a ping, Vasili. One ping only.

dmitripr

Hi,

Trying to code a custom rule and getting an error. The rule is basically to block the traffic to closed ports, something like:

alert tcp $EXTERNAL_NET any -> any [1:1024,![XX,XX,XX,XXX]]

However, I'm getting an error:
[ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.

I thought this was a valid syntax. What am I missing here?

Thanks for your help!

BBcan177

@dmitripr:

I thought this was a valid syntax. What am I missing here?

This is from an older manual, but I believe its still the same format.

2.2.4 Port Numbers

Port numbers may be specified in a number of ways, including "any" ports, static port definitions, ranges, and by negation. "Any" ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for port mapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator ":". The range operator may be applied in a number of ways to take on different meanings, such as in Figure 2.6.

log udp any any -> 192.168.1.0/24 1:1024 log udp

traffic coming from any port and destination ports ranging from 1 to 1024
log tcp any any -> 192.168.1.0/24 :6000

log tcp traffic from any port going to ports less than or equal to 6000

log tcp any :1024 -> 192.168.1.0/24 500:

log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500

Port negation is indicated by using the negation operator "!". The negation operator may be applied against any of the other rule types (except any, which would translate to none, how Zen…). For example, if for some twisted reason you wanted to log everything except the X Windows ports, you could do something like the rule in Figure 2.7.

log tcp any any -> 192.168.1.0/24 !6000:6010

A Former User

@dmitripr:

Hi,

Trying to code a custom rule and getting an error. The rule is basically to block the traffic to closed ports, something like:

alert tcp $EXTERNAL_NET any -> any [1:1024,![XX,XX,XX,XXX]]

However, I'm getting an error:
[ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.

I thought this was a valid syntax. What am I missing here?

Thanks for your help!

You need to remove the regular ports from the rule and only select the negated range. It wouldn't be any use anyway to include 1:1024. If you don't allow that range, the rule will still alert for those ports, since that's what you told the IDS to do. Alert on any port other than the open ports (used ports). Any port you don't specifically allow, will generate the alert.

@G.D. Wusser Esq.: It's not a matter of one ping only Vasili. It's a matter of not using a screwdriver and a hammer to remove a 1/2" bolt. Yes it can be done, yes it's extremely useful if the head of the bolt is broken off for any reason, but it's not the right tool for the job. Use the 1/2" wrench to remove the 1/2" bolt.

To ping a host you first need to resolve the host, then ping it.
To find out the IP of a host, you just need to resolve the host.

Cino

@jflsakfja next time you speak to that user, tell them to use nslookup on windows. you can look up by hostname or ip…

dmitripr

@jflsakfja:

You need to remove the regular ports from the rule and only select the negated range. It wouldn't be any use anyway to include 1:1024. If you don't allow that range, the rule will still alert for those ports, since that's what you told the IDS to do. Alert on any port other than the open ports (used ports). Any port you don't specifically allow, will generate the alert.

Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged port, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

Maybe I'm over-thinking this. Can I use pfsense port alias here?

Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

Again, thanks for the help!

A Former User

@dmitripr:

Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged port, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

As suggested, keep the rule alerting on all unused ports: ![port1,port2,port3,port4:port25,port1024:port65535]
You just need to set up the ports you use inside that [ ]. I highly suggest to include all the unprivileged ports in there, unless you manually go into every program you use and tell it to use a specific unprivileged range.

@dmitripr:

Maybe I'm over-thinking this. Can I use pfsense port alias here?

Nope. I used to be able to declare the variables at the start of the custom rules tab (eg USED_PORTS) but last time I tried it, it didn't work. Didn't fiddle with it anymore, since it's not that many ports you need to open up anyway.

@dmitripr:

Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

Again, thanks for the help!

Yeap seen that too. I'm putting my money on the old version of suricata as being the culprit for this.

@Cino: Will do, thanks.

dmitripr

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

A Former User

@dmitripr:

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

dmitripr

After doing some testing of Snort vs Suricata, I've decided to go back to Snort.

For whatever reason, looks like Comcast upgraded my line to 100/10 tier in the last couple of days. Now, with my D2550 Atom CPU Suricata was maxing out my CPU cycles and my max throughput was 95 mbps (@100% CPU load). I've tried snort and @45% CPU load I'm getting about 108 mbps (plus it's a more stable/smooth download vs suricata, which was more "jumpy"). I've ran the test 2x between the two, and same result. Suricata came to be the bottleneck for me. And Suricata couldn't download Snort VRT rule set, so, snort had a larger rule set running as well. (although I've never seen a single VRT rule triggered, only the custom rules and the ET rules).

I'll try Suricata again once the 2.0 comes to pfsense. Hopefully that'll perform better.

Just my 2 cents. Thanks for the help!

A Former User

It would be interesting to see more details about your setup. Did you disable the rules I recommended in this topic? Even the amazon one (yes that single rule does matter)? How much RAM was used? Nice to see that a dual core atom @ 1.86Ghz can (nearly) max out 100Mbps. I'm sure with a bit of tuning it could get there, unless you have already removed suricata and installed snort.

Don't worry about the VRT rules.

Cino

I have TWC. I'm currently 100/5. I have both snort and suricata running on my D510 Atom with no issue. Running speed test, I can max out at 107-110mbps. CPU% anywhere from 45% to 100%. If I download torrents, cpu will peg at 100% but i'm still able to browse with no issues.

A Former User

Respect for the little atoms that could  ;D. The newer 4 core models (technically a celeron, or is it the other way around?) are interesting, thinking about getting a couple for testing. A fully loaded psfsense system based on those should be close to 30W (cpu+cards+hdd).

Cino

I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricta, squid, ntop, vnstat… she runs good... Need to change her it 64bit so I can use all of the 4gb of memory but I think i'll wait for 2.2 to be release then do a fresh install and rebuild the config for fun  :o

A Former User

@Cino:

I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricta, squid, ntop, vnstat… she runs good... Need to change her it 64bit so I can use all of the 4gb of memory but I think i'll wait for 2.2 to be release then do a fresh install and rebuild the config for fun  :o

Ah, the Debian bug. Nothing happens to it, to the point where you want to upgrade to testing just for the hope of something breaking? :p

Atoms are perfect for personal use, IMHO.

bmeeks

@jflsakfja:

@dmitripr:

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

Bill