Suricata - blocks Download from CentOS



  • Hi,
    I have enabled Suricata with the Snort and Suricata community free rules. I now wanted to download the CentOS ISO but got blocked with:

    MALWARE-CNC Win.Trojan.ZeroAccess inbound communication
    ET SHELLCODE Possible Call with No Offset TCP Shellcode
    ET DROP Dshield Block Listed Source group 1
    ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165

    I tried more than 8 mirrors and my ext. IP gets blocked at approx. 65MB.
    Any idea if it is a false message or a serious problem?



  • More than likely these are false positives, but you can't be 100% sure without analyzing each packet with a sniffer.  My guess would be the ET rules are alerting on some bank of IP addresses that either currently do, or in the recent past did, host some malware servers.  The IP or net block might now be used for legitimate distribution of CentOS ISOs, or it could be the nodes distributing CentOS are also distributing other "less reputable" content.

    If you are initiating the connection via FTP or HTTP from your end, I would say it's OK to whitelist the IP long enough to download the ISO.  Then remove the IP from the Pass List (or re-enable the rules, whichever method you choose to use).  I would definitely crosscheck the SHA checksum on the final downloaded ISO, though!

    Bill



  • Hi bmeeks,
    and thanks for your thoughts. I am new to IDS and Suricata. My problem is that it's hard to find out where the problem came from, what is meant by it and how I can analyse it. In this case I think the connection came from outbound, but why does Suricata block my WAN IP address, so I have no internet connection? I thought Suricata had to block the opposite, so no attack could run against my WAN IP. The next thing is that I thought I could see somewhere the internal IP address which leads to this. So if I have a network with hundreds of clients, the chance is high that some client could do bad things and all others get trouble too, instead of blocking only this one IP address.



  • ET DROP Dshield Block Listed Source group 1

    The other 3 alerts could produce false positives though. Make sure the alert ET DROP Dshield Block Listed Source group 1 is related to the CentOS download and paste the IP here. Dshield DROP is a set of IPs/ranges that are almost certain to be bad. But it could be an alert that came in between the other alerts and that isn't related to your download…

    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

    #Dshield Top Attackers

    43.255.188.0/24
    169.54.233.0/24
    61.240.144.0/24
    218.77.79.0/24
    94.102.49.0/24
    213.128.81.0/24
    199.203.59.0/24
    71.6.216.0/24
    199.217.113.0/24
    141.212.121.0/24
    195.211.154.0/24
    141.212.122.0/24
    71.6.135.0/24
    66.240.192.0/24
    169.229.3.0/24
    128.232.110.0/24
    188.138.9.0/24
    61.5.204.0/24
    124.232.142.0/24
    71.6.165.0/24

    F.
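A small way to do the check fsansfil describes (is the DROP alert actually about the mirror you were downloading from, or unrelated traffic that was bundled into the same block?) together with the checksum crosscheck Bill recommends. This is an added example, not code from the thread or from the ET/Dshield project: the block-list excerpt reuses the CIDRs quoted above in the ET file format, while the alert lines, the WAN IP 192.0.2.10 and the mirror IPs 71.6.216.5 / 203.0.113.10 are constructed placeholders from the RFC 5737 and page-quoted ranges.

```python
"""Triage Snort/Suricata block-list alerts against a Dshield DROP list and
verify a downloaded ISO's SHA-256.

Added example, not from the original thread. BLOCK_LIST_TEXT is a constructed
excerpt in the format of
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ('#' comment
lines, one CIDR per line); ALERTS and the IPs in them are constructed.
"""
import hashlib
import ipaddress

# Constructed excerpt: a few of the ranges quoted in the thread.
BLOCK_LIST_TEXT = """\
# Emerging Threats block list (constructed excerpt for this example)
#Dshield Top Attackers
43.255.188.0/24
71.6.216.0/24
199.217.113.0/24
188.138.9.0/24
"""

# Constructed alerts as (signature, source IP, destination IP).
# 192.0.2.10 plays the poster's WAN address; the mirrors are placeholders.
ALERTS = [
    ("ET DROP Dshield Block Listed Source group 1", "71.6.216.5", "192.0.2.10"),
    ("ET SHELLCODE Possible Call with No Offset TCP Shellcode", "203.0.113.10", "192.0.2.10"),
]


def parse_block_list(text):
    """Return the networks in an ET block-list file, skipping comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates a published CIDR whose host bits are set
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def listed_network(ip, nets):
    """Return the block-list network that contains ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def triage(alerts, nets, local_ip):
    """For each alert, pick the remote side (whichever end is not our WAN IP)
    and look it up in the block list. Returns (signature, remote_ip, network_or_None)."""
    results = []
    for sig, src, dst in alerts:
        remote = dst if src == local_ip else src
        results.append((sig, remote, listed_network(remote, nets)))
    return results


def drop_hit_is_download(results, mirror_ip):
    """True only when an 'ET DROP' alert names the mirror we were downloading from.
    A DROP hit on some other remote IP is unrelated traffic that got bundled
    into the same block event."""
    return any(
        "ET DROP" in sig and remote == mirror_ip and net is not None
        for sig, remote, net in results
    )


def sha256_matches(data, expected_hex):
    """Bill's crosscheck: compare the SHA-256 of the downloaded bytes with the
    published digest (case-insensitive hex). For a real ISO, feed the file
    in chunks instead of reading it whole."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    nets = parse_block_list(BLOCK_LIST_TEXT)
    for sig, remote, net in triage(ALERTS, nets, "192.0.2.10"):
        print(f"{remote:15} {'LISTED in ' + str(net) if net else 'not listed':25} {sig}")
    print("DROP alert is about mirror 71.6.216.5:",
          drop_hit_is_download(triage(ALERTS, nets, "192.0.2.10"), "71.6.216.5"))
```

If the mirror's IP is the one that lands in a DROP range, pick another mirror rather than whitelisting it; if only the other three signatures fired against the mirror, a temporary pass-list entry plus a checksum match on the finished ISO is the reasonable path.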



  • Thanks fsansfil,

    Yes, I think you're right. All alerts came together and were shown as one. I will have a look at this and try to download again.

