Netgate Discussion Forum
    Suricata - blocks Download from CentOS

    IDS/IPS
    • sunghost

      Hi,
      I have enabled Suricata with the Snort and Suricata community free rules. I now wanted to download a CentOS ISO but get blocked with:

      MALWARE-CNC Win.Trojan.ZeroAccess inbound communication
      ET SHELLCODE Possible Call with No Offset TCP Shellcode
      ET DROP Dshield Block Listed Source group 1
      ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165

      I tried more than 8 mirrors and my ext. IP gets blocked at approx. 65 MB.
      Any idea if it is a false message or a serious problem?

      • bmeeks

        More than likely these are false positives, but you can't be 100% sure without analyzing each packet with a sniffer.  My guess would be the ET rules are alerting on some bank of IP addresses that either currently do, or in the recent past did, host some malware servers.  The IP or net block might now be used for legitimate distribution of CentOS ISOs, or it could be the nodes distributing CentOS are also distributing other "less reputable" content.

        If you are initiating the connection via FTP or HTTP from your end, I would say it's OK to whitelist the IP long enough to download the ISO.  Then remove the IP from the Pass List (or re-enable the rules, whichever method you choose to use).  I would definitely cross-check the SHA checksum on the final downloaded ISO, though!

        Bill

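The cross-check Bill recommends is worth doing properly rather than by eyeballing two hex strings. The script below is an added example, not code from this thread or from the CentOS project: it parses a checksum file in either the BSD style that CentOS CHECKSUM files use (`SHA256 (name.iso) = <hex>`) or the coreutils `sha256sum` style (`<hex>  name.iso`), streams the ISO through `hashlib` so a multi-gigabyte image is never read into memory, and compares the digests. The sample checksum file, the filename `sample.iso` and the `demo()` helper are constructed for the example; the one real value in it is the SHA-256 of empty input.

```python
"""Verify a downloaded ISO against its published checksum file.

Added example (not from the forum thread or the CentOS project).
Understands BSD-style lines as found in CentOS CHECKSUM files,
    SHA256 (CentOS-7-x86_64-Minimal.iso) = <hex>
and coreutils sha256sum-style lines,
    <hex>  CentOS-7-x86_64-Minimal.iso
and skips comment lines and PGP clear-sign armour around the entries.
"""
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

BSD_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")
COREUTILS_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S.*?)\s*$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text):
    """Return {filename: (algorithm, hexdigest)} parsed from checksum-file text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue  # blank, comment, or PGP armour line
        m = BSD_LINE.match(line)
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            continue
        m = COREUTILS_LINE.match(line)
        if m and len(m.group(1)) in DIGEST_LENGTHS:
            entries[m.group(2)] = (DIGEST_LENGTHS[len(m.group(1))], m.group(1).lower())
    return entries


def hash_file(path, algo, chunk_size=1 << 20):
    """Stream the file through hashlib in 1 MiB chunks; returns the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, checksum_text):
    """Return (ok, detail); ok is True only when the computed digest equals the listed one."""
    name = Path(path).name
    entries = parse_checksum_file(checksum_text)
    if name not in entries:
        return False, f"no entry for {name!r} in checksum file"
    algo, expected = entries[name]
    actual = hash_file(path, algo)
    if hmac.compare_digest(actual, expected):
        return True, f"{algo} matches {expected}"
    return False, f"{algo} mismatch: expected {expected}, got {actual}"


# Constructed demonstration data: an empty "ISO" whose SHA-256 is the
# well-known digest of empty input, inside a clear-signed-looking file.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_CHECKSUM = f"""\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# constructed checksum file for the example, not a real CentOS release
SHA256 (sample.iso) = {EMPTY_SHA256}
"""


def demo():
    """Verify a good download, then a tampered copy; returns both (ok, detail) results."""
    workdir = tempfile.mkdtemp()
    iso = os.path.join(workdir, "sample.iso")
    open(iso, "wb").close()                      # empty file == the listed digest
    good = verify_file(iso, SAMPLE_CHECKSUM)
    with open(iso, "wb") as f:
        f.write(b"one extra byte")               # simulate a corrupted/tampered download
    bad = verify_file(iso, SAMPLE_CHECKSUM)
    return good, bad


if __name__ == "__main__":
    for ok, detail in demo():
        print("OK  " if ok else "FAIL", detail)
```

Note that a matching checksum only proves the file is the one the mirror published; the CHECKSUM file itself should come from the project's own site (and its PGP signature checked) rather than from the same mirror that tripped the alerts.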
        • sunghost

          Hi bmeeks,
          and thanks for your thoughts. I am new to IDS and Suricata. My problem is that it's hard to find out where the problem came from, what is meant by it and how I can analyse it. In this case I think the connection came from outbound, but why does Suricata block my WAN IP address, so I have no internet connection? I thought Suricata had to block the opposite, so no attack could run against my WAN IP. The next thing is that I thought I could see somewhere the internal IP address which leads to this. So if I have a network with hundreds of clients, the chance is high that some client could do bad things and all the others get trouble too, instead of blocking only this one IP address.

          • fsansfil

            ET DROP Dshield Block Listed Source group 1

            The other 3 alerts could produce false positives, though. Make sure the alert ET DROP Dshield Block Listed Source group 1 is related to the CentOS download and paste the IP here. Dshield DROP is a set of IPs/ranges that are almost certain to be bad. But it could be an alert that came in between the other alerts and that isn't related to your download…

            https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

            #Dshield Top Attackers

            43.255.188.0/24
            169.54.233.0/24
            61.240.144.0/24
            218.77.79.0/24
            94.102.49.0/24
            213.128.81.0/24
            199.203.59.0/24
            71.6.216.0/24
            199.217.113.0/24
            141.212.121.0/24
            195.211.154.0/24
            141.212.122.0/24
            71.6.135.0/24
            66.240.192.0/24
            169.229.3.0/24
            128.232.110.0/24
            188.138.9.0/24
            61.5.204.0/24
            124.232.142.0/24
            71.6.165.0/24

            F.

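Checking whether the ET DROP alert actually involves the mirror, as F. suggests, comes down to two lookups: which block-list entry the alert's source address fell into, and whether that alert shares an endpoint with the download. The script below is an added example, not code from this thread or from Emerging Threats: it parses the plain-text `emerging-Block-IPs.txt` layout shown above (`#` comments, one CIDR per line), finds the containing entry for an address, and splits a batch of alerts into those that touch the mirror and those that merely fired at the same time. The block-list excerpt reuses entries quoted in the thread; the alert records, the mirror address `198.51.100.7`, the WAN address `203.0.113.20` and the source `71.6.216.55` (chosen inside a listed range) are constructed for the example.

```python
"""Triage IDS alerts against the Emerging Threats Dshield block list.

Added example (not from the forum thread or Emerging Threats). Parses the
plain-text list format ('#' comments, one CIDR per line), reports which
entry an alert's source IP matched, and separates alerts that involve the
download mirror from ones that only happened to fire alongside them.
"""
import ipaddress

# Excerpt in the format of emerging-Block-IPs.txt; entries as quoted in the thread.
BLOCKLIST_TEXT = """\
#Dshield Top Attackers

43.255.188.0/24
169.54.233.0/24
71.6.216.0/24
71.6.135.0/24
"""


def parse_blocklist(text):
    """Return a list of ip_network objects, skipping blanks, comments and malformed lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate trailing comments too
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line should not abort loading the whole list
    return nets


def find_blocklisted(ip, nets):
    """Return the CIDR (as a string) that contains ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


# Constructed alert records: (source IP, destination IP, signature message).
# The mirror replies to us, so for "inbound" signatures the mirror is the source.
SAMPLE_ALERTS = [
    ("198.51.100.7", "203.0.113.20", "MALWARE-CNC Win.Trojan.ZeroAccess inbound communication"),
    ("198.51.100.7", "203.0.113.20", "ET SHELLCODE Possible Call with No Offset TCP Shellcode"),
    ("71.6.216.55", "203.0.113.20", "ET DROP Dshield Block Listed Source group 1"),
    ("198.51.100.7", "203.0.113.20", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165"),
]


def triage(alerts, mirror_ip, nets):
    """Split alerts into (related, unrelated) by whether they touch mirror_ip.

    Every record is annotated with the block-list entry its source matched
    (or None), so a Dshield hit on an unrelated source stands out.
    """
    related, unrelated = [], []
    for src, dst, msg in alerts:
        record = {"src": src, "dst": dst, "msg": msg, "blocklist_entry": find_blocklisted(src, nets)}
        (related if mirror_ip in (src, dst) else unrelated).append(record)
    return related, unrelated


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    related, unrelated = triage(SAMPLE_ALERTS, "198.51.100.7", nets)
    for label, group in (("related to download", related), ("unrelated", unrelated)):
        print(f"== {label} ==")
        for r in group:
            print(f"{r['src']} -> {r['dst']}  {r['msg']}  [blocklist: {r['blocklist_entry']}]")
```

In the constructed batch the Dshield alert is the only one whose source is not the mirror, which is the pattern F. describes: a genuinely bad source that happened to hit the WAN address during the download and got logged in the same burst.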
            • sunghost

              Thanks fsansfil,

              Yes, I think you're right. All alerts came together and were shown as one. I will have a look at this and try to download again.
