IPS / setup / testing / no log-entries

Hi guys,

trying to understand/configure the IPS but getting no log-entries …

Setup:

What I tried:

Result:

  • No log-entries about the test yesterday.

Question:

Thanks in advance,

Jan

Hi guys,

isn’t there anybody who uses Intrusion Prevention on IPfire?

Thanks,
Jan

Core 139 fixes a bug where suricata has a wrong DNS server entry. Update to the current version first and try again.


Hi Arne,

Update 139 done.
Same as before.
nslookup on a Win10-Client for sjtu-edp.cn shows the IP.
But no entry inside the IPS-Log. Keeps empty.

But one question at first: my expectation, written step-by-step, is correct?

And confusing: Message “Total of number of activated rules for February 21: 0
Why 0? Different rules are activated: https://i.imgur.com/7TscKNV.png

Greetz,

Jan

I also think there is still something wrong with IPS. I recently reinstalled my system (clean) and activated IPS. I got a ruleset listed and checked some rules. Now I just had a look and the ruleset list was gone. Just clicked on save in “ruleset settings” and the ruleset list came back after a few secs with all my selected/checked rules. After that the daemon was stopped :crazy_face:. That’s kind of confusing.

Looks like that is the number of triggered rules and not active rules in the sense of activated/checked rulesets. That’s kind of disturbing, indeed.


Hi Terry,

thank you for the explanation.
So “active rules” means “triggered rules”!
But if the IPS doesn’t trigger a rule I checked, the IPS log keeps empty.
Means: Either I’m doing something fundamentally wrong with the IPS config as shown in the hardcopies, or there is something wrong with the IPS itself.

Now: What to do?

Greetz Jan

I think so because I have days with more than 100 triggers and some days with 0.

I’m not sure if that is probable. I think you just don’t have any intruders on your doorstep or you are just not using good rulesets. I run the classic: emergingthreats and checked all rulesets because I’m too lazy to analyze them :grimacing:

As I wrote while opening the thread:

So it must trigger or it doesn’t work as it should.

Which interface do you monitor? RED, right?

Hi Terry,

as I wrote too:

The hardcopy shows all interfaces are chosen. For testing. And so any IPS-trigger on green should return a log-entry I think.

Did you ever try different rulesets/sources?

The Talos VRT ruleset generally gives very few alerts although it depends on which rules you’ve enabled. Some of the policy rules block upgrades and you’ll obviously notice if these rules are triggered, otherwise you may not notice anything until someone establishes a connection and then tries to pass malware on it. Note that, unless you’re offering services to the outside world (for example a website), that most connections will be blocked by the default input policy before a connection is established.

ICMP connections (including ping) are also a special case because when you ping someone else, the return message is accepted before passing the IPS.

You could try downloading the EICAR antivirus test message from http://www.eicar.org/download/eicar.com.txt after making sure that the appropriate rule in policy-other is enabled.

The Emerging threats rules can generate more alerts since they include IP address blacklists which will detect attempts by bad actors to probe your system. Again, unless you’re offering a service to the outside world, the default input policy would block these probes anyway, so the Talos rules don’t include any of these lists.

(Aside - this is a very inefficient way of implementing IP Address Blacklists. It’s intended to add a more efficient method of doing this to IPFire).
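The EICAR test described above only fires if the rule's `content:` pattern is actually present in the bytes Suricata inspects. Rule content strings mix literal text with `|xx xx|` hex escapes, so a pattern that looks like a plain string (for example `[4|5C|PZX`) really encodes a backslash. The following added example (not part of this thread or of IPFire/Suricata) decodes such a pattern and checks it against a constructed HTTP response carrying the public 68-byte EICAR string, so you can confirm offline that a rule's pattern and the file you download agree before blaming the IPS. The rule line, sid 1000001 and the HTTP wrapper are constructed here; only `content:` is evaluated, so modifiers such as `file_data`, `nocase`, `offset` or `distance` are ignored.

```python
import re

# Public EICAR test string (68 bytes). The single backslash after "[4" is the
# byte that rules usually write as the hex escape |5C|.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed HTTP response as a client would receive it from a plain-HTTP download.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 68\r\n"
    b"\r\n" + EICAR
)

# Constructed rule modelled on the policy-other EICAR rule shape; sid is in the
# local (1000000+) range and is not a real Talos/ET sid.
SAMPLE_RULE = (
    'alert tcp any any -> any any (msg:"LOCAL eicar test string download attempt"; '
    'flow:to_client,established; file_data; '
    'content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; '
    'fast_pattern:only; classtype:misc-activity; sid:1000001; rev:1;)'
)

# content:"..." values; the quoted body may contain backslash-escaped characters.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;')


def decode_content(pattern: str) -> bytes:
    """Turn a Suricata/Snort content string into raw bytes.

    Text outside pipes is literal; text between a pair of pipes is a run of
    space-separated hex bytes, e.g. "AB|5C 0A|CD" -> b"AB\\\\\\nCD".
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(chunk.replace(" ", ""))  # inside |...|: hex bytes
        else:
            out += chunk.encode("latin-1")                # outside: literal text
    return bytes(out)


def rule_contents(rule: str) -> list:
    """All content: patterns of a rule, decoded to bytes, in rule order."""
    return [decode_content(c) for c in CONTENT_RE.findall(rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """True if every decoded content: pattern occurs somewhere in payload.

    This is a plain substring check over the whole buffer; it does not apply
    sticky buffers or positional modifiers, so it answers only the question
    'does the pattern exist in these bytes at all'.
    """
    contents = rule_contents(rule)
    return bool(contents) and all(c in payload for c in contents)


def naive_literal_matches(rule: str, payload: bytes) -> bool:
    """Same check without hex decoding, to show why |5C| must be decoded."""
    return all(c.encode("latin-1") in payload for c in CONTENT_RE.findall(rule))


if __name__ == "__main__":
    print("decoded pattern present:", rule_matches(SAMPLE_RULE, SAMPLE_HTTP_RESPONSE))
    print("undecoded pattern present:", naive_literal_matches(SAMPLE_RULE, SAMPLE_HTTP_RESPONSE))
    print("empty response matches:", rule_matches(SAMPLE_RULE, b"HTTP/1.1 204 No Content\r\n\r\n"))
```

Run against a response you captured yourself (for example a saved `curl -i` output of the test download) to see whether the bytes on the wire still contain the pattern; if the file was altered in transit (by a proxy, antivirus rewrite or different line endings) the substring check fails here just as the rule would on the firewall.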

Hi @timf, I just tried the test against the http://www.eicar.org/download/eicar.com.txt file and it did not trigger an event. I am using the Talos VRT Subscribed rules, I have the policy-other rules enabled for all six of the EICAR rules within policy-other. I have policy set to “policy security-ips”
egrep "^drop|^alert" /var/lib/suricata/*.rules | wc -l – shows that 16124 are active/enabled
I do get events for other rules – such as these from /var/log/suricata/fast.log:

02/23/2020-01:46:30.181140 [Drop] [**] [1:28556:3] PROTOCOL-DNS DNS query amplification attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 45.139.239.5:59217 -> xx.xx.xxx.xx:53
02/23/2020-06:57:36.214406 [Drop] [**] [1:28556:3] PROTOCOL-DNS DNS query amplification attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 172.105.216.159:60851 -> xx.xx.xxx.xx:53

Could you try the EICAR antivirus test message to see if that is working as you would expect?
When I ran it, the download made it to my Windows PC – triggering an event in Windows antivirus.

[Edit] rules enabled for EICAR antivirus test:

[root@ipfire suricata]# grep -i eicar /var/lib/suricata/policy-other.rules
drop tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:to_client,established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:3;)
drop tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:3;)
drop tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:3;)
drop tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:3;)
drop tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:3;)
drop tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}-STANDARD-ANTIVIRUS-TEST-FILE!+H*"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:3;)
[root@ipfire suricata]#

[Edit 2] screen snap of IPS settings:

Too bad the virus test won’t work with SquidClamAv enabled.
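The fast.log lines quoted above are the raw record of what the IPS actually did, and the WUI counter discussed earlier ("Total of number of activated rules for <date>") is derived from entries like these rather than from the checked rulesets. The added example below (not part of this thread or of IPFire) parses fast.log lines into fields and summarises them per day: total events, distinct sids fired and how many were drops. The three sample lines are constructed in the fast.log format shown above with RFC 5737 documentation addresses and a local-range sid (1000001); they are not taken from anyone's firewall.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Suricata fast.log format. The first two mirror the shape of
# the DNS amplification drops quoted in the thread; the third is an alert-only entry
# (no [Drop] tag) with a made-up local sid.
SAMPLE_FAST_LOG = """\
02/23/2020-01:46:30.181140  [Drop] [**] [1:28556:3] PROTOCOL-DNS DNS query amplification attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.23:59217 -> 203.0.113.10:53
02/23/2020-06:57:36.214406  [Drop] [**] [1:28556:3] PROTOCOL-DNS DNS query amplification attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.77:60851 -> 203.0.113.10:53
02/24/2020-10:02:11.000001  [**] [1:1000001:1] LOCAL constructed test alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:51234 -> 203.0.113.5:80
"""

# One fast.log line: timestamp, optional [Drop]/[wDrop], [gid:sid:rev], msg,
# optional classification, priority, protocol, src[:port] -> dst[:port].
# IPv4 only; IPv6 addresses would need a different src/dst split.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_log_line(line: str):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"] or "alert"   # no tag means the rule only alerted
    ev["day"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f").date().isoformat()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev


def parse_fast_log(text: str) -> list:
    """Parse a whole fast.log, silently skipping lines that do not match."""
    return [ev for ev in (parse_fast_log_line(l) for l in text.splitlines()) if ev]


def summarize_per_day(events: list) -> dict:
    """Per day: total events, number of distinct sids that fired, and drops.

    'distinct_sids' is the closest analogue of a 'rules triggered today' counter;
    zero on a day simply means no rule fired, not that no rule was enabled.
    """
    per_day = defaultdict(lambda: {"events": 0, "sids": set(), "drops": 0})
    for ev in events:
        bucket = per_day[ev["day"]]
        bucket["events"] += 1
        bucket["sids"].add(ev["sid"])
        if ev["action"] in ("Drop", "wDrop"):
            bucket["drops"] += 1
    return {
        day: {"events": b["events"], "distinct_sids": len(b["sids"]), "drops": b["drops"]}
        for day, b in sorted(per_day.items())
    }


if __name__ == "__main__":
    events = parse_fast_log(SAMPLE_FAST_LOG)
    for day, stats in summarize_per_day(events).items():
        print(day, stats)
```

On a live system the same functions can be fed the real file, e.g. `summarize_per_day(parse_fast_log(open("/var/log/suricata/fast.log").read()))`; a day that shows zero here while rules are checked in the WUI points at traffic never reaching the rule (interface, flow direction, input policy) rather than at the rule list itself.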

Hi @xperimental,

trying Emergingthreats community at the moment.

But can’t find any DNS-rule for simple nslookup-trigger-test.
Do you know an efficient way to test/trigger from green without waiting for days?

Thanks,

Jan

Tried nslookup and ping for activated rule “ET POLICY Hi5.com Social Site Access” inside “emerging-policy.rules” from green.
Both work. OK, because only monitoring is activated.
But nothing shown in IPS Logs: Total of number of activated rules for February 25: 0
At the moment it seems, that it is not working.

Correction to my comment above, @timf, with policy set to “security”, I have 16,150 rules enabled for Talos VRT Subscribed rules.
I also found other rules related to anti-virus and eicar – server-other.rules: “SERVER-OTHER Multiple vendor anti-virus extended ASCII filename scan bypass attempt”; and malware-cnc.rules: “MALWARE-CNC CobaltStrike trial version inbound beacon response”. However, even with those rules also enabled (along with the 6 eicar rules in policy-other.rules) I can still download the eicar.com.txt file without triggering / blocking / dropping / alerting by IPS / Suricata

I can still confirm: with other rules the IPS log keeps empty.
Yesterday I switched IPS from monitoring to block for testing-reasons.
But nothing changed. Seems the IPS doesn’t work!

Hi @stevee
I have the Talos VRT Subscriber rules loaded, with policy set to security – this results in 16,150 rules enabled. I have things working okay and I do periodically have events triggered. However, the test mentioned by @timf above does not trigger. Could you take a look and see what’s wrong?

Test suggested by @timf above:

You could try downloading the EICAR antivirus test message from http://www.eicar.org/download/eicar.com.txt after making sure that the appropriate rule in policy-other is enabled.

I have grepped through the “/var/lib/suricata” rule files looking for anything related to “eicar” and enabled the corresponding rules – in malware-cnc.rules, policy-other.rules, server-other.rules.

With all those rules enabled, I am still able to download the eicar.com.txt file. The IPS does not trigger when I attempt the download – and I can unfortunately download the file.

Since I’m getting other rules to fire, I’m pretty sure of what I’m doing. But I don’t understand why this EICAR test is not triggering.

Yesterday I enabled all (!) emergingthreat-rules and got some logs.
But it’s not what I want.
The goal isn’t to get a full log and feeling happy. It’s to be sure that the system is blocking what it should block (or alert with monitoring only).
For today I only activated all (!) emergingthreat-rules, but only for the green interface. Looking forward but not confident.