Re: [security-onion] Snort Local rules not getting alerts in ELSA / SQUERT

75 views
Skip to first unread message
Message has been deleted

Wes Lambert

unread,
Mar 14, 2018, 11:01:23 AM3/14/18
to securit...@googlegroups.com
Is Snort running?

sudo service nsm_sensor_ps-status

Did those rules make it into /etc/nsm/rules/downloaded.rules?

grep 10000003 /etc/nsm/rules/downloaded.rules

and so on...

You also may want to check your Snort log file to ensure there are no errors with your syntax:

sudo tail -100 /var/log/nsm/hostname-interface/snortu-x.log

Thanks,
Wes


On Wed, Mar 14, 2018 at 10:53 AM, Neeraj Shah <neeraj...@gmail.com> wrote:
Hello All,
I am a new user of Security Onion. We have a single server deployment. During the setup i selected SNORT as the IDS. I have also configured a Mirror/SPAN port connection to my SO server & have it set a monitoring interface.

I have 3 simple use cases (1) Detect FTP Connection to our public server 129.x.x.x (2) Detect SSH Connection attempts (3) Detect NMAP scan. I went ahead and put in the below rules under /etc/nsm/local.rules and ran the rule-update command.

alert tcp any any -> $HOME_NET 22 ( msg:”Potential SSH Brute Force Attack”; flow:to_server; flags:S; threshold:type threshold, track by_src, count 3, seconds 60; classtype:attempted-dos; sid:2001219; rev:4; resp:rst-all; )

alert tcp any any -> 129.x.x.x 21(msg: "FTP attempt to Public IP";sid:10000003;rev:1;)

alert icmp any any -> $HOME_NET any (msg: “NMAP ping sweep Scan “; dsize:0;sid:10000004; rev: 1;)

Then when i tried doing a FTP test from my workstation 172.16.3.10 to that 129.x.x.x server, I don't see any alert generated in ELSA or SQUERT.  In ELSA, I checked under "SNORT/SURRICATA" option & even here it does not show anything.  Likewise similar is happening for ssh connection.

However in ELSA >> Connections >> Query "class=BRO_CONN "-"srcip="172.16.3.10" proto="TCP" dstport:21  does show the traffic packets. So the traffic is hitting the SO server , its just SNORT is not converting that into an alert.

Can someone please advise ? I am sure this is a common scenario which many of you have hit.



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Neeraj Shah

unread,
Mar 14, 2018, 11:17:08 AM3/14/18
to security-onion
Hi Wes, Thanks for replying. When i run "sudo service nsm_sensor_ps-status" i am getting below message:

nsm_sensor_ps-status: unrecognized service

However, when i run "sudo sostat | less", it shows SNORT as OK

=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 3736 13 Mar 19:53:49
Status: securityonion-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=====================================================

The local.rules have not made it to the downloaded rules. What could be the reason for that ? Please find below snippet from my securityonion.conf file. Everything is commented out by default Do i need to change anything here ?


# LOCAL_NIDS_RULE_TUNING
# The effect of this option is different depending on whether this box is a server or not.
# SERVER
# LOCAL_NIDS_RULE_TUNING=yes
# rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
# LOCAL_NIDS_RULE_TUNING=no
# rule-update will try to download rules from the Internet
# SENSOR-ONLY
# LOCAL_NIDS_RULE_TUNING=yes
# rule-update will copy rules from master server and then try to run PulledPork locally for tuning
# LOCAL_NIDS_RULE_TUNING=no


The Snort log file doesn't show any error as such. Please find attachment.

Thanks for your help.

snortu-1.log

Wes Lambert

unread,
Mar 14, 2018, 11:23:25 AM3/14/18
to securit...@googlegroups.com
Sorry, I had a typo in there previously.

It should have been

sudo nsm_sensor_ps-status

On a standalone,

both LOCAL_HIDS_RULE_TUNING and LOCAL_NIDS_RULE_TUNING should be unremarked and set to "no'.

For these lines only:

# If set to yes, this node will keep its own copy of the OSSEC rules.
LOCAL_HIDS_RULE_TUNING=no

# rule-update will copy rules from master server as-is (no changes)
LOCAL_NIDS_RULE_TUNING=no


Please try changing as such and re-running rule-update to see if the local.rules make it into downloaded.rules.

Thanks,
Wes

Neeraj Shah

unread,
Mar 14, 2018, 11:48:56 AM3/14/18
to security-onion
Wes,
Here is the output of "sudo nsm_sensor_ps-status"

Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 3736 13 Mar 19:53:49
Status: securityonion-eth1
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format)

==================================================================

Now, in my security.conf file both of those fields are uncommented & set to NO. Here is a snippet:

# If set to yes, sensor will keep its own copy of the OSSEC rules.
LOCAL_HIDS_RULE_TUNING=no

# LOCAL_NIDS_RULE_TUNING


# The effect of this option is different depending on whether this box is a server or not.
# SERVER
# LOCAL_NIDS_RULE_TUNING=yes
# rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
#LOCAL_NIDS_RULE_TUNING=no

# rule-update will try to download rules from the Internet
# SENSOR-ONLY
# LOCAL_NIDS_RULE_TUNING=yes

# rule-update will copy rules from master server and then try to run PulledPork locally for tuning
# LOCAL_NIDS_RULE_TUNING=no

# rule-update will copy rules from master server as-is (no changes)
LOCAL_NIDS_RULE_TUNING=no

========================================================

Since mine is a standalone host, do i need uncomment the "LOCAL_NIDS_TUNING=no" in the "server" section also ?

Here is the output of "rule-update"


Wed Mar 14 15:45:16 UTC 2018
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2990.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2990.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 10 rules
Skipped 10 rules (already disabled)
Done
Setting Flowbit State....
Enabled 159 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------8
Deleted:---28
Enabled Rules:----30632
Dropped Rules:----0
Disabled Rules:---29206
Total Rules:------59838
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: securityonion-eth1
* stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
* starting: barnyard2-1 (spooler, unified2 format) [ OK ]
Restarting IDS Engine.
Restarting: securityonion-eth1
* stopping: snort-1 (alert data) [ OK ]
* starting: snort-1 (alert data)

=================================================

But yet the local.rules do not make it to downloaded.rules. I tried doing a grep again on the downloaded.rules & it does not show any of my local rules.

Neeraj Shah

unread,
Mar 14, 2018, 12:41:56 PM3/14/18
to security-onion
Hi Wes,

I figured out the rules updating problem. It was a syntax issue under my local.rules. It turns out that local.rules does not like the extra ";" at the end after rev:1. I am not sure why or how this is working for other users because i found this rule syntax online.

alert tcp any any -> 129.x.x.x 21(msg: "FTP attempt to Public IP";sid:10000003;rev:1;)

So i changed this to

alert tcp any any -> 129.x.x.x 21(msg: "FTP attempt to Public IP";sid:10000003;rev:1) (without the semicolon at the end)

When i now run rule-update, this rule is able to make it to downloaded.rules.

But yet, when i test the ftp connection or ssh connection, both ELSA & SQUERT are not generating an alert with the custom msg. I can see the connection make it to the Security Onion standalone server. The traffic shows up in the list in ELSA >> Connections >> Query >>

Neeraj Shah

unread,
Mar 14, 2018, 1:56:16 PM3/14/18
to security-onion
Wes, After further troubleshooting, it was an extra whitespace character that was the issue. We are now getting alerts as well. Thank you very much.

One last question related to best practices, Can i uncomment & modify some of the rules i want directly in the downloaded.rules file or do we have to copy those over to local-rules ? Reason i ask is because lot of rules listed under downloaded.rules are commented out. We want to use some of them.

Wes Lambert

unread,
Mar 14, 2018, 2:21:32 PM3/14/18
to securit...@googlegroups.com
You should never modify downloaded.rules directly, as it will get overwritten when rule-update runs.  If there are rules that are commented out in downloaded.rules by default, you can enable them using /etc/nsm/pulledpork/enablesid.conf.

Thanks,
Wes

On Wed, Mar 14, 2018 at 1:56 PM, Neeraj Shah <neeraj...@gmail.com> wrote:
Wes, After further troubleshooting, it was an extra whitespace character that was the issue. We are now getting alerts as well. Thank you very much.

One last question related to best practices, Can i uncomment & modify some of the rules i want directly in the downloaded.rules file or do we have to copy those over to local-rules ? Reason i ask is because lot of rules listed under downloaded.rules are commented out. We want to use some of them.
Reply all
Reply to author
Forward
0 new messages