curl testmyids.com yields no alerts in Sguil


namobud...@gmail.com

Sep 23, 2015, 12:37:10 PM
to security-onion
Hello Group,

"curl testmyids.com" yields no alerts in Sguil when I run it on a sensor or the master; however, internal scans across subnet boundaries using Nessus do trigger alerts. I assume this test should yield an alert in Sguil. What's the best place and steps to troubleshoot this?

Thanks,

Doug Burks

Sep 24, 2015, 7:05:57 AM
to securit...@googlegroups.com
Hi namobuddhaonion,

First, check to see if you have the rule enabled. What's the output
of the following?
grep 2100498 /etc/nsm/rules/downloaded.rules

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

namobud...@gmail.com

Sep 24, 2015, 9:34:29 AM
to security-onion
This grep returns nothing, just a blank line.

On Thursday, September 24, 2015 at 7:05:57 AM UTC-4, Doug Burks wrote:
> Hi namobuddhaonion,
>
> First, check to see if you have the rule enabled. What's the output
> of the following?
> grep 2100498 /etc/nsm/rules/downloaded.rules

Doug Burks

Sep 24, 2015, 9:42:32 AM
to securit...@googlegroups.com
Are you running the Snort VRT ruleset?

What's the output of the following?
grep "uid=0" /etc/nsm/rules/downloaded.rules

namobud...@gmail.com

Sep 24, 2015, 11:39:49 AM
to security-onion
Here you go:

grep "uid=0" /etc/nsm/rules/downloaded.rules
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv variant outbound connection onestoponlineshop"; flow:to_server,established; content:"/templates/onestoponlineshop.net/images/css.css"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16109; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv variant outbound connection childhe"; flow:to_server,established; content:"/pas/apstpldr.dll.html?affid=152174"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16110; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv installtime detection"; flow:to_server,established; content:"/Setup_ver1.1427.0.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16111; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC on non-standard HTTP Ports"; flow:to_server,established; content:"/add.jsp?uid=001&ver=0307&mac="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9D3D80DADEA99809E835072C5452F47581ECD0C57854A743BA7448B9332401B1/analysis/; classtype:attempted-user; sid:32769; rev:1;)


On Thursday, September 24, 2015 at 9:42:32 AM UTC-4, Doug Burks wrote:
> Are you running the Snort VRT ruleset?
>
> What's the output of the following?
> grep "uid=0" /etc/nsm/rules/downloaded.rules

Heine Lysemose

Sep 24, 2015, 1:10:54 PM
to securit...@googlegroups.com

Your alert for testmyids.com is disabled. Try enabling sid:498 from enablesid.conf.

Regards,
Lysemose

namobud...@gmail.com

Sep 24, 2015, 2:48:39 PM
to security-onion
Thanks Lysemose!

namobud...@gmail.com

Sep 24, 2015, 2:54:38 PM
to security-onion
Here's the line I added, and then I did a rule update on the master and sensors. Was this correct?
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
1:498

Heine Lysemose

Sep 24, 2015, 3:07:57 PM
to securit...@googlegroups.com

Yes, that looks right. Try grep "uid=0" /etc/nsm/rules/downloaded.rules to see if the rule is enabled now...
Then try curl testmyids.com again.

Regards,
Lysemose
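As an added example that is not part of this thread, the check the replies above walk through put into two small shell functions: whether a given SID is present and uncommented in a rules file (a leading "#" in downloaded.rules means the rule is disabled), and whether an enablesid.conf-style file lists the GID:SID. The sample files are constructed here in the layout quoted in the thread; on a real Security Onion box you would point the functions at /etc/nsm/rules/downloaded.rules and your enablesid.conf instead.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Snort rule by SID as
# enabled, disabled (commented out) or missing in a rules file, and check
# whether an enablesid.conf-style file lists it. Sample files are constructed.

# rule_state SID FILE -> prints one of: enabled | disabled | missing
rule_state() {
    sid="$1"; rules="$2"
    # Anchor on "sid:498;" so that sid:4980 does not match; allow an optional space.
    line=$(grep -E "sid: ?${sid};" "$rules" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo disabled          # rule text is there but commented out
    else
        echo enabled
    fi
}

# sid_listed GID:SID FILE -> exit 0 if a non-comment line lists the entry
sid_listed() {
    # Skip comment lines, then match the entry alone or inside a comma list.
    grep -Ev '^[[:space:]]*#' "$2" | grep -Eq "(^|,)[[:space:]]*$1[[:space:]]*(,|$)"
}

# Constructed sample in the layout of downloaded.rules: sid 498 disabled, 32769 enabled.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed enabled rule"; content:"/add.jsp?uid=001"; sid:32769; rev:1;)
EOF

# Constructed sample enablesid.conf with the entry added in the thread.
SAMPLE_ENABLESID=$(mktemp)
cat > "$SAMPLE_ENABLESID" <<'EOF'
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
1:498
EOF

echo "sid 498:   $(rule_state 498 "$SAMPLE_RULES")"     # disabled
echo "sid 32769: $(rule_state 32769 "$SAMPLE_RULES")"   # enabled
echo "sid 4980:  $(rule_state 4980 "$SAMPLE_RULES")"    # missing
if sid_listed 1:498 "$SAMPLE_ENABLESID"; then
    echo "1:498 is listed; run a rule update, then re-check rule_state"
fi
```

A "disabled" result after the rule update points at enablesid.conf not being picked up, while "missing" means the ruleset in use does not carry that SID at all.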
