NTP service in SELKS causes TOR alert


emre....@btpsec.com

Jul 26, 2016, 8:06:50 AM
to SELKS
Hi,

SELKS generates an "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group <XYZ>" alert.
In /etc/ntp.conf, 0.debian.pool.ntp.org is defined as a server.
It resolves to 78.46.53.11, which is also known as tor.nocabal.de.
The NTP service ping-pongs with that address regularly, so Suricata raises the TOR alert regularly.

What is the easiest and most sensible solution?
Is it to suppress this IP for each TOR <XYZ> rule, or to leave it generating alerts?

Thank you,

Peter Manev

Jul 26, 2016, 8:19:02 AM
to emre....@btpsec.com, SELKS
I would say it is up to you. There are a few options:
- create a suppression or threshold for that IP for that alert in Scirius
- you can create a "pass" rule and custom add it through a file in Scirius
- you can disable that rule SID
...

I would do the first one. Go to Scirius - Suricata tab. Find the
"Sid", click it and then look for the src or dst IP - 78.46.53.11, click
on the "x" (cross) mark right next to it and "Add Suppress".
Update the ruleset/Suricata afterwards - that should do the trick.



--
Regards,
Peter Manev

emre....@btpsec.com

Jul 26, 2016, 8:26:24 AM
to SELKS, emre....@btpsec.com
Thank you Peter.

As you know, there are lots of TOR rules.
This action is caught by several TOR rules.
I apply the same technique as you; I just want to learn the best practice.
I was looking for a solution that does not require defining a suppression for several rules, something like that.

I prefer a pass rule if I am not able to do what I want with suppression or threshold.
I think disabling such a rule could be risky, since it would be blind to real attacks that are delivered through TOR.

Thanks again for your fast responses.
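As an added illustration (not part of the thread, and not SELKS or Scirius code): a small Python script, run over a few constructed eve.json alert lines, that collects every (gid, sid) that fired on the NTP pool host and emits either the per-rule threshold.config suppress entries Peter describes, or the single local pass rule Emre prefers. The signature_id values in the sample events, the local sid 9000100 and the UDP/123 assumption are placeholders; the real ET TOR rule SIDs are not given in the thread.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed eve.json alert lines, not real SELKS output. The signature_id
# values are placeholders; the real ET TOR rule SIDs are not on this page.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 123,
                "dest_ip": "78.46.53.11", "dest_port": 123, "proto": "UDP",
                "alert": {"gid": 1, "signature_id": 9000001, "rev": 1,
                          "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"}}),
    # NTP reply: the pool host is now the source, so a different TOR rule fires.
    json.dumps({"event_type": "alert", "src_ip": "78.46.53.11", "src_port": 123,
                "dest_ip": "10.0.0.5", "dest_port": 123, "proto": "UDP",
                "alert": {"gid": 1, "signature_id": 9000002, "rev": 1,
                          "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2"}}),
    # Same rule firing again: must not produce a duplicate suppress entry.
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 123,
                "dest_ip": "78.46.53.11", "dest_port": 123, "proto": "UDP",
                "alert": {"gid": 1, "signature_id": 9000001, "rev": 1,
                          "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"}}),
    # TOR alert involving another host: must be left alone (that one may be real).
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.7", "src_port": 44321,
                "dest_ip": "198.51.100.9", "dest_port": 80, "proto": "TCP",
                "alert": {"gid": 1, "signature_id": 9000003, "rev": 1,
                          "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 3"}}),
    # Non-alert event and a torn line, both of which eve.json can contain.
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "78.46.53.11"}),
    "this line is not JSON",
]


def alert_sids_for_host(lines: Iterable[str], host: str) -> Dict[Tuple[int, int], List[str]]:
    """Map (gid, sid) -> sorted list of track directions for alerts where `host` is a peer.

    'by_dst' when the host was dest_ip, 'by_src' when it was src_ip; a rule that
    fired in both directions gets both, so the generated suppress lines cover it.
    """
    found: Dict[Tuple[int, int], set] = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partially written trailing line
        if ev.get("event_type") != "alert":
            continue
        if ev.get("src_ip") == host:
            side = "by_src"
        elif ev.get("dest_ip") == host:
            side = "by_dst"
        else:
            continue
        a = ev["alert"]
        found.setdefault((a["gid"], a["signature_id"]), set()).add(side)
    return {key: sorted(sides) for key, sides in found.items()}


def suppress_entries(sids: Dict[Tuple[int, int], List[str]], host: str) -> List[str]:
    """threshold.config lines: one per rule and direction, scoped to this IP only."""
    out = []
    for (gid, sid), tracks in sorted(sids.items()):
        for track in tracks:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {host}")
    return out


def pass_rule(host: str, port: int = 123, sid: int = 9000100) -> str:
    """One bidirectional pass rule for NTP packets exchanged with the host.

    Under Suricata's default action-order, pass rules are evaluated before alert
    rules, so this single rule stops every TOR signature from alerting on this
    traffic without modifying or disabling the TOR rules themselves. `sid` is a
    placeholder in the local-rule range, not a real ET SID.
    """
    return (f'pass udp any any <> {host} {port} '
            f'(msg:"LOCAL pass NTP pool host {host}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    hits = alert_sids_for_host(SAMPLE_EVE_LINES, "78.46.53.11")
    print("# threshold.config entries, one per TOR rule that fired on the pool host:")
    print("\n".join(suppress_entries(hits, "78.46.53.11")))
    print("# or a single local pass rule instead:")
    print(pass_rule("78.46.53.11"))
```

The trade-off the two outputs make visible: the suppress entries are scoped to the exact rules that have already fired, so a new TOR rule matching the same host will alert again until another line is added, whereas the pass rule silences all rules for UDP/123 with that one host and nothing else, which keeps the TOR signatures fully active for every other flow.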