Suricata not generating alerts


Joppe Oostenrijk

Nov 5, 2021, 11:43:34 AM
to SELKS
Hi,
I'm a student currently researching and PoC'ing the viability of an IPS for a company.
Currently I'm working on a Proof of Concept in a test environment at the company.
For the PoC I'm running SELKS in a docker container on OracleLinux (not ideal but the company needs it to run on OL).
Bringing up the project with docker-compose all works fine, everything is alright according to portainer.
Because the test environment is behind the company firewall, which denies traffic unless allowed, I can't use http to get the rules. To get around this I downloaded them and manually uploaded them to scirius.
Apart from that, I also create a single rule file with "Alert icmp any any -> $HOME_NET any (msg: "IMCP traffic detected"; sid:1; )" to test alerting.

My problem is, I'm not getting any alerts, not from pinging nor from replaying pcaps.
Does anyone have any idea what could be going wrong?
I understand that this is missing quite a lot of information and I would be happy to supply anything that might help with troubleshooting.

Kind regards,
Joppe

Peter Manev

Nov 5, 2021, 11:48:58 AM
to Joppe Oostenrijk, SELKS
Hi,

Thank you for trying out SELKS.

Did you restart suricata after uploading the rules?
Are there any ERR messages in /var/log/suricata/suricata.log ?

Thank you



--
Regards,
Peter Manev

Joppe Oostenrijk

Nov 5, 2021, 11:58:42 AM
to SELKS
Hi Peter,
thanks for your quick reply.

I did restart the container after applying the rules.

It does have errors: the "scirius-categories.txt" file is missing.
Also (not an error but potentially important), there is no scirius.rules file that was created.
Nor does the suricata container see any files in /etc/suricata/rules/

On Friday, 5 November 2021 at 16:48:58 UTC+1, pevma wrote:

Alexander Nedelchev

Nov 5, 2021, 3:03:24 PM
to SELKS
Hello,
did you add the sources to a ruleset as well?
The docker container adds ETOpen, PT Research and abuse.ch sources by default.
What do you have inside /etc/suricata/rules ?

Joppe Oostenrijk

Nov 8, 2021, 4:00:43 AM
to SELKS
Hi,

I added them to a ruleset.
The docker container only had the ETOpen ruleset added by default (without any data). Possibly because it couldn't contact the servers correctly?
/etc/suricata/rules --> when checking on the suricata container, there are no rules here.
However, when checking on the scirius container these rulesets are present:
app-layer-events.rules  dhcp-events.rules  dns-events.rules  http-events.rules   kerberos-events.rules  nfs-events.rules  smb-events.rules   stream-events.rules
decoder-events.rules    dnp3-events.rules  files.rules       ipsec-events.rules  modbus-events.rules    ntp-events.rules  smtp-events.rules  tls-events.rules

So it looks like only the ETOpen rules are present.

Kind regards,
Joppe

On Friday, 5 November 2021 at 20:03:24 UTC+1, sa...@stamus-networks.com wrote:

Peter Manev

Nov 12, 2021, 2:21:56 AM
to Joppe Oostenrijk, SELKS
Hi,

Do you have other data being generated?
For example if you open kibana would any of the SN-DNS/S-File etc
dashboards have data in them ?

Thank you for trying out the docker version!

On Mon, Nov 8, 2021 at 10:00 AM Joppe Oostenrijk



--
Regards,
Peter Manev

Peter Manev

Nov 12, 2021, 6:33:13 PM
to Joppe Oostenrijk, SELKS
Hi Joppe,

There are plenty of built in ready to use dashboards that should be
available by default.

Did the first time setup run successfully ?
(https://github.com/StamusNetworks/SELKS/wiki/First-time-setup)

Thank you

On Fri, Nov 12, 2021 at 2:00 PM Joppe Oostenrijk
<j.oosten...@gmail.com> wrote:
>
> Hi,
>
> yeah, through the Scirius --> Suricata menu I find that it is scanning traffic.
> Also within Kibana I can create populated dashboards (they don't actually exist by default, not sure if this is a limitation of the docker version or if that is also unexpected behavior?)
> Both DNS data and Anomaly data actually.
> Also within the suricata menu I can confirm my pings actually reach the suricata machine, suricata speed (whatever that may be) rising from 2 to about 6.
>
> On Fri, 12 Nov 2021 at 08:21, Peter Manev <peter...@gmail.com> wrote:
--
Regards,
Peter Manev
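The checks Peter asks for (error lines in suricata.log, whether any signatures were loaded) and the symptom Joppe describes (traffic visible in Scirius and Kibana, yet no alerts) can be turned into one triage script. This is an added example, not code from SELKS or from the thread; the suricata.log and eve.json lines it reads are constructed samples, and the file paths are assumed to be the SELKS defaults.

```python
import json
import re
from collections import Counter

# Constructed sample of /var/log/suricata/suricata.log (not from the thread):
# the rule file Scirius should have written is absent, so zero signatures load.
SURICATA_LOG = """\
5/11/2021 -- 15:40:01 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
5/11/2021 -- 15:40:02 - <Warning> - No rule files match the pattern /etc/suricata/rules/scirius.rules
5/11/2021 -- 15:40:02 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
"""

# Constructed sample of eve.json: flow and dns records exist, but nothing alerts.
EVE_JSON = """\
{"timestamp":"2021-11-05T15:41:10.000000+0100","event_type":"flow","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2021-11-05T15:41:11.000000+0100","event_type":"dns","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2021-11-05T15:41:12.000000+0100","event_type":"flow","proto":"UDP","src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}
"""

def parse_suricata_log(text):
    """Return (error/warning lines, signatures loaded or None if no load line is present)."""
    problems = [l for l in text.splitlines() if "<Error>" in l or "<Warning>" in l]
    m = re.search(r"(\d+) signatures processed", text)
    return problems, (int(m.group(1)) if m else None)

def summarize_eve(text):
    """Count EVE records per event_type and alerts per signature_id."""
    types, alerts = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        types[ev.get("event_type")] += 1
        if ev.get("event_type") == "alert":
            alerts[ev["alert"]["signature_id"]] += 1
    return types, alerts

def diagnose(log_text, eve_text):
    """Separate 'no traffic reaches Suricata' from 'no rules are loaded'."""
    problems, sigs = parse_suricata_log(log_text)
    types, alerts = summarize_eve(eve_text)
    findings = []
    if problems:
        findings.append("rule-load problems in suricata.log: %d line(s)" % len(problems))
    if sigs == 0:
        findings.append("0 signatures loaded: Suricata never read a rule file")
    seen = sum(types.values()) - types["alert"]
    if seen and not alerts:
        findings.append("%d non-alert events but no alerts: rules, not traffic, are the issue" % seen)
    return findings

if __name__ == "__main__":
    for finding in diagnose(SURICATA_LOG, EVE_JSON):
        print("-", finding)
```

On a live box, read the two files from /var/log/suricata/ instead of the embedded samples; a `0 signatures processed` line with flow or dns events present points at the missing scirius.rules file rather than at the firewall.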

Joppe Oostenrijk

Nov 29, 2021, 5:17:07 AM
to SELKS

Hi,

after troubleshooting with a colleague, we think the problem lies in a connection the setup tries to make.
docker-compose up runs correctly, then it tries to start scirius (for the first time).
Scirius scripts set some things up, then it hangs on either creating a database user, creating the cachetable or adding the ruleset (going by the start-scirius.sh script).
Since the last console message we get is:  echo "from django.contrib.auth.models import User; User.objects.create_superuser(***)"
however it did look like it tried adding the ETOpen Ruleset (trying to add it manually resulted in This Ruleset (Name) is already in use, or something similar).

Do you have any idea what could be causing this?
Any weird ports (not 443) it tries to access?

Also it apparently tries to connect to a google cloud server on a semi regular basis, which the firewall doesn't like. (IPs: 216.58.214.3 and 34.107.221.82)
Any idea what it tries to gather from there?

Kind Regards,
Joppe
On Saturday, 13 November 2021 at 00:33:13 UTC+1, pevma wrote:

Peter Manev

Nov 29, 2021, 9:32:28 AM
to Joppe Oostenrijk, SELKS
Hi Joppe,

What OS and coker version is that on?

Maybe you can run it with debug and verbose mode and see where exactly
it errors?

The only reason for Scirius to connect outside is to pull rulesets or
geoip data for the Kibana dashboards (world maps)

Thank you

On Mon, Nov 29, 2021 at 11:17 AM Joppe Oostenrijk



--
Regards,
Peter Manev

Joppe Oostenrijk

Nov 29, 2021, 9:57:43 AM
to Peter Manev, SELKS
Hi,

it is on OracleLinux 8.5, I'm not sure what coker is?
We tried running it with debug and verbose, it doesn't give additional output at the point where it halts. (creating superuser ...)
As it halts before finishing startup.
When running "Python manage.py addsource" by itself it won't get the rulesets either.
I expect it runs, since it does (when running later, not at the first start-up) echo "Succesfully Created source ...", however, it doesn't echo "Succesfully updated source" which it should do were it to run correctly.
Might there be anything that would be blocked by our firewall when running that script? (We aren't seeing anything, but maybe you would know?)
Seeing the script, I would assume it tries to get the rules by https? e.g. port 443?

We really aren't sure what would be stopping it from gathering the rules, so if there is anything you might suspect, we could look into it at least.

Kind regards,
Joppe

On Mon, 29 Nov 2021 at 15:32, Peter Manev <peter...@gmail.com> wrote:

Joppe Oostenrijk

Nov 30, 2021, 6:01:33 AM
to SELKS
Additional information:
We are running on KVM on OracleLinux 8.5 with kernel version uek 5.4.17.300.7.
I have an additional machine running on a VMware ESXi (personal environment, not the environment of the company) which runs fine on the same linux & kernel version.
A colleague of mine tested it on KVM in his personal environment, which worked correctly too.
We're at a loss as to why it won't work.
Do you know of anything that might halt the process in start-scirius.sh?

I'll continue with my PoC on my ESXi machine as to conclude my project, however, for the company to implement this solution we would have to know where the problem originates from.

Kind regards,
Joppe

On Monday, 29 November 2021 at 15:57:43 UTC+1, Joppe Oostenrijk wrote:

Alexander Nedelchev

Nov 30, 2021, 8:39:14 AM
to SELKS
Ok, so I'm kinda lost here. Does the start script hang and SELKS won't start or it starts but doesn't download any rules ?

Joppe Oostenrijk

Nov 30, 2021, 8:55:22 AM
to SELKS
Start-scirius.sh hangs, which prevents the rest of the first time start-up (Logstash waits till scirius is healthy).
However, when you shut down the docker machines and boot them up again, it doesn't run the start-scirius.sh a second time, meaning it starts "correctly" and everything is up.
At that point, it hasn't downloaded the rules and hasn't populated the kibana dashboards and most probably has other problems under water.

On Tuesday, 30 November 2021 at 14:39:14 UTC+1, sa...@stamus-networks.com wrote:

Alexander Nedelchev

Nov 30, 2021, 9:10:50 AM
to SELKS
You may have probably answered this already but where does it hang exactly?
My point is so we can trace the script and potentially find the problem.

Joppe Oostenrijk

Nov 30, 2021, 9:41:13 AM
to SELKS
The last console message we get from the Scirius machine is "from django.contrib.auth.models import User; User.objects.create_superuser(***)"

On Tuesday, 30 November 2021 at 15:10:50 UTC+1, sa...@stamus-networks.com wrote:

Peter Manev

Nov 30, 2021, 11:51:44 AM
to Joppe Oostenrijk, SELKS
Hi,

If it works on another setup but not on this specific one - can it be
a FW issue?

Thank you

On Tue, Nov 30, 2021 at 12:01 PM Joppe Oostenrijk



--
Regards,
Peter Manev

Joppe Oostenrijk

Dec 1, 2021, 7:27:47 AM
to SELKS
Hi Peter,

we thought about that (hence my question for connections other than https/:443), however we don't see any traffic getting blocked by the firewall.
Also, in one of the test setups, every port was closed except for 443, so that shouldn't be a problem.
I suspect that the Django database produces an error after all, since we only get the first echo from this script:

    echo "from django.contrib.auth.models import User; User.objects.create_superuser(***)"

    if [ -n "$DJANGO_SUPERUSER_USERNAME" ] && [ -n "$DJANGO_SUPERUSER_EMAIL" ] ; then
        echo "from django.contrib.auth.models import User; User.objects.create_superuser('$DJANGO_SUPERUSER_USERNAME', '$DJANGO_SUPERUSER_EMAIL', '$DJANGO_SUPERUSER_PASSWORD')" | python manage.py shell
    else
        echo "from django.contrib.auth.models import User; User.objects.create_superuser('selks-user', 'selks...@selks.com', 'selks-user')" | python manage.py shell
    fi
    echo "from django.contrib.auth.models import User, Group; u = User.objects.filter(username='selks-user').first(); g = Group.objects.filter(name='Superuser').first(); g.user_set.add(u)" | python manage.py shell

And when we reboot the docker containers (bring them down and up again) we get a "database is locked" error.

On Tuesday, 30 November 2021 at 17:51:44 UTC+1, pevma wrote:

Alexander Nedelchev

Dec 2, 2021, 3:32:09 AM
to SELKS
Hi Joppe,
I just tested to install SELKS on Oracle Linux 8.5 and I didn't have any problems. If the firewall is blocking something, how do you download the containers in the first place?

Joppe Oostenrijk

Dec 2, 2021, 4:34:00 AM
to SELKS
Hi, like I said, we did so too and it worked for us too, outside the company environment.
The containers are downloaded by the easy-setup.sh script.
We don't see any messages at the firewall of it blocking traffic, port 443 is open.
Hence my question if there are any other ports that it needs for installing.


On Thursday, 2 December 2021 at 09:32:09 UTC+1, sa...@stamus-networks.com wrote: