How to use SELKS in IPS mode?


okar...@gmail.com

Dec 11, 2017, 3:23:10 AM
to SELKS
Hello,

How do I run SELKS in IPS mode? I did the SELKS setup using "SELKS-4.0-nodesktop.iso" and I made all the updates after installation. Currently I am working in IDS mode. How do I configure it as IPS? There is probably a value in the "suricata.yaml" file that I need to change. But I have not found a relevant guide to this topic.
I installed SELKS as a virtual server on VMware. I use the "ens160" and "ens192" interfaces. The interface that the SELKS listens to is "ens160".
The interface configurations are as follows;


# The primary network interface
allow-hotplug ens192
iface ens192 inet static
address 176.53.x.xx/27
gateway 176.53.x.x
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 94.101.95.4 94.101.94.4 8.8.8.8
dns-search selks.radore.com

auto ens160
iface ens160 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/idps-interface-tuneup_stamus


root@SELKS:/etc/network# suricata --build-info
This is Suricata version 4.0.0-dev (rev d363a165)
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.0 20170516, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: yes
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: yes
Libnet support: yes

Rust support (experimental): no
Experimental Rust parsers: no
Rust strict mode: no

Suricatasc install: yes

Profiling enabled: no
Profiling locks enabled: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var

Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/root/Work/packaging/deb-packaging/hyper-stretch/stamus-suricata/suricata-2017090101=. -fstack-protector-strong -Wformat -Werror=format-security
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security



Thank you,

okar...@gmail.com

Dec 12, 2017, 1:35:48 AM
to SELKS
Hello again,

What values do I need to change in the suricata.yaml file for IPS mode? Actually I want to drop attack packets. Could you help me with that?

On Monday, 11 December 2017 at 11:23:10 UTC+3, okar...@gmail.com wrote:

Peter Manev

Dec 12, 2017, 5:02:32 AM
to okar...@gmail.com, SELKS
On Tue, Dec 12, 2017 at 7:35 AM, <okar...@gmail.com> wrote:
> Hello again,
>
> What values do I need to change in the suricata.yaml file for IPS mode?
> Actually I want to dropped attack packets. Could you help me with that?

Hi,

Please have a look here and give it a try -
https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS

Please let us know how it goes!

Thank you



--
Regards,
Peter Manev

okar...@gmail.com

Dec 13, 2017, 1:21:29 AM
to SELKS
Hello Pevma,

Thank you for the interesting. I have activated the IPS mode. But I see some warnings in the suricata.log. Does this cause a problem?

[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25163] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: Message too long
[25163] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: Message too long
[25159] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 12: Message too long
[25163] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: Message too long
[25159] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 12: Message too long

On Tuesday, 12 December 2017 at 13:02:32 UTC+3, pevma wrote:
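Added example (not from the thread or from SELKS): a small Python parser that reads suricata.log excerpts like the one above, keeps only the AFPWritePacket failures, and aggregates them per worker thread, socket and errno string. The sample log text is constructed after the quoted lines, and the hint table reflects the usual meaning of those errno strings for a send on the packet socket that forwards traffic to the copy interface; a failed write there means that particular packet was not forwarded, which is why a defender wants counts per socket rather than a scrolling wall of identical warnings.

```python
import re
from collections import Counter

# Constructed sample, modelled on the suricata.log lines quoted in this thread
# (not a real capture): three AF_PACKET worker threads failing with two different
# errno strings, plus one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25161] 13/12/2017 -- 03:00:15 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 14: No buffer space available
[25163] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: Message too long
[25159] 13/12/2017 -- 03:05:22 - (source-af-packet.c:748) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 12: Message too long
[25159] 13/12/2017 -- 03:05:30 - (suricata.c:0) <Notice> (LogVersion) -- constructed non-failure line
"""

# One suricata.log line: "[tid] dd/mm/yyyy -- hh:mm:ss - (file:line) <Level> (Function) -- [ERRCODE: NAME(n)] - message"
LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\] (?P<date>\d{2}/\d{2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"\((?P<src>[^)]+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- "
    r"\[ERRCODE: (?P<errcode>\w+)\((?P<errnum>\d+)\)\] - "
    r"Sending packet failed on socket (?P<socket>\d+): (?P<reason>.+)$"
)

# Usual meaning of the errno strings for a send on the packet socket that
# AFPWritePacket uses to forward a packet to the copy interface; hints only.
REASON_HINTS = {
    "No buffer space available": "ENOBUFS: the copy interface's transmit queue was full, so the packet was not forwarded",
    "Message too long": "EMSGSIZE: the frame exceeded the copy interface's MTU (for example offload-merged frames), so the packet was not forwarded",
}


def parse_write_failures(text):
    """Return one dict per AFPWritePacket failure line; every other line is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("func") == "AFPWritePacket":
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate failures per (thread id, socket, reason) and per reason, with a hint per reason."""
    per_socket = Counter((e["tid"], e["socket"], e["reason"]) for e in events)
    per_reason = Counter(e["reason"] for e in events)
    hints = {reason: REASON_HINTS.get(reason, "unrecognised errno string") for reason in per_reason}
    return {"per_socket": per_socket, "per_reason": per_reason, "hints": hints}


def report(text):
    """Build the human-readable summary for a suricata.log excerpt and return it as lines."""
    summary = summarize(parse_write_failures(text))
    lines = []
    for (tid, sock, reason), n in sorted(summary["per_socket"].items()):
        lines.append(f"thread {tid} socket {sock}: {n} x {reason}")
    for reason, hint in summary["hints"].items():
        lines.append(f"{reason} -> {hint}")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe a real log in (e.g. from /var/log/suricata/suricata.log); falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it as `python3 afp_write_failures.py < /var/log/suricata/suricata.log` (file name assumed). A steady count of one reason on one socket points at the interface behind that socket rather than at Suricata itself, which is the distinction Peter's follow-up question about traffic type and af-packet configuration is trying to make.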

Peter Manev

Dec 13, 2017, 10:27:13 AM
to okar...@gmail.com, SELKS
Could you explain a bit what type of test you are trying out - or is
it just normal end user browsing traffic?

Also could you please paste the af-packet section of your config?
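Added example (not from the thread, the SELKS wiki page linked earlier, or Suricata itself): a Python check over the af-packet section Peter asks for here. It takes the list that `yaml.safe_load()` returns for the top-level `af-packet:` key of suricata.yaml and verifies the things that most often go wrong when an IDS configuration is switched to IPS: every interface has `copy-mode` set, each `copy-iface` names another configured interface that copies back, cluster-ids are not reused, and `use-mmap` is on as in the documented copy-mode setup. The two sample configurations are constructed; `ens224` is an assumed second interface bridged to the thread's `ens160`, and the management interface that carries the IP address (`ens192` in the thread) is deliberately not part of the pair.

```python
# Constructed example of the list under the top-level "af-packet:" key of
# suricata.yaml, in the shape yaml.safe_load() returns for it. Interface names
# are assumptions: ens160 is the sniffing interface from this thread, ens224 an
# assumed second interface bridged to it. The management interface with an IP
# address (ens192 in the thread) must not be one of the pair.
AF_PACKET_OK = [
    {"interface": "ens160", "threads": 2, "cluster-id": 98, "cluster-type": "cluster_flow",
     "defrag": "yes", "use-mmap": "yes", "copy-mode": "ips", "copy-iface": "ens224"},
    {"interface": "ens224", "threads": 2, "cluster-id": 97, "cluster-type": "cluster_flow",
     "defrag": "yes", "use-mmap": "yes", "copy-mode": "ips", "copy-iface": "ens160"},
    {"interface": "default"},
]

# Constructed half-finished switch from IDS to IPS: the second interface kept its
# IDS entry (no copy-mode) and reuses the first interface's cluster-id.
AF_PACKET_BROKEN = [
    {"interface": "ens160", "threads": 2, "cluster-id": 98, "cluster-type": "cluster_flow",
     "use-mmap": "yes", "copy-mode": "ips", "copy-iface": "ens224"},
    {"interface": "ens224", "threads": 2, "cluster-id": 98, "cluster-type": "cluster_flow",
     "use-mmap": "yes"},
    {"interface": "default"},
]


def check_af_packet_ips(entries):
    """Return a list of findings about copy-mode pairing; an empty list means consistent."""
    findings = []
    # The "default" entry only supplies fallback values and is not a capture interface.
    by_name = {e["interface"]: e for e in entries if e.get("interface") != "default"}
    cluster_owner = {}
    for name, entry in by_name.items():
        # Each interface needs its own cluster-id; sharing one mixes the fanout groups.
        cid = entry.get("cluster-id")
        if cid in cluster_owner:
            findings.append(f"{name}: cluster-id {cid} is already used by {cluster_owner[cid]}")
        else:
            cluster_owner[cid] = name

        # Without copy-mode the interface is inspected only (IDS); nothing is forwarded.
        mode = entry.get("copy-mode")
        if mode not in ("ips", "tap"):
            findings.append(f"{name}: no copy-mode, packets are inspected but never forwarded")
            continue

        # The peer must exist in the same list and must copy back, or traffic is one-way.
        peer = entry.get("copy-iface")
        if not peer:
            findings.append(f"{name}: copy-mode {mode} without a copy-iface")
        elif peer == name:
            findings.append(f"{name}: copy-iface points at itself")
        elif peer not in by_name:
            findings.append(f"{name}: copy-iface {peer} has no af-packet entry of its own")
        elif by_name[peer].get("copy-iface") != name:
            findings.append(f"{name}: {peer} does not copy back to {name}, so traffic would be one-way")

        # The documented copy-mode setup runs with the mmap ring enabled.
        if str(entry.get("use-mmap", "no")).lower() != "yes":
            findings.append(f"{name}: use-mmap is not yes; the documented copy-mode setup enables it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ok", AF_PACKET_OK), ("broken", AF_PACKET_BROKEN)):
        print(label, check_af_packet_ips(cfg) or ["no findings"])
```

To run it against a live box, load the real file with PyYAML and pass the section in: `check_af_packet_ips(yaml.safe_load(open("/etc/suricata/suricata.yaml"))["af-packet"])`. SELKS also keeps af-packet settings in the selks4-addin.yaml file mentioned later in the thread, so check whichever file Suricata actually includes last.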

okar...@gmail.com

Dec 21, 2017, 10:05:01 AM
to SELKS
Hello Pevma,

I apologize for my late reply. I run the SELKS server on ESXi and this ESXi server has virtual servers which are used for many different purposes. SELKS monitors all traffic coming to this ESXi server. I hope that is what you are doing.
But when I checked the logs for 7 days, I noticed that the capture and drop processes stopped and started spontaneously from time to time. Unfortunately, there is no uninterrupted process. The selks4-addin.yaml and suricata.yaml AF-Packet configuration is attached.

On Wednesday, 13 December 2017 at 18:27:13 UTC+3, pevma wrote:
Attachment: AF-PACKET-selks4-addin.yaml.txt

Peter Manev

Dec 21, 2017, 10:50:06 AM
to okar...@gmail.com, SELKS
On Thu, Dec 21, 2017 at 4:07 PM, <okar...@gmail.com> wrote:
>
>
> On Thursday, 21 December 2017 at 18:05:01 UTC+3, okar...@gmail.com wrote:
>>
>> Hello Pevma,
>>
>> I apologize for my late reply.I run SELKS server on ESXI and this ESXI
>> server has virtual servers which are used for many different purposes.SELkS
>> monitors all traffic coming to this ESXI server. I hope that is what you are
>> doing.
>> But when I checked the logs for 7 days, I noticed that the capture and
>> drop processes stopped and started spontaneously from time to time.
>> Unfortunately, there is no uninterrupted process.The selks4-addin.yaml and
>> suricata.yaml AF-Packet configuration is attached.
>>
>>


In /etc/crontab there is a daily restart job when updating the rules -
could that be the reason for the restarts ?