SURICATA alert suppression


Giulio Botto

Jun 16, 2023, 10:07:53 AM
to Wazuh mailing list
Good day everybody and thanks to the Wazuh team for their great product and their continuing efforts.

We're currently in the process of testing an all-in-one Wazuh deployment on a small number (~50) of devices: as some of these are publicly exposed pfSense firewalls with Suricata enabled on the WAN interfaces, we faced several alert storms generated by 3 specific Suricata stream rules.
Every time this happened, it clogged the /var/ossec/logs and the indexer filesystems until we finally managed to pinpoint exactly which Suricata rules to disable.

The actual question, though, is this: should we wish to block those alerts in Wazuh, we know we should create a level-override rule in local_rules.xml, so we tried that, but apparently with no success.

Here is one of the culprit alerts coming from Suricata:


and here is the local rule which - to our knowledge - should work (but does not):

<group name="ids,suricata,">
  <rule id="119999" level="0">
    <if_sid>86601</if_sid>
    <if_level>3</if_level>
    <field name="signature_id">2210029</field>
    <hostname>hellboy.casetttablu.com</hostname>
    <description>Suppress Suricata stream errors on selected hosts.</description>
  </rule>
</group>

Could somebody shed any light?

Thanks in advance,
Giulio

Eli Josue Rodriguez

Jun 16, 2023, 11:45:42 AM
to Wazuh mailing list
Hello Giulio, thanks for using Wazuh! According to the log you pasted, it doesn't seem to be decoded by the Wazuh decoders. Could you please take the real one? I mean, the original event/log sent by Suricata. Likewise, I can recommend the following.

There is a tool in Wazuh that you can use to check whether the logs you want to ingest will be decoded or not with the default decoders, or whether you will need to write a custom one. This tool also lets you know if a rule would be matched or if you will need to write a custom rule to generate alerts for these events: the Wazuh Logtest tool. In your case, I recommend the following things:
  • Get the log of the alert you want to suppress.
  • Make use of the wazuh-logtest tool and paste the log.
  • If the log is decoded correctly, it will indicate which rules are activated when this type of log is received. In this way, you can know exactly which rule to suppress to avoid alerts of this type. (Here is the default ruleset for Suricata events.)
  • Create the custom rule that suppresses the original rule by adding level="0" to it.
  • If the log is not decoded correctly, you can also create your own decoders and rules; here is a guide.
Also, you can find more information about ingesting Suricata logs in Wazuh -> Suricata.

I hope that helps you!

Giulio Botto

Jun 20, 2023, 10:28:45 AM
to Wazuh mailing list
Hello Eli and thanks for your prompt reply.
I'm sorry for the posted log: it must have been mangled, as it does not seem to work even from the copy I had kept for reference, so I extracted a new log entry that gets correctly decoded by Wazuh.

{"timestamp":"2023-06-09T16:12:02.048244+0200","flow_id":1365059577232500,"in_iface":"igb2","event_type":"alert","src_ip":"10.0.0.1","src_port":1998,"dest_ip":"77.89.37.110","dest_port":6889,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2008581,"rev":3,"signature":"ET P2P BitTorrent DHT ping request","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2010_07_30"],"updated_at":["2010_07_30"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":107,"bytes_toclient":0,"start":"2023-06-09T16:12:02.048244+0200"},"payload":"ZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","payload_printable":"d1:ad2:id20:.\r........gB!p......e1:q4:ping1:t2:we1:v4:LT./1:y1:qe","stream":0,"packet":"GP10mWM1AA25RHLCCABFAABdhuIAAD8Rgu7ZqyVNTVklbgfOGukAScqPZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","packet_info":{"linktype":1}}

This is the local_rules.xml:

<group name="ids,suricata,">
  <rule id="119999" level="0">
    <if_sid>86601</if_sid>
    <if_level>3</if_level>
    <field name="signature_id">2008581</field>

    <description>Suppress Suricata stream errors on selected hosts.</description>
  </rule>
</group>

The tester nevertheless states "**Alert to be generated.":

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.3
Type one log per line

{"timestamp":"2023-06-09T16:12:02.048244+0200","flow_id":1365059577232500,"in_iface":"igb2","event_type":"alert","src_ip":"10.0.0.1","src_port":1998,"dest_ip":"77.89.37.110","dest_port":6889,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2008581,"rev":3,"signature":"ET P2P BitTorrent DHT ping request","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2010_07_30"],"updated_at":["2010_07_30"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":107,"bytes_toclient":0,"start":"2023-06-09T16:12:02.048244+0200"},"payload":"ZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","payload_printable":"d1:ad2:id20:.\r........gB!p......e1:q4:ping1:t2:we1:v4:LT./1:y1:qe","stream":0,"packet":"GP10mWM1AA25RHLCCABFAABdhuIAAD8Rgu7ZqyVNTVklbgfOGukAScqPZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","packet_info":{"linktype":1}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'json'
        alert.action: 'allowed'
        alert.category: 'Potential Corporate Privacy Violation'
        alert.gid: '1'
        alert.metadata.created_at: '['2010_07_30']'
        alert.metadata.updated_at: '['2010_07_30']'
        alert.rev: '3'
        alert.severity: '1'
        alert.signature: 'ET P2P BitTorrent DHT ping request'
        alert.signature_id: '2008581'
        app_proto: 'failed'
        dest_ip: '77.89.37.110'
        dest_port: '6889'
        event_type: 'alert'
        flow.bytes_toclient: '0'
        flow.bytes_toserver: '107'
        flow.pkts_toclient: '0'
        flow.pkts_toserver: '1'
        flow.start: '2023-06-09T16:12:02.048244+0200'
        flow_id: '1365059577232500.000000'
        in_iface: 'igb2'
        packet: 'GP10mWM1AA25RHLCCABFAABdhuIAAD8Rgu7ZqyVNTVklbgfOGukAScqPZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU='
        packet_info.linktype: '1'
        payload: 'ZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU='
        payload_printable: 'd1:ad2:id20:.\r........gB!p......e1:q4:ping1:t2:we1:v4:LT./1:y1:qe'
        proto: 'UDP'
        src_ip: '10.0.0.1'
        src_port: '1998'
        stream: '0'
        timestamp: '2023-06-09T16:12:02.048244+0200'

**Phase 3: Completed filtering (rules).
        id: '86601'
        level: '3'
        description: 'Suricata: Alert - ET P2P BitTorrent DHT ping request'
        groups: '['ids', 'suricata']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Eli Josue Rodriguez

Jun 20, 2023, 5:21:25 PM
to Wazuh mailing list
Hello Giulio, I tested your last log and rule and made a tiny change in the rule. Here is the rule.

<group name="ids,suricata,">
  <rule id="119999" level="0">
    <if_sid>86601</if_sid>
    <field name="alert.signature_id">2008581</field>
    <description>Suppress Suricata stream errors on selected hosts.</description>
  </rule>
</group>

If you check, I changed <field name="signature_id">2008581</field> to <field name="alert.signature_id">2008581</field>; also, the <if_level>3</if_level> is not necessary, so I removed it.

And here is the output from the Wazuh-logtest.

**Phase 1: Completed pre-decoding.
        full event: '{"timestamp":"2023-06-09T16:12:02.048244+0200","flow_id":1365059577232500,"in_iface":"igb2","event_type":"alert","src_ip":"10.0.0.1","src_port":1998,"dest_ip":"77.89.37.110","dest_port":6889,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2008581,"rev":3,"signature":"ET P2P BitTorrent DHT ping request","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2010_07_30"],"updated_at":["2010_07_30"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":107,"bytes_toclient":0,"start":"2023-06-09T16:12:02.048244+0200"},"payload":"ZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","payload_printable":"d1:ad2:id20:.\r........gB!p......e1:q4:ping1:t2:we1:v4:LT./1:y1:qe","stream":0,"packet":"GP10mWM1AA25RHLCCABFAABdhuIAAD8Rgu7ZqyVNTVklbgfOGukAScqPZDE6YWQyOmlkMjA6yQ2ctxbwHcAe8WdCIXC/0fIW3ORlMTpxNDpwaW5nMTp0Mjp3ZTE6djQ6TFQBLzE6eTE6cWU=","packet_info":{"linktype":1}}'
        id: '119999'
        level: '0'
        description: 'Suppress Suricata stream errors on selected hosts.'

        groups: '['ids', 'suricata']'
        firedtimes: '1'
        mail: 'False'

So, it now suppresses the Suricata rule.

Is that enough, or do you need something more? Please let me know!

Regards.
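Why the first rule never fired comes down to how the Wazuh JSON decoder names fields: the wazuh-logtest Phase 2 output above shows nested EVE keys flattened into dotted names such as alert.signature_id. The script below is an added illustration, not Wazuh code; it flattens a constructed EVE record modelled on the log in this thread the same way and then evaluates a <field name="..."> test against it, with Python's re standing in for Wazuh's own regex engine. It also generalises the fix to several signature IDs at once, which is what the original poster's "3 specific stream rules" need.

```python
import json
import re
from typing import Any

# Constructed Suricata EVE record modelled on the log posted in this thread
# (same signature_id and category; payload/packet fields left out).
SAMPLE_EVE = json.dumps({
    "timestamp": "2023-06-09T16:12:02.048244+0200",
    "event_type": "alert",
    "src_ip": "10.0.0.1",
    "dest_ip": "77.89.37.110",
    "proto": "UDP",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2008581,
        "signature": "ET P2P BitTorrent DHT ping request",
        "category": "Potential Corporate Privacy Violation",
        "severity": 1,
        "metadata": {"created_at": ["2010_07_30"]},
    },
})


def flatten_eve(event: str) -> dict[str, str]:
    """Flatten one EVE JSON line into dotted string fields, mirroring the
    decoder output shown by wazuh-logtest (alert.signature_id, alert.rev, ...)."""
    def walk(node: Any, prefix: str, out: dict[str, str]) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}{key}.", out)
        else:
            out[prefix.rstrip(".")] = str(node)  # scalars and lists become strings

    flat: dict[str, str] = {}
    walk(json.loads(event), "", flat)
    return flat


def field_matches(flat: dict[str, str], field_name: str, pattern: str) -> bool:
    """Emulate a <field name="..."> condition: the decoded field must exist
    under exactly that dotted name and match the pattern."""
    value = flat.get(field_name)
    return value is not None and re.search(pattern, value) is not None


def suppressed(event: str, field_name: str, pattern: str) -> bool:
    """True when a level="0" rule keyed on field_name/pattern would catch the event."""
    return field_matches(flatten_eve(event), field_name, pattern)


if __name__ == "__main__":
    print(suppressed(SAMPLE_EVE, "signature_id", "^2008581$"))        # False: no such field
    print(suppressed(SAMPLE_EVE, "alert.signature_id", "^2008581$"))  # True
```

A pattern like `^(2210029|2008581)$` on alert.signature_id lets one suppression rule cover several stream signatures.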

Giulio Botto

Jun 21, 2023, 11:07:04 AM
to Wazuh mailing list
Great Eli, it works perfectly.

Thanks for your great support!

Eli Josue Rodriguez

Jun 21, 2023, 2:03:57 PM
to Wazuh mailing list
Happy to help. Have a nice day,

Regards,

ER.
