Hi all,

Maybe the problem is here:

Apr  2 16:33:39 idssrv suricata[31336] [1:2522354:3636] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178 [Classification: Misc Attack] [Priority: 2] {TCP} 163.172.53.84:21 -> 10.25.1.1:52571
PacketFence receives this information from Suricata with these IP addresses. My Home Net is 10.25.0.0/16 and the other is the remote server. With this information PF tries to resolve (IP -> MAC) the first IP (163.172.53.84) and it fails, so the violation doesn't start.

Any ideas?
Thanks a lot
Enrico


On 02/04/2019 20:20, Enrico wrote:

Dear all,
I've got a question about Suricata integration. My PF 8.3 works fine and I've got some violation rules that use this IDS, but when I try to add "ET TOR" PF doesn't work.

My violation.conf is here:

[1500003]
priority=2
trigger=suricata_event::ET TOR,suricata_md5::2522362
actions=email_admin
window=
max_enable=2
desc=IDS TOR
access_duration=12h
template=p2p
delay_by=
grace=10m
enabled=Y

this is packetfence.log:

Apr 2 16:33:38 pfsrv pfqueue: pfqueue(13249) WARN: [mac:unknown] Unable to match MAC address to IP '163.172.53.84' (pf::ip4log::ip2mac)
Apr 2 16:33:38 pfsrv pfqueue: pfqueue(13249) INFO: [mac:unknown] violation not added, MAC 0 is invalid! trigger suricata_event::ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178 (pf::violation::violation_trigger)
Apr 2 16:33:38 pfsrv pfqueue: pfqueue(13249) INFO: [mac:unknown] violation not added, MAC 0 is invalid! trigger detect::2522354 (pf::violation::violation_trigger)

finally this is the flow that the PF server receives from Suricata:
cat /usr/local/pf/var/suricata | grep -i 10.25.1.1 | grep "ET TOR"

Apr 2 16:33:38 idssrv suricata[31336] {"timestamp": "2019-04-02T16:33:38.845514+0200", "flow_id": 42148439405216, "in_iface": "eth1", "event_type": "alert", "vlan": 25, "src_ip": "167.114.158.148", "src_port": 443, "dest_ip": "10.25.1.1", "dest_port": 52569, "proto": "TCP", "metadata": {"flowbits": ["ET.TorIP"]}, "alert": {"action": "allowed", "gid": 1, "signature_id": 2522362, "rev": 3636, "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182", "category": "Misc Attack", "severity": 2, "metadata": {"updated_at": ["2019_03_18"], "created_at": ["2008_12_01"], "signature_severity": ["Audit"], "tag": ["TOR"], "deployment": ["Perimeter"], "attack_target": ["Any"], "affected_product": ["Any"]}}, "flow": {"pkts_toserver": 1, "pkts_toclient": 1, "bytes_toserver": 78, "bytes_toclient": 74, "start": "2019-04-02T16:33:38.733856+0200"}}
Apr 2 16:33:38 idssrv suricata[31336] [1:2522362:3636] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182 [Classification: Misc Attack] [Priority: 2] {TCP} 167.114.158.148:443 -> 10.25.1.1:52569
Apr 2 16:33:38 idssrv suricata[31336] {"timestamp": "2019-04-02T16:33:38.961806+0200", "flow_id": 42148439405216, "in_iface": "eth1", "event_type": "tls", "vlan": 25, "src_ip": "10.25.1.1", "src_port": 52569, "dest_ip": "167.114.158.148", "dest_port": 443, "proto": "TCP", "metadata": {"flowbits": ["ET.TorIP"]}, "tls": {"subject": "CN=www.fv7y4wi5lxxd665qqdq.net", "issuerdn": "CN=www.lxe75hq2mbn3nkh3.com", "serial": "12:DC:BE:E0:1C:27:E4:A9", "fingerprint": "7f:81:87:e4:c1:08:79:f4:97:69:f7:9d:a8:54:ef:9c:b8:e1:7c:c7", "sni": "www.cpcwlycwaywn47lxodmtk.com", "version": "TLS 1.2", "notbefore": "2019-03-01T00:00:00", "notafter": "2020-01-27T23:59:59", "ja3": {}}}
Apr 2 16:33:39 idssrv suricata[31336] [1:2522354:3636] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178 [Classification: Misc Attack] [Priority: 2] {TCP} 163.172.53.84:21 -> 10.25.1.1:52571
Apr 2 16:33:39 idssrv suricata[31336] {"timestamp": "2019-04-02T16:33:39.064745+0200", "flow_id": 1534771981369094, "in_iface": "eth1", "event_type": "tls", "vlan": 25, "src_ip": "10.25.1.1", "src_port": 52571, "dest_ip": "163.172.53.84", "dest_port": 21, "proto": "TCP", "metadata": {"flowbits": ["ET.TorIP"]}, "tls": {"subject": "CN=www.ccfymx2pfsj.net", "issuerdn": "CN=www.pgfs7h4h3.com", "serial": "14:74:91:F1:63:4A:B4:4F", "fingerprint": "d5:b6:6b:6b:d3:9d:ad:fa:23:2f:3d:95:8b:1d:ea:04:86:40:82:64", "sni": "www.eigdsmv3c6.com", "version": "TLS 1.2", "notbefore": "2018-10-27T00:00:00", "notafter": "2019-04-23T23:59:59", "ja3": {}}}

Another rule from P2P traffic works fine. Violation.conf:

[1500001]
priority=1
trigger=suricata_event::ET P2P
actions=email_admin
window=
max_enable=2
desc=IDS P2P Media traffic
access_duration=12h
template=p2p
delay_by=
grace=10m
enabled=Y

packetfence.log:

Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] calling violation_add with vid=1500001 mac=ac:87:a3:12:81:47 release_date=0 (trigger suricata_event::ET P2P Vuze BT UDP Connection) (pf::violation::violation_trigger)
Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] grace expired on violation 1500001 for node ac:87:a3:12:81:47 (pf::violation::violation_add)
Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] violation 1500001 added for ac:87:a3:12:81:47 (pf::violation::violation_add)
Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] executing action 'email_admin' on class 1500001 (pf::action::action_execute)
Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] loading Net::MAC::Vendor cache from /usr/local/pf/conf/oui.txt (pf::util::load_oui)
Apr 2 16:28:44 pfsrv pfqueue: pfqueue(11450) INFO: [mac:unknown] violation 1500001 (trigger suricata_event::ET P2P Azureus P2P Client User-Agent) already exists for ac:87:a3:12:81:47, not adding again (pf::violation::violation_trigger)
Apr 2 16:28:46 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] this is a non-reevaluate-access violation, closing violation entry now (pf::action::action_execute)
Apr 2 16:28:46 pfsrv pfqueue: pfqueue(11449) INFO: [mac:unknown] violation 1500001 force-closed for ac:87:a3:12:81:47 (pf::violation::violation_force_close)
Apr 2 16:29:19 pfsrv pfqueue: pfqueue(11454) INFO: [mac:unknown] 565 grace remaining on violation 1500001 (trigger suricata_event::ET P2P BitTorrent DHT ping request) for node ac:87:a3:12:81:47. Not adding violation. (pf::violation::violation_trigger)

What do you think about it?
Thanks a lot
Best Regards
Enrico

--
_______________________________________________________________________

Enrico Becchetti                    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777             Mail: Enrico.Becchetti<at>pg.infn.it
_______________________________________________________________________

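The diagnosis in the reply above is that the alert's first address is the remote Tor relay, so the IP-to-MAC lookup has nothing to find. The following is an added illustration, written in Python rather than PacketFence's Perl and not PacketFence's own code: it parses EVE JSON alert lines and compares taking the source address blindly against choosing whichever endpoint falls inside the home network before calling the IP-to-MAC lookup. The home network (10.25.0.0/16), the two IPs and the MAC come from the thread; the IP4LOG table, the transit alert with documentation-range addresses and the function names are constructed for the example.

```python
import ipaddress
import json

# Home network from the thread.
HOME_NET = ipaddress.ip_network("10.25.0.0/16")

# Constructed stand-in for PacketFence's ip4log table (pf::ip4log::ip2mac):
# only hosts on the home network ever get an entry.
IP4LOG = {"10.25.1.1": "ac:87:a3:12:81:47"}

# Constructed EVE records, trimmed to the fields this logic needs.
EVE_LINES = [
    # Inbound direction as seen in the thread: the Tor relay is src_ip.
    '{"event_type": "alert", "src_ip": "163.172.53.84", "src_port": 21, '
    '"dest_ip": "10.25.1.1", "dest_port": 52571, "proto": "TCP", '
    '"alert": {"signature_id": 2522354, "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178"}}',
    # Same flow, outbound direction: the local host is src_ip.
    '{"event_type": "alert", "src_ip": "10.25.1.1", "src_port": 52571, '
    '"dest_ip": "163.172.53.84", "dest_port": 21, "proto": "TCP", '
    '"alert": {"signature_id": 2522354, "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178"}}',
    # Transit traffic with no local endpoint at all (constructed addresses).
    '{"event_type": "alert", "src_ip": "203.0.113.5", "src_port": 4444, '
    '"dest_ip": "198.51.100.7", "dest_port": 80, "proto": "TCP", '
    '"alert": {"signature_id": 9999999, "signature": "constructed test signature"}}',
    # A non-alert event type that must be ignored.
    '{"event_type": "tls", "src_ip": "10.25.1.1", "dest_ip": "163.172.53.84"}',
]


def ip2mac(ip):
    """Stand-in for the ip2mac lookup: MAC for a known local IP, else None."""
    return IP4LOG.get(ip)


def naive_endpoint(alert):
    """Behaviour observed in the thread: always take the first (source) address."""
    return alert["src_ip"]


def local_endpoint(alert, home_net=HOME_NET):
    """Return whichever endpoint lies inside HOME_NET, or None if neither does."""
    for key in ("src_ip", "dest_ip"):
        if ipaddress.ip_address(alert[key]) in home_net:
            return alert[key]
    return None


def process_eve(lines, choose_endpoint):
    """Parse EVE JSON lines and resolve the chosen endpoint of each alert to a MAC.

    Returns (signature_id, chosen_ip, mac) per alert; mac is None when the lookup
    fails, which is the 'MAC 0 is invalid' outcome in the packetfence.log above.
    """
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON syslog lines
        if event.get("event_type") != "alert":
            continue
        ip = choose_endpoint(event)
        mac = ip2mac(ip) if ip else None
        results.append((event["alert"]["signature_id"], ip, mac))
    return results


if __name__ == "__main__":
    for name, chooser in (("naive", naive_endpoint), ("home-net aware", local_endpoint)):
        print(name)
        for sid, ip, mac in process_eve(EVE_LINES, chooser):
            print(f"  sid={sid} ip={ip} mac={mac or 'unresolved -> violation not added'}")
```

With the naive chooser the inbound Tor alert resolves nothing, exactly as in the log; with the home-net-aware chooser both directions of the flow map to the same local MAC, and an alert with no local endpoint is reported as unresolvable rather than triggering a lookup on a remote address.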

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
