I need help about Arachni scanner

Hello,
Why doesn't Suricata-IDS have any rule to block scanners? When I launch the Arachni scanner, it causes the server CPU usage to reach 100%. Can anyone here help me block it?
Providing some rules to block this kind of program would make Suricata-IDS more popular.

Thank you.

Hi Jason,

You should submit a pcap to the PFPT team at either https://feedback.emergingthreats.net or via email to support@emergingthreats.net and we can see if a signature can be made for this.

Regards,
Brad

Thank you.
For the pcap file, should I change my Suricata-IDS settings? Or is stopping the Suricata-IDS service and running the command below enough?

# suricata -c /etc/suricata/suricata.yaml -r Arachni.pcap -v

If Arachni.pcap is a pcap file you have generated, yes. But if you need to generate the pcap you can either use the pcap dump feature of Suricata or just use tcpdump to capture that specific pcap from your tests.

Can you tell me how to generate it? I mean, what is the command?

For the Suricata feature, see https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html?highlight=pcap#packet-log-pcap-log for how to enable the pcap log. This has an impact on performance.

For tcpdump I would recommend the manpage of tcpdump but the basic command would look like:

sudo tcpdump -i $INTERFACE -w file.pcap

Where $INTERFACE is your interface where you want to capture and ideally you add some sort of bpf filter to narrow it down to that specific traffic you test.

There are a few ET OPEN (Community/Free) rules concerning this which would live in the emerging-scan.rules file. The rules are setup as External->Internal and will not fire if you are scanning internal->internal. As @bwoodberg stated, if you find something that needs coverage, we are happy to work on it and provide the rule back to the community.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

I captured the traffic. How can I send it to the team?

Are the lines below the correct rules?

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

Those are the rules that exist at present from a quick search. If you want to send us a pcap with some traffic, please send it to our submission portal at https://feedback.emergingthreats.net - Thanks!

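To see how the first ET rule above decides whether a request is an Arachni probe, here is an added Python emulation (not Suricata code and not from the ET team) of its content, pcre and threshold keywords, run over constructed sample requests:

```python
import re

# Match logic of ET SCAN sid:2014869 as quoted in the thread: content "Arachni/"
# on http.user_agent (case-sensitive, no nocase), then the case-insensitive pcre.
UA_CONTENT = "Arachni/"
UA_PCRE = re.compile(r"Arachni/v?\d\.\d\.\d", re.IGNORECASE)

# threshold: type limit, track by_src, count 1, seconds 300
LIMIT_COUNT, LIMIT_SECONDS = 1, 300


def matches_sid_2014869(user_agent):
    """True if this User-Agent satisfies the rule's content and pcre checks."""
    if UA_CONTENT not in user_agent:
        return False
    return UA_PCRE.search(user_agent) is not None


class LimitThreshold:
    """Emulates 'type limit, track by_src': at most `count` alerts per source
    address in each `seconds` window, the window starting at the first alert."""

    def __init__(self, count=LIMIT_COUNT, seconds=LIMIT_SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> (window_start, alerts_seen)

    def should_alert(self, src, ts):
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a new window
        seen += 1
        self.windows[src] = (start, seen)
        return seen <= self.count


def scan_requests(requests):
    """Return the (ts, src) pairs for which Suricata would log an alert."""
    threshold = LimitThreshold()
    return [(ts, src) for ts, src, ua in requests
            if matches_sid_2014869(ua) and threshold.should_alert(src, ts)]


# Constructed sample requests (timestamp in seconds, client IP, User-Agent);
# these are not taken from a real capture.
SAMPLE = [
    (0, "203.0.113.5", "Arachni/v1.5.1"),                    # first hit -> alert
    (10, "203.0.113.5", "Arachni/v1.5.1"),                   # same window -> suppressed
    (20, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)"),  # no match
    (400, "203.0.113.5", "arachni/1.5.1"),                   # content is case-sensitive -> no match
    (500, "203.0.113.5", "Arachni/v1.5.1"),                  # new 300 s window -> alert
]
```

Note that the rule only fires on the first matching request per source in each 300-second window, so a scan shows up as one alert rather than thousands.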

The second rule uses the "#" sign! Is it a comment?

Yes — # indicates the rest of the line is ignored.

Is it better to create a .rule file, copy that line into it and then restart Suricata-IDS?

Any idea?
Am I right?

Hi Jason,

It’s not clear what you’re asking.

It’s your choice whether you add a rule to an existing rule file or create a new one – Suricata supports both methods. Choose the approach that works best for you and your situation.

If you use multiple rule files, make sure that the rule file is recognized by Suricata.

In the Suricata configuration file, you’ll see

rule-files:
  - suricata.rules

If you add a rule file, make sure it’s in the proper directory – ensure that new rule files are in the directory default-rule-path

rule-files:
  - suricata.rules
  - new-rule-file.rules

Thank you.
My Suricata-IDS configuration is:

##
## Configure Suricata to load Suricata-Update managed rules.
##
## If this section is completely commented out move down to the "Advanced rule
## file configuration".
##

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

Is it OK?
I have more than one .rules file:

# ls /etc/suricata/rules/
app-layer-events.rules          emerging-shellcode.rules
botcc.portgrouped.rules         emerging-trojan.rules
botcc.rules                     emerging-worm.rules
decoder-events.rules            files.rules
detect-dos.rules                http-events.rules
dhcp-events.rules               ipsec-events.rules
dnp3-events.rules               kerberos-events.rules
dns-events.rules                modbus-events.rules
drop.rules                      nfs-events.rules
dshield.rules                   ntp-events.rules
emerging-attack_response.rules  smb-events.rules
emerging-deleted.rules          smtp-events.rules
emerging-exploit.rules          stream-events.rules
emerging-malware.rules          tls-events.rules
emerging-mobile_malware.rules   tor.rules
emerging-scan.rules             

Does my Suricata-IDS read just one file because of the line below?

rule-files:
  - suricata.rules

Yes.

You can either

  1. List each rule file
  2. Use a wildcard character

Listing each rule file – each rule file is listed.

rule-files:
  - emerging-shellcode.rules
  - emerging-scan.rules

Use a wild-card character so any file matching the expression will be used.

rule-files:
  - "emerging-*.rules"

If I use:

rule-files:
- *.rules

Is it OK?
How can I check which rules loaded by Suricata-IDS?

Use this – note the use of the " character.

rule-files:
  - "*.rules"

The number of rule files will be in suricata.log

I did:

rule-files:
  - "*.rules"

And after that the log tells me:

# cat /var/log/suricata/suricata.log 
6/10/2020 -- 14:58:53 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
6/10/2020 -- 14:58:53 - <Info> - CPUs/cores online: 4
6/10/2020 -- 14:58:53 - <Info> - fast output device (regular) initialized: fast.log
6/10/2020 -- 14:58:53 - <Info> - eve-log output device (regular) initialized: eve.json
6/10/2020 -- 14:58:53 - <Info> - http-log output device (regular) initialized: http.log
6/10/2020 -- 14:58:53 - <Info> - tls-log output device (regular) initialized: tls.log
6/10/2020 -- 14:58:53 - <Info> - stats output device (regular) initialized: stats.log
6/10/2020 -- 14:58:54 - <Info> - 1 rule files processed. 21041 rules successfully loaded, 0 rules failed
6/10/2020 -- 14:58:54 - <Info> - Threshold config parsed: 0 rule(s) found
6/10/2020 -- 14:58:55 - <Info> - 21044 signatures processed. 1227 are IP-only rules, 4001 are inspecting packet payload, 15587 inspect application layer, 103 are decoder event only
6/10/2020 -- 14:59:00 - <Notice> - Configuration provided was successfully loaded. Exiting.
6/10/2020 -- 14:59:00 - <Info> - cleaning up signature grouping structure... complete

As you see:

6/10/2020 -- 14:58:54 - <Info> - 1 rule files processed. 21041 rules successfully loaded, 0 rules failed

Why “1 rule” ?
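To check which files a rule-files entry actually picks up, here is an added Python emulation (not Suricata's own code) of how entries are resolved against default-rule-path; it rebuilds the directory layout shown in this thread in a temporary directory, with suricata.rules under /var/lib/suricata/rules and the ET files under /etc/suricata/rules:

```python
import glob
import os
import tempfile
from pathlib import Path


def resolve_rule_files(default_rule_path, rule_files):
    """Expand rule-files entries: a relative entry is joined to default-rule-path,
    an absolute one is used as-is, and an entry containing '*' is glob-expanded,
    so a wildcard only sees files inside the directory it was joined to.
    A plain entry naming a missing file is kept so the caller can report it."""
    resolved = []
    for entry in rule_files:
        pattern = entry if os.path.isabs(entry) else os.path.join(default_rule_path, entry)
        if "*" in pattern:
            resolved.extend(sorted(glob.glob(pattern)))
        else:
            resolved.append(pattern)
    return resolved


def build_thread_layout(root):
    """Construct a copy of the thread's layout under a temporary root:
    suricata.rules under default-rule-path, the ET files under /etc/suricata/rules."""
    lib = Path(root, "var/lib/suricata/rules")
    etc = Path(root, "etc/suricata/rules")
    lib.mkdir(parents=True)
    etc.mkdir(parents=True)
    (lib / "suricata.rules").write_text("# managed by suricata-update\n")
    for name in ("emerging-scan.rules", "emerging-shellcode.rules", "tor.rules"):
        (etc / name).write_text("# ET Open rule file\n")
    return str(lib), str(etc)


def rule_file_counts():
    """Number of rule files each candidate rule-files configuration would process."""
    with tempfile.TemporaryDirectory() as tmp:
        lib, etc = build_thread_layout(tmp)
        # the thread's config: "*.rules" only matches under default-rule-path
        wildcard_default = resolve_rule_files(lib, ["*.rules"])
        # a wildcard aimed at the ET directory via an absolute path
        wildcard_etc = resolve_rule_files(lib, [os.path.join(etc, "emerging-*.rules")])
        # suricata.rules plus one explicitly listed ET file
        explicit = resolve_rule_files(lib, ["suricata.rules",
                                            os.path.join(etc, "emerging-scan.rules")])
        return {"wildcard_in_default_path": len(wildcard_default),
                "wildcard_in_etc": len(wildcard_etc),
                "explicit_list": len(explicit)}
```

With default-rule-path set to /var/lib/suricata/rules, "*.rules" expands only inside that directory, which is consistent with one rule file being processed; files kept in /etc/suricata/rules need an entry that points there.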