I need help about Arachni scanner

Hello,
Why Suricata-IDS doesn’t have any rule to block scanners? When I launch Arachni scanner then it cause the server CPU usage become 100%. Anyone here can help me to block it?
Scanner
Provide some rules to block this kind of program make Suricata-IDS more popular.

Thank you.

Hi Jason,

You should submit a pcap to the PFPT team at either https://feedback.emergingthreats.net or via email to support@emergingthreats.net and we can see if a signature can be made for this.

Regards,
Brad

Thank you.
For pcap file, should I change my Suricata-IDS setting? Or stop Suricata-IDS service and run below command is enough?

# suricata -c /etc/suricata/suricata.yaml -r Arachni.pcap -v

If Arachni.pcap is a pcap file you have generated, yes. But if you need to generate the pcap you can either use the pcap dump feature of Suricata or just use tcpdump to capture that specific pcap from your tests.

Can you tell me how to generate? I mean is command.

For the Suricata feature, see https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html?highlight=pcap#packet-log-pcap-log how to enable the pcap log. This has an impact on performance.

For tcpdump I would recommend the manpage of tcpdump but the basic command would look like:

sudo tcpdump -i $INTERFACE -w file.pcap

Where $INTERFACE is your interface where you want to capture and ideally you add some sort of bpf filter to narrow it down to that specific traffic you test.

There are a few ET OPEN (Community/Free) rules concerning this which would live in the emerging-scan.rules file. The rules are setup as External->Internal and will not fire if you are scanning internal->internal. As @bwoodberg stated, if you find something that needs coverage, we are happy to work on it and provide the rule back to the community.

alert http $EXTERNAL_NET any -> HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:“ET SCAN Arachni Web Scan”; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

I captured the traffics. How can I send it to team?

Below lines are correct rules?

alert http $EXTERNAL_NET any -> HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d/i"; reference:url,[arachni-scanner.com](http://arachni-scanner.com/); reference:url,[github.com/Zapotek/arachni;](http://github.com/Zapotek/arachni;) classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:“ET SCAN Arachni Web Scan”; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,[www.arachni-scanner.com/;](http://www.arachni-scanner.com/;) classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

Those are the rules that exist at present from a quick search. If you want to send us a pcap with some traffic, please send it to our submission portal at https://feedback.emergingthreats.net - Thanks!

1 Like

The second rule use “#” sign! is it comment?

Yes — # indicates the rest of the line is ignored.

It is better to create a .rule file and copy that line into it then restart the Suricata-IDS?

Any idea?
Am I right?

Hi Jason,

It’s not clear what you’re asking.

It’s your choice whether you add a rule to an existing rule file or create a new one – Suricata supports both methods. Choose the approach that works best for you and your situation.

If you use multiple rule files, make sure that the rule file is recognized by Suricata.

In the Suricata configuration file, you’ll see

rule-files:
  - suricata.rules

If you add a rule file, make sure it’s in the proper directory – ensure that new rule files are in the directory default-rule-path

rule-files:
  - suricata.rules
  - new-rule-file.rules

Thank you.
My Suricata-IDS configuration is:

##
## Configure Suricata to load Suricata-Update managed rules.
##
## If this section is completely commented out move down to the "Advanced rule
## file configuration".
##

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

Is it OK?
I have more than one .rules file:

# ls /etc/suricata/rules/
app-layer-events.rules          emerging-shellcode.rules
botcc.portgrouped.rules         emerging-trojan.rules
botcc.rules                     emerging-worm.rules
decoder-events.rules            files.rules
detect-dos.rules                http-events.rules
dhcp-events.rules               ipsec-events.rules
dnp3-events.rules               kerberos-events.rules
dns-events.rules                modbus-events.rules
drop.rules                      nfs-events.rules
dshield.rules                   ntp-events.rules
emerging-attack_response.rules  smb-events.rules
emerging-deleted.rules          smtp-events.rules
emerging-exploit.rules          stream-events.rules
emerging-malware.rules          tls-events.rules
emerging-mobile_malware.rules   tor.rules
emerging-scan.rules             

My Suricata-IDS just read one file because of below line?

rule-files:
  - suricata.rules

Yes.

You can either

  1. List each rule file
  2. Use a wildcard character

Listing each rule file – each rule file is listed.

rule-files:
  - emerging-shellcode.rules
  - emerging-scan.rules

Use a wild-card character so any file matching the expression will be used

rule-files:
  - emerging-*.rules
1 Like

If I use:

rule-files:
- *.rules

Is it OK?
How can I check which rules loaded by Suricata-IDS?

Use this – note the use of the " character.

rule-files:
  - "*.rules"

The number of rule files will be in suricata.log

I did:

rule-files:
  - "*.rules"

And after it log tell me:

# cat /var/log/suricata/suricata.log 
6/10/2020 -- 14:58:53 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
6/10/2020 -- 14:58:53 - <Info> - CPUs/cores online: 4
6/10/2020 -- 14:58:53 - <Info> - fast output device (regular) initialized: fast.log
6/10/2020 -- 14:58:53 - <Info> - eve-log output device (regular) initialized: eve.json
6/10/2020 -- 14:58:53 - <Info> - http-log output device (regular) initialized: http.log
6/10/2020 -- 14:58:53 - <Info> - tls-log output device (regular) initialized: tls.log
6/10/2020 -- 14:58:53 - <Info> - stats output device (regular) initialized: stats.log
6/10/2020 -- 14:58:54 - <Info> - 1 rule files processed. 21041 rules successfully loaded, 0 rules failed
6/10/2020 -- 14:58:54 - <Info> - Threshold config parsed: 0 rule(s) found
6/10/2020 -- 14:58:55 - <Info> - 21044 signatures processed. 1227 are IP-only rules, 4001 are inspecting packet payload, 15587 inspect application layer, 103 are decoder event only
6/10/2020 -- 14:59:00 - <Notice> - Configuration provided was successfully loaded. Exiting.
6/10/2020 -- 14:59:00 - <Info> - cleaning up signature grouping structure... complete

As you see:

6/10/2020 – 14:58:54 - - 1 rule files processed. 21041 rules successfully loaded, 0 rules failed

Why “1 rule” ?