Hello,
My computer may be compromised by the installation of TV software or access to an IPTV remote service, but I managed to install Suricata on my Linux machine…
I’m not an expert but a beginner…
Can you help me a little or point me to someone who could help me stop these attacks with Suricata?
Thanks in advance
Operating system: Fedora 40
Suricata installation: repo @oisf/suricata-7.0
Suricata version: 7.0.7
It seems that your system may have been compromised.
Setting up Suricata as an IPS (inline) can be done easily and is documented here. It’s not a task for a beginner and requires some knowledge of networks (routers, bridges, etc) and how network traffic traverses between endpoints.
I don’t really understand what compromised means, but if it is compromised, could Suricata stop the attacks or not, if set in IPS mode?
Do you mean somebody can connect to my computer if it’s online?
I thought Linux was stronger than Windows, but in fact it isn’t?
Each time I connect with the ‘compromised machine’, it’s alone on the local network, but there is always the internet box router connected (but not over Wi-Fi)… I don’t want to be paranoid, but is there a risk for the internet box too, and for the other computers that connect to the same box later?
Thanks for answering
I can’t properly assess your situation – many variables and unknowns exist.
Suricata uses a ruleset to determine what situations require action. The quality of the ruleset is essential.
When Suricata is in IDS mode, it operates passively and cannot block traffic. It’ll alert you to situations using the ruleset you provided.
When Suricata is in IPS mode, it operates actively and will handle traffic according to the ruleset you provided.
I used the word “compromised” based on the alerts you first posted indicating the possibility of malicious traffic. You’ll have to research what’s going on with the systems.
I provided you with a link to our documentation that discusses using Suricata in IPS (inline) mode. You can search these forums for help – others are using Suricata in IPS mode and have shared their experiences and can help as will we (members of the Suricata team).
If you suspect your computer is compromised, I recommend backing up your data and reinstalling the operating system.
Trying to use software to mitigate this situation is not a good idea. You can use firewall rules or Suricata in IPS mode for short term incident containment. Beyond that, you need to investigate and recover properly.
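As an added illustration of the alert/drop distinction described above and of the IPTV question raised in this thread, here is a constructed set of local rules (not from this thread or the Suricata project). The IPTV server address 192.0.2.10, the local.rules path and the placeholder content pattern are assumptions; the point is how the rule action, not the detection engine, decides whether the stream is blocked.

```suricata
# Constructed local rules (e.g. /etc/suricata/rules/local.rules), added here as an example.
# 192.0.2.10 is a placeholder for the IPTV server; take the real address from your own eve.json.

# 1. Default action order is pass, drop, reject, alert: a matching pass rule is evaluated
#    first and the packet is not inspected further, so the IPTV stream keeps flowing
#    whatever the other rules say. Keep the match as narrow as possible (host + port).
pass tcp $HOME_NET any -> 192.0.2.10 443 (msg:"PASS IPTV service (placeholder address)"; sid:9000001; rev:1;)
pass udp $HOME_NET any <> 192.0.2.10 any (msg:"PASS IPTV stream over UDP (placeholder address)"; sid:9000002; rev:1;)

# 2. "alert" only logs, in IDS and in IPS mode alike; the ET Open signatures asked about
#    in this thread use this action by default.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ALERT example: placeholder pattern in outbound traffic"; flow:to_server,established; content:"EXAMPLE-PLACEHOLDER"; sid:9000003; rev:1;)

# 3. The same match with "drop": blocks the packet only when Suricata runs inline (IPS);
#    in IDS mode it is still only logged.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DROP example: same placeholder pattern"; flow:to_server,established; content:"EXAMPLE-PLACEHOLDER"; sid:9000004; rev:1;)
```

Test a new local.rules with `suricata -T -c /etc/suricata/suricata.yaml` before loading it, and check that the pass rules are actually matching the stream in eve.json before relying on them.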
In fact, I want to investigate a little bit before reinstalling the OS.
Are there other traces of intrusion that I could see under Linux, in addition to the Suricata log?
You are talking about the quality of the ruleset, but I have the default rules in suricata-7.0…
Do I need other rules?
What about the community Emerging Threats rules?
I also have an important question:
Can Suricata do better than an antivirus? Because under Windows, my antivirus gave an alert and then blocked the entire TV stream too! Can Suricata detect malicious packets while letting the IPTV stream pass?
Thanks for your answers.
This is well outside Suricata support. Investigating intrusions is its own discipline and honestly not for beginners, unless you’re just trying to learn.
You can get some ideas from something like this:
Or better yet get a book like Incident Response & Computer Forensics, Third Edition or similar.
Thanks for the link!
I also have an important question:
Can Suricata do better than an antivirus? Because under Windows, my antivirus gave an alert and then blocked the entire TV stream too! Can Suricata detect malicious packets while letting the IPTV stream pass?
Thanks for your answers.