suricata-config.yaml (17.9 KB)
Hi Andreas,
Please have a look at the NIDS VM connectivity architecture as well as the Suricata config.
- When we run an HTTP attack against the NIDS VM, it is detected by signature.
- When we attack a different TEST VM which is running in the same DC, same IP pool and same VLAN as the NIDS, the HTTP attack is not detected.
When we attack the NIDS VM itself with the HTTP attack → the source IP is my local machine (27.62.205.138), from where I am launching the HTTP attack, and the NIDS machine IP is 209.10.139.203, where Suricata is installed along with vulnerable apps for the HTTP attack test.
Output is →
02/11/2022-06:52:28.152274 [**] [1:2019232:7] ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 27.62.205.138 :11886 -> 209.10.139.203:8080
02/11/2022-06:52:28.152939 [**] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [**] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.203:8080 -> 27.62.205.138 :11886
02/11/2022-06:52:29.929445 [**] [1:2019232:7] ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 27.62.205.138 :11887 -> 209.10.139.203:8080
02/11/2022-06:52:29.930265 [**] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [**] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.203:8080 -> 27.62.205.138 :11887
02/11/2022-06:52:34.704194 [**] [1:2019232:7] ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 27.62.205.138 :11891 -> 209.10.139.203:8080
02/11/2022-06:52:34.727376 [**] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [**] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.203:8080 -> 27.62.205.138 :11891
When we attack the test VM in the same DC where the NIDS is installed (SPAN traffic is copied to the NIDS) with the HTTP attack → the source IP is my local machine (27.62.205.138), from where I am launching the HTTP attack, and the test machine IP is 209.10.139.204, where vulnerable apps are installed for the HTTP attack test.
Output is →
When I tried the attack from my local machine against the test VM, it was not detected in fast.log, so I am sending the eve.json log here for reference from when I attacked the test VM from my local machine with the HTTP attack.
{"timestamp":"2022-02-11T06:59:58.483758+0000","flow_id":1650313413526165,"in_iface":"ens192","event_type":"flow","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":11949,"dest_ip":"209.10.139.204","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":551,"bytes_toclient":0,"start":"2022-02-11T06:57:12.524949+0000","end":"2022-02-11T06:57:13.759201+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"00","syn":true,"fin":true,"psh":true,"ack":true,"state":"syn_sent"}}
{"timestamp":"2022-02-11T07:00:01.308051+0000","flow_id":1897203153661722,"in_iface":"ens192","event_type":"flow","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":12170,"dest_ip":"209.10.139.204","dest_port":22,"proto":"TCP","flow":{"pkts_toserver":15,"pkts_toclient":0,"bytes_toserver":1298,"bytes_toclient":0,"start":"2022-02-11T06:54:02.159514+0000","end":"2022-02-11T06:59:00.934468+0000","age":298,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-11T07:00:03.145203+0000","flow_id":1793821155596519,"in_iface":"ens192","event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":" 27.62.205.138 ","dest_port":11947,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":1299,"bytes_toclient":0,"start":"2022-02-11T06:57:09.661735+0000","end":"2022-02-11T06:57:10.344741+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-11T07:00:05.100368+0000","flow_id":2009185855278980,"in_iface":"ens192","event_type":"flow","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":11987,"dest_ip":"209.10.139.204","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":551,"bytes_toclient":0,"start":"2022-02-11T06:58:57.135044+0000","end":"2022-02-11T06:58:58.439133+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"00","syn":true,"fin":true,"psh":true,"ack":true,"state":"syn_sent"}}
{"timestamp":"2022-02-11T07:00:05.163979+0000","flow_id":1974250591078075,"in_iface":"ens192","event_type":"flow","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":11986,"dest_ip":"209.10.139.204","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":617,"bytes_toclient":0,"start":"2022-02-11T06:58:53.902843+0000","end":"2022-02-11T06:58:54.944103+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"00","syn":true,"fin":true,"psh":true,"ack":true,"state":"syn_sent"}}
{"timestamp":"2022-02-11T07:00:09.150345+0000","flow_id":1515900264702435,"in_iface":"ens192","event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":" 27.62.205.138 ","dest_port":11950,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":1299,"bytes_toclient":0,"start":"2022-02-11T06:57:14.057827+0000","end":"2022-02-11T06:57:14.892518+0000","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-11T07:00:10.482107+0000","flow_id":390528646097599,"in_iface":"ens192","event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":" 27.62.205.138 ","dest_port":11994,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":1299,"bytes_toclient":0,"start":"2022-02-11T06:59:05.961215+0000","end":"2022-02-11T06:59:06.658103+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-11T07:00:12.485291+0000","flow_id":1095442300258421,"in_iface":"ens192","event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":" 27.62.205.138 ","dest_port":11986,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":1299,"bytes_toclient":0,"start":"2022-02-11T06:58:53.903285+0000","end":"2022-02-11T06:58:54.603277+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-11T07:00:14.988024+0000","flow_id":247418190490192,"in_iface":"ens192","event_type":"flow","vlan":[3],"src_ip":" 27.62.205.138 ","dest_ip":"209.10.139.204","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":196,"bytes_toclient":0,"start":"2022-02-11T06:59:38.518736+0000","end":"2022-02-11T06:59:39.514919+0000","age":1,"state":"new","reason":"timeout","alerted":true}}
{"timestamp":"2022-02-11T07:00:15.775089+0000","flow_id":35656973375260,"in_iface":"ens192","event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":" 27.62.205.138 ","dest_port":12000,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":1299,"bytes_toclient":0,"start":"2022-02-11T06:59:07.481052+0000","end":"2022-02-11T06:59:08.203725+0000","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
Now the same thing: if I try ICMP and Nmap attacks from my local machine against the test VM, those are detected by the NIDS, but the HTTP attack is not.
Output for the ICMP and Nmap attack from local machine to test VM →
{"timestamp":"2022-02-11T07:03:12.156324+0000","flow_id":247418204356856,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":0,"dest_ip":"209.10.139.204","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2100368,"rev":7,"signature":"GPL ICMP_INFO PING BSDtype","category":"Misc activity","severity":3,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":294,"bytes_toclient":0,"start":"2022-02-11T07:03:10.098552+0000"}}
{"timestamp":"2022-02-11T07:03:13.112248+0000","flow_id":247418204356856,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":0,"dest_ip":"209.10.139.204","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2100368,"rev":7,"signature":"GPL ICMP_INFO PING BSDtype","category":"Misc activity","severity":3,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"flow":{"pkts_toserver":4,"pkts_toclient":0,"bytes_toserver":392,"bytes_toclient":0,"start":"2022-02-11T07:03:10.098552+0000"}}
{"timestamp":"2022-02-11T07:03:14.115676+0000","flow_id":247418204356856,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":0,"dest_ip":"209.10.139.204","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2100368,"rev":7,"signature":"GPL ICMP_INFO PING BSDtype","category":"Misc activity","severity":3,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"flow":{"pkts_toserver":5,"pkts_toclient":0,"bytes_toserver":490,"bytes_toclient":0,"start":"2022-02-11T07:03:10.098552+0000"}}
{"timestamp":"2022-02-11T07:03:15.157895+0000","flow_id":247418204356856,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":0,"dest_ip":"209.10.139.204","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2100368,"rev":7,"signature":"GPL ICMP_INFO PING BSDtype","category":"Misc activity","severity":3,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":588,"bytes_toclient":0,"start":"2022-02-11T07:03:10.098552+0000"}}
{"timestamp":"2022-02-11T07:03:22.719692+0000","flow_id":500649476946764,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":12089,"dest_ip":"209.10.139.204","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010937,"rev":3,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_07_30"],"former_category":["HUNTING"],"updated_at":["2018_03_27"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":78,"bytes_toclient":0,"start":"2022-02-11T07:03:22.719692+0000"}}
{"timestamp":"2022-02-11T07:03:23.712045+0000","flow_id":500649476946764,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":12089,"dest_ip":"209.10.139.204","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010937,"rev":3,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_07_30"],"former_category":["HUNTING"],"updated_at":["2018_03_27"]}},"flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":156,"bytes_toclient":0,"start":"2022-02-11T07:03:22.719692+0000"}}
{"timestamp":"2022-02-11T07:03:24.183393+0000","flow_id":1576470065237089,"in_iface":"ens192","event_type":"alert","vlan":[3],"src_ip":" 27.62.205.138 ","src_port":12094,"dest_ip":"209.10.139.204","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010937,"rev":3,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_07_30"],"former_category":["HUNTING"],"updated_at":["2018_03_27"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":78,"bytes_toclient":0,"start":"2022-02-11T07:03:24.183393+0000"}}
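In the eve.json flow records of the SPAN case every flow has pkts_toclient 0, and the two directions of each connection show up as separate flows tagged VLAN 3 and VLAN 99; my assumption (not stated in the post) is that with Suricata's default `vlan: use-for-tracking: true` the two halves are never joined into one flow, so TCP stream reassembly and the HTTP parser never see a complete request, while single-packet ICMP and scan rules still fire. The script below is an added example, not code from the post or from Suricata, that reads eve.json flow events and reports conversations that were recorded as two one-sided flows on different VLAN tags; SAMPLE_EVE is constructed from the records above, with a normal two-sided flow and an alert added for contrast.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines, modelled on the flow records in the post above
SAMPLE_EVE = r'''
{"event_type":"flow","vlan":[3],"src_ip":"27.62.205.138","src_port":11949,"dest_ip":"209.10.139.204","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"alerted":false}}
{"event_type":"flow","vlan":[99],"src_ip":"209.10.139.204","src_port":8080,"dest_ip":"27.62.205.138","dest_port":11949,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":0,"alerted":false}}
{"event_type":"flow","vlan":[3],"src_ip":"27.62.205.138","src_port":11886,"dest_ip":"209.10.139.203","dest_port":8080,"proto":"TCP","flow":{"pkts_toserver":9,"pkts_toclient":8,"alerted":true}}
{"event_type":"alert","vlan":[3],"src_ip":"27.62.205.138","src_port":0,"dest_ip":"209.10.139.204","dest_port":0,"proto":"ICMP"}
'''


def five_tuple_key(ev):
    """Direction-independent key so both halves of a conversation group together."""
    a = (ev["src_ip"].strip(), ev.get("src_port", 0))
    b = (ev["dest_ip"].strip(), ev.get("dest_port", 0))
    return (ev["proto"],) + tuple(sorted([a, b]))


def find_split_flows(eve_text):
    """Return [(key, vlans)] for conversations Suricata logged as two or more
    one-sided flow records carrying different VLAN tags. Such a conversation
    was never tracked as a single bidirectional flow, so stream-based (HTTP)
    rules could not have matched on it."""
    groups = defaultdict(list)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue  # only flow records carry per-direction packet counts
        groups[five_tuple_key(ev)].append(ev)

    split = []
    for key, evs in groups.items():
        one_sided = all(e["flow"]["pkts_toclient"] == 0 for e in evs)
        vlans = sorted({tuple(e.get("vlan", [])) for e in evs})
        if len(evs) > 1 and one_sided and len(vlans) > 1:
            split.append((key, vlans))
    return split


if __name__ == "__main__":
    for key, vlans in find_split_flows(SAMPLE_EVE):
        proto, a, b = key
        print(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]} split across VLANs {vlans}")
```

Run it against the real eve.json from the SPAN-fed sensor; if it reports the HTTP conversations, the VLAN tagging on the mirrored traffic and the vlan tracking setting in suricata.yaml are the first things to check.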