Unreal_ircd_3281_backdoor

Hi,
I am using Suricata with ET Pro Telemetry rules on OPNsense, in IDS/IPS mode.
While experimenting with the “unreal_ircd_3281_backdoor” exploit using Kali, Suricata cannot catch
the unreal_ircd_3281_backdoor activity.
I used “smb_ms17_010” before and Suricata can easily drop it.
What am I missing?

Suricata runs in Hyperscan mode with the medium detect profile.
Since it is a test suite for now, there is not much traffic on it.
Thanks,

Can you share a pcap?

Thanks Victor,

I got the capture, but the forum doesn't allow cap file upload. Which way do you prefer?

We accept the pcap and pcapng file formats, so try to rename it and upload again.

The pcap format was attached; I hope it will be beneficial.

packetcapture_re0.pcap (6.2 KB)

I tried another exploit: “windows/smb/ms08_067_netapi”.
Suricata couldn't detect this either.
This exploit uses port 445, the same port as “smb_ms17_010”, which can be detected by Suricata.

Suricata will not magically detect malicious traffic. Specific rules have to be written for each malicious traffic pattern.
Have you configured Suricata to start with a rule file containing rules for attacks you are performing?

Sure, I don't expect zero-day protection, but these 2 samples are very, very old exploits which should have been in the rule set. These samples are just picks from the internet, not a special selection.

There are so many traffic patterns out there and it is impossible for an individual to know and implement
each of them, so it should be the user’s right to expect an acceptable amount of success.

In fact, I think that Suricata can get them, but I may have a problem with the configuration.
For example, the pattern matcher type or detect profile can give a hint.
For example, I have enabled promiscuous mode, etc.
I am only using ET Telemetry rules, which have 22770 entries in my system.
As I mentioned, it can catch ms17_010.
Or an expert can say that an IDS system cannot detect these types of traffic.
I am just a beginner.
Thanks

Feel free to contact the folks at Emerging Threats so that they can see if it’s worth including in the ruleset.

Regarding the Unreal IRCd exploit, that is likely one that was looked at a long time ago and deemed not a good candidate for a signature. The signature reliability would be poor and there are other ways to control IRC.

MS08-67 has a number of rules in the ET Open set. I am curious whether those rules are enabled in your configuration, @Ali_Kanarya? If you could share a pcap of the ms08-67 traffic you generated, that would be appreciated.

Thanks in advance!
JT

Thanks for the clear explanation.
I found some rules for IRC and ms08-67 and applied them manually.
As I mentioned before, I am using only ET Telemetry rules, not ET Open.
All telemetry rules are enabled, but ms08-67 cannot be detected by default.
I didn't try ET Open rules.
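
The check asked about in this thread (whether rules for a given exploit are present and enabled in the rule files Suricata loads) can be scripted. This is an added example, not part of the original thread; the sample rules, their sids and the `find_rules` helper are constructed for illustration, and it assumes single-line rules where a leading `#` marks a disabled rule.

```python
import re

# Constructed sample rules (not taken from ET Open or ET Pro Telemetry);
# sids are in the local range and the messages are placeholders.
SAMPLE_RULES = '''\
# Local test rules
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL MS08-067 test rule A"; flow:to_server,established; sid:1000001; rev:1;)
#alert tcp any any -> $HOME_NET 445 (msg:"LOCAL MS08-067 test rule B"; sid:1000002; rev:1;)
# drop tcp any any -> $HOME_NET 6667 (msg:"LOCAL IRC test rule"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL MS17-010 test rule"; sid:1000004; rev:1;)
'''

ACTIONS = ("alert", "drop", "reject", "pass")
# Optional leading '#' (disabled rule), action, protocol, header, then (options).
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>%s)\s+\S+\s.*?\((?P<opts>.*)\)\s*$' % "|".join(ACTIONS))
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')

def find_rules(text, keyword):
    """Return (sid, enabled, action, msg) for rules whose msg contains keyword."""
    hits = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, plain comment, or not a rule
        msg = MSG_RE.search(m.group("opts"))
        sid = SID_RE.search(m.group("opts"))
        if not msg or not sid:
            continue
        if keyword.lower() in msg.group(1).lower():
            enabled = m.group("off") is None
            hits.append((int(sid.group(1)), enabled, m.group("action"), msg.group(1)))
    return hits

if __name__ == "__main__":
    import sys
    # Usage: script.py KEYWORD [rule files...]; with no files the constructed sample is scanned.
    keyword = sys.argv[1] if len(sys.argv) > 1 else "MS08-067"
    texts = [open(p, encoding="utf-8", errors="replace").read()
             for p in sys.argv[2:]] or [SAMPLE_RULES]
    for text in texts:
        for sid, enabled, action, msg in find_rules(text, keyword):
            print(f"{sid}\t{'enabled' if enabled else 'DISABLED'}\t{action}\t{msg}")
```

An empty result means no rule mentioning the keyword is in the scanned files at all, which is a different finding from rules that exist but are commented out.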