Comments (14)
Hello,
You are seeing the alert in scirius.rules. So scirius has done most of its job. Now you have two possibilities: either Suricata has not been restarted, or DNS is not active/working in your config.
To be sure of 1, restart the Suricata service with 'service suricata restart'. For 2, check if you see the DNS request in the log. As that seems to be the case, I think 1 is more likely.
from scirius.
Hello,
Thank you for your quick answer.
- As I did "Update + Build + Push", Suricata should have been restarted. I have issued the Suricata restart, without any improvement.
- Do you mean in the eve.json file?
<Notice> - This is Suricata version 2.1beta3 RELEASE
Could this be a bug in the beta release? How could I troubleshoot further. I am stuck for now! :(
Thank you so much.
Best Regards,
from scirius.
Hi,
- Yes, you can look in the eve.main file or in kibana. You should see some '"event_type":"dns"' entries.
I don't think this is a bug in this suricata version.
from scirius.
Yes, I see events in Kibana or eve.json that match my rule!
I restarted all the components, even the VM but it does not work for now.
What would be the next step to troubleshoot?
Thank you very much.
Best Regards,
from scirius.
Hi,
Open that record, find the "flow_id" and filter on that in the "ALL" dashboard - that would give you the whole flow view.
It could be that it might be related to the rule syntax.
Try to remove the dns query keyword (restart and update etc.) and see if that will trigger any difference?
Thank you
from scirius.
Hi again,
I simplified the rule, without any improvement.
What I also did is copy an SSLBL abuse.ch rule and modify the fingerprint to the one from one of my servers. I did see the traffic in eve.json but no alert... It is driving me crazy.
I would like to know what I am doing wrong in my process:
- Create a .txt file with only one "alert" rule.
- Create a source, importing this .txt.
- Include this source+unique category in Default Ruleset.
- Tab "Suricata", build+push.
- Test it by generating traffic. No alert showing on scirius, no hit on the specific rule.
Do you confirm it is the right way to achieve my goal?
from scirius.
Filename of my uploaded file:
test.txt
Content of the file:
alert tls any any -> any any (msg:"SSL Fingerprint of domain"; tls.fingerprint:"af:92:c3:40:b9:d9:3d:e8:b3:29:d0:93:ac:e0:ae:67:07:05:ed:70"; sid:9025444043; rev:1;)
from scirius.
I've just used the same DNS rule with the same version of suricata (and same scirius although not on SELKS) and it fires nicely. So this is not a bug in suricata.
Idea: did you change the hostname? If this is the case then you need to do it by editing the suricata object too, or you won't see anything in scirius. Simple test: do you have info in the suricata performance graph?
from scirius.
Hi,
No I did not change it.
Moreover, the default rules are working just fine, which rules out this idea.
The only thing not working is importing custom rules.
Does the imported file need some specific values or data? I am quite sure that it is not the case as scirius is understanding and applying my rule.
from scirius.
Is there any error related to that rule (or rule loading) in /var/log/suricata.log?
Are you using Scirius on SELKS or stand alone (latest)?
from scirius.
Hello again,
Sorry for the delay. I made good progress and managed to get it working by disabling every other source in the ruleset.
So now, the following rule is triggered:
alert ip any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)
Here is the TCP/IP Modbus exchange, confirmed by Wireshark:
(1) -> TCP SYN
(2) <- TCP SYN, ACK
(3) -> TCP ACK
(4) -> TCP with Modbus Payload
My current problem is that this alert is only triggered for packet (1) and not (3) or (4). I think it should. In the end, I would like to alert for (4), and eventually parse the Modbus payload.
Do you have an idea on my problem?
Thanks again for your help.
from scirius.
What will be the result if you use this rule with your particular pcap:
alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)
This and the previous rule are not really doing much more than detecting IP or TCP traffic on dst port 502.
from scirius.
You mean with this rule I won't be able to see and test payload for specific content? So how should I do?
from scirius.
Depends what exactly is it that you are looking for. Please find below some guidelines you can use:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords
from scirius.
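Added example, not from this thread and not scirius or Suricata code: a small Python parser and linter for rule lines like the Modbus and TLS fingerprint rules quoted above. It shows why a header-only rule first hits on the TCP SYN, contrasts it with a payload-aware Modbus/TCP variant built from the payload keywords linked in the reply, and checks sid range and tls.fingerprint format. The sample rules are constructed from the thread and PAYLOAD_KEYWORDS is a hand-picked subset, both assumptions of this example.

```python
import re
# Constructed sample rules: the Modbus and TLS fingerprint rules from the thread plus a payload-aware Modbus/TCP variant.
RULES = [
    'alert ip any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)',
    'alert tcp any any -> any 502 (msg:"Modbus/TCP read holding registers"; '
    'flow:established,to_server; content:"|00 00|"; offset:2; depth:2; '   # MBAP protocol id
    'content:"|03|"; offset:7; depth:1; sid:123597; rev:1;)',               # function code 3
    'alert tls any any -> any any (msg:"SSL Fingerprint of domain"; tls.fingerprint:'
    '"af:92:c3:40:b9:d9:3d:e8:b3:29:d0:93:ac:e0:ae:67:07:05:ed:70"; sid:9025444043; rev:1;)',
]
HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                       r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$')
PAYLOAD_KEYWORDS = {"content", "pcre", "byte_test", "byte_jump", "dsize", "dns_query",
                    "dns.query", "tls.fingerprint", "tls.sni"}  # assumed subset of Suricata's set
FINGERPRINT_RE = re.compile(r'^"([0-9a-f]{2}:){19}[0-9a-f]{2}"$')  # quoted SHA1, 20 bytes

def parse_rule(rule):
    """Return (header dict, ordered [(keyword, value)] options) for one rule line."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule: " + rule)
    hdr = m.groupdict()
    opts, buf, quoted = [], "", False
    for ch in hdr.pop("opts"):
        if ch == '"':                      # track quotes so a ';' inside msg: is kept
            quoted = not quoted
        if ch == ";" and not quoted:       # a ';' outside quotes ends one option
            key, _, val = buf.strip().partition(":")
            opts.append((key, val.strip()))
            buf = ""
        else:
            buf += ch
    return hdr, opts

def lint_rule(rule):
    """List reasons a rule may not fire on the packet you expect (empty list = clean)."""
    _, opts = parse_rule(rule)
    keys = [k for k, _ in opts]
    findings = []
    if not any(k in PAYLOAD_KEYWORDS for k in keys):
        findings.append("no payload keyword: matches on headers alone, so the first hit is "
                        "the TCP SYN; add flow:established,to_server plus a content match")
    findings += ["missing " + r for r in ("sid", "rev") if r not in keys]
    for k, v in opts:
        if k == "sid" and not (v.isdigit() and int(v) < 2**32):
            findings.append("sid must be an unsigned 32-bit integer")
        if k == "tls.fingerprint" and not FINGERPRINT_RE.match(v):
            findings.append("tls.fingerprint must be 20 colon-separated lowercase hex bytes")
    return findings
```

Running lint_rule over RULES reports the header-only Modbus rule and the out-of-range sid in the fingerprint rule, and passes the payload-aware variant.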