Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rules dont work Nmap version 7.93 #5

Open
julioliraup opened this issue Sep 5, 2024 · 2 comments
Open

Rules dont work Nmap version 7.93 #5

julioliraup opened this issue Sep 5, 2024 · 2 comments

Comments

@julioliraup
Copy link

This out:

$ nmap 172.19.0.2
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-05 17:08 -03
Nmap scan report for 172.19.10.2
Host is up (0.024s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1198/tcp open  cajo-discovery

Nmap done: 1 IP address (1 host up) scanned in 4.80 seconds

Logs:

09/05/2024-17:11:34.995490  [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42088 -> 172.19.0.2:4444
09/05/2024-17:11:35.255068  [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42090 -> 172.19.10.2:4444

I'm running test in with suricata -T and dont show errors, but the rule dont recongize nmap scan.

Obs.: I test with -sS, etc
@aleksibovellan
Copy link
Owner

Hi, thanks for your post.

That is very interesting. I did a test after reading your post using the latest NMAP 7.94 with a standard scan like yours, and also as a SYN scan -sS, and the rules seemed to work perfectly here, as illustrated below in the logs.

It might help to check the Suricata logs (and OPNsense's too if one is used there) for more details of possible errors or conflicts somewhere. Or if there are perhaps some other devices or software in the way between the NMAP end and your Suricata, which could already catch such massive fast port floods when they happen, but still let more "normal speeded" traffic pass. Doing a raw packet capture from Suricata's end might also prove either way if the whole NMAP flood is actually really reaching the Suricata's end. The interesting bit there - and some positive at least - is that one of the detection rules is catching stuff, which is clear from that Suricata log indicating the usage of port 4444. So, the rules file is loaded and in use, so it kind of works, but for some reason the other detection rules did not fire to your NMAP scan. Without more information at hand right now, it's somewhat hard to determine the root cause, although I really would like to, but I hope you understand.

Here below are my results from the test I just did now to check it myself. It blew up my Suricata log file as was expected. :-) I tested on a dedicated OPNsense computer, running Suricata, and using the installation method following the readme. All software used were with the latest updates at the time of writing.

All the best,

  • Aleksi

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-06 01:28 ****
Nmap scan report for ..*** (.*..)
Host is up (0.0039s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
MAC Address: :::::* (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds

2024-09-06T01:28:21.051985 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 3517 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:21.051985 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 3517 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:21.049863 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 50000 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:21.049863 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 50000 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.955057 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 16001 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.955057 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 16001 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.952637 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 777 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.952637 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 777 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.950382 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 25735 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.950382 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 25735 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.948257 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 12174 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.948257 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 12174 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.948163 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1107 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.948163 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1107 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.941033 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1721 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.941033 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1721 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.938796 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 2301 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.938796 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 2301 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 50636 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 50636 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1175 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 1175 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 5902 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852254 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 5902 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852005 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 7100 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.852005 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 7100 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.851941 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 6699 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.851941 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 6699 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.848889 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 5033 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.848889 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 5033 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.848889 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 497 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.848889 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 497 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.846338 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 8082 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.846338 ***** 3400002 blocked LAN .*..*** 39588 .*..*** 8082 POSSBL PORT SCAN (NMAP -sS)
2024-09-06T01:28:20.846273 ***** 3400002 blocked LAN .*..*** 39590 .*..*** 9500 POSSBL PORT SCAN

.....and so on it went. :-)

@julioliraup
Copy link
Author

I am testing Suricata on pfSense (FreeBSD), and the ruleset is designed according to Suricata's patterns. I wrote a rule to detect segmented and unsuccessful TCP/SYN requests, and it worked.
Is there something specific in OPNsense that makes the rules work? We haven't tested it on other firewalls or directly on a Suricata system yet, right? I might be mistaken in trying to use the rules on pfSense or natively.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aleksibovellan @julioliraup