An interesting issue arose today while trying to validate an installation of Security Onion 16.04. I was not seeing anything except SURICATA rules firing (even though ET PRO is installed), so I decided to make my own rule in local.rules.
Get ready for some fun here, because there is about 6 Gb of ingest and I decided to write this without thinking:
alert ip any any -> any any (msg:"TEST TEST"; flow:established; classtype:misc-attack; sid:999999; rev:1;)
Then I ran sudo rule-update.
Not surprisingly, that any any will just about kill the system, as it alerts on everything, but I also think the SID number was too low to use, which might have caused other issues.
Five minutes into it I am seeing 1K alerts in Squert; at 10 minutes I am at 40K alerts, but interestingly enough some ET PRO rules are also now firing. I removed the local.rules alert and reran sudo rule-update (no more TEST rules).
The TEST alert is now showing 150K in Squert.
Here are the commands I typed (from "Suricata gone wild"):
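The TEST rule as first typed had a catch-all header, a quoted SID in the vendor range and a classtype spelled with an underscore, and none of that surfaced until Squert started filling up. A small lint pass over local.rules before rule-update would have flagged all of it. The linter below is an added example for this post, not a Security Onion or Suricata tool; the protocol and classtype lists are a subset I assumed from a default Suricata install, the 1,000,000 floor for local SIDs is the usual Snort/Suricata convention, and the rule strings are constructed inputs (the first is the TEST rule as originally written).

```python
"""Lint Suricata/Snort rules before they go into local.rules.

Added example for this post, not Security Onion or Suricata code.
"""
from __future__ import annotations

# Assumption: header protocols accepted by a typical Suricata build (subset).
KNOWN_PROTOS = {"ip", "tcp", "udp", "icmp", "http", "dns", "tls", "ssh", "smtp", "ftp", "smb"}
KNOWN_ACTIONS = {"alert", "drop", "pass", "reject", "log"}

# Assumption: hyphenated names as shipped in the default classification.config (subset).
KNOWN_CLASSTYPES = {
    "misc-attack", "misc-activity", "trojan-activity", "policy-violation",
    "attempted-recon", "attempted-admin", "attempted-user", "bad-unknown",
    "web-application-attack", "not-suspicious", "unknown",
}

# SIDs below 1,000,000 are reserved for vendor rule sets; local rules start here.
LOCAL_SID_MIN = 1_000_000

# Keywords that narrow a rule to specific payload; without one, any->any fires on every flow.
PAYLOAD_KEYWORDS = {"content", "pcre", "dsize", "http.uri", "http.host", "dns.query", "tls.sni"}


def split_options(text: str) -> list[str]:
    """Split the option block on ';' while leaving double-quoted msg strings intact."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_options(text: str) -> dict[str, str | None]:
    """Map option keyword -> value (None for bare keywords such as 'nocase')."""
    opts: dict[str, str | None] = {}
    for item in split_options(text):
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip() if sep else None
    return opts


def lint_rule(rule: str) -> list[str]:
    """Return a list of problems found in one rule line; [] means it looks sane."""
    problems: list[str] = []
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return problems  # blank line or comment
    open_paren, close_paren = rule.find("("), rule.rfind(")")
    if open_paren == -1 or close_paren < open_paren:
        return ["options block '( ... )' is missing or unbalanced"]
    header = rule[:open_paren].split()
    opts = parse_options(rule[open_paren + 1:close_paren])

    # Header should be: action proto src sport -> dst dport
    dir_idx = next((i for i, tok in enumerate(header) if tok in ("->", "<>")), None)
    if dir_idx is None:
        return ["header has no direction operator (-> or <>)"]
    if dir_idx == 3:
        # 'alert any any -> any any': the protocol field was skipped entirely
        problems.append("protocol is missing after the action (e.g. 'alert ip any any -> any any')")
        header.insert(1, "?")
    if len(header) != 7:
        problems.append("header must be 'action proto src sport -> dst dport'")
        return problems
    action, proto, src, sport, _direction, dst, dport = header
    if action not in KNOWN_ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto != "?" and proto not in KNOWN_PROTOS:
        problems.append(f"unknown protocol {proto!r}")
    catch_all = (src, sport, dst, dport) == ("any",) * 4
    if catch_all and PAYLOAD_KEYWORDS.isdisjoint(opts):
        problems.append("any any -> any any with no payload keyword: this alerts on every flow seen")

    # Options: msg, sid, classtype, rev
    if "msg" not in opts:
        problems.append("msg is missing")
    sid = opts.get("sid")
    if sid is None:
        problems.append("sid is missing")
    elif not sid.isdigit():
        problems.append(f"sid must be a bare integer, got {sid} (no quotes)")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is below {LOCAL_SID_MIN}; local rules should use >= {LOCAL_SID_MIN}")
    classtype = opts.get("classtype")
    if classtype is not None and classtype not in KNOWN_CLASSTYPES:
        hint = classtype.replace("_", "-")
        note = f" (did you mean {hint!r}?)" if hint in KNOWN_CLASSTYPES else ""
        problems.append(f"classtype {classtype!r} is not in classification.config{note}")
    if "rev" not in opts:
        problems.append("rev is missing")
    return problems


# Constructed inputs: the TEST rule as originally written, the same rule with its
# syntax fixed (still a catch-all), and a rule that should pass cleanly.
TEST_RULE_ORIGINAL = ('alert any any -> any any (msg:"TEST TEST"; flow:established; '
                      'classtype:misc_attack; sid:"999999"; rev:1;)')
TEST_RULE_SYNTAX_FIXED = ('alert ip any any -> any any (msg:"TEST TEST"; flow:established; '
                          'classtype:misc-attack; sid:1000001; rev:1;)')
CLEAN_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"clean"; content:"foo"; '
              'classtype:misc-attack; sid:1000002; rev:1;)')

if __name__ == "__main__":
    for rule in (TEST_RULE_ORIGINAL, TEST_RULE_SYNTAX_FIXED, CLEAN_RULE):
        print(rule)
        for p in lint_rule(rule) or ["ok"]:
            print("  -", p)
```

Running it over the original TEST rule reports the missing protocol, the quoted SID, the misspelled classtype and the catch-all header; the syntax-fixed version still gets the catch-all warning, which is the one that actually hurt here.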
- sudo so-sguild-stop
- sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
- SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status=0 GROUP BY signature, signature_id ORDER BY cnt DESC LIMIT 20; (top 20)
Interesting find here, now under uncategorized events:
TEST Rule                 150K    999999
Snort Alert [1:999999:1]          999999
So I now have two alerts for the same issue (this is because mid-stream I removed the TEST rule from my local.rules, which deleted it out of my download.rules).
- UPDATE event SET status=1 WHERE event.status=0 AND event.signature LIKE 'TEST%';
- exit
- sudo so-sguild-start
- sudo so-sguild-stop
- sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
- UPDATE event SET status=1 WHERE event.status=0 AND event.signature_id='999999';
- exit
- sudo so-sguild-start