Re: Help with determining if IPS is updating


breda
Hi, does anyone know how I can confirm if the snort rules are being updated on my shield? Looking at the logs I see a few errors.

Thanks

breda
Here is my log as well: System_Log.txt

Thanks

Roadrunnere42
breda

When the fw_upgrade script is run, which is set to nightly by default, the snort rules are updated from web sites automatically. If you want to check, look at the dates of the files in /etc/snort/rules.

snort.rules is where the rules live, and when new ones get released fw_upgrade will either add only the new rules to this file or, if it's been more than 14 days since the last complete download, will download a completely new file; this is to make sure that any deleted rules are removed from the file.

This method helps to prevent wear to the memory on the shield and is why I started to modify the script in the first place; it has just continued to evolve.

roadrunnere42

breda
Hi Roadrunnere42, thanks for getting back to me. I will take a look at the files; here are some errors:

Thu May 26 01:01:15 2016 daemon.crit dnsmasq[12173]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Thu May 26 01:01:15 2016 daemon.crit dnsmasq[12173]: FAILED to start up
Thu May 26 01:01:17 2016 daemon.err snort[11555]: *** Caught Term-Signal


Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.Evil' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ETPRO.RTF' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.MCOFF' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.JavaArchiveOrClass' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.http.PK' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.WinHttpRequest' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.QuickenUpdater' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.wininet.UA' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.MS.WinHttpRequest.no.exe.request' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.Adobe.Site.Download' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.http.javaclient.SakuraPorts' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'SunDown.EK' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.http.javaclient.vulnerable' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.RIGEKExploit' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.http.binary' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.http.rtf.download' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'EXE2' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.ZoneAlarm.Site.Download' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.http.javaclient' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.MS.XMLHTTP.no.exe.request' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.JS.Obfus.Func' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.MS.XMLHTTP.ip.request' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.pdf.in.http' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'NuclearEK' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'AnglerEK' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'et.DocVBAProject' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'FlimKit.SWF.Redirect' is checked but not ever set.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: WARNING: flowbits key 'ET.CottonCastle.Exploit' is set but not ever checked.
Thu May 26 01:01:33 2016 daemon.notice snort[12216]: 81 out of 1024 flowbits in use.
Thu May 26 01:01:36 2016 daemon.crit dnsmasq[12225]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Thu May 26 01:01:36 2016 daemon.crit dnsmasq[12225]: FAILED to start up
Thu May 26 01:01:41 2016 daemon.crit dnsmasq[12226]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Thu May 26 01:01:41 2016 daemon.crit dnsmasq[12226]: FAILED to start up
Thu May 26 01:01:41 2016 daemon.info procd: Instance dnsmasq::instance1 is in a crash loop 6 crashes, 0 seconds since last crash
Thu May 26 01:02:21 2016 daemon.notice snort[12216]:
Thu May 26 01:02:21 2016 daemon.notice snort[12216]: [ Port Based Pattern Matching Memory ]

Roadrunnere42
Hi

Not sure why this is happening: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf. As I'm not a network guy I can not help.

Also:
WARNING: flowbits key 'FlimKit.SWF.Redirect' is checked but not ever set.

I have pulled this information from the net:

Resolving Flowbit dependencies
Recently I've noticed an increase in emails asking about flowbits, so I thought I'd write a quick blog post about how to fix this, so people can have a reference for these error messages.

So you'll notice one of two conditions:
Warning: flowbits key 'http.rtf' is set but not ever checked.
or
Warning: flowbits key 'http.rtf' is checked but not ever set.

I'll break these warnings down and explain them, but first allow me to explain what a flowbit is for those that may not know.

The manual states the following:

    "The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor. It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol.
    There are eight keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and underscores. The keywords set and toggle take an optional argument which specifies the group to which the keywords will belong. When no group name is specified the flowbits will belong to a default group. All the flowbits in a particular group (with an exception of default group) are mutually exclusive. A particular flow cannot belong to more than one group."

In other words, flowbits allow you to set and track the state of a flow in between one or more rules.

Let me explain the two "warning" messages above.

First, the group name of the flowbit that has the "problem" is "http.rtf".  In the VRT, we have a naming convention that we use for flowbits, and this name above tells me that this is an "RTF" document being downloaded over HTTP.  In other words, the way the rules are going to be written means that someone on your network has requested an "rtf" document.

Warning: flowbits key 'http.rtf' is set but not ever checked.
The above warning means that there is one rule that uses the syntax: "flowbits:set,http.rtf", but the rule that "checks" the flowbit isn't turned on.  We are using the condition of the first rule that "set"s the flowbit to use later in other rules.  Let me give you an example rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC rtf download attempt"; flow:to_server,established; content:".rtf"; http_uri; flowbits:set,http.rtf;)

Someone on your network, connecting to "$EXTERNAL_NET" on an HTTP port, making a web request for a .rtf file.  Finally, we set the flowbit tracking the state.

We can then use an additional rule to check for a vulnerability inside of the ".rtf" file by using the "isset" keyword.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .rtf file is bad!"; flowbits:isset,http.rtf; flow:from_server,established; content:"bad stuff";)

The above rule checks to see that the flowbit "isset" before checking the rest of the rule.  Essentially, in order for the second rule to fire, the first one has to have already fired.

The other warning above is the opposite.

Warning: flowbits key 'http.rtf' is checked but not ever set.


This indicates that the rule that reads "isset,http.rtf" is turned on, but the rule that reads "set,http.rtf" is not.

The above "Warnings" aren't fatal, meaning Snort will still start even if you have these errors. However, if you don't have one or the other "set" or "isset" rules turned on and you are receiving these errors, this indicates that effectively you aren't using that set of rules, or multiple rules.

The advantage of flowbits is that rule writers can write several different rules that check for vulnerabilities inside the rtf document file format, all checking to see if the "http.rtf" flowbit has been set first.  This will cause entire rule chains to not fire if an "rtf" file isn't downloaded first (for example).

There are two ways to fix this problem.  You can either:

    Go through the rules files individually to turn on the rules that will fix the flowbits.
    Use a tool that automates this process for you.

These appear in both router and bridge mode with no side effect that I can see.

roadrunnere42
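The two options at the end of the post above (enable the missing "set" rules by hand, or let a tool resolve the flowbit dependencies) and the earlier note that fw_upgrade sometimes appends new rules and sometimes replaces snort.rules wholesale can both be checked with a small script. The following is an added example written for this page in Python; it is not Roadrunnere42's fw_upgrade script, not part of the shield firmware, and not Snort's own code. It assumes one rule per line in the style of snort.rules, treats set/setx/toggle/unset as "setting" a bit and isset/isnotset as "checking" it, and works over two constructed sample rule snapshots embedded in the script (standing in for an old and a new copy of /etc/snort/rules/snort.rules).

```python
import re
from dataclasses import dataclass, field

# One rule per line is assumed (backslash-continued rules are not handled).
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?'                                     # leading '#': rule is disabled
    r'(?P<action>alert|log|pass|drop|reject|sdrop)\s+[^(]*'   # rule header up to the options
    r'\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*([^;]+);')

# Assumption for this example: these operations count as setting a bit versus
# checking it; flowbits:noalert and flowbits:reset name no bit at all.
SETTERS = {'set', 'setx', 'toggle', 'unset'}
CHECKERS = {'isset', 'isnotset'}


@dataclass
class Rule:
    sid: int
    enabled: bool
    sets: set = field(default_factory=set)
    checks: set = field(default_factory=set)


def _bit_names(arg):
    """isset/isnotset accept 'a&b' or 'a|b'; set/setx take 'name[,group]'."""
    return {n.strip() for n in re.split(r'[&|]', arg) if n.strip()}


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # blank line, plain comment, variable definition
        sid_m = SID_RE.search(m.group('opts'))
        if not sid_m:
            continue
        rule = Rule(int(sid_m.group(1)), m.group('off') is None)
        for fb in FLOWBITS_RE.findall(m.group('opts')):
            parts = [p.strip() for p in fb.split(',')]
            if len(parts) < 2:            # flowbits:noalert; / flowbits:reset;
                continue
            if parts[0].lower() in SETTERS:
                rule.sets |= _bit_names(parts[1])
            elif parts[0].lower() in CHECKERS:
                rule.checks |= _bit_names(parts[1])
        rules.append(rule)
    return rules


def flowbit_warnings(rules):
    """The two conditions Snort warns about, computed over the enabled rules only."""
    set_bits = set().union(*(r.sets for r in rules if r.enabled))
    checked = set().union(*(r.checks for r in rules if r.enabled))
    return {'checked_not_set': sorted(checked - set_bits),
            'set_not_checked': sorted(set_bits - checked)}


def rules_to_enable(rules):
    """Disabled SIDs to turn on so that every checked bit has an enabled setter.
    Iterates to a fixpoint: a setter that gets enabled may itself check more bits.
    Returns (sids_to_enable, bits_that_no_rule_in_the_file_sets)."""
    by_sid = {r.sid: r for r in rules}
    enabled = {r.sid for r in rules if r.enabled}
    to_enable = set()
    while True:
        set_bits = set().union(*(by_sid[s].sets for s in enabled))
        missing = set().union(*(by_sid[s].checks for s in enabled)) - set_bits
        new = {r.sid for r in rules if r.sid not in enabled and r.sets & missing}
        if not new:
            return sorted(to_enable), sorted(missing)
        to_enable |= new
        enabled |= new


def sid_delta(old_rules, new_rules):
    """SIDs an update added or removed (only a full re-download drops deleted rules)."""
    old, new = {r.sid for r in old_rules}, {r.sid for r in new_rules}
    return {'added': sorted(new - old), 'removed': sorted(old - new)}


# Constructed sample snapshots; the SIDs and messages are invented for this example.
OLD_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC rtf download attempt"; flow:to_server,established; content:".rtf"; http_uri; flowbits:set,http.rtf; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .rtf file is bad!"; flowbits:isset,http.rtf; flow:from_server,established; content:"bad stuff"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE rule later deleted upstream"; sid:1000003; rev:1;)
"""
NEW_RULES = """\
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC rtf download attempt"; flow:to_server,established; content:".rtf"; http_uri; flowbits:set,http.rtf; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .rtf file is bad!"; flowbits:isset,http.rtf; flow:from_server,established; content:"bad stuff"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE sets ET.Evil"; flowbits:set,ET.Evil; flowbits:noalert; sid:1000004; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE sets et.MCOFF when ET.CompIP"; flowbits:isset,ET.CompIP; flowbits:set,et.MCOFF; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE checks et.MCOFF"; flowbits:isset,et.MCOFF; content:"MZ"; sid:1000006; rev:1;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE sets ET.CompIP"; flowbits:set,ET.CompIP; flowbits:noalert; sid:1000007; rev:1;)
"""

if __name__ == '__main__':
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print('update delta  :', sid_delta(old, new))
    print('snort warnings:', flowbit_warnings(new))
    print('enable sids   :', rules_to_enable(new))
```

Run against the two snapshots, sid_delta reports that the update added 1000004 to 1000007 and dropped 1000003, which is the kind of change you would expect to see only after one of the 14-day full downloads. flowbit_warnings reproduces Snort's "checked but not ever set" for http.rtf and et.MCOFF and "set but not ever checked" for ET.Evil, and rules_to_enable shows why a tool beats doing it by hand: enabling 1000005 to set et.MCOFF introduces a check on ET.CompIP, so 1000007 has to come on as well; the fixpoint loop returns all three SIDs (1000001, 1000005, 1000007). To use it on the shield, read the real file with open('/etc/snort/rules/snort.rules').read() in place of the sample strings; the script only reports, it does not edit the file.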

breda

Thanks Roadrunnere42. Where are the files located to change, to fix the flowbits? And "use a tool that automates this process", would that be some program that would have to be installed on the shield?

    Go through the rules files individually to turn on the rules that will fix the flowbits.
    Use a tool that automates this process for you.