Support #1533
Potential problem with detecting Windows EXE download (closed)
Description
Hi,
I am using SELKS 2.0, recently upgraded, no changes to default settings.
I have noticed something strange with the ET Policy alert related to Windows download.
Basically, if I update one of my Windows boxes, it downloads around 30 EXE/DLL files, but Suricata only generates 2 alerts: 2018959
There should be dozens of alerts generated!
On a different NSM using Snort, monitoring the same network, I get what is expected, 30 or 40 alerts. The alerts I get are in fact different; they fire rule 2000419.
Something a bit more confusing: if I look for rule 2000419 in Suricata, I can't find it!
But rule 2018959 does reference rule 2000419, as shown here:
scirius.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)
I don't understand why:
- I can't find rule 2000419 in Suricata (has it been superseded by 2018959? But I thought Suricata and Snort were using the same ET rule set)
- Why don't I get all the warnings in Suricata? Is it some kind of setting in /etc/suricata/suricata.yaml? If so, could you please help me see all the warnings and not just 2?
This is Suricata version 2.1dev (rev 834c366)
Thanks.
B.
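To make the quoted rule's matching logic concrete, here is an added Python emulation (not code from the ticket or from Suricata) of what sid:2018959 checks on an HTTP response body: "MZ" at offset 0, the little-endian e_lfanew field at offset 60, and "PE\0\0" at exactly that offset. It also models the flowbits:isnotset / flowbits:set pair, which means the rule alerts only on the first PE file seen in a given flow; the sample bytes are constructed, and the byte_jump/distance arithmetic follows my reading of those keywords.

```python
import struct


def matches_pe_rule(body: bytes) -> bool:
    """Emulate: content:"MZ"; within:2; byte_jump:4,58,relative,little;
    content:"PE|00 00|"; distance:-64; within:4;"""
    # content:"MZ"; within:2 -> "MZ" must sit at the very start of file_data
    if body[:2] != b"MZ":
        return False
    # byte_jump:4,58,relative,little -> skip 58 bytes past "MZ" to offset 60
    # (e_lfanew), read 4 little-endian bytes, cursor lands at 64 + e_lfanew
    if len(body) < 64:
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    cursor = 64 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4 -> the signature must be at
    # cursor - 64, which is exactly e_lfanew
    start = cursor - 64
    return body[start:start + 4] == b"PE\x00\x00"


def alerts_for_flow(responses) -> int:
    """Emulate flowbits:isnotset,ET.http.binary + flowbits:set,ET.http.binary
    over the bodies of one TCP flow: only the first PE download can alert."""
    binary_seen = False
    alerts = 0
    for body in responses:
        if not binary_seen and matches_pe_rule(body):
            alerts += 1
            binary_seen = True
    return alerts


def build_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal DOS header + PE signature; not a real executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 60, e_lfanew)
    hdr += b"\x00" * (e_lfanew - 64)
    hdr += b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    pe = build_pe_stub()
    print(matches_pe_rule(pe))                 # True
    print(matches_pe_rule(b"MZ" + b"\x00" * 100))  # False: no PE signature
    print(alerts_for_flow([pe, pe, pe]))       # 1: flowbit suppresses the rest
```

Thirty files fetched over a handful of keep-alive connections therefore yield only a handful of alerts, while one file per connection yields one alert each.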
Updated by Guru Medidation almost 10 years ago
By the way, if I do a
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
then it will fire the 2018959 rule.
It seems that it is just Windows Update that is not detected with Suricata...
Will try again tomorrow and get a pcap.
Updated by Guru Medidation almost 10 years ago
- File windows_2000419.pcap windows_2000419.pcap added
Issue confirmed and pcap attached.
Using tcpreplay with this pcap triggers alert 2000419 in Snort but nothing in Suricata...
I think I noticed the same issue with OSX download not being detected in Suricata either... so might be a bigger problem?
Updated by Victor Julien almost 10 years ago
- Tracker changed from Bug to Support
It looks like the issue here is that SELKS (and/or ET) doesn't enable this rule by default. I don't know how SELKS handles this, perhaps you can report it to the SELKS project https://github.com/StamusNetworks/SELKS/issues
Updated by Guru Medidation almost 10 years ago
Thanks Victor, I have just done that and will let you know if it is indeed a problem with SELKS.
But you are right, the rule is just not there...
And 2000419 is different from 2018959, slightly but I suspect enough for not triggering those events!
Updated by Andreas Herz over 9 years ago
- Status changed from New to Closed
This is solved, see https://github.com/StamusNetworks/SELKS/issues/26 so closing the issue.