Support #1533
Potential problem with detecting Windows EXE download
Status: closed
Description
Hi,
I am using SELKS 2.0, recently upgraded, no changes to default settings.
I have noticed something strange with the ET Policy alert related to Windows download.
Basically, if I update one of my Windows boxes, it downloads around 30 EXEs/DLLs, but Suricata only generates 2 alerts: 2018959.
There should be dozens of alert generated!
On a different NSM using Snort, monitoring the same network, I get what is expected: 30 or 40 alerts. The alerts I get are in fact different; they fire rule 2000419.
Something a bit more confusing: if I look for rule 2000419 in Suricata, I can't find it!
But rule 2018959 does reference rule 2000419, as shown here:
scirius.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)
I don't understand why:
- I can't find rule 2000419 in Suricata (has it been superseded by 2018959? But I thought Suricata and Snort were using the same ET rule set).
- Why don't I get all the warnings in Suricata? Is it some kind of setting in /etc/suricata/suricata.yaml? If so, could you please help me see all the warnings and not just 2?
This is Suricata version 2.1dev (rev 834c366)
Thanks.
B.
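As an added illustration (not part of the original report, and not code from Suricata or the ET ruleset), the following Python replicates the byte-level check that the 2018959 rule quoted above performs on an HTTP response body, with the cursor arithmetic of the content/byte_jump/distance chain spelled out, and it models the rule's flowbits:isnotset / flowbits:set pair on ET.http.binary so that its once-per-flow behaviour is visible. The sample PE images are constructed inline; they are not taken from the attached pcap.

```python
import struct
from typing import List

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the PE signature


def matches_2018959(file_data: bytes) -> bool:
    """Re-implement the content/byte_jump chain of ET sid 2018959 over one file_data buffer.

    content:"MZ"; within:2
        -> the buffer must begin with "MZ"; the detection cursor is now at offset 2.
    byte_jump:4,58,relative,little
        -> read 4 little-endian bytes at cursor + 58 = 0x3C (e_lfanew), then move the
           cursor past those bytes and forward by that value: cursor = 0x40 + e_lfanew.
    content:"PE|00 00|"; distance:-64; within:4
        -> the signature must start at cursor - 64 = e_lfanew; with a 4-byte window and
           a 4-byte pattern it must start exactly there.
    """
    if file_data[:2] != b"MZ":
        return False
    if len(file_data) < E_LFANEW_OFFSET + 4:
        return False  # byte_jump cannot read e_lfanew, so the rule cannot match
    (e_lfanew,) = struct.unpack_from("<I", file_data, E_LFANEW_OFFSET)
    cursor = E_LFANEW_OFFSET + 4 + e_lfanew  # position after the relative jump
    start = cursor - 64                      # distance:-64 lands back on e_lfanew
    return file_data[start:start + 4] == b"PE\x00\x00"


def simulate_flow(response_bodies: List[bytes]) -> List[bool]:
    """Apply sid 2018959 to each response body seen on ONE flow, honouring the flowbits.

    flowbits:isnotset,ET.http.binary is a precondition and flowbits:set,ET.http.binary
    is an action, so the first PE body on a flow alerts and sets the bit; later PE
    bodies on the same flow no longer satisfy the isnotset check and stay silent.
    Returns one boolean per body: whether that body raised an alert.
    """
    flowbit_set = False
    alerted = []
    for body in response_bodies:
        if not flowbit_set and matches_2018959(body):
            flowbit_set = True
            alerted.append(True)
        else:
            alerted.append(False)
    return alerted


def build_pe_sample(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE image (assumes e_lfanew >= 0x40, as in real files).

    Only the fields the rule inspects are meaningful: the MZ magic, the little-endian
    e_lfanew at 0x3C and the "PE\\0\\0" signature at that offset. Everything else is zero.
    """
    buf = bytearray(b"MZ")
    buf += b"\x00" * (E_LFANEW_OFFSET - len(buf))  # pad out the DOS header
    buf += struct.pack("<I", e_lfanew)             # pointer to the NT headers
    buf += b"\x00" * (e_lfanew - len(buf))         # DOS stub placeholder
    buf += b"PE\x00\x00"                           # NT signature
    buf += b"\x00" * 20                            # COFF header placeholder
    return bytes(buf)


if __name__ == "__main__":
    exe = build_pe_sample()
    html = b"<html><body>not a binary</body></html>"  # constructed non-PE body
    print("single PE body alerts:", matches_2018959(exe))
    print("two PE bodies on one keep-alive flow:", simulate_flow([exe, exe]))
    print("HTML body then PE body:", simulate_flow([html, exe]))
```

The function only mirrors the byte checks; a real deployment also needs the HTTP parser to hand the response body to file_data and the rule itself to be present and enabled, which is the point the rest of this thread turns on.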
Updated by Guru Medidation over 9 years ago
By the way, if I do a
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
then it will fire the 2018959 rule
Seems that it is just Windows Update that is not detected with Suricata...
Will try again tomorrow and get a pcap
Updated by Guru Medidation over 9 years ago
- File windows_2000419.pcap windows_2000419.pcap added
Issue confirmed and pcap attached.
Using tcpreplay with this pcap triggers alert 2000419 in snort but nothing in Suricata...
I think I noticed the same issue with OSX download not being detected in Suricata either... so might be a bigger problem?
Updated by Victor Julien over 9 years ago
- Tracker changed from Bug to Support
It looks like the issue here is that SELKS (and/or ET) doesn't enable this rule by default. I don't know how SELKS handles this, perhaps you can report it to the SELKS project https://github.com/StamusNetworks/SELKS/issues
Updated by Guru Medidation over 9 years ago
Thanks Victor, I have just done that and will let you know if it is indeed a problem with SELKS.
But you are right, the rule is just not there...
And 2000419 is different from 2018959, slightly, but I suspect enough to not trigger those events!
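The resolution above comes down to whether a given sid is present in, and enabled in, the rules file Suricata actually loads. As an added example (not from the original thread, SELKS or the ET ruleset), the Python below indexes a rules file by sid and reports each requested sid as enabled, disabled (commented out with a leading #) or missing. The sample ruleset is constructed inline: it contains the 2018959 rule quoted earlier, a made-up disabled rule with the hypothetical sid 9000001, and no 2000419, matching what the reporter saw. The path /etc/suricata/rules/scirius.rules in the usage line is an assumption taken from the "scirius.rules:" grep prefix in the report.

```python
import re
from typing import Dict, Iterable, NamedTuple


class RuleState(NamedTuple):
    enabled: bool   # False when the rule line is commented out with '#'
    msg: str        # the rule's msg:"..." text, empty if absent
    line_no: int    # 1-based line in the rules file, for reporting


SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def index_rules(text: str) -> Dict[int, RuleState]:
    """Map every sid found in a rules file to its state.

    A line is a rule if it carries a sid:N; option. Leading '#' marks it disabled;
    comment lines without a sid (headers, notes) are skipped.
    """
    index: Dict[int, RuleState] = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        msg_match = MSG_RE.search(line)
        index[int(sid_match.group(1))] = RuleState(
            enabled=not line.startswith("#"),
            msg=msg_match.group(1) if msg_match else "",
            line_no=line_no,
        )
    return index


def check_sids(text: str, sids: Iterable[int]) -> Dict[int, str]:
    """Classify each requested sid as 'enabled', 'disabled' or 'missing'."""
    index = index_rules(text)
    report = {}
    for sid in sids:
        if sid not in index:
            report[sid] = "missing"
        elif index[sid].enabled:
            report[sid] = "enabled"
        else:
            report[sid] = "disabled"
    return report


# Constructed sample ruleset: the 2018959 rule from the report, a hypothetical disabled
# rule (sid 9000001 is made up for this example) and no 2000419 at all.
SAMPLE_RULES = """\
# Emerging Threats policy rules (constructed sample header, no sid here)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED disabled rule"; flow:established,to_client; sid:9000001; rev:1;)
"""


if __name__ == "__main__":
    # Run against the inline sample; swap in the real file to check a live install, e.g.
    #   text = open("/etc/suricata/rules/scirius.rules").read()   # path is an assumption
    for sid, state in check_sids(SAMPLE_RULES, [2018959, 2000419, 9000001]).items():
        print(f"sid {sid}: {state}")
```

The check is purely textual, so it tells you what the file says, not what a running engine loaded; if the two disagree, the rule-file path in suricata.yaml or the rule manager in front of it (Scirius, in the SELKS case) is the next thing to look at.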
Updated by Andreas Herz almost 9 years ago
- Status changed from New to Closed
This is solved, see https://github.com/StamusNetworks/SELKS/issues/26 so closing the issue.