I am trying to configure suricata in my network. When I set one HOME_NET in /etc/suricata/suricata.yml as :
HOME_NET: "[172.20.5.0/24]"
everything works fine. But when I try to define more than one pool of addresses as:
HOME_NET: "[172.20.5.0/24,172.16.0.0/16,172.20.1.0/24]"
I cannot observe any events in /var/log/suricata/log.fast.
How to properly define a few networks in HOME_NET variable?
The problem was that I was trying to ping and Home_Net(172.20.5.12) from a Home_Net(172.20.5.18). And the property External_Net was set as !$Home_Net. The rule triggering ping alert:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING
*NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8;
metadata:created_at 2010_09_23, updated_at 2010_09_23;)
Alerts only from EXTERNAL_NET to HOME_NET and I was pinging from HOME_NET to HOME_NET.
To see this "internal" ping alerts you need to define EXTERNAL_NET as any.
Related
I want to resolve an IP address.
For that I'm creating a DNS query (of type A record). Lets say some DNS server gets this query and then send it to one of my servers to resolve it.
Now I want to know which of my servers answer this request.
To do that, I though about adding a TXT record to the response.
Is it possible to add a TXT record to a query with A record?
And is there a better way to discover which of my server answered the request?
EDIT:
As for the server IP -
I have an app, which query a DNS server (lets say it's Google's public DNS server - 8.8.8.8). When Google gets this query, it's not returning the answer, but ask one of my servers for the answer. Only then it will return the correct answer to my app. Now, if I'll check the server IP, I will get 8.8.8.8, but what I want to know is which of my server gave Google the answer.
The client knows which server replied, see this dig example:
$ dig com. #f.root-servers.net +noall +stat
; <<>> DiG 9.12.0 <<>> com. #f.root-servers.net +noall +stat
;; global options: +cmd
;; QUERY SIZE: 44
;; Query time: 140 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Tue Sep 04 12:04:30 EST 2018
;; MSG SIZE rcvd: 856
I see that the server at IP 192.5.5.241 replied to me (this one is anycasted by the way).
Now about
Is it possible to add a TXT record to a query with A record?
No, that is against the specification. The answer section should only have the answer to the query that is the A record. Resolvers are not expected to take into account anything else. You could try/think/imagine using the "Additional" section for that, but it is not fit for it, and again you would have mixed results.
But in fact I am not sure to understand the goal you are trying to reach. Do you control the DNS server? the DNS client?
If you control the DNS server you have access to its logs so you know what it was requested with and who it replied to. If you control the client you see obviously which server replied to you.
Before expanding too much on points that may be irrelevant, look also at the NSID option (RFC5011) this is used today. This is more relevant when you have anycasted nameservers or any cloud of it, as under a single IP you may reach a lot of different instances, so it is important to have something more than the IP to identify them (which shows that an IP address is more of a location than an identication token in fact).
For example if I redo above query with dig com. #f.root-servers.net +nsid +nocookie I now get:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 70 61 6f 31 61 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 ("pao1a.f.root-servers.org")
I see that in that specific case it was a server identifying itself (this can be trivially spoofed of course without DNSSEC) as pao1a.f.root-servers.org.
Doing same query from another vantage point could answer instead with:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; NSID: 41 4d 53 2e 63 66 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 (A) (M) (S) (.) (c) (f) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)
(decoding is different because older dig version)
I currently have the following DNS Query Alert rule set up in Suricata (for test purposes):
alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)
Which is triggered when it captures DNS events which contain the word "google", such as in this packet:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
However, instead of searching for resource record names that contain "google", I want to use this same kind of alert to trigger on IP addresses that resolve to loopback, as is the case with the following packet (Notice the rdata field):
{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
As I have noticed, the contentsection of a Suricata rule searches only for a string.
My current rule triggers on a text match with the rrname/domain, how would I make it so that the rule triggers on rdata/IP address?
p.s.
Just out of curiosity I tried replacing the "google" in the content section of my alert with "127.0.0.1" and that didn't work either, as expected.
The ip address is just a 32 bit number. In the rule the IP should be represented as a hex value and not a string, for purposes of efficiency and saving bandwidth (a string will be 8+ bytes as opposed to 4 bytes).
Here is my final Suricata rule to alert whenever somebody gets sent to loopback on my network:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
I'm trying to install an applet on a SIM card wich supports java card V3.0.4. When I try to establish a secure channel to load the applet, the card returns an error:
mode_211
enable_trace
establish_context
card_connect
select -AID A000000151000000
Command --> 00A4040008A000000151000000
Wrapped command --> 00A4040008A000000151000000
Response <-- 6F108408A000000151000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 79AA24D80FF0056101F1D9AB6DCAF0E6
-enc_key 79AA24D80FF0056101F1D9AB6DCAF0E6
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A86488
6FC6B03640B06092A864886FC6B048000640B06092A864886FC6B040255640B06092A864886FC6B0
481079000
Command --> 8050000008F05E65BF5254BC9F00
Wrapped command --> 8050000008F05E65BF5254BC9F00
Response <-- 00005147A5190C5352322002001C1F47B6C76BABFD305EBBC2CD1BB39000
mutual_authentication() returns 0x8030F00A (The Secure Channel Protocol passed and reported do not match.)
I'm using GPShell-1.4.4. I guess the problem is using wrong key set! Am I true or there is something else I cannot guess what?!
Thanks for your response,
(I am partly reusing an answer I wrote for your previous question which you suddenly deleted)
Error code GP211_ERROR_INCONSISTENT_SCP means that GPShell's intended SCP version mismatches with the real SCP version given by the card (see here).
Check the 12th byte of card response to INITIALIZE UPDATE -- Secure Channel Protocol identifier (see e.g. GP Card Specification 2.3, section E5.1.6) and use parameter -scp.
Alternatively you might want to use GlobalPlatformPro as GPShell is quite outdated...
Beware that you can block your card by issuing multiple INITIALIZE UPDATE commands without successful authentication!
As your current question contains the complete log it is possible to parse the Card Data tag giving (according to GP 2.2.1):
66 Card Data
73 Card Recognition Data / Discretionary Data Objects
06 OID
2A864886FC6B01 {globalPlatform 1} // Card Recognition Data
60 Application Tag 0
06 OID
2A864886FC6B020202 {globalPlatform 2 2 2} // GP 2.2 Card
63 Application Tag 3
06 OID
2A864886FC6B03 {globalPlatform 3} // Card Identification Scheme
64 Application Tag 4
06 OID
2A864886FC6B048000 {globalPlatform 4 128 0x00} // SCP80 i=0x00
64 Application Tag 4
06 OID
2A864886FC6B040255 {globalPlatform 4 2 0x55} // SCP02 i=0x55
64 Application Tag 4
06 OID
2A864886FC6B048107 {globalPlatform 4 129 0x07} // SCP81 i=0x07
So you might want to use -scp 2 -scpimpl 0x55 or -scp 2 -scpimpl 85 (which happens to be the same).
Or use GlobalPlatformPro.
Alternatively -scpimpl 0x15 should work as well as the Well-known pseudo-random algorithm
(card challenge) bit in 'i' should not matter...
Good luck!
I am new to snmp and after some readings I have 2 questions:-
1) Does net-snmp AUTOMATICALLY sends trap when we configure agent's snmpd.conf file with directives like trapsink, monitor, etc. for inbuilt OIDs like cpu and disk??
I am asking because I am trying to send a trap when cpu goes beyond 90%.
My agent and master are on the same linux box.
My snmptrad.conf file:-
authCommunity log aaa
authCommunity log public
My snmpd.conf file (removing extra comment lines):-
master agentx com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser group
notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1 view systemview
included .1.3.6.1.2.1.25.1.1 view all included .1 view mib2
included .iso.org.dod.internet.mgmt.mib-2 fc
access notConfigGroup "" any noauth exact systemview
none none
createUser internalMonitoringName SHA mysecretpassword AES rouser
internalMonitoringName iquerySecName internalMonitoringName
com2sec local localhost aaa
com2sec net-27 10.0.0.0/8 aaa
com2sec net-46 10.9.46.0/24 aaa
com2sec net-60 10.9.60.0/24 aaa
com2sec net-10 10.20.0.0/16 aaa
group MyRWGroup any local
group MyROGroup any net-27
group MyROGroup any net-46
group MyROGroup any net-60
group MyROGroup any net-10
access MyROGroup "" any noauth 0 all none none
access MyRWGroup "" any noauth 0 all mib2 mib2
syslocation "Somewhere in testlab"
syscontact Root root#localhost
dontLogTCPWrappersConnects yes
trap2sink localhost aaa
monitor -r 30 machineTooBusy hrProcessorLoad > 90
When I run some process to increase cpu load, the cpu load goes beyond 90% (I can see that in top command) but I can't see the trap message in /var/log/messages.
What I am doing wrong here?
2) Also, my next question is, if I have a custom MIB file for which I have wrtten an agent, Can I add the variable/OID from that custom MIB with "monitor" directive in snmpd.conf file to send trap AUTOMATICALLY? OR I must send trap from within my agent???
Please help on my confusion...
No, it doesn't send anything automatically. You have two steps to follow:
1) define where you want to send traps or informs. That's what the trapsink and similar lines do.
2) then define what you want sent. That's what the monitor and similar directives do. The monitor directive can be used to monitor just about anything, including your own custom MIB variables.
When you include both of these, then it'll send out traps automatically (by doing internal monitoring, and then sending a trap to each configured trapsink or other destination).
I cannot get reverse DNS lookup configured correctly in Amazon Route 53 for a block of ATT IP's that have been delegated to Amazon Name Servers.
So, I have a block of IP's assigned to me by ATT. The block is 12.237.40.64/27. ATT has delegate the block to Amazon Name Servers. I start by doing a dig -x on one of the IP's in the block - .65, and get the following:
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 86400 IN CNAME 65.64/27.40.237.12.in-addr.arpa.
So I start to create a zone in Amazon Route 53 with the name 65.64/27.40.237.12.in-addr.arpa < this value is being entered into the 'Domain Name' field with in Amazon Route 53 in the UI. Once created and saved, Route 53 actually names the zone:
65.64\05727.40.237.12.in-addr.arpa
Not sure why this is happening. It seems that the CNAME entry from ATT about will never find the zone 65.64/27.40.237.12.in-addr.arpa ?? So I continue and assume that some sort of translation will occur from the CNAME entry to the zone name I view on screen within route 53. Once the zone is created. I proceed to try to add a PTR record in Route 53. Route 53 will only allow me to prepend the zone name with an ip so the result is:
65.65.64\05727.40.237.12.in-addr.arpa PTR server.mydomain.com
The result I want would be:
65.40.237.12.in-addr.arpa. PTR server.mydomain.com.
So I add a new zone file and name the zone 40.237.12.in-addr.arpa. I then add the PTR record for .65 with in the block. I then dig -x 12.237.40.65 #amz.name.server, and I get the desired result:
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 300 IN PTR server.mydomain.com.
So the problem seems to be that I cannot name the Route 53 zone to agree with the CNAME delegation from ATT ??
I found an article (PDF) on ATT delegated IP blocks.
Can anyone give me some direction on setting up reverse DNS on Amazon route 53 correctly? Or do I need to contact ATT to change the CNAME entry to a different format that I can add and save in route 53?
65.64/27.40.237.12.in-addr.arpa. and 65.65.64\05727.40.237.12.in-addr.arpa PTR server.mydomain.com are just slightly differently formatted names for the same thing. \057 is the octal code for /. It looks like you've configured the domain correctly ...
colmmacc#colmmac] dig NS 64/27.40.237.12.in-addr.arpa. #ns-1175.awsdns-18.org
<snip>
;; QUESTION SECTION:
;64/27.40.237.12.in-addr.arpa. IN NS
;; ANSWER SECTION:
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-1175.awsdns-18.org.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-1967.awsdns-53.co.uk.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-281.awsdns-35.com.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-593.awsdns-10.net.
and the reverse DNS entry seems to be working too:
colmmacc#colmmacc] dig -x 12.237.40.65
;; QUESTION SECTION:
;65.40.237.12.in-addr.arpa. IN PTR
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 86400 IN CNAME 65.64/27.40.237.12.in-addr.arpa.
65.64/27.40.237.12.in-addr.arpa. 300 IN PTR smtpwin.omnilink.com.
Route 53 merely escapes all non-alpha-numerical characters for display, but the / and \057
are equivalent.