Warnings in the intrusion detection

Tripwire, Guardian, Snort, Squidclamav
barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Warnings in the intrusion detection

Post by barczs » March 23rd, 2019, 4:19 pm

Hello Community,

I have been running my IPFire since January 2019, and looking at the result, I have come quite far. Nevertheless, problems keep coming up that I cannot solve on my own.
Specifically, it is about the intrusion detection. At first I worked with the Emergingthreats.net community rules. Then I registered at snort.org and now use the rules for registered users.
In the 'Rules for intrusion detection' section, the former Emergingthreats.net rules are still listed even though they are not ticked. I thought they would disappear automatically.
Perhaps out of ignorance, I have enabled the IDS on red, green and blue. I have enough resources; I used an old PC that was no longer needed for IPFire.
My problem:
When I check the system log files, I see the following warnings under intrusion detection

Code:

WARNING: flowbits key 'file.mime' is set but not ever checked.
WARNING: flowbits key 'vnc.server.auth.types' is set but not ever checked.
WARNING: flowbits key 'kit.blackhole' is set but not ever checked.
WARNING: flowbits key 'spyrat_bd' is set but not ever checked.
WARNING: flowbits key 'file.pub' is set but not ever checked.
WARNING: flowbits key 'file.xbm' is set but not ever checked.
WARNING: flowbits key 'file.motn' is set but not ever checked.
WARNING: flowbits key 'file.rmf' is set but not ever checked.
WARNING: flowbits key 'file.rjs' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.xfdl' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.
WARNING: flowbits key 'dorkbot.ircinit' is set but not ever checked.
WARNING: flowbits key 'file.cue' is set but not ever checked.
WARNING: flowbits key 'file.xwd' is set but not ever checked.
WARNING: flowbits key 'file.mcl' is set but not ever checked.
WARNING: flowbits key 'file.realplayer' is set but not ever checked.
WARNING: flowbits key 'backdoor.tongkeylogger' is set but not ever checked.
WARNING: flowbits key 'trojan.ircbot_fc' is set but not ever checked.
WARNING: flowbits key 'backdoor.agent.dcir' is set but not ever checked.
WARNING: flowbits key 'file.pptx' is set but not ever checked.
WARNING: flowbits key 'asteriskmi' is set but not ever checked.
WARNING: flowbits key 'file.xspf' is set but not ever checked.
WARNING: flowbits key 'file.gzip' is set but not ever checked.
WARNING: flowbits key 'file.cnt' is set but not ever checked.
WARNING: flowbits key 'file.mny' is set but not ever checked.
WARNING: flowbits key 'file.cell' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'file.csd' is set but not ever checked.
WARNING: flowbits key 'file.reg' is set but not ever checked.
WARNING: flowbits key 'file.dir' is set but not ever checked.
WARNING: flowbits key 'file.m3u' is set but not ever checked.
WARNING: flowbits key 'ipp.application' is set but not ever checked.
WARNING: flowbits key 'file.manifest' is set but not ever checked.
WARNING: flowbits key 'cocsoft.stream' is set but not ever checked.
WARNING: flowbits key 'file.rpt' is set but not ever checked.
WARNING: flowbits key 'w32.perflogger' is set but not ever checked.
WARNING: flowbits key 'server.mdaemon' is set but not ever checked.
WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked.
WARNING: flowbits key 'sccp.callstate' is set but not ever checked.
WARNING: flowbits key 'sybase.tds.connection' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'trojan.linkbot_alr' is set but not ever checked.
WARNING: flowbits key 'file.smi' is set but not ever checked.
WARNING: flowbits key 'file.regf' is set but not ever checked.
WARNING: flowbits key 'adzok.rat' is set but not ever checked.
WARNING: flowbits key 'file.tga' is set but not ever checked.
WARNING: flowbits key 'NetDemon_FileManager' is set but not ever checked.
WARNING: flowbits key 'file.ogg' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'tlsv1.0_handshake' is set but not ever checked.
WARNING: flowbits key 'trojan.ircbrute_i' is set but not ever checked.
WARNING: flowbits key 'vnetd.bpspsserver.connection' is set but not ever checked.
WARNING: flowbits key 'file.fon' is set but not ever checked.
WARNING: flowbits key 'malware.ircbotkkr.a' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'file.webm' is set but not ever checked.
WARNING: flowbits key 'file.xml' is set but not ever checked.
WARNING: flowbits key 'smb.null_session' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.avi.video' is set but not ever checked.
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
WARNING: flowbits key 'acunetix-scan' is set but not ever checked.
WARNING: flowbits key 'file.blend.little.32' is set but not ever checked.
WARNING: flowbits key 'file.pac' is set but not ever checked.
WARNING: flowbits key 'itunes.serverinfo.request' is set but not ever checked.
WARNING: flowbits key 'file.udf' is set but not ever checked.
WARNING: flowbits key 'file.hta' is set but not ever checked.
WARNING: flowbits key 'file.123' is set but not ever checked.
WARNING: flowbits key 'file.jnlp' is set but not ever checked.
WARNING: flowbits key 'BaiduToolbar_detection' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.ani' is set but not ever checked.
WARNING: flowbits key 'file.r' is set but not ever checked.
WARNING: flowbits key 'file.screensaver' is set but not ever checked.
WARNING: flowbits key 'groupwise.request' is set but not ever checked.
WARNING: flowbits key 'file.pmd' is set but not ever checked.
WARNING: flowbits key 'file.3dm' is set but not ever checked.
WARNING: flowbits key 'file.crammd5' is set but not ever checked.
WARNING: flowbits key 'file.asf' is set but not ever checked.
WARNING: flowbits key 'file.vwr' is set but not ever checked.
Can anyone tell me what these mean and what I should do so that they no longer appear?
I would be very grateful for any hint.
Kind regards, S.B.
Best regards,
barczs

FischerM
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: Warnings in the intrusion detection

Post by FischerM » March 23rd, 2019, 6:43 pm

Ahem,

as a rule that is nothing to seriously worry about; 'snort' still works.

But: you have enabled certain rules that imply or require other rules in order to finally take effect.

A fairly good explanation of the background to these messages can be found here, for example.

HTH,
Matthias
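
One way to see where such warnings come from, as an added example that is not part of this thread, of IPFire or of Snort: a small Python audit that reads a Snort rule set and reports flowbits keys that are set but never checked (and the reverse), treating '#'-commented rules as disabled. The rule lines and sids below are constructed for the example.

```python
import re
from collections import defaultdict

# One flowbits option, e.g. "flowbits:set,file.pub;" or "flowbits:isset,file.xml|file.gzip;".
# Group 1 is the action, group 2 the key part (absent for "flowbits:noalert;").
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

# Constructed sample rule set (not from the forum post). sid 2 is the only rule that
# checks file.pub, and it is disabled with '#', which reproduces the warning.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IDENTIFY pub"; flowbits:set,file.pub; flowbits:noalert; sid:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"uses file.pub"; flowbits:isset,file.pub; sid:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IDENTIFY xml"; flowbits:set,file.xml,file.group; flowbits:noalert; sid:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"uses xml or gzip"; flowbits:isset,file.xml|file.gzip; sid:4;)
"""

def audit_flowbits(rules_text):
    """Return (set_not_checked, checked_not_set): dicts key -> sorted list of sids.
    Lines starting with '#' count as disabled rules, which is how a rule set ends up
    with setters whose checkers have been switched off."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else -1
        for action, keys in FLOWBITS_RE.findall(line):
            if not keys:  # noalert and similar carry no key
                continue
            # isset may combine keys with & or |; a set may carry an optional group name,
            # which the regex already stops at (it does not match past a comma).
            for key in re.split(r"[&|]", keys):
                key = key.strip()
                if action.lower() in SETTERS:
                    set_by[key].add(sid)
                elif action.lower() in CHECKERS:
                    checked_by[key].add(sid)
    set_not_checked = {k: sorted(v) for k, v in set_by.items() if k not in checked_by}
    checked_not_set = {k: sorted(v) for k, v in checked_by.items() if k not in set_by}
    return set_not_checked, checked_not_set

def format_warnings(set_not_checked):
    """Render the findings in the same wording Snort logs, one line per key."""
    return [f"WARNING: flowbits key '{k}' is set but not ever checked." for k in sorted(set_not_checked)]

if __name__ == "__main__":
    unchecked, unset = audit_flowbits(SAMPLE_RULES)
    print("\n".join(format_warnings(unchecked)))
    print("checked but never set:", unset)
```

Running it over the real rules directory (concatenating every *.rules file) lists the sids that set each reported key, so you can decide whether to re-enable the checking rule or disable the setter.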

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Warnings in the intrusion detection

Post by barczs » March 24th, 2019, 10:46 am

Hello Matthias,
thank you very much for the quick tip. I need to dig deeper into Snort.
Do you happen to know how to implement PulledPork in IPFire? :o

Kind regards, S.B.
Best regards,
barczs

FischerM
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: Warnings in the intrusion detection

Post by FischerM » March 24th, 2019, 11:37 am

Hi,

I know it, but: no.

Since 'suricata' is "on the way" for IPFire 2.x, I would not put any more work into that anyway.

Regards,
Matthias

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Warnings in the intrusion detection

Post by barczs » March 24th, 2019, 12:57 pm

Hello Matthias,
OK, I know suricata is open source, which I would also prefer over a Cisco offshoot. I think in the meantime I will go back to Emergency Threats. :)
Kind regards, S.B.
Best regards,
barczs
