弁財天

Goffman: "Don't trust the experts; think and judge for yourself."

suricata-5.0.3 detects a flood of forged ACKs and forged RST attacks from Higashi-Shinagawa w update15

【nf_conntrack_】Live report on daq-2.0.7's aclocal-1.15 and libnetfilter_queue-1.0.5 w

snort-2.9.16 → suricata-5.0.3-1.fc32.x86_64

Since snort in IPS mode blows itself up and takes the kernel down with it, suricata goes in as a replacement w
The setup is the same in that it uses NFQ...

/etc/sysconfig/suricata

#OPTIONS="-i enp1s0 -q 2 --user suricata "
OPTIONS="-q 2 --user suricata "

20/6/2020 -- 17:42:32 - - [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified

With "-i enp1s0 -q 2" it is NFQ mode, so specifying an interface as well makes no sense, and that is apparently why it errors out w

suricata.readthedocs.io→12. Setting up IPS/inline for Linux — Suricata unknown documentation

nft> add chain filter IPS { type filter hook forward priority 10;}
Hooking NFQ onto a filter hook with lowered priority (priority 10) is also the same as with snort w

Our house now has a two-animal setup, snort and suricata w

Testing with suricata-5.0.3-1.fc32.x86_64 ✕ nftables v0.9.6 ✕ kernel-5.6.19-300.fc32.x86_64 w

Looking at /var/log/suricata/fast.log, you get this:

06/20/2020-20:39:59.661209 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:36073 -> 我が家.11 benzaiten.dyndns.org ZZ:80
06/20/2020-20:39:59.661209 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:36073 -> 我が家.11 benzaiten.dyndns.org ZZ:80

This message shows up in huge numbers w. Hmm, it's obviously Dentsu w

Australian government says cyberattacks on its national infrastructure have intensified, but "won't identify which country is involved" w

/etc/suricata/rules/stream-events.rules

# egrep '(2210045|2210046)' /etc/suricata/rules/stream-events.rules
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; classtype:protocol-command-decode; sid:2210045; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack"; stream-event:rst_invalid_ack; classtype:protocol-command-decode; sid:2210046; rev:2;)

214 detections in the 4 seconds from 20:39:57 to 20:40:01. Stuff like this gets logged endlessly w

About 944 from the same IP address (37.120.154.6) in the roughly 10 minutes from 20:39 to 20:51...

Presumably snort, which was handling this mass attack through the kernel's nf_conntrack, overflowed and went down w

The attack from 37.120.154.6 as recorded by suricata in fast.log w

Jun 15 06:34:01 localhost kernel: RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jun 15 06:34:01 localhost kernel: Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00  80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jun 15 06:34:01 localhost kernel: RSP: 0018:ffffbf2a0078b920 EFLAGS: 00010286
Jun 15 06:34:01 localhost kernel: RAX: 0000000100000000 RBX: ffff9fdc0e036640 RCX: 0000000080190015
Jun 15 06:34:01 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190015 RDI: ffff9fdd6783d180
Jun 15 06:34:01 localhost kernel: RBP: ffffbf2a0078b990 R08: 0000000000000000 R09: 0000000000000001
Jun 15 06:34:01 localhost kernel: R10: ffffbf2a0078b900 R11: fffff7eb0b380da0 R12: ffff9fda9184b300
Jun 15 06:34:01 localhost kernel: R13: 0000000000000002 R14: ffff9fdc0e036780 R15: 0000000000000000
Jun 15 06:34:01 localhost kernel: FS:  00007f7fc1e05880(0000) GS:ffff9fdd6f900000(0000) knlGS:0000000000000000
Jun 15 06:34:01 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 15 06:34:01 localhost kernel: CR2: 0000000100000084 CR3: 000000040c3de000 CR4: 00000000000406e0
Jun 15 06:34:01 localhost kernel: Call Trace:
Jun 15 06:34:01 localhost kernel: ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 15 06:34:01 localhost kernel: ? __nla_validate_parse+0x41/0x880
Jun 15 06:34:01 localhost kernel: nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 15 06:34:01 localhost kernel: nfqnl_recv_verdict+0x27d/0x4b0 [nfnetlink_queue]


suricata doesn't take the kernel down with it the way snort does, but it hangs w

When suricata hangs, the third value in /proc/net/netfilter/nfnetlink_queue, the number of packets waiting in the queue, keeps growing... Unless you monitor this value and detach NFQ when the failure happens, the server's NFQ'd ports stay hung w

20/6/2020 -- 23:34:57 - <Info> - binding this thread 0 to queue '2'
20/6/2020 -- 23:34:57 - <Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
20/6/2020 -- 23:34:57 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize

So, was listening to music on VLC the culprit? w Or should I just use Tor? w

# suricata-update update-sources
# suricata-update list-sources
# suricata-update enable-source et/open

06/21/2020-08:13:34.022599  [**] [1:2400011:2763] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 156.96.150.87 engraver.agedkites.com アメリカ合衆国 ニューヨーク州 US Pennsylvania Philadelphia (North Philadelphia) [ASN393504 XNS Technology Group Inc. 156.96.0.0/16]:54774 -> 我が家.11 benzaiten.dyndns.org ZZ:80
06/21/2020-10:58:24.960690  [**] [1:2400017:2763] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 181.177.112.242 アメリカ合衆国 ニューヨーク州 サファーン US New York Suffern [ASN263735 BUENA HOSTING, S.A. 181.177.64.0/18]:40721 -> 我が家.11 benzaiten.dyndns.org ZZ:80
06/21/2020-10:58:46.707456  [**] [1:2402000:5581] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 37.49.224.6 エストニア共和国 NL Drenthe Meppel [ASN133229 HostPalace Web Solution Pvt Ltd 37.49.224.0/24]:52091 -> 我が家.11 benzaiten.dyndns.org ZZ:80

ET DROP Spamhaus DROP Listed Traffic Inbound group 12
ET DROP Spamhaus DROP Listed Traffic Inbound group 18
ET DROP Dshield Block Listed Source group 1

Jun 21 10:42:00 localhost systemd-coredump[35352]: Process 4055 (Suricata-Main) of user 475 dumped core.#012#012Stack trace of thread 4055:#012#0  0x0000556df1dc2c13 BpfMapsInfoFree (suricata + 0x221c13)#012#1  0x0000556df1e1597e StorageFreeAll (suricata + 0x27497e)#012#2  0x0000556df1dc206e LiveDeviceListClean (suricata + 0x22106e)#012#3  0x0000556df1bc9dbd main (suricata + 0x28dbd)#012#4  0x00007f1201927042 __libc_start_main (libc.so.6 + 0x27042)#012#5  0x0000556df1bcb0ae _start (suricata + 0x2a0ae)
Jun 21 10:42:02 localhost abrt-notification[35407]: Process 52418 (suricata) crashed in BpfMapsInfoFree()

# /usr/sbin/suricata --build-info|grep " NF"
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC RUST 
  NFQueue support:                         yes
  NFLOG support:                           no

Since NFQ hangs, running in NFLOG mode for now w

table ip filter {
	chain NFQ_INPUT_BLOCK {
		type filter hook input priority filter + 10; policy accept;
		#meta l4proto { tcp, udp, tlsp } @th,16,16 { 25, 80, 443,8443 } queue num 2
		meta l4proto { tcp, udp, tlsp } th dport { 25, 80, 443, 8443 } log group 2
	}
}

moutane.net → Suricata / Victor Julien / OISF / July 7, 2014 (PDF)

NFLOG support 3
IDS
iptables -A FORWARD -j NFLOG --nflog-group 7
suricata --nflog=7
IPS
iptables -A FORWARD -j NFQUEUE --queue-num 10
suricata -q 10

libnetfilter_log-1.0.1.tar.bz2
suricata-5.0.3.tar.gz

# dnf install libyaml-devel
# dnf install file-devel
# dnf install epel-release
# dnf install lz4-devel
# dnf install rustc cargo
# dnf install libcap-ng-devel

# make;make install;make install-full

You can now start suricata by running as root something like:
  /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

21/6/2020 -- 18:28:27 -  - [ERRCODE: SC_WARN_NFLOG_MAXBUFSIZ_REACHED(257)] - Maximum buffer size (36864) in NFLOG has been reached. Please, consider raising `buffer-size` and `max-size` in nflog configuration

Did it hang simply because the buffer overflowed? w

elixir.bootlin.com→source/net/netfilter/nfnetlink_log.c

static int seq_show(struct seq_file *s, void *v)
{
	const struct nfulnl_instance *inst = v;

	seq_printf(s, "%5u %6u %5u %1u %5u %6u %2u\n",
		   inst->group_num,
		   inst->peer_portid, inst->qlen,
		   inst->copy_mode, inst->copy_range,
		   inst->flushtimeout, refcount_read(&inst->use));

	return 0;
}

# cat /proc/net/netfilter/nfnetlink_log
    2  68436     0 2 65531    100  1
NFLOG group number, port ID, queue length, copy mode, copy range, flush timeout, use count
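As an added example (not code from the blog or from the Suricata project), here is the monitor the post calls for: decode the nfnetlink_log table just explained and the /proc/net/netfilter/nfnetlink_queue table from earlier using the field names from the kernel's seq_show(), and flag an NFQ queue whose backlog (the third column) keeps growing across samples. The nfnetlink_queue column order is assumed from the kernel's nfnetlink_queue.c; the nfnetlink_queue readings are constructed, while the nfnetlink_log line is the one shown above.

```python
from typing import Dict, List

# Column names follow seq_show() in the kernel's nfnetlink_queue.c and
# nfnetlink_log.c (the post quotes the latter); extra trailing columns are ignored.
NFQUEUE_FIELDS = ["queue_num", "peer_portid", "queue_total", "copy_mode",
                  "copy_range", "queue_dropped", "user_dropped", "id_sequence"]
NFLOG_FIELDS = ["group_num", "peer_portid", "qlen", "copy_mode",
                "copy_range", "flushtimeout", "use"]


def parse_table(text: str, fields: List[str]) -> Dict[int, Dict[str, int]]:
    """Map queue/group number (first column) to a dict of named integer fields."""
    rows = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < len(fields):
            continue
        rec = {name: int(val) for name, val in zip(fields, cols)}
        rows[rec[fields[0]]] = rec
    return rows


def nfq_backlog_growing(samples: List[str], queue_num: int, limit: int) -> bool:
    """True when queue_total (3rd column) for queue_num rises in every sample and
    ends above limit: packets are queued but no verdicts come back (a hung consumer)."""
    totals = []
    for text in samples:
        rec = parse_table(text, NFQUEUE_FIELDS).get(queue_num)
        if rec is None:  # queue not bound at all: nothing is waiting on it
            return False
        totals.append(rec["queue_total"])
    rising = all(b > a for a, b in zip(totals, totals[1:]))
    return len(totals) >= 2 and rising and totals[-1] > limit


# Constructed readings of /proc/net/netfilter/nfnetlink_queue for queue 2:
# one healthy sample, then three taken while the consumer stops answering.
NFQ_HEALTHY = "    2  68436     0 2 65531     0     0     1234  1\n"
NFQ_HUNG = [
    "    2  68436   120 2 65531     0     0     1300  1\n",
    "    2  68436   410 2 65531     0     0     1590  1\n",
    "    2  68436   980 2 65531     0     0     2160  1\n",
]
# The post's own /proc/net/netfilter/nfnetlink_log line (group 2, qlen 0).
NFLOG_SAMPLE = "    2  68436     0 2 65531    100  1\n"

if __name__ == "__main__":
    print(parse_table(NFLOG_SAMPLE, NFLOG_FIELDS)[2])
    print("queue 2 backlog growing:", nfq_backlog_growing(NFQ_HUNG, 2, 500))
```

On the live host, feed nfq_backlog_growing() a few readings of the real file taken a few seconds apart; a True result is the moment to detach the queue rule before the NFQ'd ports hang.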

With OPTIONS="-q 2 --nflog=2 --user suricata " and the following:

table ip filter {
	chain NFQ_INPUT_BLOCK {
		type filter hook input priority filter + 10; policy accept;
		meta l4proto { tcp, udp, tlsp } th dport { 25, 80, 443, 8443 } log group 2
		meta l4proto { tcp, udp, tlsp } th dport { 25, 80, 443, 8443 } queue num 2
	}
}

suricata in an NFQ-based IPS setup also crashes inside the kernel and stops processing, just like snort w. But with the hybrid setup, the design seems to be that monitoring can continue over NFLOG even after the kernel crash w

Aggregating live-report script for suricata's /var/log/suricata/fast.log w

#!/usr/bin/perl
# Aggregate suricata's fast.log: one line per (source address, sid) with a hit count.

use strict;
use warnings;

my %FROM;

while (my $line = <>) {
    if ($line =~ /\[\*\*\]/) {
        chomp $line;
        # Signature id from the "[gid:sid:rev]" field, e.g. [1:2210045:2] -> 2210045.
        # Matched by pattern rather than split(/ /), so one or two spaces after
        # the timestamp make no difference.
        my ($code) = $line =~ /\[\d+:(\d+):\d+\]/;
        # Source address: first token after the "{TCP}" protocol field, minus ":port".
        my ($ip) = $line =~ /\{\w+\}\s+([^\s:]+)/;
        next unless defined $code && defined $ip;
        $FROM{$ip}{$code}{line} = $line;    # keep the latest line seen
        $FROM{$ip}{$code}{cnt}++;
    }
    else {
        print $line;                        # pass non-alert lines through
    }
}

# Flatten to one record per (address, sid) and list the busiest first,
# which is the order of the listing below.
my @rows;
foreach my $ip (keys %FROM) {
    push @rows, values %{$FROM{$ip}};
}

print "--- fast.log ...\n";
foreach my $r (sort { $b->{cnt} <=> $a->{cnt} } @rows) {
    print "[x".$r->{cnt}."] ".$r->{line}."\n";
}
print "--- fast.log .\n";

# End of FILE.

suricata's fast.log for June 21 to 22, 2020

[x472]06/20/2020-20:51:54.737702 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:39743 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x472]06/20/2020-20:51:54.737702 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:39743 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x341]06/20/2020-20:32:36.080205 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.86 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:44308 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x341]06/20/2020-20:32:36.080205 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.86 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:44308 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x139]06/21/2020-12:52:58.914639 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:47934 -> 我が家.11:8443
[x129]06/21/2020-12:52:58.914639 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:47934 -> 我が家.11:8443
[x111]06/22/2020-15:56:16.441113 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 1.72.0.136 sp1-72-0-136.msc.spmode.ne.jp 日本 東京都 東京 JP Tokyo Chiyoda [ASN9605 NTT DOCOMO, INC. 1.72.0.0/22]:15496 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x111]06/22/2020-15:56:16.441113 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 1.72.0.136 sp1-72-0-136.msc.spmode.ne.jp 日本 東京都 東京 JP Tokyo Chiyoda [ASN9605 NTT DOCOMO, INC. 1.72.0.0/22]:15496 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x104]06/21/2020-13:15:41.103712 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 220.11.10.110 softbank220011010110.bbtec.net 日本 JP Tokyo Minato-ku [ASN17676 SoftBank BB Corp. 220.0.0.0/10]:63135 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x104]06/21/2020-13:15:41.103712 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 220.11.10.110 softbank220011010110.bbtec.net 日本 JP Tokyo Minato-ku [ASN17676 SoftBank BB Corp. 220.0.0.0/10]:63135 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x82]06/21/2020-06:02:50.297912 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 180.14.61.65 p6091065-ipngn29501marunouchi.tokyo.ocn.ne.jp 日本 東京都 町田市 JP Tokyo Chiyoda (Marunouchi) [ASN4713 NTT Communications Corporation 180.0.0.0/10]:63350 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x82]06/21/2020-06:02:50.297912 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 180.14.61.65 p6091065-ipngn29501marunouchi.tokyo.ocn.ne.jp 日本 東京都 町田市 JP Tokyo Chiyoda (Marunouchi) [ASN4713 NTT Communications Corporation 180.0.0.0/10]:63350 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x75]06/21/2020-17:53:02.061246 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:38636 -> 我が家.11:80
[x63]06/22/2020-15:02:21.325793 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 61.193.92.218 eAc1Aak218.osk.mesh.ad.jp 日本 青森県 青森市 JP Tokyo Chiyoda [ASN2518 BIGLOBE Inc. 61.193.0.0/17]:52900 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/22/2020-15:02:21.325793 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 61.193.92.218 eAc1Aak218.osk.mesh.ad.jp 日本 青森県 青森市 JP Tokyo Chiyoda [ASN2518 BIGLOBE Inc. 61.193.0.0/17]:52900 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/21/2020-11:48:45.860834 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 115.36.20.195 115-36-20-195.chubu1.commufa.jp 日本 長野県 飯田市 JP Mie Yokkaichi (Chubu) [ASN18126 Chubu Telecommunications Company, Inc. 115.36.0.0/16]:50121 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/21/2020-11:48:45.860834 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 115.36.20.195 115-36-20-195.chubu1.commufa.jp 日本 長野県 飯田市 JP Mie Yokkaichi (Chubu) [ASN18126 Chubu Telecommunications Company, Inc. 115.36.0.0/16]:50121 -> 我が家.11 benzaiten.dyndns.org ZZ:80
