What Are Normal Users Supposed to Do with IDS Alerts from Network Gear?
2024-10-12 01:37:0 Author: taosecurity.blogspot.com

Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product.

When you enable this feature, you get alerts like this one, posted by a Redditor:

This is everything you get from Ubiquiti.

The Redditor is concerned that their system may be trying to compromise someone on the Internet.

This is my answer to how to handle these alerts.

==

This is another example of this sort of alert being almost worthless for most users.

The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point.

Here is one way to get SOME idea of what is happening.

Go to

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/

Download the rule file named after the first part of the alert's message. Here that is EXPLOIT.

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules

Find the rule that fired. This can take some digging. Here is what I ended up doing.

grep -i possible emerging-exploit.rules | grep -i log4j | grep -i obfuscation | grep -i udp | grep -i outbound

Here it is.

alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2023_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

You can ignore 90% of this. The key is here:

content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100

and here:

udp $HOME_NET any -> any any

Now, you have to guess how likely it is that you could have ANY UDP traffic from your home network to anywhere, on any port, that contains this string

24 7b

followed by this string

24 7b 3a 3a

within the next 100 bytes?

I'm guessing there's a decent chance that could happen in random, normal traffic.

Therefore, without any other evidence, I think you can ignore this alert.

If you want to have a better chance at understanding this in the future, please feel free to check out anything I've written about network security monitoring. Good luck!

==
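To see what kind of payload actually satisfies the two content matches quoted above, here is an added example of my own (not code from the post, from Ubiquiti or from Emerging Threats): a small Python model of Suricata's content/within matching for that one rule, run against constructed payloads. The bytes 24 7b are the ASCII text `${` and 24 7b 3a 3a is `${::`; `within:100` means the second match must end no more than 100 bytes after the first one ends, and that is the only Suricata option the model implements.

```python
import re

RULE = ('alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE '
        'Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; '
        'content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; '
        'reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3;)')

def decode_content(value):
    """Decode a content: value; |..| runs are hex bytes, the rest is literal text."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_contents(rule):
    """Return [(pattern, within_or_None), ...] in rule order. Only content: and
    within: are read; this rule uses no other option that affects matching."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    # split on ';' only outside quoted strings (an even number of '"' must follow)
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        key, _, val = opt.strip().partition(':')
        if key == 'content':
            contents.append([decode_content(val), None])
        elif key == 'within' and contents:
            contents[-1][1] = int(val)
    return [tuple(c) for c in contents]

def payload_matches(payload, rule=RULE):
    """True if every pattern occurs in order. within:N is modelled as Suricata
    defines it: the match must end no more than N bytes after the previous match
    ends. A pattern without within may match anywhere in the payload."""
    contents = parse_contents(rule)

    def search(idx, prev_end):
        if idx == len(contents):
            return True
        pat, within = contents[idx]
        start, end = (0, len(payload)) if within is None else (prev_end, prev_end + within)
        pos = payload.find(pat, start, end)
        while pos != -1:
            if search(idx + 1, pos + len(pat)):
                return True
            pos = payload.find(pat, pos + 1, end)
        return False

    return search(0, 0)
```

Constructed inputs such as `b'msg=${greeting} lang=${::en}'` (a harmless template-style string) satisfy the rule, while `b'${::x}'` alone does not, because the second match has to follow the first; that is the whole basis on which the alert fires.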

This problem is why I have promoted network security monitoring since 1998 and subtitled my first book "Beyond Intrusion Detection." Network intrusion detection, by itself, with no supporting data and without even rule explanations, is almost worthless.

Thankfully in this case the vendor is at least using an open rule set, enabling this feeble exploration.


Source: https://taosecurity.blogspot.com/2024/10/what-are-normal-users-supposed-to-do.html