IDS Comparisons with DShield Honeypot Data

Published: 2023-07-06
Last Updated: 2023-07-06 17:44:28 UTC
by What does an IDS say about honeypot traffic? (Version: 1)

An Intrusion Detection System (IDS) can help identify suspicious activity. The information received from these tools needs to be tuned to the environment so the tool can highlight what is unusual. When looking at honeypot data, internet scanners and malicious traffic are expected. So what's the point of looking at IDS data for a honeypot? Well, it can be useful to test an IDS or to compare different IDS tools. In my lab environment, network data is captured and analyzed with Suricata[1] (via Corelight[2]) and is also behind a Palo Alto[3] firewall.


Figure 1: Example Dashboard of Suricata IDS data


Figure 2: Example Dashboard of Palo Alto threat data

Suricata Data

Let's take a look at the last three (3) months of Suricata alert data. The data is split up into categories and signatures.

| alert.signature | alert.category | Count | Percentage |
|---|---|---|---|
| ET DROP Dshield Block Listed Source group 1 | Misc Attack | 144228 | 30.16% |
| ET DROP Dshield Block Listed Source group 1 | Unknown Classtype | 54374 | 16.28% |
| ET SCAN Potential SSH Scan | Attempted Information Leak | 22889 | 8.19% |
| ET SCAN MS Terminal Server Traffic on Non-standard Port | Attempted Information Leak | 14903 | 5.81% |
| ET INFO SSH-2.0-Go version string Observed in Network Traffic - Inbound | Misc activity | 6572 | 2.72% |
| GPL TELNET Bad Login | Potentially Bad Traffic | 6066 | 2.58% |
| ET SCAN Potential SSH Scan | Unknown Classtype | 4287 | 1.87% |
| ET INFO SSH-2.0-Go version string Observed in Network Traffic - Inbound | Unknown Classtype | 3929 | 1.75% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 84 | Misc Attack | 3363 | 1.52% |
| ET SCAN Suspicious inbound to MSSQL port 1433 | Potentially Bad Traffic | 3315 | 1.52% |
| GPL TELNET Bad Login | Unknown Classtype | 3016 | 1.41% |
| ET 3CORESec Poor Reputation IP group 18 | Misc Attack | 2767 | 1.31% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 81 | Misc Attack | 2701 | 1.30% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 83 | Misc Attack | 2514 | 1.22% |
| ET SCAN Sipvicious Scan | Attempted Information Leak | 2448 | 1.20% |
| ET SCAN Sipvicious User-Agent Detected (friendly-scanner) | Attempted Information Leak | 2420 | 1.21% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 78 | Misc Attack | 2305 | 1.16% |
| ET 3CORESec Poor Reputation IP group 17 | Misc Attack | 2263 | 1.15% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 77 | Misc Attack | 2113 | 1.09% |
| ET 3CORESec Poor Reputation IP group 19 | Misc Attack | 1997 | 1.04% |

Figure 3: Suricata Top 20 Signatures

We see a variety of alerts related to Emerging Threats (ET) [4], and many of these are related to DShield honeypot data [5]. This is not a big surprise, since this data is generated directly from DShield honeypot traffic. Collective Intelligence Network Security (CINS) [6] entries are similar, using a variety of network sensors and other network data to generate their reputation lists. Some consumers of this data may simply use these signatures to block suspicious sources when using Suricata or other products as an Intrusion Prevention System (IPS).

Looking at this list, we can see a few items of note:

  • Potential SSH Scan
  • MS Terminal Server Traffic on Non-Standard Port
  • TELNET Bad Login
  • Suspicious Inbound to MSSQL port 1433
  • Sipvicious Scan
  • Sipvicious User-Agent Detected (friendly-scanner)

SSH and telnet attacks are very common and anticipated. How about the least common signatures seen?

| Suricata alert.signature | Suricata alert.category | Count | Percentage |
|---|---|---|---|
| ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 10 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 12 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 13 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 14 | Misc Attack | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 17 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 7 | Unknown Classtype | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 8 | Misc Attack | 1 | 0.00% |
| ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi | Attempted Information Leak | 1 | 0.00% |
| ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices | Attempted Information Leak | 1 | 0.00% |
| ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1 | Attempted Administrator Privilege Gain | 1 | 0.00% |
| ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 | Attempted Administrator Privilege Gain | 1 | 0.00% |
| ET EXPLOIT Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M3 | A Network Trojan was detected | 1 | 0.00% |
| ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995) | Attempted Administrator Privilege Gain | 1 | 0.00% |
| ET EXPLOIT Linksys E-Series Device RCE Attempt | Attempted Administrator Privilege Gain | 1 | 0.00% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 52 | Misc Attack | 530 | 0.11% |
| ET EXPLOIT Possible Vacron NVR Remote Command Execution | Unknown Classtype | 1 | 0.00% |
| ET CINS Active Threat Intelligence Poor Reputation IP group 93 | Misc Attack | 529 | 0.11% |
| ET MALWARE BPFDoor V2 UDP Magic Packet Inbound | A Network Trojan was detected | 1 | 0.00% |
| ET DROP Spamhaus DROP Listed Traffic Inbound group 3 | Misc Attack | 529 | 0.11% |

Figure 4: Top 20 least common Suricata signatures

These are a bit more interesting and may call for further investigation since they're seen less often, even for a device we anticipate being attacked regularly.

Palo Alto Data

Now let's dig into the last three (3) months of Palo Alto Threat log data.

| Palo Alto Threat Signature | Count | Percentage |
|---|---|---|
| SSH2 Login Attempt | 788446 | 83.97% |
| Suspicious HTTP Evasion Found | 29816 | 3.18% |
| Non-RFC Compliant TELNET Traffic on Port 23 | 28997 | 3.09% |
| SSH2 Failed Login Attempt | 18040 | 1.92% |
| SSH User Authentication Brute Force Attempt | 15273 | 1.63% |
| Compromised username found in inbound Telnet login | 8881 | 0.95% |
| Ncrack RDP scan | 6062 | 0.65% |
| SIPVicious Scanner Detection | 5410 | 0.58% |
| Possible HTTP Malicious Payload Detection | 4300 | 0.46% |
| Suspicious File Downloading Detection | 3395 | 0.36% |
| Suspicious TLS Evasion Found | 3380 | 0.36% |
| LinkSys E-series Routers Remote Code Execution Vulnerability | 3057 | 0.33% |
| Microsoft Communicator INVITE Flood Denial of Service Vulnerability | 2207 | 0.24% |
| ZGrab Application Layer Scanner Detection | 1993 | 0.21% |
| Non-RFC Compliant DNS Traffic on Port 53/5353 | 1631 | 0.17% |
| ELF File | 1263 | 0.13% |
| DNS ANY Request | 1159 | 0.12% |
| DER Encoded X509 Certificate | 1023 | 0.11% |
| Hypertext Preprocessor PHP File | 907 | 0.10% |
| trojan/Linux.mirai.dxxe | 814 | 0.09% |

Figure 5: Top 20 most common Palo Alto threats

These threats are more specific and not necessarily related to a particular threat list/feed. Let's take a look at the least common threats.

| Palo Alto Signature | Count | Percentage |
|---|---|---|
| DoS/Linux.xorddos.c | 1 | 0.00% |
| GTPv1-C Create PDP Context Request Message | 1 | 0.00% |
| Tunneling:zhangsh08.com | 1 | 0.00% |
| BZIP2 | 2 | 0.00% |
| Bash Remote Code Execution Vulnerability | 2 | 0.00% |
| JavaServer Pages JSP File | 2 | 0.00% |
| Kolibri WebServer HTTP GET Request Buffer Overflow Vulnerability | 2 | 0.00% |
| Shellshock Bash Remote Code Execution Vulnerability | 2 | 0.00% |
| Suspicious or malformed HTTP Referer field | 2 | 0.00% |
| TP-Link Archer Router Command Injection Vulnerability | 2 | 0.00% |
| Virus/Linux.WGeneric.dymlyv | 2 | 0.00% |
| Virus/Linux.WGeneric.dyoqem | 2 | 0.00% |
| Virus/Linux.WGeneric.dypncj | 2 | 0.00% |
| Windows Executable | 2 | 0.00% |
| new:ap-5590.com | 2 | 0.00% |
| new:nar7878.com | 2 | 0.00% |
| new:qphgcrh.cn | 2 | 0.00% |
| Encrypted ZIP | 3 | 0.00% |
| Non-RFC Compliant HTTP Traffic on Port 80 | 3 | 0.00% |
| ASUS/Netcore Router Default Credential Remote Code Execution Vulnerability | 4 | 0.00% |

Figure 6: Top 20 least common Palo Alto Threats

Comparing Attack Data and Signatures

There was only one "ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02" signature alert, which should give some good data points to pivot with.


Figure 7: Suricata alert data for Possible NTP DDoS attack

Looking into the Palo Alto data, there are traffic logs that may correlate, but no specific threat data showed up in the collected logs.


Figure 8: Traffic logs from Palo Alto nearest to Suricata alert

Luckily, I also collect full PCAPs of my honeypot using tcpdump. While there have been issues noted with some of these captures in the past[7], they can be useful in just these kinds of situations, since no additional information is logged directly by the honeypot itself.


Figure 9: PCAP data that generated Suricata alert

Since we have the full packet capture, we can also compare this with the Suricata rule [8].

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2;)
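To make the comparison concrete, the following Python is an added example (not code from the diary or from Suricata) that applies the rule's content and byte_test conditions to UDP payloads and models its threshold (type both, track by_dst, count 2, seconds 60) in simplified form, so a capture can be checked offline against what the rule requires. The payload bytes, the 192.0.2.10 address and all function and class names are constructed for the example.

```python
# Added example: offline evaluation of the quoted rule (sid 2017918).
# BothThreshold is a simplified model, not Suricata's own implementation.

def payload_matches(payload: bytes) -> bool:
    """Content and byte_test conditions of the rule, applied to a UDP payload."""
    if len(payload) < 4:
        return False
    first = payload[0]
    return (
        payload[1:4] == b"\x00\x02\x2a"  # content:"|00 02 2A|"; offset:1; depth:3
        and (first & 128) == 0           # byte_test:1,!&,128,0 -> request, not response
        and (first & 7) == 7             # byte_test &,4 / &,2 / &,1 -> NTP mode 7
    )


class BothThreshold:
    """threshold: type both, track by_dst, count 2, seconds 60 (simplified)."""

    def __init__(self, count=2, seconds=60):
        self.count, self.seconds = count, seconds
        self.windows = {}  # dst -> (window_start, matches_in_window)

    def hit(self, dst, ts):
        start, seen = self.windows.get(dst, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, seen = ts, 0
        seen += 1
        self.windows[dst] = (start, seen)
        return seen == self.count        # alert once, on the count-th match


def replay(packets):
    """packets: (ts, dst_ip, dst_port, payload) tuples; returns (ts, dst) alerts."""
    threshold, alerts = BothThreshold(), []
    for ts, dst, dport, payload in packets:
        if dport == 123 and payload_matches(payload) and threshold.hit(dst, ts):
            alerts.append((ts, dst))
    return alerts


# Constructed sample payloads (not taken from the diary's PCAP).
MODE7_IMPL2 = bytes.fromhex("1700022a") + bytes(4)   # request, mode 7, impl 0x02, code 0x2A
MODE7_IMPL3 = bytes.fromhex("1700032a") + bytes(4)   # different implementation byte
MODE7_REPLY = bytes.fromhex("9700022a") + bytes(4)   # response bit set
CLIENT_MODE3 = bytes([0x23]) + bytes(47)             # ordinary NTP client packet
HONEYPOT = "192.0.2.10"                              # documentation address
SAMPLE = [(0, HONEYPOT, 123, CLIENT_MODE3), (1, HONEYPOT, 123, MODE7_IMPL2),
          (2, HONEYPOT, 123, MODE7_IMPL2), (3, HONEYPOT, 123, MODE7_IMPL2),
          (4, HONEYPOT, 123, MODE7_IMPL3), (90, HONEYPOT, 123, MODE7_IMPL2)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Under this model a single matching packet never alerts, and a burst of them to one destination alerts once per 60-second window, which is worth keeping in mind when reading a count of 1 for this signature.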

The rule appears to be from late 2017, but for whatever reason this information wasn't logged by the Palo Alto. As with any tool, there could be several reasons for this:

  • Palo Alto did not have this traffic content identified as an alert on the day/time of the event
  • This may have not been deemed suspicious traffic by Palo Alto
  • Information was not logged properly
  • Resource constraints caused problems processing or storing the data
  • The Suricata rule may not be accurate

An IDS can help identify traffic of interest, but must be tailored to the environment. In addition, different tools have different results. Testing your tools by replicating traffic of interest can help identify whether they work as desired. This is also an interesting comparison between different tools, of which Suricata has more community-supplied content. Community-supplied rules may not always be accurate, although that does not mean this was the case in the last NTP example.

[1] https://suricata.io/
[2] https://corelight.com/
[3] https://www.paloaltonetworks.com/
[4] https://rules.emergingthreats.net/open/suricata-5.0/
[5] https://www.dshield.org/block.txt
[6] https://cinsarmy.com/active-threat-intelligence/
[7] https://isc.sans.edu/diary/Network+Data+Collector+Placement+Makes+a+Difference/29664
[8] https://github.com/seanlinmt/suricata/blob/master/files/rules/emerging-dos.rules

--
Jesse La Grew
Handler
