While reviewing Security logs, you've noticed a significant amount of IPS packet drops. For example:
IPS: Packet drop, severity: Blacklist, Rule ID: 1:2402000 ET DROP Dshield Block Listed Source group 1, proto:TCP, ip/port:194.26.x.x:41404 -> 10.251.x.x:33011
IPS: Packet drop, severity: Blacklist, Rule ID: 1:2500022 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 12, proto:TCP, ip/port:185.176.x.x:47740 -> 10.251.x.x:3387
IPS: Alert, severity: High, Rule ID: 1:2525014 ET 3CORESec Poor Reputation IP TCP group 8, proto:TCP, ip/port:185.175.x.x:55964 -> 10.251.x.x:8787 (control)
This article provides detailed explanations about these IPS entries.
Kerio Control is using the Snort library for identifying potential network intrusions. Snort can perform real-time traffic analysis and packet logging. Snort uses thousands of rules to identify compromised or potentially compromised systems.
For more information, please refer to Snortology 101.
Every snort alert uses the following format:
[1:2007588:2] that stands for [(detection mechanism):(signature ID):(signature revision)]
The middle number (SID) can be used for finding extended details about the particular intrusion.
- If the SID number is less than 1000000, it is a SourceFire rule (the company that maintains the snort source code). In this case, you can get more information about the rule by going to Snort Rule Doc Search.
- If the number is between 1000000 and 2000000, it is a snort community rule. In this case, the best source of information will be the rule itself which can be downloaded from Community Rules. These rules are rarely updated.
- If the number is between 2000000 and 3000000, it comes from Emergingthreats and you can get more information at https://doc.emergingthreats.net/<sid number>, for example, https://doc.emergingthreats.net/2007588
Kerio Control IPS logs use a similar format:
[action][severity][Rule ID][protocol][sourceIP][sourcePort] -> [destinationIP][destinationPort]
Action can be Alert or Drop. Severity might show High, Medium, Low, and Blacklist values.
Important: by default, Low severity and Tor Exit Nodes blacklist are not being captured by IPS ("Do nothing" action).
The IPS packet drop entries mentioned in the beginning report the following intrusions:
- This signature 2402000 simply drops packets when any inbound traffic matches any IP from the Drop Dshield block list. This ruleset takes a daily list of the top attackers reported to Dshield and converts them into Snort signatures, Bro Signatures, and Firewall rules.
- This signature 2500022 drops packets from hosts that are known to be compromised by bots, phishing sites, etc, or known to be spewing hostile traffic.
- This signature 2525014 alerted to a host that is not likely sending malicious intent but just hitting a bad reputation from the 3CORESEC database.