
nemea-detectors's Introduction

NEMEA Detectors

Detection modules of the NEMEA system provide mechanisms for automatic detection of malicious network traffic. This repository contains modules with the following detection capabilities:

  • amplification_detection: universal detector of DNS/NTP/... amplification attacks
  • blacklistfilter: module that checks whether observed IP addresses are listed in any of the given publicly available blacklists
  • hoststatsnemea: universal detection module based on per-host traffic statistics; it can detect some types of DoS, DDoS and scanning
  • sip_bf_detector: detector of brute-force attacks attempting to breach passwords of users on SIP (Session Initiation Protocol) devices
  • tunnel_detection: detector of communication tunnels over DNS (e.g. using iodine or tcp2dns)
  • voip_fraud_detection: detector of dial-scheme guessing against Session Initiation Protocol (SIP) devices
  • vportscan_detector: detector of vertical scans based on TCP SYN

nemea-detectors's People

Contributors

aisik00, betadeltic, cejkato2, deepsourcebot, dependabot[bot], havraji6, janskto1, jaroslavh, krkos, ladislavmacoun, lepici, lukas955, mvido, mzadnik, ottohollmann, petrmiculek, qha, radim955, rosazden, sabikerik, siskapavel, sustefil, svepemar, tomasduracka, tomassrnka, truxaluk, vaclavbartos, xhurta01, xrupri00, zahuba


nemea-detectors's Issues

Urlblacklistfilter slow blacklist file reloading

The prefix tree used in urlblacklistfilter is deleted and reloaded every time a new blacklist file is available, which is inefficient. We should adapt the urlblacklistfilter to work with diffs (adding and removing elements from the prefix tree). This also affects the blacklist downloader, which has to create the diff files.
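One way the diff-based reload described in this issue could look, as an added example that is not code from nemea-detectors or from the issue author: a small URL prefix tree with incremental add and remove (pruning nodes that no longer lead anywhere), a diff of two blacklist versions, and a function that applies that diff instead of rebuilding the tree. The class and function names (UrlPrefixTree, diffBlacklists, applyDiff) and the two sample lists are constructed for this example and are not the module's real data structures or blacklist content.

```cpp
// Added example, not part of nemea-detectors: incremental URL prefix tree
// updated from a diff of two blacklist versions instead of a full rebuild.
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct PrefixNode {
    std::map<char, std::unique_ptr<PrefixNode>> children;
    bool terminal = false;  // a blacklisted prefix ends at this node
};

class UrlPrefixTree {
public:
    void add(const std::string &prefix) {
        PrefixNode *n = &root_;
        for (char c : prefix) {
            std::unique_ptr<PrefixNode> &child = n->children[c];
            if (!child) child.reset(new PrefixNode());
            n = child.get();
        }
        n->terminal = true;
    }

    // Remove one prefix; nodes that are no longer on any path are pruned.
    bool remove(const std::string &prefix) { return removeRec(&root_, prefix, 0); }

    // True if some blacklisted prefix is a prefix of url.
    bool matches(const std::string &url) const {
        const PrefixNode *n = &root_;
        for (char c : url) {
            auto it = n->children.find(c);
            if (it == n->children.end()) return false;
            n = it->second.get();
            if (n->terminal) return true;
        }
        return false;
    }

    size_t size() const { return count(&root_); }

private:
    PrefixNode root_;

    static bool removeRec(PrefixNode *n, const std::string &p, size_t i) {
        if (i == p.size()) {
            if (!n->terminal) return false;  // prefix was never in the tree
            n->terminal = false;
            return true;
        }
        auto it = n->children.find(p[i]);
        if (it == n->children.end()) return false;
        bool removed = removeRec(it->second.get(), p, i + 1);
        if (removed && !it->second->terminal && it->second->children.empty())
            n->children.erase(it);  // prune dead branch on the way back up
        return removed;
    }

    static size_t count(const PrefixNode *n) {
        size_t c = n->terminal ? 1 : 0;
        for (const auto &kv : n->children) c += count(kv.second.get());
        return c;
    }
};

// Diff produced by the downloader: entries to add and entries to remove.
struct BlacklistDiff {
    std::vector<std::string> added;
    std::vector<std::string> removed;
};

BlacklistDiff diffBlacklists(const std::set<std::string> &oldList,
                             const std::set<std::string> &newList) {
    BlacklistDiff d;
    for (const auto &e : newList) if (!oldList.count(e)) d.added.push_back(e);
    for (const auto &e : oldList) if (!newList.count(e)) d.removed.push_back(e);
    return d;
}

// Apply the diff in place: removals first so a re-added entry is not pruned.
void applyDiff(UrlPrefixTree &tree, const BlacklistDiff &d) {
    for (const auto &e : d.removed) tree.remove(e);
    for (const auto &e : d.added) tree.add(e);
}

// Constructed sample lists (documentation-style names, not real blacklists).
const std::set<std::string> kOldList = {"evil.example/", "bad.test/path"};
const std::set<std::string> kNewList = {"evil.example/", "worse.invalid/x"};

int main() {
    UrlPrefixTree tree;
    for (const auto &e : kOldList) tree.add(e);
    applyDiff(tree, diffBlacklists(kOldList, kNewList));
    std::printf("entries after diff: %zu, worse.invalid/x/y matches: %d\n",
                tree.size(), tree.matches("worse.invalid/x/y") ? 1 : 0);
    return 0;
}
```

The diff is applied with removals before additions so that an entry present in both lists but changed in case or trailing slash is not pruned after being re-added; the downloader only has to emit the two lists, which is the change the issue asks for on its side.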

SIP BF detector: Build fails on F24

sip_bf_detector.cpp:544:60: error: call of overloaded 'abs(long unsigned int)' is ambiguous
       if (((uint64_t) abs(time_actual - user->m_last_action)) > g_free_mem_interval) {

Output from copr:

make[3]: Entering directory '/builddir/build/BUILD/nemea-detectors-1.3.0/sip_bf_detector'
  CXX    sip_bf_detector-sip_bf_detector.o
  CC     fields.o
sip_bf_detector.cpp:822:24: warning: C++11 requires a space between string literal and macro [-Wc++11-compat]
          sscanf(optarg,"%"SCNu64"", &g_alert_threshold);
                        ^
sip_bf_detector.cpp:830:24: warning: C++11 requires a space between string literal and macro [-Wc++11-compat]
          sscanf(optarg,"%"SCNu64"", &g_check_mem_interval);
                        ^
sip_bf_detector.cpp:838:24: warning: C++11 requires a space between string literal and macro [-Wc++11-compat]
          sscanf(optarg,"%"SCNu64"", &g_free_mem_interval);
                        ^
sip_bf_detector.cpp:846:24: warning: C++11 requires a space between string literal and macro [-Wc++11-compat]
          sscanf(optarg,"%"SCNu8"", &g_skip_alerts);
                        ^
sip_bf_detector.cpp: In member function 'bool AttackedServer::free_unused_users(time_t)':
sip_bf_detector.cpp:544:60: error: call of overloaded 'abs(long unsigned int)' is ambiguous
       if (((uint64_t) abs(time_actual - user->m_last_action)) > g_free_mem_interval) {
                                                            ^
In file included from /usr/include/c++/6.1.1/cstdlib:75:0,
                 from /usr/include/c++/6.1.1/stdlib.h:36,
                 from /usr/include/libtrap/jansson.h:12,
                 from /usr/include/libtrap/trap.h:57,
                 from sip_bf_detector.h:56,
                 from sip_bf_detector.cpp:44:
/usr/include/stdlib.h:774:12: note: candidate: int abs(int)
 extern int abs (int __x) __THROW __attribute__ ((__const__)) __wur;
            ^~~
In file included from /usr/include/c++/6.1.1/stdlib.h:36:0,
                 from /usr/include/libtrap/jansson.h:12,
                 from /usr/include/libtrap/trap.h:57,
                 from sip_bf_detector.h:56,
                 from sip_bf_detector.cpp:44:
/usr/include/c++/6.1.1/cstdlib:180:3: note: candidate: long long int std::abs(long long int)
   abs(long long __x) { return __builtin_llabs (__x); }
   ^~~
/usr/include/c++/6.1.1/cstdlib:172:3: note: candidate: long int std::abs(long int)
   abs(long __i) { return __builtin_labs(__i); }
   ^~~
Makefile:407: recipe for target 'sip_bf_detector-sip_bf_detector.o' failed
make[3]: Leaving directory '/builddir/build/BUILD/nemea-detectors-1.3.0/sip_bf_detector'
make[3]: *** [sip_bf_detector-sip_bf_detector.o] Error 1
make[2]: *** [all] Error 2
Makefile:262: recipe for target 'all' failed
make[2]: Leaving directory '/builddir/build/BUILD/nemea-detectors-1.3.0/sip_bf_detector'
Makefile:346: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/builddir/build/BUILD/nemea-detectors-1.3.0'
Makefile:273: recipe for target 'all' failed
make: *** [all] Error 2
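The ambiguity above comes from subtracting an unsigned 64-bit member from a signed time_t: the result is promoted to unsigned long, and abs() offers only int, long and long long overloads, so GCC 6 cannot pick one. The unsigned subtraction also wraps whenever the stored timestamp is ahead of the current time, so the idle check gets a huge value even if abs() compiled. As an added example (not the project's fix, and the helper names are made up here), the comparison can be written without abs() at all; it assumes m_last_action is a uint64_t, which is consistent with the "abs(long unsigned int)" in the error:

```cpp
// Added example, not code from nemea-detectors: idle-time check that avoids
// calling abs() on an unsigned difference (the error reported on F24/GCC 6).
#include <cstdint>
#include <cstdio>
#include <ctime>

// Absolute difference of two timestamps; the subtraction always runs in the
// direction that cannot wrap, so no abs() overload is needed.
inline uint64_t abs_time_diff(uint64_t a, uint64_t b) {
    return a > b ? a - b : b - a;
}

// Same predicate as the free_unused_users() check, with the assumed types:
// time_actual is time_t, last_action and free_mem_interval are uint64_t.
inline bool idle_longer_than(time_t time_actual, uint64_t last_action,
                             uint64_t free_mem_interval) {
    return abs_time_diff(static_cast<uint64_t>(time_actual), last_action) > free_mem_interval;
}

// What the original expression computes when last_action is in the future
// (clock skew, or a record updated by another thread): the unsigned
// subtraction wraps instead of producing a small negative number.
inline uint64_t wrapped_unsigned_diff(time_t time_actual, uint64_t last_action) {
    return static_cast<uint64_t>(time_actual) - last_action;
}

int main() {
    const time_t now = 1000;
    std::printf("idle(now=1000, last=100, interval=500)  = %d\n", idle_longer_than(now, 100, 500));
    std::printf("idle(now=1000, last=1500, interval=500) = %d\n", idle_longer_than(now, 1500, 500));
    std::printf("wrapped diff for last=1500: %llu\n",
                static_cast<unsigned long long>(wrapped_unsigned_diff(now, 1500)));
    return 0;
}
```

If the intent is to free only records that are genuinely stale, a one-sided check (time_actual > last_action && time_actual - last_action > interval) is also an option; the symmetric form above keeps the original semantics of treating a future timestamp as "far away".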

Bruteforce detection does not report targets

The bruteforce detector puts input and output targets into the NOTE output field. Would it make sense to add some target fields instead? Possibly a dynamic one from which the reporter could extract all IP addresses? It would help to improve the quality of the reported incidents.

BTW what is the meaning of input/output targets? What is the difference?

Move sup files from supervisor to detectors

According to the mailing list (the following messages), sup files will be moved from the Nemea-Supervisor repo into this repo.

https://random.cesnet.cz/pipermail/nemea/2016-November/000016.html
https://random.cesnet.cz/pipermail/nemea/2016-November/000017.html
https://random.cesnet.cz/pipermail/nemea/2016-November/000018.html

A macro NEMEASUPDIR must be defined to specify default path for installation of the sup files.

@thorgrin suggested to use /etc/nemea/sup-available/ as a default value for NEMEASUPDIR.

Horizontal scan detector address aggregation

This is a feature request. Would it be possible to devise an algorithm to aggregate IP addresses for some detection modules, most importantly the horizontal scan detection, into whole subnets?

The reason is that when an attacker scans an entire /16 network, we only see a handful of IPs. Reporting subnets would make a lot of sense here. I can imagine that reporting subnets with 90+% scanned would be really useful.
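A minimal version of the aggregation this request asks for, as an added example that is not code from nemea-detectors or from the requester: distinct scanned targets are grouped by prefix (here /24), coverage is the number of distinct hosts seen over the size of the prefix (network and broadcast addresses included, a choice made for this example), and only prefixes at or above a threshold are reported. The function names and the sample target list (RFC 5737 documentation ranges) are constructed for the example; the real detector's record format and thresholds are not assumed.

```cpp
// Added example, not part of nemea-detectors: aggregate scanned targets per
// prefix and report subnets whose coverage reaches a threshold.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Parse dotted-quad IPv4 into a host-order integer; false on malformed input.
bool parse_ipv4(const std::string &s, uint32_t &out) {
    std::istringstream in(s);
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) {
        std::string part;
        if (!std::getline(in, part, '.')) return false;
        if (part.empty() || part.size() > 3) return false;
        for (char c : part) if (c < '0' || c > '9') return false;
        int n = std::stoi(part);
        if (n > 255) return false;
        v = (v << 8) | static_cast<uint32_t>(n);
    }
    if (!in.eof()) return false;  // reject trailing garbage such as "1.2.3.4.5"
    out = v;
    return true;
}

std::string ipv4_to_string(uint32_t v) {
    std::ostringstream o;
    o << ((v >> 24) & 255) << '.' << ((v >> 16) & 255) << '.'
      << ((v >> 8) & 255) << '.' << (v & 255);
    return o.str();
}

struct SubnetReport {
    std::string prefix;    // e.g. "192.0.2.0/24"
    size_t scanned_hosts;  // distinct target addresses observed in the prefix
    double coverage;       // scanned_hosts / addresses in the prefix
};

// Group distinct targets by /prefix_len; return prefixes with coverage >= threshold.
std::vector<SubnetReport> aggregate_targets(const std::vector<std::string> &targets,
                                            int prefix_len, double threshold) {
    const uint32_t mask = prefix_len == 0 ? 0u : (0xFFFFFFFFu << (32 - prefix_len));
    const double subnet_size = static_cast<double>(1ull << (32 - prefix_len));
    std::map<uint32_t, std::set<uint32_t>> hosts_per_subnet;
    for (const auto &t : targets) {
        uint32_t ip;
        if (!parse_ipv4(t, ip)) continue;  // skip malformed records
        hosts_per_subnet[ip & mask].insert(ip);  // set: duplicates count once
    }
    std::vector<SubnetReport> out;
    for (const auto &kv : hosts_per_subnet) {
        double cov = static_cast<double>(kv.second.size()) / subnet_size;
        if (cov >= threshold)
            out.push_back({ipv4_to_string(kv.first) + "/" + std::to_string(prefix_len),
                           kv.second.size(), cov});
    }
    return out;
}

// Constructed sample: 240 hosts of 192.0.2.0/24 scanned, 5 hosts of
// 198.51.100.0/24, one duplicate and one malformed record.
std::vector<std::string> make_sample_targets() {
    std::vector<std::string> t;
    for (int h = 1; h <= 240; ++h) t.push_back("192.0.2." + std::to_string(h));
    for (int h = 1; h <= 5; ++h) t.push_back("198.51.100." + std::to_string(h));
    t.push_back("192.0.2.1");  // duplicate, must not be double-counted
    t.push_back("not-an-ip");  // malformed, skipped
    return t;
}

int main() {
    for (const auto &r : aggregate_targets(make_sample_targets(), 24, 0.9))
        std::printf("%s  hosts=%zu  coverage=%.3f\n", r.prefix.c_str(), r.scanned_hosts, r.coverage);
    return 0;
}
```

With the 90% threshold only 192.0.2.0/24 is reported (240 of 256 addresses); the five hits in 198.51.100.0/24 stay as individual targets, which is the behaviour the request wants for partially scanned ranges.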

Miner detector does not detect minergate.com

I've been running miner_detector in order to detect connections to the minergate pool at xmr.pool.minergate.com:45560. However, even when I lowered the threshold to 7 (the default was 9; the readme seems to be outdated), it did not detect the communication. Moreover, I was running tcpdump the whole time looking for communication to port 45560, and it seems that the active stratum check was never performed.

I think that this module needs to be updated so that it detects current crypto miners, otherwise it is of no use to anybody.

SpyEye Tracker has been discontinued.

Nemea-Detectors/master/blacklistfilter/ipdetect/bld_userConfigFile.xml contains a link to a discontinued list, SpyEye Tracker.

I believe SpyEye can be removed from black list filters.
