Friday, May 9, 2014

Suricata IDS -- OpenVAS Vulnerability Scan

Introduction

This article describes an OpenVAS vulnerability scan of a Linux/Exchange 2010 messaging and collaboration system.  A Linux workstation performs the scan against a Linux security appliance in the DMZ that protects an Exchange infrastructure in the private network.

Several articles are prerequisite reading for this one:
Postfix Mail Gateway to Exchange
Apache Reverse Proxy Server to Exchange Client Access Web Services
Linux Security Appliance for Microsoft Services
Installing Suricata, Barnyard2 and Snorby

Background

The illustration below depicts the test environment. A Linux workstation equipped with OpenVAS will scan the address servicing HTTP/HTTPS and SMTP services.  A Linux Security appliance is located in the DMZ and services these traffic types and then forwards them to the Exchange Edge Services (also HTTP/HTTPS and SMTP).  This traffic is then managed by the Exchange infrastructure.

Suricata is installed on a hub in the DMZ.  Hubs operate at Layer 1 of the OSI model and forward all traffic to every port on the device.  The attached servers and workstations then decide what traffic to accept or reject based upon the destination MAC address in the Ethernet frame; they also negotiate media access.

Switches operate at Layer 2 of the OSI model.  They maintain a table of connected MAC addresses and forward traffic only to the port to which the destination MAC address is attached.  In this example, a switch would only forward inbound Internet traffic to the port to which the Linux Security Device is attached.  However, higher-end switches also support port forwarding (more commonly called port mirroring or SPAN), in which specified traffic is also copied to a defined port, which in this case would be the Suricata server's port.

For an IDS to see traffic of interest, it must either be on a hub or on a switch with port forwarding enabled and configured to forward to the Suricata server's port.

OpenVAS Results

OpenVAS operates primarily at Layer 3 (Network - IP) and Layer 4 (Transport - TCP) of the OSI model.  It first determines which well-known ports are listening on the target IP address.
Open TCP ports: 80, 443, 25
It then attempts to fingerprint the applications running on those ports.  In this case it determined the web server is Apache version 2.2.22, but it was unable to fingerprint the mail server (Postfix).
Detected Apache version: 2.2.22
Location: 80/tcp
CPE: cpe:/a:apache:http_server:2.2.22
Concluded from version identification result:
Server: Apache/2.2.22

Nmap service detection result for this port: smtp
This is a guess. A confident identification of the service was not possible.
Once OpenVAS has narrowed the potential ports and applications, it runs checks only for those vulnerabilities associated with the fingerprinted applications.  For this scan, it identified 4 Medium Risk and 2 Low Risk vulnerabilities in Apache and logged 27 other results.

A PDF of the scan results is available here.

Suricata Results

Suricata was able to detect suspicious traffic signatures.  It first identified the OpenVAS port scans.  It then identified several different attempts to identify Apache server weaknesses (such as malformed requests).  It also identified HTTP traffic targeting specific application vulnerabilities (e.g. ColdFusion and Magento), such as attempts to gain elevated privileges and access user names and passwords.  It also detected an attempt to exploit a Heartbleed vulnerability.

Suricata detected a total of 43 High, 1 Medium and 60 Low Severity intrusion attempts.
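The severity tally above comes from Snorby; the following is an added example (not code from this post or from the Suricata project) that produces the same kind of summary directly from Suricata's own fast.log alert lines, so a defender can check the scan's footprint without the Barnyard2/Snorby chain. It assumes fast.log's one-line format, the conventional priority-to-severity mapping (1 = High, 2 = Medium, 3 = Low), and the alert lines, SIDs and addresses shown are constructed for illustration.

```python
import re
from collections import Counter

# Suricata fast.log line: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed mapping from rule priority to the High/Medium/Low labels used above.
SEVERITY = {1: "High", 2: "Medium", 3: "Low"}

# Constructed sample alerts (SIDs in the local 1000000+ range, RFC 5737 addresses).
SAMPLE_FAST_LOG = """\
05/09/2014-10:12:33.000001  [**] [1:1000001:1] LOCAL SCAN TCP port scan from single source [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44122 -> 198.51.100.5:25
05/09/2014-10:12:35.000002  [**] [1:1000002:1] LOCAL WEB_SERVER Apache malformed request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44123 -> 198.51.100.5:80
05/09/2014-10:12:36.000003  [**] [1:1000003:1] LOCAL WEB_SERVER Magento admin credential probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44124 -> 198.51.100.5:80
05/09/2014-10:12:40.000004  [**] [1:1000004:1] LOCAL TLS Heartbleed oversized heartbeat [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44125 -> 198.51.100.5:443
05/09/2014-10:12:41.000005  [**] [1:1000005:1] LOCAL INFO unusual User-Agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:44126 -> 198.51.100.5:80
05/09/2014-10:12:42.000006  [**] [1:1000006:1] LOCAL SMTP banner probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:44127 -> 198.51.100.5:25
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return a dict for one fast.log alert line, or None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
            "severity": SEVERITY.get(int(d["prio"]), "Low")}

def summarize(text):
    """Count alerts by severity and by source, and list the targeted ports."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    by_severity = Counter(a["severity"] for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    ports = sorted({a["dport"] for a in alerts})
    return dict(by_severity), dict(by_source), ports

if __name__ == "__main__":
    sev, src, ports = summarize(SAMPLE_FAST_LOG)
    print("By severity:", sev)          # scan footprint, as Snorby would tally it
    print("By source:", src)            # a single source hitting every service = scanner
    print("Targeted ports:", ports)     # should match the open ports OpenVAS found
```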

Discussion

The overall performance of the Linux-Apache-Postfix gateway to Microsoft Exchange 2010 services was good.  OpenVAS focused on the Linux-Apache server when attempting to identify vulnerabilities.  These were identified and are of no more than Medium risk and relatively easy to fix.  Better still, the scan did not identify Microsoft Exchange web and mail services at all.

The video below documents the OpenVAS scan and Suricata-Barnyard2-Snorby IDS logging.
