Intrusion Detection Update - v1.0-1000 Craziness

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: 1.1.7-6941 update causing weird issues

Post by Connected » Tue Jun 12, 2018 6:10 am

sanctrum wrote on Mon Jun 11, 2018 8:55 pm:
Please write what you think...
Sanctrum, what you are seeing are very likely false positives.

Something changed with IPS v1.0-1000; either with the Suricata engine that powers IPS, or in the rulesets provided to IPS by Proofpoint for Synology. To this point Tech Support has declined to explain, and I don't think they really know. Their first line of defense has been that you need to refine the rules (which wasn't as necessary prior to v1.0 of IPS, and in any case can be a considerable undertaking for end users), or take it up with Proofpoint. But Proofpoint isn't in the business of supporting Synology end users (Tech Support doesn't seem to be aware of that). After two weeks the issue has garnered enough attention to get Development involved, and I see they logged on to my router this evening (business hours in Taipei) to take a look at what's going on here.

So stand by. Hope springs eternal...
We live in a world of things that mostly sorta work.

KeepItSimple
I'm New!
Posts: 2
Joined: Wed Jun 13, 2018 4:06 am

Intrusion Prevention - False positives?

Post by KeepItSimple » Wed Jun 13, 2018 4:24 am

Hi all,

I have a Synology RT2600AC and I recently installed Intrusion Prevention package.

I started receiving notifications some of which are scary but I'm not entirely sure if they are actual threats or false positives. For example I get this :


Event Type: A Network Trojan was Detected
Signature: ET TROJAN Zberp receiving config via image file - SET
Severity: High
Source IP: {My computer LAN IP}
Destination IP: 104.83.0.104

When I reverse DNS lookup the IP I get this: a104-83-0-104.deploy.static.akamaitechnologies.com

Is this a safe domain?

In one case it resolved to lhr25s11-in-f14.1e100.net. Since 1e100.net is owned by Google I thought this was safe.

I also keep getting warning emails sometimes when I connect to GitHub with the message "ET POLICY curl User-Agent Outbound"

What's your experience with this package like?

If it's something I cannot trust there's no point in running it as soon enough I'll be numb to its warnings and start to ignore all of them. Currently it's in Beta stage so that might explain this too but at this point my main concern is are they really false positives or should I do something about it?

Please let me know what you think.

Thanks.

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: Intrusion Prevention - False positives?

Post by Connected » Wed Jun 13, 2018 5:10 pm

Very likely a false positive. Check out other threads on the forum, esp. https://forum.synology.com/enu/viewtopi ... 5&t=143188 and https://forum.synology.com/enu/viewtopi ... 5&t=142850

If it's something I cannot trust there's no point in running it as soon enough I'll be numb to its warnings and start to ignore all of them.
Yes indeed. After the last round with Tech Support (going on since 5/28) I've reluctantly come to a similar conclusion.

Best thing to do is complain to Synology. I don't think they pay attention to the forums...
We live in a world of things that mostly sorta work.

KeepItSimple
I'm New!
Posts: 2
Joined: Wed Jun 13, 2018 4:06 am

Re: Intrusion Prevention - False positives?

Post by KeepItSimple » Thu Jun 14, 2018 4:48 am

Thank you for this. I think I'll give it some more time before I start using it again.

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by Connected » Sat Jun 16, 2018 2:54 am

It's been 16 days, so for those of you experiencing problems since the release of IPS v1.0-1000, an update.

Tech Support invoked Development, but that resolved nothing.

The following questions have been forwarded to Development for answers:
  • What exactly changed with version 1.0-1000? The Suricata engine, configuration options, rulesets, all of the above?
  • Is there a pending IPS update that might take us back to pre-v1.0 behavior?
  • When you point users to Proofpoint, where exactly are they supposed to go? Proofpoint deals with OEMs, not end users. Certain rules in the ET Open ruleset provided by Proofpoint cannot be researched at the Emerging Threats website, and the Proofpoint website is opaque to non-subscribers.
  • Who is using ET Pro, what is its impact on the RT2600ac, and exactly how would we get it?
  • Is SRM immune to, or does Security Advisor detect, the VPNFilter malware?
And these questions are also pending:
  • Is there a way to see the ET Open ruleset residing on the RT2600?
  • Is there a way to list the rules for which the user has changed the default Action Policy (like changed from "Drop" to "Do nothing")?
As Synology keeps pointing us to Proofpoint (the provider of the ET Open and ET Pro rulesets) I contacted them by phone today (email hadn't gotten me far). Expected a callback - never happened.

I've downgraded a total of 10 rules from "Drop" to "Do nothing". That has reduced high-severity events to 50 - 100 daily. 1 - 2 new rules seem to get triggered each day.

Not much progress...
We live in a world of things that mostly sorta work.

sanctrum
I'm New!
Posts: 9
Joined: Mon Jun 11, 2018 7:20 pm

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by sanctrum » Sun Jun 17, 2018 8:31 am

Thanks Connected for the update.

It's quite poor that Synology tries to deny their responsibility for the IP package... and it's poor design/architecture.

However, it does not stop them from advertising the product with working IP...
Somehow they just forget to mention that the user actually can't manage the hundreds of false positives that are in fact dropping legit packages, making the entire network unusable! And it drops not only the false positives but more frames, producing lags and random network dropouts...

Since the user can't effectively manage/tune up IP... the only possibility is to entirely disable the specific false-positive rule regardless of the source/target IP addresses. And that makes the entire network vulnerable with respect to the disabled rules... So we can't disable rules for a specific list of IPs, e.g. ESET LiveGrid, microsoft.com, etc...

What is the point of having Intrusion Prevention system with completely disabled rules without the possibility to tune them by IP address?

Let's hope they will fix/improve Intrusion Prevention... in no time... since the current situation makes Synology statements the false advertising!

unknownip
I'm New!
Posts: 3
Joined: Tue Jun 19, 2018 3:53 am

Re: Intrusion Prevention - False positives?

Post by unknownip » Tue Jun 19, 2018 3:55 am

It appears that tonight's update fixed the issues. Literally within seconds of the update, my malicious traffic dropped to almost zero, and several apps worked as they had before the "bad" update.

sanctrum
I'm New!
Posts: 9
Joined: Mon Jun 11, 2018 7:20 pm

Re: Intrusion Prevention - False positives?

Post by sanctrum » Tue Jun 19, 2018 6:17 am

unknownip wrote on Tue Jun 19, 2018 3:55 am:
It appears that tonight's update fixed the issues. Literally within seconds of the update, my malicious traffic dropped to almost zero, and several apps worked as they had before the "bad" update.
Rather a placebo effect. An update of the rules makes the IP engine restart, which takes several minutes. Check the next day...

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: Intrusion Prevention - False positives?

Post by Connected » Tue Jun 19, 2018 9:22 pm

unknownip wrote on Tue Jun 19, 2018 3:55 am:
It appears that tonight's update fixed the issues.
Interesting. I have auto-update enabled, but had to manually download the 6/19 ruleset.

There are no differences in the number of rules, or in the number of enabled rules, with the prior 6/16 ruleset that I can see.

So is it still fixed unknownip?
We live in a world of things that mostly sorta work.

unknownip
I'm New!
Posts: 3
Joined: Tue Jun 19, 2018 3:53 am

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by unknownip » Tue Jun 19, 2018 9:43 pm

Yes, still fixed. The constant "ET TROJAN Zbot Download Config" errors are now gone.

I saw a bunch of "new" notifications pop up, just to realize that they are actually fairly recurrent but were hidden/masked by the sheer number of ET TROJAN messages.

I hope this fixed it for everyone, and that Synology listens to us re: more granular control of the app settings.

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by Connected » Tue Jun 19, 2018 11:29 pm

Synology has responded to the questions I posed last week. With their permission, here it is...
We appreciate your patience in this matter. Our developers have reached out and provided the following answers to your questions:

What exactly changed with version 1.0-1000? Suricata engine, configuration options, rulesets, all of the above?
The Intrusion Prevention 1.0 update updated the Suricata engine; the ruleset update is in the package setting itself under Intrusion Prevention > Settings.

Is there a pending IDS update that might take us back to pre-v1.0 behavior?
Since the behavior is based on the ruleset provided by ET Open and how the user fine-tunes the signature based on their real environment, we cannot revert the behavior.

When you point users to Proofpoint, where exactly are they supposed to go? Proofpoint deals with OEMs, not end users. Certain rules in the ET Open ruleset provided by Proofpoint cannot be researched at the Emerging Threats website, and the Proofpoint website is opaque to non-subscribers as far as I can tell.
Unfortunately, the difference between free ET open and paid ET pro is that for ET open you get longer ruleset update period and higher false positives.

Who is using ET Pro, what is its impact on the RT2600ac, and exactly how would we get ET Pro? When the user attempted to contact Proofpoint regarding access to the ET Pro ruleset he was sent a boilerplate response thanking him for attending a conference that he never knew about.
ET pro is intended for business customers that can cooperate with Proofpoint, so it may not be a good option for normal consumers. With that said, our developers found that users can purchase ET pro if the user has registered an account on Emerging Threats here: https://portal.emergingthreats.net/purchase/etpro

Is SRM immune to, or does Security Advisor detect, the VPNFilter malware?
Yes, any unauthorized modifications to SRM will be detected by our Security Advisor, similar to DSM on our NAS products.

Finally, our developers noted that Intrusion Prevention is still in beta because it is a package requiring a high level of IT skills, as you've discovered when fine-tuning it previously. With that said, our developers value your feedback on this matter and we are discussing ways to make Intrusion Prevention more user-friendly in future releases.
So, we apparently don't need to worry about VPNFilter. But IPS users will need to keep an eye on events and become adept at researching false positives.

If you have ideas about how IPS could be better, take a few minutes to let Synology know...
We live in a world of things that mostly sorta work.

Shadow771
Enlightened
Posts: 473
Joined: Sun Jan 28, 2018 11:48 pm
Location: the Netherlands

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by Shadow771 » Wed Jun 20, 2018 5:28 pm

Looks like IP V1.0-1000 doesn't even trust Synology products that want to check for updates..?? :lol: :lol: :lol:

I'm really thinking of abandoning Intrusion Prevention since this 'update' introduced new problems and no solution has been provided for this:
https://forum.synology.com/enu/viewtopi ... 5&t=142139
Synology DS216+II <--> Synology RT1900AC <--> <site-to-site VPN tunnel> <--> Synology RT1900AC <--> Synology DS118

sanctrum
I'm New!
Posts: 9
Joined: Mon Jun 11, 2018 7:20 pm

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by sanctrum » Wed Jun 20, 2018 6:22 pm

unknownip wrote on Tue Jun 19, 2018 9:43 pm:
Yes, still fixed. The constant "ET TROJAN Zbot Download Config" errors are now gone.

I saw a bunch of "new" notifications pop up, just to realize that they are actually fairly recurrent but were hidden/masked by the sheer number of ET TROJAN messages.

I hope this fixed it for everyone, and that Synology listens to us re: more granular control of the app settings.
Sorry, but for me it is NOT fixed... But I was not having ET TROJAN Zbot Download Config... but other types of false positives:
ET Trojan Zberp receiving config via image file - to flipboard.com server
ET Trojan Sage Ransomware Checkin Primer - to all servers at ESET LiveGrid = ESET antivirus NOD32 AI servers.
ET Info Windows Update/Microsoft FP Flowbit - *.windowsupdate.com akamai servers.

ddg
Rookie
Posts: 33
Joined: Mon Aug 11, 2014 9:09 pm

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by ddg » Thu Jun 21, 2018 12:04 am

I had updated IP the day after the latest update (v. 1.0-1000 on 2018-05-28) and saw essentially no resolution of the false positives issue.

However, I find it curious and probably not coincidental that my false positives problem began the day after the latest SRM update (1.1.7-6941) became available (2018-05-24).

Connected
Student
Posts: 67
Joined: Sun Feb 18, 2018 12:12 am

Re: Intrusion Detection Update - v1.0-1000 Craziness

Post by Connected » Sun Jun 24, 2018 2:39 am

For what it's worth, I've reduced alerts to tolerable levels by setting the following rules to "Do nothing":
  • 2021067 Dotted Quad Host M1 (noalert). Android devices running Tune-in or other apps.
  • 2021068 Dotted Quad Host M2 (noalert).
  • 2021071 Dotted Quad Host M5 (noalert).
  • 2021381 Zberp receiving config via image file - SET. Android apps requesting jpgs for banners or thumbnails. Also seen on Windows accessing Skype and Valve/Steam.
  • 2023818 Windows Update/Microsoft FP Flowbit. Microsoft Windows updates.
  • 2020573 .exe download with no referer (noalert). Microsoft Windows updates.
  • 2016537 Minimal HTTP Headers Flowbit Set.
  • 2025333 Successful Generic .EDU Phish (Legit Set). Browsers accessing Cal State University web sites.
  • 2023184 Possible Android Stagefright MP4 (CVE 2016-3861) Set. Android devices accessing Amazon servers for MP4s.
  • 2022317 Zbot download config - SET. Samsung tablets posting a GET to MMS messaging. Windows updates "OfficeClickToRun".
  • 2016149 Session Traversal Utilities for NAT (STUN Binding Request). Android and Windows devices doing real-time voice, video, messaging.
  • 2016150 Session Traversal Utilities for NAT (STUN Binding Response).
  • 2018908 Session Traversal Utilities for NAT (STUN Binding Response).
  • 2023892 MP4 in HTTP Flowbit Set M2.
  • 2522184 Known Tor Relay/Router (Not Exit) Node Traffic group 93. RainMachine sprinkler ctlr receiving NTP response.
  • 2022080 form-data flowbit set (noalert). Blizzard games.

New Problems: IPS logs

Changing IPS log memory size (IPS > Settings / Advanced) from 1 GB to 2 GB caused the IPS log to become fragmented. Stopping and restarting the sensor did nothing. Clearing the log resulted in IPS not recording events. Stopping and restarting IPS (Package Center > Installed > Intrusion Prevention / Action) resolved the problem at the cost of the seeming loss of the log file. Following a scheduled reboot IPS now shows summary results on the Overview page for the new log (400 events), while the Events page shows 28,000 entries from the "lost" log file. Reported to Tech Support.


New Problem: Incorrect IP address reported

About 400 packets dropped to a heretofore unseen rule (ET TROJAN Backdoor family PCRat/Gh0st CnC? traffic (OUTBOUND) 12 SET [SID 2017935]). The Source IP is the address of an Access Point, another RT2600ac. IPS is reporting its IP address rather than that of the actual source, a PC trying to run a Blizzard Entertainment game. Reported.
We live in a world of things that mostly sorta work.
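Added example, written for this page and not code from the thread, Synology or Proofpoint: sanctrum's complaint above is that a noisy rule can only be disabled outright, for every source and destination, and Connected's list shows the result of that, sixteen SIDs set to "Do nothing" globally. The script below illustrates the finer-grained alternative as a triage step over the notification text the thread quotes (the "Event Type / Signature / Severity / Source IP / Destination IP" block, with the "[SID nnnn]" suffix that the Events page shows): events are parsed, a suppression list keyed on SID plus destination network mutes a rule only towards the hosts it is known to misfire on, and whatever remains is ranked by signature and destination so recurring pairs stand out for research. The sample notifications, the SID 2000001 and the network ranges are constructed for the example and are not vetted allowlists.

```python
"""Per-SID, per-destination suppression of Synology IPS (Suricata) notifications.

Added example, not the thread's or Synology's code. Suppressing a signature only
towards a given network is the effect Suricata's own threshold.config `suppress`
entries have at the engine; here it is done after the fact, over exported
notification text, because the thread reports that SRM only offers a per-rule
Action Policy.
"""
import ipaddress
import re
from collections import Counter

FIELD_RE = re.compile(r"^(Event Type|Signature|Severity|Source IP|Destination IP):\s*(.*)$")
SID_RE = re.compile(r"\[SID (\d+)\]")
FIELD_KEYS = {"Event Type": "event_type", "Severity": "severity",
              "Source IP": "src", "Destination IP": "dst"}

# Constructed sample notifications (not captured traffic). SIDs 2021381 and 2023818
# are the ones the thread names; 2000001 and the RFC 5737 addresses are placeholders.
SAMPLE_NOTIFICATIONS = """\
Event Type: A Network Trojan was Detected
Signature: ET TROJAN Zberp receiving config via image file - SET [SID 2021381]
Severity: High
Source IP: 192.168.1.20
Destination IP: 104.83.0.104

Event Type: Potentially Bad Traffic
Signature: ET INFO Windows Update/Microsoft FP Flowbit [SID 2023818]
Severity: Low
Source IP: 192.168.1.21
Destination IP: 104.83.0.15

Event Type: A Network Trojan was Detected
Signature: ET TROJAN Zberp receiving config via image file - SET [SID 2021381]
Severity: High
Source IP: 192.168.1.20
Destination IP: 198.51.100.7

Event Type: Attempted Information Leak
Signature: ET POLICY curl User-Agent Outbound [SID 2000001]
Severity: Medium
Source IP: 192.168.1.30
Destination IP: 192.0.2.44
"""

# Suppression entries: (sid, destination network) or (sid, None) for any destination.
# The /24 is an assumption for the example: in practice it would be the CDN range the
# rule was verified to misfire on, recorded next to the reason it was added.
SUPPRESSIONS = [
    (2021381, "104.83.0.0/24"),   # image-file rule: mute only towards this range
    (2023818, None),              # Windows Update flowbit: mute everywhere
]


def parse_notifications(text):
    """Split blank-line separated notification blocks into event dicts."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends a record
            if current:
                events.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if not match:
            continue                       # ignore lines that are not fields
        key, value = match.groups()
        if key == "Signature":
            sid = SID_RE.search(value)
            current["sid"] = int(sid.group(1)) if sid else None
            current["signature"] = SID_RE.sub("", value).strip()
        else:
            current[FIELD_KEYS[key]] = value.strip()
    if current:
        events.append(current)
    return events


def is_suppressed(event, suppressions=SUPPRESSIONS):
    """True if the event's SID is muted for its destination address."""
    dst = ipaddress.ip_address(event["dst"])
    for sid, net in suppressions:
        if sid == event["sid"] and (net is None or dst in ipaddress.ip_network(net)):
            return True
    return False


def triage(text, suppressions=SUPPRESSIONS):
    """Return the events still worth looking at, the muted ones, and a ranking."""
    actionable, suppressed = [], []
    for event in parse_notifications(text):
        (suppressed if is_suppressed(event, suppressions) else actionable).append(event)
    pairs = Counter((e["signature"], e["dst"]) for e in actionable)
    return {"actionable": actionable, "suppressed": suppressed,
            "top_pairs": pairs.most_common()}


if __name__ == "__main__":
    result = triage(SAMPLE_NOTIFICATIONS)
    print(f"{len(result['suppressed'])} suppressed, {len(result['actionable'])} to review")
    for (signature, dst), count in result["top_pairs"]:
        print(f"{count:4d}  {signature}  -> {dst}")
```

The point of keying on SID and destination rather than SID alone is that the third sample event, the same Zberp signature towards an address outside the muted range, still surfaces for review, which a global "Do nothing" on 2021381 would hide. At the engine level the equivalent Suricata entry would be a `suppress gen_id 1, sig_id 2021381, track by_dst, ip 104.83.0.0/24` line in threshold.config; whether SRM exposes that file is not something this thread establishes.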