Port Alias for Suricata variables
-
I generally make use of the Suricata variables page for each interface to further customize the deployment.
I have applications that run backend SQL databases. I have installed the emerging-sql.rules ruleset. I noticed going through the list of enabled rules that it's looking for $ORACLE_PORTS, which won't do in my environment as the default port is not enabled.
I created a port alias for 1024:65535 to cover all the ranges a DB, even if custom-built, could be listening on. I added the alias to the $ORACLE_PORTS value.
Is it safe to say this is the correct way of doing it, and if a signature is matched on the rule with any port in that range it should produce an alert?
-
For SHELLCODE_PORTS I see the default value is !80.
Can I add that in for ORACLE_PORTS? So in the field add !1521.
Curious as to how the negation works within the GUI, or do I need to add a port alias.
-
I doubt negation is what you want. That means every other port EXCEPT 1521 would be considered an Oracle Port. Negation literally means "not 1521, so it is an Oracle Port". Usually that broad of a range is not desired.
In your case, create a pfSense firewall alias containing the needed port or ports, and assign it to the ORACLE_PORTS variable on the VARS tab.
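To make the negation point concrete, here is a small added example (not code from the thread, from pfSense, or from Suricata itself) that models how Suricata port variables evaluate: comma-separated lists, `lo:hi` ranges, nested `[...]` groups, and a leading `!` meaning "every port except". It is a simplified model written for illustration; Suricata's real port parser handles more cases. Running it shows that `!1521` matches 65535 ports, which is why the reply above says negation is not what you want for a database port variable, while a bracketed range such as `[1024:65535,!1521]` is the kind of value a pfSense alias would expand to (the exact expansion format is an assumption here).

```python
"""Simplified model of Suricata port-variable semantics (illustration only).

Added example: models lists, lo:hi ranges, nested [...] groups and '!'
negation as used in values like SHELLCODE_PORTS = !80. Real Suricata port
parsing has more rules than this; treat the model as an assumption.
"""
from __future__ import annotations

PORT_MIN, PORT_MAX = 0, 65535
ALL_PORTS = frozenset(range(PORT_MIN, PORT_MAX + 1))


def _split_top_level(spec: str) -> list[str]:
    """Split on commas that are not nested inside a [...] group."""
    parts, depth, cur = [], 0, []
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _atom(item: str) -> set[int]:
    """A single port ('1521') or a range ('1024:65535', '1024:', ':1023')."""
    if ":" in item:
        lo_s, hi_s = item.split(":", 1)
        lo = int(lo_s) if lo_s else PORT_MIN
        hi = int(hi_s) if hi_s else PORT_MAX
    else:
        lo = hi = int(item)
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"bad port spec {item!r}")
    return set(range(lo, hi + 1))


def parse_ports(spec: str) -> set[int]:
    """Return the set of ports a variable value covers.

    Positive items are unioned; negated items are removed from that union,
    or from the full 0-65535 range when there are no positive items (so a
    bare '!1521' means 'every port except 1521').
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return set(ALL_PORTS)
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positive: set[int] = set()
    negative: set[int] = set()
    have_positive = False
    for item in _split_top_level(spec):
        negate = item.startswith("!")
        body = item[1:].strip() if negate else item
        members = parse_ports(body) if body.startswith("[") else _atom(body)
        if negate:
            negative |= members
        else:
            positive |= members
            have_positive = True
    base = positive if have_positive else set(ALL_PORTS)
    return base - negative


def matches(spec: str, port: int) -> bool:
    """Would a rule keyed on this port variable consider `port` in scope?"""
    return port in parse_ports(spec)


def summarize(spec: str) -> tuple[int, bool, bool]:
    """(number of ports covered, covers 1521?, covers 80?) for a value."""
    ports = parse_ports(spec)
    return len(ports), 1521 in ports, 80 in ports


if __name__ == "__main__":
    # Candidate ORACLE_PORTS values discussed in the thread (constructed list).
    for value in ("1521", "!1521", "1024:65535", "[1024:65535,!1521]", "any"):
        count, has_1521, has_80 = summarize(value)
        print(f"{value:24} covers {count:5d} ports; "
              f"1521 in scope: {has_1521}; 80 in scope: {has_80}")
```

Run it as a script to see the table; the middle row is the one to watch: `!1521` puts 65535 ports in scope and explicitly excludes the one Oracle listener port, whereas the explicit range (or a pfSense alias holding the actual listener ports) keeps the rule set focused on the traffic the SQL signatures were written for.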