NEW - Suricata 1.4.6 IDS pkg. v0.2-BETA Released

A Former User

Time to update the blueprint with the removed rules then. Open to suggestions for lists to replace those.

BBcan177

For ET changes, these three seem to still be online -

pfBlocker ET Blocker
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

For Snort/Suricta, I would always recommend that people start with as many rules as their box can handle (Memory and CPU) and start in non-blocking mode, remove all the false positives over several weeks of review. And then putting it into Blocking mode. With Bills new tweeks removing Rules from the Alert Page makes it easier. If we had the endablesid.conf and disablesid.conf files we could populate those files with our settings and it would be even easier to manage.

–-----------------------------------------

Here is a list for pfBlocker.

I like to keep the lists separate so I can see what is triggering a block. This helps to weed out False Positives.

pfblockerlists

pfBlocker iBlockList
http://list.iblocklist.com/?list=bt_hijacked&fileformat=p2p
http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p
http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p
http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p
http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p
http://list.iblocklist.com/?list=bt_templist&fileformat=p2p

pfBlocker ET Blocker
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

Spamhaus
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt

pfBlocker Other
http://www.ciarmy.com/list/ci-badguys.txt
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
http://www.us.openbl.org/lists/base_30days.txt
http://malc0de.com/bl/IP_Blacklist.txt

pfBlocker Zeus/SpyEye/Palevo
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist

pfBlocker dShield
http://feeds.dshield.org/top10-2.txt

pfBlocker Arbor Networks - Atlas
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
https://atlas.arbor.net/summary/scans.csv
http://atlas-public.ec2.arbor.net/public/ssh_attackers

pfBlocker Malware Domain List
http://www.malwaredomainlist.com/hostslist/ip.txt

pfBlocker No Think!
http://www.nothink.org/blacklist/blacklist_malware_http.txt
http://www.nothink.org/blacklist/blacklist_ssh_week.txt
http://www.nothink.org/blacklist/blacklist_malware_dns.txt

pfBlocker SRI
http://cgi.mtc.sri.com/download/attackers/01-17-2014/Get_Top-51_30-Day_Filterset.html
http://cgi.mtc.sri.com/download/cc_servers/01-17-2014/Get_Top-1_30-Day_Filterset.html

pfBlocker Infiltrated
http://www.infiltrated.net/blacklisted

pfBlocker AlienVault
https://reputation.alienvault.com/reputation.snort

DRG
http://www.dragonresearchgroup.org/insight/sshpwauth.txt
http://www.dragonresearchgroup.org/insight/vncprobe.txt
http://www.dragonresearchgroup.org/insight/http-report.txt

pfBlocker Feodo
https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
https://feodotracker.abuse.ch/blocklist/?download=badips

pfBlocker Blocklist.de
http://lists.blocklist.de/lists/all.txt
http://www.senderbase.org/static/spam/#tab=2

pfBlocker StopForumSpam
Local List (.CSV script to convert)

pfBlocker Autoshun
Local List (.CSV script to convert)

A Former User

http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

I think that's the one that was causing problems for a number of people, so I switched from that to the "new" RBN list (now obsolete).

A couple of interesting lists there, will test them out. If you are ok with it, I'll add them in due time to the blueprint and credit you.

BBcan177

I had that link with the other ET links and never noticed that it wasn't updating properly.

If you use the pffetch script that I wrote previously, you can add that to the script and add a link in pfBlocker to the local file.

fetch http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
It will download as "RussianBusinessNetworkIPs.txt"

The more effort we all make the better off we all are. Open Source all the way!

** SORRY Bill for taking over this Thread… ***

BBcan177

I took another look at the RBN text document in VI, and noticed that each line has a "^M" carriage return. This is probably what was causing issues with pfBlocker not reading the file properly. The RBN list is out of date, but there are still alot of hits on my Router from Russia!!

You can filter the ^M with -

fetch http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
returncode=$?
echo $returncode

if [ "$returncode" -eq "0" ]; then
        cat RussianBusinessNetworkIPs.txt | tr -d '\r' > RBN.txt
fi

and use the RBN.txt in pfBlocker local file.

A Former User

The funny thing is that I personally never had a problem with that list. It downloaded and added the IPs in the table  (checked it myself, and the IPs were there), as well as updated for over a year with no issues at all. Some other people though always had problems with it.

That list belongs to the ET guys, so I'm assuming that it too will be made obsolete. I know that you should never assume but…

yea, sorry Bill for taking over the thread  :P

felesaerius

Not sure if this is the place to post, but I figure it's a good starting point if nothing else, is there an easy way to get Suricata to throw the logs to Kibana like Suricata shows on their site?
http://idsips.files.wordpress.com/2014/03/kibana300.png

Per this walkthrough:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

It wants Suricata to have libjansson support enabled… the only thing they're missing is how to get Suricata and the install of Kibana, etc to talk to each other, but this all may be way too much to ask this early on in the game, not sure if anyone has any tips on it. Thank you for helping if possible!

bmeeks

@felesaerius:

Not sure if this is the place to post, but I figure it's a good starting point if nothing else, is there an easy way to get Suricata to throw the logs to Kibana like Suricata shows on their site?
http://idsips.files.wordpress.com/2014/03/kibana300.png

Per this walkthrough:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

It wants Suricata to have libjansson support enabled… the only thing they're missing is how to get Suricata and the install of Kibana, etc to talk to each other, but this all may be way too much to ask this early on in the game, not sure if anyone has any tips on it. Thank you for helping if possible!

I am not familiar with Kibana but will check it out.  So long as an external log stash package can accept data over a network connection then pushing Suricata logs should be possible.  It gets much more dicey to try and add another package to pfSense itself.  Besides, it's not a good idea to run a bunch of applications on your firewall because that increases the security vulnerability exposure substantially.

Bill

simby

any options to have suricata 2.0 and have options to block ip?

can i have only to drop packet, not to block ip (snort or. suricata)?

bmeeks

@simby:

any options to have suricata 2.0 and have options to block ip?

can i have only to drop packet, not to block ip (snort or. suricata)?

Suricata 2.0 was not in the FreeBSD ports repository last time I checked (about a week ago).  So we will need to wait for FreeBSD ports to update Suricata to 2.0 before it can come to pfSense.

I am working on the blocking code for Suricata now.

Bill

Supermule

Thanks a billion Bill!! Youre SO much the man of this project right now!

bmeeks

@Supermule:

Thanks a billion Bill!! Youre SO much the man of this project right now!

Thank you.  One caveat for Suricata blocking.  Initially it will have to operate the same way as Snort does using libpcap.  Thus it won't be true inline-mode IPS.  Ermal has to make some changes in the ipfw code within pfSense in order to accommodate true inline IPS mode.  However, due to the problem of context switching between kernel mode and user-land, IPS mode when it comes won't be nearly as fast as the pseudo-IPS mode Snort uses (and that Suricata will use initially).  So true inline IPS is probably not going to be very useful for heavily loaded firewalls.  That's just the nature of the beast unless you go to highly customized code, and if you do that then you can't easily follow the upstream updates.

The kernel changes to support true IPS may or may not make it into 2.2.  That is not up to me.  It is up to the pfSense team.  However, I can include the pseudo-IPS mode without those kernel changes.  That means pseudo-IPS can work with 2.1.x releases.  The pseudo-IPS mode is what I am working on now.

Bill