Taming the beasts… aka suricata blueprint

Cino

@jflsakfja next time you speak to that user, tell them to use nslookup on windows. you can look up by hostname or ip…

dmitripr

@jflsakfja:

You need to remove the regular ports from the rule and only select the negated range. It wouldn't be any use anyway to include 1:1024. If you don't allow that range, the rule will still alert for those ports, since that's what you told the IDS to do. Alert on any port other than the open ports (used ports). Any port you don't specifically allow, will generate the alert.

Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged port, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

Maybe I'm over-thinking this. Can I use pfsense port alias here?

Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

Again, thanks for the help!

A Former User

@dmitripr:

Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged port, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

As suggested, keep the rule alerting on all unused ports: ![port1,port2,port3,port4:port25,port1024:port65535]
You just need to set up the ports you use inside that [ ]. I highly suggest to include all the unprivileged ports in there, unless you manually go into every program you use and tell it to use a specific unprivileged range.

@dmitripr:

Maybe I'm over-thinking this. Can I use pfsense port alias here?

Nope. I used to be able to declare the variables at the start of the custom rules tab (eg USED_PORTS) but last time I tried it, it didn't work. Didn't fiddle with it anymore, since it's not that many ports you need to open up anyway.

@dmitripr:

Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

Again, thanks for the help!

Yeap seen that too. I'm putting my money on the old version of suricata as being the culprit for this.

@Cino: Will do, thanks.

dmitripr

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

A Former User

@dmitripr:

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

dmitripr

After doing some testing of Snort vs Suricata, I've decided to go back to Snort.

For whatever reason, looks like Comcast upgraded my line to 100/10 tier in the last couple of days. Now, with my D2550 Atom CPU Suricata was maxing out my CPU cycles and my max throughput was 95 mbps (@100% CPU load). I've tried snort and @45% CPU load I'm getting about 108 mbps (plus it's a more stable/smooth download vs suricata, which was more "jumpy"). I've ran the test 2x between the two, and same result. Suricata came to be the bottleneck for me. And Suricata couldn't download Snort VRT rule set, so, snort had a larger rule set running as well. (although I've never seen a single VRT rule triggered, only the custom rules and the ET rules).

I'll try Suricata again once the 2.0 comes to pfsense. Hopefully that'll perform better.

Just my 2 cents. Thanks for the help!

A Former User

It would be interesting to see more details about your setup. Did you disable the rules I recommended in this topic? Even the amazon one (yes that single rule does matter)? How much RAM was used? Nice to see that a dual core atom @ 1.86Ghz can (nearly) max out 100Mbps. I'm sure with a bit of tuning it could get there, unless you have already removed suricata and installed snort.

Don't worry about the VRT rules.

Cino

I have TWC. I'm currently 100/5. I have both snort and suricata running on my D510 Atom with no issue. Running speed test, I can max out at 107-110mbps. CPU% anywhere from 45% to 100%. If I download torrents, cpu will peg at 100% but i'm still able to browse with no issues.

A Former User

Respect for the little atoms that could  ;D. The newer 4 core models (technically a celeron, or is it the other way around?) are interesting, thinking about getting a couple for testing. A fully loaded psfsense system based on those should be close to 30W (cpu+cards+hdd).

Cino

I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricta, squid, ntop, vnstat… she runs good... Need to change her it 64bit so I can use all of the 4gb of memory but I think i'll wait for 2.2 to be release then do a fresh install and rebuild the config for fun  :o

A Former User

@Cino:

I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricta, squid, ntop, vnstat… she runs good... Need to change her it 64bit so I can use all of the 4gb of memory but I think i'll wait for 2.2 to be release then do a fresh install and rebuild the config for fun  :o

Ah, the Debian bug. Nothing happens to it, to the point where you want to upgrade to testing just for the hope of something breaking? :p

Atoms are perfect for personal use, IMHO.

bmeeks

@jflsakfja:

@dmitripr:

Thanks, jflsakfja. That rule syntax worked.

I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

Thanks again!

I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

Bill

Mr. Jingles

@bmeeks:

I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

Bill

Hi Bill  ;D

Would that also include the suggestion from one of the biggest noobs on this board to have an easy way to multi-enable/disable the rules per category (the same check boxes you see in the left side of the firewall rules screens)?

That would be quite lovely, so to speak :P

Mr. Jingles

A most stupid question, for which I am by now famous: wat is the OpenVPN-interface; WAN or LAN?

Virtual Private Network would suggest LAN, but on the other hand: it is connected to the WAN  ???

dmitripr

@jflsakfja:

It would be interesting to see more details about your setup. Did you disable the rules I recommended in this topic? Even the amazon one (yes that single rule does matter)? How much RAM was used? Nice to see that a dual core atom @ 1.86Ghz can (nearly) max out 100Mbps. I'm sure with a bit of tuning it could get there, unless you have already removed suricata and installed snort.

Don't worry about the VRT rules.

My setup is pretty simple, bough off the newegg:
** OEM Production 2550L2D-MxPC Intel NM10 Black Mini / Booksize Barebone System - OEM (http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007)
** 4GB of RAM
** 32GB SSD
** Latest version of pfsense
** 1 LAN+ 1 WAN + IPsec + OpenVPN
** Bind, snort/suricata (not at the same time), pfblocker

It has dual Broadcom nics, which is not too bad. If I disable the snort/suricata IPS, then @108 mbps down the CPU load is only 33% or so. So, theoretically this thing should be able to push 250 mbps easily. Not too shabby.

On the suricata setup, I followed your instructions for the rules. So, I did turn off the ones you mentioned in the posts here. However, I did have dshield and DROP categories enabled – apparently pfblocker doesn't have all the latest IPs for those, and some get though to IPS and are blocked there. For comparison sake, I have the same rules enabled for snort (just keeping it apples-to-apples).

I'm a believer in suricata, based on what I read, but probably not quite prime-time ready (at least in my setup, based on my limited testing). I have not uninstalled it, just disabled it at this point. I'll try again once 2.x.x comes out, hopefully soon.

Double K

@BBcan177:

…
The High Level function of the script:

Download Individual List
  Extract IPs
  Save copy to /orig Folder
  Check for Ranges that have 255 IPs and mark a single /24 Range
  Process /24 (Which looks for repeat Offenders in a /24 Range) (max variable) Individual Blocklist Only.
  Duplication Check

Once all of the Downloads are completed that were scheduled to run:

The Following is performed Globally on ALL Lists, except for the ones that were marked as "p24=no" on the Collect Line.

p-Deduplication - Looks for Repeat Offenders that are over the pmax variable regardless of Country Code.

d-DeDuplication - Looks for Repeat Offenders that are over the dmax variable but uses the Country Code Whitelist function.

If the Sanity Checks passes, it will create the TIER (Group) lists and perform the "pfctl" commands to update the pfSense Alias Tables.

If you decide to remove a list, you need to add "remove" after the collect line. When the script runs at its next scheduled run, it will remove the list from the database properly. Don't try to do this manually.

If you follow the High level steps, when you use the p24 process in d-deduplicaton, it will look for a repeat range of malicious IPs and find all of the Blocklists that have this IP listed.

The FIRST blocklists get a single x.x.x.0/24 Block and all of the other Lists that have the range are deleted.

So if a List is removed, and it happens to be a list that had the p24 process and was the first list processed as above, then you have no Blocklists for that range. This will correct itself on when the Lists are re-downloaded but that could be 1-4hrs depending on when the Lists are scheduled to run.

To get back into Sync, you can run this function:

[  [b]./pfiprep killdb  ]

Which will wipe the Database (Settings are not touched) and it will resync the database.

Out of Curiosity, which Lists did you disable?

Another Function is to use the "IR_Match" Alias in the Floating Rules as a "Match" Rule. This will show you activity for the IP Ranges that passed the Country Code Whitelist process. Because its a "Match" rule, it will not block, but just log the activity.

Since I have been running the script, I have not found too many False Positives, but I always recommend not to disable a list but to create a "SAFE Alias" Rule that is defined above the "Block/Reject" Rules. And just add the IPs that you want to allow.

The Patch for diag_dns.php will also work when looking at the Snort/Suricata Alert Logs.

If you are running Snort/Suricata, when you click on the "!" ICON to Resolve an IP, you will find that most of the IPs are already listed in the BlockLists. You will also see over time that it will pickup an Alert for an IP but the Blocklists do not have the specific IP but there are several IPs within the same Range that are being Blocked.

Also in diag_dns.php, there are several IP Reputation Links that can help you determine the Reputation of any Blocked IP before you remove a list, or Add an IP to the SAFE Alias list.

Let me know if you need any clarification or any other help.

Hi BBcan177, thanks for all your help setting up the scripts.  I managed to get everything setup, including the widgets & the DNS patch.

Could you please shed some more light on the max, dmax, and pmax variables?  Not completely clear on the differences between them and how they operate.
For example, upon first run (using max=5, dmax=5, pmax=50), I had 7 unique addresses in the 104.28.7.x range in the IR_Match alias file.  This also created a 104.28.7.0/24 entry as well.  I tried accessing a site that was not one of the unique addresses (ie. not blocked by the lists), but it was blocked by the /24 range.  When I changed max=10 and dmax=10, not only does the /24 range not appear (good) but the 7 unique blocked addresses don't appear either (bad).
Thus, just need a better understanding of how max, dmax, and pmax work, and what happens when you change the values.

BBcan177

@Double:

Hi BBcan177, thanks for all your help setting up the scripts.  I managed to get everything setup, including the widgets & the DNS patch.

Good job!

Could you please shed some more light on the max, dmax, and pmax variables?

1. Using a "max" variable, if it finds over the Max variable it will perform a Maxmind Geoip Database lookup and will process a /24 block for configured Foreign Countries on an individual Blocklist Basis.

2. Using a "dmax" variable  if it finds over the dmax variable it will perform a Maxmind Geoip Database lookup and will process a /24 block for configured Foreign Countries at the end of the download process on all of the Blocklists together.

3. Using a "pmax" variable, if it finds over the dmax variable it will process a /24 Block excluding Country Code whitelist at the end of the download process on all of the Blocklists together.

I had 7 unique addresses in the 104.28.7.x range in the IR_Match alias file.  This also created a 104.28.7.0/24 entry as well.  I tried accessing a site that was not one of the unique addresses (ie. not blocked by the lists), but it was blocked by the /24 range.

You are referencing "Match" aliases here.

Here is a snipet from the pfiprep script-

# country Code p24 Process (pass/match)
ccwhite=match
# Define what to do with IP Ranges found that are in the
# Country Code p24 Process (block/match)
ccblack=block
# For pfSense, the "Match" IPs can be "Monitored" with
# "Floating Rules" which can log packets from these IP Ranges,
# but still allow the Blocking of the Individual IPs found in the
# same /24 Range.

So the script will Block a whole /24 range depending if you select ccblack=block.
ccwhite=match will put the IP ranges that are in the Safe Country list into a match alias.

So the match file has all of the IPs that are being blocked with a "!" at the start of the IP to tell pfSense not to match the "!" excluded IPs, and match on anything else in the /24 range.

I would suggest leaving the "match" alone until you get everything else working. Change the ccwhite=match  to  ccwhite=pass

So at a high level, the max,dmax and pmax variables look at how many IPs are repeat offenders in all of the blocklists. And then depending on these settings block/match as required.

BBcan177

@dmitripr:

However, I did have dshield and DROP categories enabled – apparently pfblocker doesn't have all the latest IPs for those, and some get though to IPS and are blocked there.

I don't believe that this is correct.

In pfBlocker or in my pfiprep script, you can use the following dShield URL:

https://feeds.dshield.org/block.txt

and for Spamhaus:

http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt

You don't need to have them enabled in Snort/Suricata if its in pfBlocker/pfIPrep

You are probably seeing Snort/Suricata Alerting on these alerts because Snort/Suricata is not a true-inline IPS. These packages are inspecting a "copy" of each packet, so even thou the pf filter blocked the IP, Snort/Suricata will still alert because it is seeing a 'copy' of the packets.

I posted here :

https://forum.pfsense.org/index.php?topic=78062.msg432804#msg432804

with what Rules can be disabled as these can be implemented in pfBlocker/pfIPrep.

dmitripr

@BBcan177:

@dmitripr:

However, I did have dshield and DROP categories enabled – apparently pfblocker doesn't have all the latest IPs for those, and some get though to IPS and are blocked there.

I don't believe that this is correct.

In pfBlocker or in my pfiprep script, you can use the following dShield URL:

https://feeds.dshield.org/block.txt

and for Spamhaus:

http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt

You don't need to have them enabled in Snort/Suricata if its in pfBlocker/pfIPrep

You are probably seeing Snort/Suricata Alerting on these alerts because Snort/Suricata is not a true-inline IPS. These packages are inspecting a "copy" of each packet, so even thou the pf filter blocked the IP, Snort/Suricata will still alert because it is seeing a 'copy' of the packets.

I posted here :

https://forum.pfsense.org/index.php?topic=78062.msg432804#msg432804

with what Rules can be disabled as these can be implemented in pfBlocker/pfIPrep.

Thanks BB. I didn't have those lists added. I will do so and disable the categories on snort/suricata.

BBcan177

@dmitripr:

Thanks BB. I didn't have those lists added. I will do so and disable the categories on snort/suricata.

Anytime.

Take a look at my script. It has a lot of Threat Sources. Not all of them can be used in pfBlocker as it can't recognize the different formats like my script can.