Taming the beasts… aka suricata blueprint

Soloam

Great explanation jflsakfja.

I had a bad conclusion, my suricata is not working, I tried (temporary test) to allow ping to my wan port from a external address, and they passed with success, on suricata alert, still empty. =/

Soloam

I guess I have my answer, looks it seems that suricata is not compatible with PPPOE :/

https://forum.pfsense.org/index.php?topic=73906.15

bmeeks

@soloam:

I guess I have my answer, looks it seems that suricata is not compatible with PPPOE :/

https://forum.pfsense.org/index.php?topic=73906.15

That's true for now.  It is a limitation of the Suricata binary itself.  FreeBSD presents a data link type for PPPoE that Suricata does not recognize at the moment.  Snort will work, though if you want to try it instead.  The DAQ module in Snort correctly handles the FreeBSD PPPoE data link type.

Bill

Soloam

I used snort without any problem for some time, I changed to Suricata to test it out. Back to Snort for now.

Thank You

Soloam

The only problem that I had with Snort, that lead me searching for a new IDS was the fact that Snort keep blocking my WAN ip, even that the ip is on the passing list (it's dynamic ip, its always changing, but the list is updated).

dancwilliams

I just wanted to thank you all for the great write up!  I really appreciate you taking the time to provide all of this information.

After following the guide I got everything working except for some of the PfIP Reputation widget output.  Also, BBcan177 refers to version 2.3.4 of the pfiprep script but I am only able to find version 2.3.3.  I feel I may be behind the times due to other updates that have taken place, but this was a great starting point for me.

I am running pfSense 2.1.5 and everything is going well.  If there have been other changes due to software updates since this post began; would someone be able to point me in the right direction to learn about the changes/updates?

Thanks for all the great information!

Dan

A Former User

A new guide is in the works, as well as a better "keeping the guide up-to-date" procedure is being worked on.

For now, this thread is a great starting point. Most updates in the new guide have to do with making it easier to set everything up, but the outline basically follows this guide.

I know I promised the new guide a while back. I haven't given up on, it's just that work has been keeping me a bit busy lately.

dancwilliams

Thanks for the quick response. I definitely understand how wok can take up all your time!

Like I said, after following this guide everything seems to be running great except for some of the widget stuff to monitor the IP Lists.  I need notice on the forums that BBcan177 is developing a pfBlockerNG package so I may look into that going forward.  It would be nice to have that streamlined and able to backup.

Do you know of a way to backup the Suricata settings?  I am not sure if they are getting backed up with the regular pfSense backup.  I do not see them in the restore options.  Also, anytime my box is power cycled I lose my Suricata block list.  Is that the proper behaviour?

Your ET rule list on github is great!  I have run into a few rules that trigger due to things I use day-to-day such as Cisco VPN phones and what not.  Would you mind if I forked your list just so I can keep up with my findings?

I am also getting into writing some custom rules.  I had to read your posts a few times but I think it has finally "clicked".  Very exciting stuff!

Again…thanks for sharing with the community.

A Former User

@dancwilliams:

Thanks for the quick response. I definitely understand how wok can take up all your time!

Like I said, after following this guide everything seems to be running great except for some of the widget stuff to monitor the IP Lists.  I need notice on the forums that BBcan177 is developing a pfBlockerNG package so I may look into that going forward.  It would be nice to have that streamlined and able to backup.

Yes, BBcan177 is pushing towards a pfBlockerNG package. Should be very good when it's released. I'll leave it up to him for more info.
@dancwilliams:

Do you know of a way to backup the Suricata settings?  I am not sure if they are getting backed up with the regular pfSense backup.  I do not see them in the restore options.  Also, anytime my box is power cycled I lose my Suricata block list.  Is that the proper behaviour?

Make sure you visit Suricata>Global settings> and tick the checkbox to keep the settings when the package is removed. That should take care of keeping settings between package upgrades/reinstallations if something goes wrong. As for transfering the complete settings over to a "new" system, bmeeks should be able to point out more details for it.

Yes, the blocked hosts get cleaned when you reboot. It's an annoying "feature" ;-)

@dancwilliams:

Your ET rule list on github is great!  I have run into a few rules that trigger due to things I use day-to-day such as Cisco VPN phones and what not.  Would you mind if I forked your list just so I can keep up with my findings?

You are only permitted to fork the list if you contact ET and tell them the rules on the list have long been broken and should be removed/updated. Then you are free to do what you want with it. Except one thing, claim copyrights and sue me later  :P
@dancwilliams:

I am also getting into writing some custom rules.  I had to read your posts a few times but I think it has finally "clicked".  Very exciting stuff!

Again…thanks for sharing with the community.

Not a problem. I'll send an invoice later  ;)

dancwilliams

@jflsakfja:

Yes, the blocked hosts get cleaned when you reboot. It's an annoying "feature" ;-)

You really have to love those features.  They are saving you from yourself you know….ha!  :)

@jflsakfja:

You are only permitted to fork the list if you contact ET and tell them the rules on the list have long been broken and should be removed/updated. Then you are free to do what you want with it. Except one thing, claim copyrights and sue me later  :P

I will definitely start hounding them.  You are right…there are some rules in there that are just ridiculous!  And no copyrights will be claimed...can't be too careful these days!

@jflsakfja:

Not a problem. I'll send an invoice later  ;)

Of course! I just appreciate the chance to get to learn this stuff.  ;)

BBcan177

@dancwilliams:

Also, BBcan177 refers to version 2.3.4 of the pfiprep script but I am only able to find version 2.3.3.

Thanks Dan.. I moved my gist to the following URL.. Unfortunately I can't edit my original post.

https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a

If anyone else is using my pfIPrep script, please PM me and I will move you to the new pfBlockerNG package. As my script is a manual process, I can guide you on how to cleanly remove it.

dancwilliams

So, I have fallen deep into this Suricata hole…so much you can do!

Is there a way to pass custom variables into Suricata through the GUI?  I see under the interface "WAN Variables" there are some static definitions that can be adjusted, but I am curious about adding a few custom variables.

Thanks!

Dan

A Former User

Do you mean declaring your own variables and using them in the rules? that was possible with snort (custom rules, declare the variables at the top), but suricata for some reason doesn't accept my custom variables.

Not particularly fussed about it, didn't give it too much attention. Maybe bmeeks can chime in if you can in fact do it.

dancwilliams

Exactly,

Trying to pass in my own variables to use in custom rules.

Thanks!

bmeeks

@dancwilliams:

Exactly,

Trying to pass in my own variables to use in custom rules.

Thanks!

Currently there is no way to handle this within the GUI.  You can manually do this if you are willing to edit a file, and are willing to have the same custom variables defined across all interfaces.  Here are the steps.

Edit the file /usr/local/pkg/suricata/suricata_yaml_template.inc

Locate this section of the file (it's near the bottom):

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    {$port_vars}

Add your custom variables to the appropriate section (either address-groups: or port-groups:).

Be sure that you DO NOT change anything else in that section!  Here is an example:

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}
    MY_CUSTOM_ADDRESSS_GROUPS_VAR: "some_value"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    {$port_vars}
    MY_CUSTOM_PORT_VAR: "some_number"

This template file is used by the code to create the actual suricata.yaml configuration file for the interface.  The string variables inside the braces, such as {$addr_vars} are replaced by values from the GUI code as it reads the config file.  All you need to do is just add your custom variables beneath the existing string variables and they will be included in the generated suricata.yaml file.

Bill

dancwilliams

bmeeks,

Thanks for the info!  That is what I was looking for.  Just wanted to make sure I was not missing a spot in the GUI.

Has anyone had any issues with Pass Lists in Suricata?  WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place.  I created the list with the appropriate subnets and restarted Suricata on the appropriate interface.  I am still seeing alerts and blocks on those IPs.

Is there a step I am missing?

Dan

A Former User

Yes, the part where you disable the rule  :D

If a rule generates an alert, but you are absolutely sure that the alert shouldn't be generated (alert on an older version of the software in use for example) then disable the rule instead of suppressing/whitelisting it.

dancwilliams

Great!  ;D

I was not sure what the appropriate response to those situations would be.

Disable the rule it is!

Dan

bmeeks

@dancwilliams:

bmeeks,

Thanks for the info!  That is what I was looking for.  Just wanted to make sure I was not missing a spot in the GUI.

Has anyone had any issues with Pass Lists in Suricata?  WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place.  I created the list with the appropriate subnets and restarted Suricata on the appropriate interface.  I am still seeing alerts and blocks on those IPs.

Is there a step I am missing?

Dan

While jflsakfja's advice is sound, it could be that you missed a step with the PASS LIST.  Once you create the list and save it, you then need to go to the INTERFACE SETTTINGS tab for the interface where you want to use the Pass List and down near the bottom of that page select the new Pass List in the drop-down box next to PASS LIST.  Save it, and then restart Suricata on the interface.

Bill

dancwilliams

bmeeks,

That is what I missed! Thanks for pointing that out. I knew I had to be missing a setting somewhere.

Dan