Taming the beasts… aka suricata blueprint
-
I just wanted to thank you all for the great write up! I really appreciate you taking the time to provide all of this information.
After following the guide I got everything working except for some of the PfIP Reputation widget output. Also, BBcan177 refers to version 2.3.4 of the pfiprep script but I am only able to find version 2.3.3. I feel I may be behind the times due to other updates that have taken place, but this was a great starting point for me.
I am running pfSense 2.1.5 and everything is going well. If there have been other changes due to software updates since this post began; would someone be able to point me in the right direction to learn about the changes/updates?
Thanks for all the great information!
Dan
-
A new guide is in the works, as well as a better "keeping the guide up-to-date" procedure is being worked on.
For now, this thread is a great starting point. Most updates in the new guide have to do with making it easier to set everything up, but the outline basically follows this guide.
I know I promised the new guide a while back. I haven't given up on, it's just that work has been keeping me a bit busy lately.
-
Thanks for the quick response. I definitely understand how wok can take up all your time!
Like I said, after following this guide everything seems to be running great except for some of the widget stuff to monitor the IP Lists. I need notice on the forums that BBcan177 is developing a pfBlockerNG package so I may look into that going forward. It would be nice to have that streamlined and able to backup.
Do you know of a way to backup the Suricata settings? I am not sure if they are getting backed up with the regular pfSense backup. I do not see them in the restore options. Also, anytime my box is power cycled I lose my Suricata block list. Is that the proper behaviour?
Your ET rule list on github is great! I have run into a few rules that trigger due to things I use day-to-day such as Cisco VPN phones and what not. Would you mind if I forked your list just so I can keep up with my findings?
I am also getting into writing some custom rules. I had to read your posts a few times but I think it has finally "clicked". Very exciting stuff!
Again…thanks for sharing with the community.
-
Thanks for the quick response. I definitely understand how wok can take up all your time!
Like I said, after following this guide everything seems to be running great except for some of the widget stuff to monitor the IP Lists. I need notice on the forums that BBcan177 is developing a pfBlockerNG package so I may look into that going forward. It would be nice to have that streamlined and able to backup.
Yes, BBcan177 is pushing towards a pfBlockerNG package. Should be very good when it's released. I'll leave it up to him for more info.
@dancwilliams:Do you know of a way to backup the Suricata settings? I am not sure if they are getting backed up with the regular pfSense backup. I do not see them in the restore options. Also, anytime my box is power cycled I lose my Suricata block list. Is that the proper behaviour?
Make sure you visit Suricata>Global settings> and tick the checkbox to keep the settings when the package is removed. That should take care of keeping settings between package upgrades/reinstallations if something goes wrong. As for transfering the complete settings over to a "new" system, bmeeks should be able to point out more details for it.
Yes, the blocked hosts get cleaned when you reboot. It's an annoying "feature" ;-)
Your ET rule list on github is great! I have run into a few rules that trigger due to things I use day-to-day such as Cisco VPN phones and what not. Would you mind if I forked your list just so I can keep up with my findings?
You are only permitted to fork the list if you contact ET and tell them the rules on the list have long been broken and should be removed/updated. Then you are free to do what you want with it. Except one thing, claim copyrights and sue me later :P
@dancwilliams:I am also getting into writing some custom rules. I had to read your posts a few times but I think it has finally "clicked". Very exciting stuff!
Again…thanks for sharing with the community.
Not a problem. I'll send an invoice later ;)
-
@jflsakfja:
Yes, the blocked hosts get cleaned when you reboot. It's an annoying "feature" ;-)
You really have to love those features. They are saving you from yourself you know….ha! :)
@jflsakfja:
You are only permitted to fork the list if you contact ET and tell them the rules on the list have long been broken and should be removed/updated. Then you are free to do what you want with it. Except one thing, claim copyrights and sue me later :P
I will definitely start hounding them. You are right…there are some rules in there that are just ridiculous! And no copyrights will be claimed...can't be too careful these days!
@jflsakfja:
Not a problem. I'll send an invoice later ;)
Of course! I just appreciate the chance to get to learn this stuff. ;)
-
Also, BBcan177 refers to version 2.3.4 of the pfiprep script but I am only able to find version 2.3.3.
Thanks Dan.. I moved my gist to the following URL.. Unfortunately I can't edit my original post.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
If anyone else is using my pfIPrep script, please PM me and I will move you to the new pfBlockerNG package. As my script is a manual process, I can guide you on how to cleanly remove it.
-
So, I have fallen deep into this Suricata hole…so much you can do!
Is there a way to pass custom variables into Suricata through the GUI? I see under the interface "WAN Variables" there are some static definitions that can be adjusted, but I am curious about adding a few custom variables.
Thanks!
Dan
-
Do you mean declaring your own variables and using them in the rules? that was possible with snort (custom rules, declare the variables at the top), but suricata for some reason doesn't accept my custom variables.
Not particularly fussed about it, didn't give it too much attention. Maybe bmeeks can chime in if you can in fact do it.
-
Exactly,
Trying to pass in my own variables to use in custom rules.
Thanks!
-
Exactly,
Trying to pass in my own variables to use in custom rules.
Thanks!
Currently there is no way to handle this within the GUI. You can manually do this if you are willing to edit a file, and are willing to have the same custom variables defined across all interfaces. Here are the steps.
Edit the file /usr/local/pkg/suricata/suricata_yaml_template.inc
Locate this section of the file (it's near the bottom):
# Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. address-groups: HOME_NET: "[{$home_net}]" EXTERNAL_NET: "{$external_net}" {$addr_vars} # Holds the port group vars that would be passed in a Signature. port-groups: {$port_vars}Add your custom variables to the appropriate section (either address-groups: or port-groups:).
Be sure that you DO NOT change anything else in that section! Here is an example:
# Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. address-groups: HOME_NET: "[{$home_net}]" EXTERNAL_NET: "{$external_net}" {$addr_vars} MY_CUSTOM_ADDRESSS_GROUPS_VAR: "some_value" # Holds the port group vars that would be passed in a Signature. port-groups: {$port_vars} MY_CUSTOM_PORT_VAR: "some_number"This template file is used by the code to create the actual suricata.yaml configuration file for the interface. The string variables inside the braces, such as {$addr_vars} are replaced by values from the GUI code as it reads the config file. All you need to do is just add your custom variables beneath the existing string variables and they will be included in the generated suricata.yaml file.
Bill
-
bmeeks,
Thanks for the info! That is what I was looking for. Just wanted to make sure I was not missing a spot in the GUI.
Has anyone had any issues with Pass Lists in Suricata? WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place. I created the list with the appropriate subnets and restarted Suricata on the appropriate interface. I am still seeing alerts and blocks on those IPs.
Is there a step I am missing?
Dan
-
Yes, the part where you disable the rule :D
If a rule generates an alert, but you are absolutely sure that the alert shouldn't be generated (alert on an older version of the software in use for example) then disable the rule instead of suppressing/whitelisting it.
-
Great! ;D
I was not sure what the appropriate response to those situations would be.
Disable the rule it is!
Dan
-
bmeeks,
Thanks for the info! That is what I was looking for. Just wanted to make sure I was not missing a spot in the GUI.
Has anyone had any issues with Pass Lists in Suricata? WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place. I created the list with the appropriate subnets and restarted Suricata on the appropriate interface. I am still seeing alerts and blocks on those IPs.
Is there a step I am missing?
Dan
While jflsakfja's advice is sound, it could be that you missed a step with the PASS LIST. Once you create the list and save it, you then need to go to the INTERFACE SETTTINGS tab for the interface where you want to use the Pass List and down near the bottom of that page select the new Pass List in the drop-down box next to PASS LIST. Save it, and then restart Suricata on the interface.
Bill
-
bmeeks,
That is what I missed! Thanks for pointing that out. I knew I had to be missing a setting somewhere.
Dan
-
bmeeks,
That is what I missed! Thanks for pointing that out. I knew I had to be missing a setting somewhere.
Dan
Suricata and Snort work the same in the area of Pass Lists. Once you have a custom list created and saved, you then must go to the INTERFACE SETTINGS tab and select that list in the drop-down selection for PASS LIST. Then you save the change and restart that interface.
Bill
-
Hello!
First, I registered and stopped lurking specifically for this thread. I humbly recognize it's weight and wanted to say thank you to its originator and all of the people involved in keeping it going.
Second, I have never felt more mentally challenged in my life! I would love to regale you all of my trials and hardships simply getting the box running (its been an experience), but there's other times and places for this (say no to usb ethernet adapters).
I did write what could have been mistaken for a blog post on where I got hung up on, but after reading all 25 pages of this thread I think I'm back on track. I got stuck on the floating rule shuffle, but will hopefully defeat it before I go to bed! :)
Thank you all so much for this rich and in depth guide. Not just the software related stuff but the insightful commentary as well, it has all be very fascinating to read.
Thank you!
-
Good day folks!
I've had to hold off on my progress, but actually got through the script part not long after my last post. I broke it all to hell, so had to start over. I'm not worried as I learned some stuff along the way and that feels good.
As I come back to get it going again I see pfsense 2.2 has been released. Will this release affect this +year old thread's contents? Should I hold off until a revision is made? Is there one I haven't seen yet (I honestly have been cruising these forums to keep an eye out).
Thank you in advance for your answers and time, I hope everyone's New Year has gotten off to a great start.
-
As I come back to get it going again I see pfsense 2.2 has been released. Will this release affect this +year old thread's contents? Should I hold off until a revision is made? Is there one I haven't seen yet (I honestly have been cruising these forums to keep an eye out).
Go for it… Shouldn't make a difference at all
-
I'm now setting up my aliases after running the script initially.
For the part where I 'point' them at their respective addresses, does the port number matter? "Let's say X=43.." gives the impression it can be any port or perhaps a specific port particular to the system.
I got this far already once and blew everything up again after doing about five of the aliases, so I figured it'd be best to check first before getting to that point again.
Thank you (and you and you) in advance for your time o/
