Netgate Discussion Forum

    Taming the beasts… aka suricata blueprint

    IDS/IPS
    504 Posts 64 Posters 315.1k Views
    • D
      dancwilliams
      last edited by

      So, I have fallen deep into this Suricata hole…so much you can do!

      Is there a way to pass custom variables into Suricata through the GUI?  I see under the interface "WAN Variables" there are some static definitions that can be adjusted, but I am curious about adding a few custom variables.

      Thanks!

      Dan

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User
        last edited by

        Do you mean declaring your own variables and using them in the rules? that was possible with snort (custom rules, declare the variables at the top), but suricata for some reason doesn't accept my custom variables.

        Not particularly fussed about it, didn't give it too much attention. Maybe bmeeks can chime in if you can in fact do it.

        1 Reply Last reply Reply Quote 0
        • D
          dancwilliams
          last edited by

          Exactly,

          Trying to pass in my own variables to use in custom rules.

          Thanks!

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @dancwilliams:

            Exactly,

            Trying to pass in my own variables to use in custom rules.

            Thanks!

            Currently there is no way to handle this within the GUI.  You can manually do this if you are willing to edit a file, and are willing to have the same custom variables defined across all interfaces.  Here are the steps.

            Edit the file /usr/local/pkg/suricata/suricata_yaml_template.inc

            Locate this section of the file (it's near the bottom):

            
            # Holds variables that would be used by the engine.
            vars:
            
              # Holds the address group vars that would be passed in a Signature.
              address-groups:
                HOME_NET: "[{$home_net}]"
                EXTERNAL_NET: "{$external_net}"
                {$addr_vars}
            
              # Holds the port group vars that would be passed in a Signature.
              port-groups:
                {$port_vars}
            
            

            Add your custom variables to the appropriate section (either address-groups: or port-groups:).

            Be sure that you DO NOT change anything else in that section!  Here is an example:

            # Holds variables that would be used by the engine.
            vars:
            
              # Holds the address group vars that would be passed in a Signature.
              address-groups:
                HOME_NET: "[{$home_net}]"
                EXTERNAL_NET: "{$external_net}"
                {$addr_vars}
                MY_CUSTOM_ADDRESS_GROUPS_VAR: "some_value"
            
              # Holds the port group vars that would be passed in a Signature.
              port-groups:
                {$port_vars}
                MY_CUSTOM_PORT_VAR: "some_number"
            

            This template file is used by the code to create the actual suricata.yaml configuration file for the interface.  The string variables inside the braces, such as {$addr_vars} are replaced by values from the GUI code as it reads the config file.  All you need to do is just add your custom variables beneath the existing string variables and they will be included in the generated suricata.yaml file.

            Bill

            1 Reply Last reply Reply Quote 0
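As an added example (not code from the pfSense Suricata package or from Bill), this reproduces the placeholder substitution the package performs on the template fragment above, with one custom address group and one custom port group appended, and then checks that every element of the resulting groups is something Suricata will accept before the interface is restarted. The GUI values, the WEBEX_* names and the CIDRs are constructed stand-ins, not real pfSense output.

```python
"""Render the vars: block of the Suricata YAML template with custom groups added
and sanity-check them before a restart. Added example, not package code."""
import ipaddress
import re

# Template fragment from the thread plus a custom address and port group placed
# beneath the GUI-managed {$...} placeholders (custom values are constructed).
TEMPLATE = """\
vars:
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}
    WEBEX_NET: "[203.0.113.0/24,198.51.100.0/24]"
  port-groups:
    {$port_vars}
    WEBEX_PORTS: "[443,5004]"
"""
# Constructed stand-ins for what the GUI code substitutes at generation time.
GUI_VALUES = {"home_net": "192.168.1.0/24,10.0.0.0/8",
              "external_net": "!$HOME_NET",
              "addr_vars": 'DNS_SERVERS: "[192.168.1.53]"',
              "port_vars": 'HTTP_PORTS: "[80,8080]"'}

def render(template, values):
    """Replace every {$name} placeholder, as the package code does."""
    return re.sub(r"\{\$(\w+)\}", lambda m: values[m.group(1)], template)

def parse_groups(rendered):
    """Collect {section: {VAR: value}} from the rendered vars: block."""
    groups, section = {}, None
    for line in rendered.splitlines():
        head = re.match(r"^  (address-groups|port-groups):\s*$", line)
        item = re.match(r'^    ([A-Z_][A-Z0-9_]*):\s*"(.*)"\s*$', line)
        if head:
            section = head.group(1)
            groups[section] = {}
        elif item and section:
            groups[section][item.group(1)] = item.group(2)
    return groups

def valid_item(section, item):
    """True for one element: IP/CIDR or $VAR (address), port or lo:hi (port)."""
    item = item.strip().lstrip("!")
    if item.startswith("$") or item == "any":
        return True
    try:
        if section == "address-groups":
            ipaddress.ip_network(item, strict=False)
            return True
        lo, _, hi = item.partition(":")
        return all(0 <= int(p) <= 65535 for p in (lo, hi or lo))
    except ValueError:
        return False

def validate(rendered):
    """Map each variable with a malformed element to the offending items."""
    return {name: bad for section, group in parse_groups(rendered).items()
            for name, value in group.items()
            if (bad := [i for i in value.strip("[]").split(",")
                        if not valid_item(section, i)])}
```

Run validate() on the rendered text and fix anything it reports before restarting Suricata on the interface; an empty result means every group element parsed cleanly.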
            • D
              dancwilliams
              last edited by

              bmeeks,

              Thanks for the info!  That is what I was looking for.  Just wanted to make sure I was not missing a spot in the GUI.

              Has anyone had any issues with Pass Lists in Suricata?  WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place.  I created the list with the appropriate subnets and restarted Suricata on the appropriate interface.  I am still seeing alerts and blocks on those IPs.

              Is there a step I am missing?

              Dan

              1 Reply Last reply Reply Quote 0
              • ?
                A Former User
                last edited by

                Yes, the part where you disable the rule  :D

                If a rule generates an alert, but you are absolutely sure that the alert shouldn't be generated (alert on an older version of the software in use for example) then disable the rule instead of suppressing/whitelisting it.

                1 Reply Last reply Reply Quote 0
                • D
                  dancwilliams
                  last edited by

                  Great!  ;D

                  I was not sure what the appropriate response to those situations would be.

                  Disable the rule it is!

                  Dan

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    @dancwilliams:

                    bmeeks,

                    Thanks for the info!  That is what I was looking for.  Just wanted to make sure I was not missing a spot in the GUI.

                    Has anyone had any issues with Pass Lists in Suricata?  WebEx keeps triggering a certain rule so I thought I would use a pass list for the WebEx subnets and leave the rule in place.  I created the list with the appropriate subnets and restarted Suricata on the appropriate interface.  I am still seeing alerts and blocks on those IPs.

                    Is there a step I am missing?

                    Dan

                    While jflsakfja's advice is sound, it could be that you missed a step with the PASS LIST.  Once you create the list and save it, you then need to go to the INTERFACE SETTINGS tab for the interface where you want to use the Pass List and down near the bottom of that page select the new Pass List in the drop-down box next to PASS LIST.  Save it, and then restart Suricata on the interface.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • D
                      dancwilliams
                      last edited by

                      bmeeks,

                      That is what I missed! Thanks for pointing that out. I knew I had to be missing a setting somewhere.

                      Dan

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @dancwilliams:

                        bmeeks,

                        That is what I missed! Thanks for pointing that out. I knew I had to be missing a setting somewhere.

                        Dan

                        Suricata and Snort work the same in the area of Pass Lists.  Once you have a custom list created and saved, you then must go to the INTERFACE SETTINGS tab and select that list in the drop-down selection for PASS LIST.  Then you save the change and restart that interface.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • N
                          neonmatt
                          last edited by

                          Hello!

                          First, I registered and stopped lurking specifically for this thread.  I humbly recognize its weight and wanted to say thank you to its originator and all of the people involved in keeping it going.

                          Second, I have never felt more mentally challenged in my life!  I would love to regale you all with my trials and hardships simply getting the box running (it's been an experience), but there's other times and places for this (say no to usb ethernet adapters).

                          I did write what could have been mistaken for a blog post on where I got hung up on, but after reading all 25 pages of this thread I think I'm back on track.  I got stuck on the floating rule shuffle, but will hopefully defeat it before I go to bed! :)

                          Thank you all so much for this rich and in depth guide.  Not just the software related stuff but the insightful commentary as well, it has all been very fascinating to read.

                          Thank you!

                          "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

                          1 Reply Last reply Reply Quote 0
                          • N
                            neonmatt
                            last edited by

                            Good day folks!

                            I've had to hold off on my progress, but actually got through the script part not long after my last post.  I broke it all to hell, so had to start over.  I'm not worried as I learned some stuff along the way and that feels good.

                            As I come back to get it going again I see pfsense 2.2 has been released.  Will this release affect this +year old thread's contents?  Should I hold off until a revision is made?  Is there one I haven't seen yet (I honestly have been cruising these forums to keep an eye out).

                            Thank you in advance for your answers and time, I hope everyone's New Year has gotten off to a great start.


                            1 Reply Last reply Reply Quote 0
                            • C
                              Cino
                              last edited by

                              @neonmatt:

                              As I come back to get it going again I see pfsense 2.2 has been released.  Will this release affect this +year old thread's contents?  Should I hold off until a revision is made?  Is there one I haven't seen yet (I honestly have been cruising these forums to keep an eye out).

                              Go for it… Shouldn't make a difference at all

                              1 Reply Last reply Reply Quote 0
                              • N
                                neonmatt
                                last edited by

                                I'm now setting up my aliases after running the script initially.

                                For the part where I 'point' them at their respective addresses, does the port number matter?  "Let's say X=43.." gives the impression it can be any port or perhaps a specific port particular to the system.

                                I got this far already once and blew everything up again after doing about five of the aliases, so I figured it'd be best to check first before getting to that point again.

                                Thank you (and you and you) in advance for your time o/


                                1 Reply Last reply Reply Quote 0
                                • ?
                                  A Former User
                                  last edited by

                                  I'm assuming you are talking about the port to point the alias in order to "download" the IP list. In that case yes, the port matters. It's the same port as pfsense's webgui, and it's used like this: pfsenseIP:port/directory_where_you_put_the_lists

                                  If you are talking on the ports in the rules, then set it to any, since you don't want to talk to those IPs on any port.

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    neonmatt
                                    last edited by

                                    @jflsakfja:

                                    I'm assuming you are talking about the port to point the alias in order to "download" the IP list. In that case yes, the port matters. It's the same port as pfsense's webgui, and it's used like this: pfsenseIP:port/directory_where_you_put_the_lists

                                    If you are talking on the ports in the rules, then set it to any, since you don't want to talk to those IPs on any port.

                                    Thanks jflsakfja!  Yes, the first part is exactly what I was looking for.  Now to wait 8 hours to get home and get back to it, haha.  ;D


                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      neonmatt
                                      last edited by

                                      Well, luckily I'm not a quitter.

                                      Last night I blew my box up after running the script the first time.

                                      So a quick fresh install (4th one now I think) and some steps later and I'm back to the aliases.  I get all the ones I find after doing the "ls /usr/local/www/badips/" command and do a jig.

                                      Now I'm on to the two floating rules per alias created.  I start with ALIENSHIELD instead of dshield in the example.  I finish the first half on WAN and read 'mouse over and a pop up will show some IPs in it'.  Nope.  It shows the address I put in: 127.0.0.1:275/badips/ALIENVAULT.txt.  No IPs and no 1.1.1.1.

                                      Of course I managed to go outside of the lines once again.

                                      Okay, maybe I jacked up the part where it says to set the userfolder and pfdir in the script?  Nope, they're set exactly as stated.

                                      In the address 127.0.0.1:275/badips/ALIENVAULT.txt, is this referencing the badips folder in the /usr/local/www directory, or the /home/badips?  Did I mix them up perhaps?

                                      Oh, and after I ran the script there were no tier rules of any kind auto built or created.  Should I just stop now?

                                      Thank anyone in advance for your time :)


                                      1 Reply Last reply Reply Quote 0
                                      • BBcan177B
                                        BBcan177 Moderator
                                        last edited by

                                        Hi Matt… I hope to have pfBlockerNG released as a package which will do what my original script was doing and more... It's actually been so long since I looked at that script :) I would have to review and see what steps you missed :)

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          neonmatt
                                          last edited by

                                          @BBcan177:

                                          Hi Matt… I hope to have pfBlockerNG released as a package which will do what my original script was doing and more... It's actually been so long since I looked at that script :) I would have to review and see what steps you missed :)

                                          Thanks for the reply BB, I appreciate it.  I look forward to that package :)

                                          After the part under (tip when using carp) I followed the numbered steps to get everything set up.

                                          I popped open the script and made the 2 changes that were given (userfolder=/home/badips and pfdir=/usr/www/badips/).

                                          I actually read it this time and saw there were two dependencies, grepcidr and geoIP.  I figured out that pkg add -r grepcidr of course doesn't work for me and grabbed it using pkg install grepcidr.  I'm not sure if that makes a difference as I couldn't figure out what the -r was, on mine the help blurb says there's a -R.

                                          I set the bypass to yes for the first run also and then set it back after running it.

                                          Attached is a copy of what I have currently.

                                          [current pfiprep config.txt](/public/imported_attachments/1/current pfiprep config.txt)


                                          1 Reply Last reply Reply Quote 0
                                          • R
                                            Ramosel
                                            last edited by

                                            I've sort of backed off staying up to date on the Suricata news as I've had way too many other projects going on, my pfSense box has just been humming along and I was waiting for some things in 2.2.

                                            So, ready to start looking at moving to a 2.2 build and going with Suricata over SNORT.  I know the information is all here but this thread has really grown…. really grown.  Will there be a sticky with the install/setup essentials as was done with SNORT?

                                            Thanks,
                                            Rick

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.