Netgate Discussion Forum

    Taming the beasts… aka suricata blueprint

IDS/IPS
504 Posts, 64 Posters, 300.3k Views
A Former User

Since I like transparency, just letting anyone know that I'm waiting for permission to go ahead and start public work on the guide. Some parts of the guide have been completed offline, waiting to be pushed when the time comes.

Here's the relevant topic: https://forum.pfsense.org/index.php?topic=88244. An email has been sent to the mentioned address as well.

Edit: brain-farting-typo
SixXxShooTeR

Thanks for the guide jflsakfja, it's obvious that you've put a lot of work into it and I look forward to seeing it completed. I have one suggestion though: when you publish the guide it might be better to use pictures (maybe pics showing the firewall rules on all the interfaces) or indenting, similar to what you did with configuring the "pfsense ports". For example, the "outgoing ports" rule creation gets a little lost in a paragraph format in my opinion.

"Head over to an interface's tab and set up an allow rule. Source should be the interface's subnet. The destination should be any, and for the ports use the outgoing ports alias created above. Destination should be any. Otherwise identical to the webgui rule."
A Former User

That's exactly what I'm planning to do eventually, hence github, hence github pages (a little less known feature of github)  ;)

Something along the lines of: http://jflsakfja.github.io/test-page

It's gonna be good, I promise that :-)
SixXxShooTeR

@jflsakfja:

That's exactly what I'm planning to do eventually, hence github, hence github pages (a little less known feature of github)  ;)

Something along the lines of: http://jflsakfja.github.io/test-page

It's gonna be good, I promise that :-)

I can't wait to see it, really. I'm learning a lot just from reading through your examples. Forgive me if you've mentioned this before, but do you have a date in mind for the full release?
neonmatt

I took a little break and worked on something else to give my mind a rest. I have a newer box and am working on getting it up now :) I gotta say, it sure is nice to see PFBlockerNG in the packages list. I can't wait to get deep into the suricata after, mwa ha ha!

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
fsansfil

Here's a good one for Suricata, no need for pfBlocker ;)

drop ip any any <> $HOME_NET any (msg:"GeoIP Country Block"; geoip:!US,CA,BE,CZ,FR,DE,UK,NL,DK,FI,IE,NO,CH,JP,AU,NZ,SE,IS; classtype:policy-violation; sid:7710002; rev:1;)

Feel free to add/remove countries as you wish…

F.
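To make the grammar of the rule above concrete, here is an added Python parser for that Suricata rule format (my example, not the poster's or the Suricata project's code). It assumes that a geoip keyword with no src/dst/both/any prefix, as in this rule, defaults to any; the lint checks (including the UK versus GB country code) are my own constructed checks, not Suricata's validation.

```python
import re

# Constructed input: the GeoIP rule quoted in this thread, copied verbatim.
RULE = ('drop ip any any <> $HOME_NET any (msg:"GeoIP Country Block"; '
        'geoip:!US,CA,BE,CZ,FR,DE,UK,NL,DK,FI,IE,NO,CH,JP,AU,NZ,SE,IS; '
        'classtype:policy-violation; sid:7710002; rev:1;)')

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: keyword, optional ':value' (quoted, or up to the next ';'), then ';'
OPT_RE = re.compile(r'\s*([\w.]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')
GEOIP_DIRS = {'src', 'dst', 'both', 'any'}

def parse_rule(text: str) -> dict:
    """Split one rule into its header fields plus an 'options' dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule: " + text)
    rule = m.groupdict()
    rule['options'] = {k: v.strip('"') for k, v in OPT_RE.findall(rule.pop('opts'))}
    return rule

def geoip_spec(rule: dict):
    """Return (negated, direction, codes) from the geoip keyword. Assumption:
    no src/dst/both/any prefix (as in this rule) means 'any'."""
    spec = rule['options'].get('geoip', '')
    negated = spec.startswith('!')
    parts = [p.strip() for p in spec.lstrip('!').split(',') if p.strip()]
    direction = parts.pop(0) if parts and parts[0] in GEOIP_DIRS else 'any'
    return negated, direction, frozenset(c.upper() for c in parts)

def country_selected(rule: dict, code: str) -> bool:
    """With a leading '!', every country NOT in the list is selected (and dropped)."""
    negated, _, codes = geoip_spec(rule)
    return (code.upper() not in codes) if negated else (code.upper() in codes)

def lint(rule: dict) -> list:
    """Constructed sanity checks on the rule text, not Suricata's own validation."""
    warnings = []
    _, _, codes = geoip_spec(rule)
    if 'UK' in codes:  # ISO 3166-1 alpha-2 (and the MaxMind database) use GB
        warnings.append("geoip: 'UK' is not an ISO country code, use GB")
    if rule['dir'] == '<>' and rule['src'] == 'any' and rule['dst'] == '$HOME_NET':
        warnings.append("every packet to or from $HOME_NET gets a GeoIP lookup")
    return warnings
```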
A Former User

Actually that's the exact rule that the guide is recommending not to use, for a reason or two ;-)

Why spend CPU/RAM analyzing packets that you know you'll drop? By the time you've finished analyzing them, a small number will have gotten through (suricata/snort doesn't work on the live traffic, but on a copy of that traffic).
A rule like that will take most of the RAM suricata is using. If you need a 2nd interface, double it. 3rd, triple it, and so on. A pfsense rule though will not take that much RAM.
Blocking by countries is NOT as attractive as it sounds. Most hosting providers don't rent datacenter space/servers in the country their visitors are in. Blocking the US for example (as you should, see NSA saga) will get rid of most of the "known internet". Admittedly not a bad thing to do, but.

There is no date on the new guide. I need the pf guys to give me the OK to go ahead with the guide. It's their move now. I'm pretty much sitting around waiting for their answer.
fsansfil

Yea, I understand it should be at the firewall level, not at the IDS one in //, but still try it… with some decent hardware, pfSense & Suricata geoIp rule, try to visit a banned country site and tell me how much data was passed before the drop/block kicked in... Also compare the memory footprint of this option vs pfblocker or an alias list...

Concerning the NSA, no need trying to fight it; they operate at a different layer... Imagine if they had to operate at the "user" level...

Just intercept/inject bigger hardware... you will never see them, they will always catch all...

F.
raidflex

Any news on progress with the guide?
A Former User

Still waiting for the pfsense crew's answer.
raidflex

@jflsakfja:

Still waiting for the pfsense crew's answer.

Looking forward to your guide, I hope they respond soon.
Ramosel

@raidflex:

@jflsakfja:

Still waiting for the pfsense crew's answer.

Looking forward to your guide, I hope they respond soon.

Yep, I second that!

Rick
MaXX99

And I will third it  :)

I am in the process of installing a new pfsense firewall and v2.0 of the infamous guide would come in handy :)
jonesr

jflsakfja, I cannot thank you enough for this. Over the last week I read through this entire thread and I am going to have to go through and read at least the first few pages again before trying this for myself.

I am sure I am not alone in having set up Snort/Suricata piecemeal, tweaking based on the odd nugget of advice picked up here and there but always wondering "am I really doing this right?". I am looking forward to seeing the updated guide, thank you again for all your efforts.

pfSense AMD64 VGA - Assume latest version.
Suricata, pfBlockerNG, SquidGuard, squid3.
Ramosel

@MaXX99:

I am in the process of installing a new pfsense firewall and v2.0 of the infamous guide would come in handy :)

Agreed :D

I have a matching hardware spare so I've started a 2.2.1 build and am just going to hold tight until the guide comes out. I'm venturing into new territory with Suricata and would rather follow the knowledge. Until then, my 2.1.5 with Snort is running just fine.

Curious though, is there any "school of thought" as to the order of loading Squid3, PfBlockerNG and Suricata?

Rick
Cino

@jflsakfja any progress? I'm pretty sure you're probably done with the write-up, but still waiting on the pfSense team to give the OK?
A Former User

Negative on progress, since I still haven't got the OK. Patience is a virtue we all need  ;)
Ramosel

@jflsakfja:

Patience is a virtue we all need  ;)

I'll second that one too!

Rick
n3by

Hello,

At home I use pfsense 2.1.5 and now I've switched from Snort to Suricata, set up as recommended by jflsakfja's instructions in this thread…

Looking at the alert logs yesterday I found that people from China are trying to probe/hack my home network (probably they found that the Lenovo tablet can't report home and want to see what's wrong...), so I put them in a blocked alias and set them in the firewall as permanently blocked traffic In (WAN) and Out (LAN), but I still get alerts in Suricata from their IPs.

And by the way, I still have Pfblocker set up to block all incoming traffic from Asia, and other sources.

Isn't the pfsense firewall blocking traffic before it arrives at Suricata?

Thank you.

edit:
security by obscurity (pictures removed)
Cino

@jflsakfja:

Patience is a virtue we all need  ;)

After reading https://forum.pfsense.org/index.php?topic=88244 , I think we will need more than patience. I understand what you're doing/asking for.. I've seen many pfsense guides on the internet, and none of them have gotten in trouble.. They just put the standard trademark disclaimer.

I'll wait and see
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.