Suricata not dropping any traffic
-
So I have set the "Block offenders" on the WAN interface in inline mode.
I get alerts in the log but I don't get anything highlighted, why is that?
Do I manually have to change every single rule to "drop" instead of "alert"?
-
How can I manually change all rules to drop, like Snort?
I will create a whitelist.
Thanks
-
As an update to this I tried to change a few of the rules to "drop" and now I get highlighted entries in the alert-log.
But surely something must be wrong here; there are several hundred rules in just the few categories I chose, and the time it would take to change all of them to drop….. :-\
-
I know a way to make all rules drop, but its a bit of a nuclear option. Very simple though. Let me know if you still want to do that.
-
I know a way to make all rules drop, but its a bit of a nuclear option. Very simple though. Let me know if you still want to do that.
Isn't that the point of IPS-mode, to actually drop traffic that matches the categories you choose.
I used IDS-mode for a bit to tune out some false positives (disable some rules within the chosen categories/sets), and when I felt I had gotten to a point where it was worth testing it out in IPS-mode, there's just no difference unless I change every single rule to "force drop" in the categories/rulesets I've chosen.
One set I have is "ET trojan"; that set contains "Default Enabled: 5401" rules, but for them to actually drop any traffic you mean I have to manually force every rule to "drop"? That makes no sense to me.
So if that is the way it is meant to be, yeah I'm interested in how to turn them all to "drop" instead of "alert".
-
There actually is a bit of disagreement among the most knowledgeable people I've talked to.
Some tell me they think that an Intrusion Detection System (IDS) should just detect and alert.
I'm with you. I want the OPTION to also drop that offending traffic.
pfSense will drop the traffic if that's what you configure it to do.
-
The smart people will tell you this is a horrible idea, however, this is what I've done.
In services > suricata
Go to SID MGMT
Create a new SID configuration file. Save it as something like my-dropsid.conf
Put this inside it:
pcre:"a"*
pcre:"b"*
pcre:"c"*
pcre:"d"*
pcre:"e"*
pcre:"f"*
pcre:"g"*
pcre:"h"*
pcre:"i"*
pcre:"j"*
pcre:"k"*
pcre:"l"*
pcre:"m"*
pcre:"n"*
pcre:"o"*
pcre:"p"*
pcre:"q"*
pcre:"r"*
pcre:"s"*
pcre:"t"*
pcre:"u"*
pcre:"v"*
pcre:"w"*
pcre:"x"*
pcre:"y"*
pcre:"z"*
pcre:"A"*
pcre:"B"*
pcre:"C"*
pcre:"D"*
pcre:"E"*
pcre:"F"*
pcre:"G"*
pcre:"H"*
pcre:"I"*
pcre:"J"*
pcre:"K"*
pcre:"L"*
pcre:"M"*
pcre:"N"*
pcre:"O"*
pcre:"P"*
pcre:"Q"*
pcre:"R"*
pcre:"S"*
pcre:"T"*
pcre:"U"*
pcre:"V"*
pcre:"W"*
pcre:"X"*
pcre:"Y"*
pcre:"Z"*
pcre:"0"*
pcre:"1"*
pcre:"2"*
pcre:"3"*
pcre:"4"*
pcre:"5"*
pcre:"6"*
pcre:"7"*
pcre:"8"*
pcre:"9"*
Be sure to enable Automatic SID State Management.
At the bottom, put a check mark next to the interface you want the rules modified for.
In the Drop SID File column, select the new file you made.
Finally, click save….
It will take a moment to process. Hope that helps you.
I'm sure there is a much better way to do this. I'd be happy to know it if anyone can tell me.
-
So I have set the "Block offenders" on the WAN interface in inline mode.
I get alerts in the log but I don't get anything highlighted, why is that?
Do I manually have to change every single rule to "drop" instead of "alert"?
Yes, you do. If you use Inline IPS Mode, you must manage your rule actions. By default all rule vendors ship their rules with ALERT as the action. You can manage them using the SID MGMT tab. If you don't want to do that, then use Legacy Mode instead where all alerts give blocks.
If you run Suricata on any other platform, you must manage your rules yourself by changing certain ones from ALERT to DROP. Otherwise you will just receive alerts. That's the way an IPS was designed to work. Admins want some rules to alert so they know something is happening, but that "something" may not be bad enough to justify breaking traffic by dropping it. However, some traffic is known to be bad and needs to be instantly dropped. The IPS admin has the power to decide. So when Inline IPS Mode was implemented we followed the paradigm of all the other Intrusion Prevention Systems out there.
The way Snort works, and the way Legacy Mode in Suricata works, is really an anomaly and spoiled some users. That's not the way a true IPS works. A true IPS gives the admin total flexibility for picking which rules raise just alerts and which rules actually block traffic.
So if you do not want the hassle of managing your rules using the SID MGMT tab and manually changing rules from ALERT to DROP, then flip back to using Legacy Mode.
Bill
-
The smart people will tell you this is a horrible idea, however, this is what I've done.
In services > suricata
Go to SID MGMT
Create a new SID configuration file. Save it as something like my-dropsid.conf
Put this inside it:
pcre:"a"*
.
.
.
pcre:"9"*
I'm sure there is a much better way to do this. I'd be happy to know it if anyone can tell me.
Can you explain why this is a horrible idea?
I wanted inline mode to function similar to legacy mode for me, so I just wanted to set all these rules to drop. The configuration I used in my dropsid.conf was derived from the instructions in the sample file; what I wrote was:
1:2000000-1:2600000
Just that one line and it was able to successfully set all SIDs to drop.
Could someone explain the difference between these two configurations?
-
I didn't know that method existed. My way is based on brute force and ignorance. If the short way works, I'd use that.
-
The smart people will tell you this is a horrible idea, however, this is what I've done.
In services > suricata
Go to SID MGMT
Create a new SID configuration file. Save it as something like my-dropsid.conf
Put this inside it:
pcre:"a"*
.
.
.
pcre:"9"*
I'm sure there is a much better way to do this. I'd be happy to know it if anyone can tell me.
Can you explain why this is a horrible idea?
I wanted inline mode to function similar to legacy mode for me, so I just wanted to set all these rules to drop. The configuration I used in my dropsid.conf was derived from the instructions in the sample file; what I wrote was:
1:2000000-1:2600000
Just that one line and it was able to successfully set all SIDs to drop.
Could someone explain the difference between these two configurations?
Functionally, there is no difference. Both result in pretty much 100% of the rules getting changed to DROP. Using the GID:SID method is more efficient as it avoids a bunch of Perl regex string searches.
I will state again that changing all the rules to DROP is not the preferred method of configuring an IPS. You should be more selective about which rules DROP to avoid breaking stuff unnecessarily. If you change all the rules to DROP, and then have to spend a large amount of time finding and eliminating false positives to "unbreak" your network, would not that time have been better spent learning which rules to selectively modify to DROP from ALERT?
Bill
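The ALERT-to-DROP rewrite Bill describes, and the SID-range versus pcre matching compared in the reply above, as an added example that is not from this thread, from pfSense or from Suricata: a small Python emulation of a SID MGMT drop list applied to a rules file, so the two list styles can be tried against each other offline. The rules, SIDs and list entries are constructed placeholders (not real ET signatures), and the list syntax handled (bare SID, GID:SID, inclusive ranges, comma-separated entries, pcre:"regex", '#' comment lines) is a simplified reading of the thread's examples rather than pfSense's actual parser.

```python
import re

# A Suricata rule line: action keyword followed by the rest of the rule.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$')
# The sid:/gid: options in the rule body (simplified: assumes no "sid:" text inside msg).
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(?P<gid>\d+)\s*;')


def _gid_sid(token):
    """'1:2000000' -> (1, 2000000); a bare '2000000' is taken as GID 1 (assumption)."""
    if ':' in token:
        gid, sid = token.split(':', 1)
        return int(gid), int(sid)
    return 1, int(token)


def parse_drop_list(text):
    """Parse a SID MGMT-style drop list into matchers.

    Handled forms (simplified reading of the thread's examples, not pfSense's parser):
      2100001                 single SID (GID 1)
      1:2000000-1:2600000     inclusive GID:SID range
      2100001,2100002         comma-separated entries on one line
      pcre:"ET TROJAN"        regex matched against the whole rule text
      # comment line
    """
    matchers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('pcre:'):
            pattern = line[len('pcre:'):].strip()
            if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
                pattern = pattern[1:-1]          # strip the surrounding quotes
            matchers.append(('pcre', re.compile(pattern)))
            continue
        for item in line.split(','):
            item = item.strip()
            if '-' in item:
                lo, hi = item.split('-', 1)
                matchers.append(('range', _gid_sid(lo), _gid_sid(hi)))
            else:
                matchers.append(('range', _gid_sid(item), _gid_sid(item)))
    return matchers


def _ids(rule):
    """Return (gid, sid) of a rule line, or None if it carries no sid option."""
    sid_m = SID_RE.search(rule)
    if not sid_m:
        return None
    gid_m = GID_RE.search(rule)
    return (int(gid_m.group('gid')) if gid_m else 1, int(sid_m.group('sid')))


def rule_matches(rule, matchers):
    """True if any matcher selects this rule (GID:SID range or regex over the rule text)."""
    ids = _ids(rule)
    if ids is None:
        return False
    for kind, *args in matchers:
        if kind == 'range':
            lo, hi = args
            if lo <= ids <= hi:              # tuple comparison orders by (gid, sid)
                return True
        elif args[0].search(rule):
            return True
    return False


def apply_drop_list(rules_text, drop_list_text):
    """Flip matching 'alert' rules to 'drop'.

    Returns (rewritten rules text, list of SIDs that were flipped).  Disabled
    ('#'-commented) rules, rules already set to drop/pass/reject and rules the
    list does not select are left exactly as they were.
    """
    matchers = parse_drop_list(drop_list_text)
    out, flipped = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group('action') == 'alert' and rule_matches(line, matchers):
            out.append('drop ' + m.group('rest'))
            flipped.append(_ids(line)[1])
        else:
            out.append(line)
    return '\n'.join(out) + '\n', flipped


# Constructed sample rule set; SIDs and messages are placeholders, not real ET signatures.
SAMPLE_RULES = """\
# constructed sample rules (not real ET signatures)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example C2 beacon"; flow:established,to_server; content:"/beacon"; http_uri; classtype:trojan-activity; sid:2100001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET POLICY Example outbound SSH"; flow:to_server; classtype:policy-violation; sid:2100002; rev:1;)
# alert dns $HOME_NET any -> any 53 (msg:"ET INFO Example disabled rule"; dns.query; content:"example"; sid:2100003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL Example SMB probe"; flow:to_server; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL Example already drop"; sid:1000002; rev:1;)
"""

# The thread's one-line "everything to drop" list: ET SIDs live in the 2000000 range.
DROP_ALL_ET = "1:2000000-1:2600000\n"

# A selective list in the spirit of the advice above: drop one known-bad category and one local rule.
DROP_SELECTIVE = 'pcre:"ET TROJAN"\n1000001\n'

if __name__ == "__main__":
    rewritten, flipped = apply_drop_list(SAMPLE_RULES, DROP_SELECTIVE)
    print(f"flipped {len(flipped)} rule(s) to drop: {flipped}")
    print(rewritten)
```

Run against SAMPLE_RULES, DROP_ALL_ET flips both ET rules and nothing else (the commented rule stays disabled, the LOCAL alert is outside the range), while DROP_SELECTIVE flips only the ET TROJAN rule and the one LOCAL SID named explicitly. Outside pfSense, suricata-update offers the same kind of list natively through its drop.conf (`--drop-conf`), so the rewrite does not have to be scripted by hand.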
-
Hey thanks for the clarification!! :)
I see what you mean, and I definitely agree that if all traffic that generated an alert was dropped in a high-availability production environment, the number of false positives would cripple countless applications and managing the false positives would certainly be overwhelming.
On my home network where I use pfSense, I prefer to administrate my network this way because I have a long-standing policy to restrict applications phoning home unnecessarily, and additionally, I operate a very limited gamut of software applications so this approach has been manageable for me and is somewhat in line with my ideologies anyhow.
Regardless, I can certainly see how an in-depth knowledge of the types of 'noise' that poorly configured or outdated systems/websites can generate (in the form of IDS alerts) can help in understanding which SIDs can safely be whitelisted and which others are more serious…
Is there a central location some place where these sorts of concepts are documented?
-
Is there a central location some place where these sorts of concepts are documented?
Unfortunately not – at least I've never found one. There is at least one thread here on the pfSense forum that contains suggestions from other experienced users on which rules can safely be either disabled or their alerts suppressed. You will have to search for "suppress list", for example, in the IDS/IPS sub-forum.
Bill