Suricata Rule management
-
All good. I also did not mean to insult you or devalue you as incompetent.
If you are the creator and maintainer for the Suricata package I would like to formally thank you for the work. It was among other things the good implementation of Suricata in pfsense that made me choose Netgate.
To be honest, in the first moment I found it strange how someone knows what services are running in my network based on my question.
You are right with your listings. However, these have already been included in the design of the firewall.
The config.xml will indeed be filled with a lot of rules. However, the write access as it ends up in the RAM and to users accessing it will be limited. I think there is still room for maneuver even if you use a lot of entries until you have to replace the file with another solution.
The RAM consumption does in fact increase as well. However, a problem only arises on the hardware side.
Basically you are also right, you don't need to load SMTP rules if you don't have a Public Mail Server.
However, my thought goes further at this point.
I think it is possible to increase the security of the network with a little more ram.
In case of a hybrid attack I expect significant advantages.
Furthermore, I can control exactly which IPs are excluded, then it only hits unauthorized ones.
(I hope you could read my bad English and understand what I mean.)
-
While I still disagree with the strategy of enabling every rule in every category, if you want to proceed with it the most efficient way will be to use the functionality on the SID MGMT tab to achieve the goal. That will result in less storage consumption in the config.xml file. Enable the automatic SID management feature on that tab (check the box to enable and save that change), then create a custom enablesid.conf file using the examples from the sample files available on that page. You can list all the category names, and then follow that with a very wide SID range. That should result in all rules being enabled. Read through the sample files on that tab to get an idea of how the feature works. It uses Perl regular expression logic (regex) to select rules.
-
I just wanted to copy an interface where many rules are already activated.
This was not possible, without an error message. Was there a change? I am sure I have done this before.
Otherwise I will have to take the time to activate all of them. Or I will implement your suggestion.
One last question. Is there anywhere to see how many rules are currently active and how many are not?
Thanks for your help!
-
@deleted said in Suricata Rule management:
I just wanted to copy an interface where many rules are already activated.
This was not possible, without an error message. Was there a change? I am sure I have done this before.
What was the error message?
One last question. Is there anywhere to see how many rules are currently active and how many are not?
Thanks for your help!
You can see how many are active by going to the RULES tab and then choosing "Active Rules" in the drop-down selector there. It may take a very long time to finish populating the page if a lot of rules are selected. There is no way to easily see "not active" rules.
-
@bmeeks said in Suricata Rule management:
What was the error message?
There is no error message. Also no entry in the log.
I have pressed the button to copy.
Then edited and saved the interface and the description. Then I was back on the overview page. However, no copy was made.
However, since I used the function for the last time in another patch version, I wanted to see if there were changes and I have overlooked something.
-
What information / logs do you need?
I tried again, a copy is still not possible. There is no entry in the Suricata logs.
-
@deleted said in Suricata Rule management:
What information / logs do you need?
I tried again, a copy is still not possible. There is no entry in the Suricata logs.
I've put this issue on my "TO DO" list for the next upgrade. I will test and fix anything I find not working. There have been more hands than just mine in the Suricata GUI code over the last couple of years, so very possible something got messed up. That feature is not routinely tested, and is apparently seldom used.
-
@deleted said in Suricata Rule management:
What information / logs do you need?
I tried again, a copy is still not possible. There is no entry in the Suricata logs.
I just tested the interface copy feature in a virtual machine and it worked as designed. Here is a screenshot. I copied the existing LAN interface over to OPT1.
You can only copy interfaces when an existing open and enabled interface exists in pfSense itself. So maybe you do not have any available enabled interfaces in pfSense?
-
Sorry.
My example was disabled.
With this it works and I can save myself the work of activating everything.
Then I only have to look at what is newly added and disabled.
Thank you very much for your help.