Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Suricata Really Annoying, Blocking Everything

    IDS/IPS
    9
    29
    29158
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      downtown last edited by

      I just set up Suricata recently on my pfSense box.  I set it up to use the ETOpen Rules and the Snort VRT Rules.  I ticked the box for Use rules from one of three pre-defined Snort IPS policies, and used the Connected profile.  So far, I find it really annoying.  It seems to be blocking all kinda of stuff that it should not.  I open up a terminal and ssh to my web server in the cloud - boom - blocked by ET SCAN Potential SSH Scan OUTBOUND and eventually SURICATA STREAM excessive retransmissions.  I try to connect to a client's pfSense box via remote, and boom, blocked.  VPN connections: blocked.  Some web sites: blocked.  It is very counter-productive to be constantly managing this.  I don't want to sit here and passlist the entire Internet.  Am I missing something?

      1 Reply Last reply Reply Quote 0
      • T
        tipiewot last edited by

        @downtown:

        I just set up Suricata recently on my pfSense box.  I set it up to use the ETOpen Rules and the Snort VRT Rules.  I ticked the box for Use rules from one of three pre-defined Snort IPS policies, and used the Connected profile.  So far, I find it really annoying.  It seems to be blocking all kinda of stuff that it should not.  I open up a terminal and ssh to my web server in the cloud - boom - blocked by ET SCAN Potential SSH Scan OUTBOUND and eventually SURICATA STREAM excessive retransmissions.  I try to connect to a client's pfSense box via remote, and boom, blocked.  VPN connections: blocked.  Some web sites: blocked.  It is very counter-productive to be constantly managing this.  I don't want to sit here and passlist the entire Internet.  Am I missing something?

        Hi downtown,

        A short answer : Suricata (or snort, or whatever IPS)  is not an automatic "plug and play" toy, and you'll need days and weeks before being able to have a stable and linear behavior.
        First of all, DO NOT activate blocking during the first steps. You will have to filter alerts and fill pass lists (time consuming, yes, no other way).
        Try to enable only a few rulesets first (dshield, CINS), check for alerts. Then add other needed rulesets, and check again, step by step. Add undesirable actions in suppress list.

        "stream-events" has a strange behavior for me too. I won't tell you not to activate this ruleset at all, but… maybe.

        Hope it helps  :)

        Pierre

        1 Reply Last reply Reply Quote 0
        • M
          mind12 last edited by

          Hi,

          if you use the Inline IPS mode there won't be any blocking by default only alerts. This way you have time to configure blocking on specific categories or rules in the SID mgmt menu using dropsid.conf file.
          So far I use these in my dropsid.conf and I'm satisfied with the results. Feel free to modify for your needs:

          snort_
          emerging-drop
          emerging-botcc.portgrouped
          emerging-botcc
          emerging-ciarmy
          emerging-compromised
          emerging-dshield
          emerging-tor
          emerging-worm
          emerging-trojan
          emerging-mobile_malware
          emerging-malware
          
          1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
          1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
          1:2012247  	# ET P2P BTWebClient UA uTorrent in use
          1:2221002  	# SURICATA HTTP request field missing colon
          1:2221013  	# SURICATA HTTP request header invalid
          1:2016777  	# ET INFO HTTP Request to a *.pw domain
          #1:2013031       # ET POLICY Python-urllib/ Suspicious User Agent
          1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
          1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
          
          1 Reply Last reply Reply Quote 0
          • D
            dcol Banned last edited by

            I also had freezing when Inline was enabled. Worked ok Legacy mode. Works in the dev version 2.4.0, but no pass list is available.

            1 Reply Last reply Reply Quote 0
            • D
              downtown last edited by

              Thanks for the helpful replies.  Will work on it…  :)

              1 Reply Last reply Reply Quote 0
              • T
                tipiewot last edited by

                Hi all !

                Finally the Inline mode is clearly unable to go to production environment for the moment  :(, despite the fact it is an enormous step ahead. It will be a strong IPS soon, no doubt, but it is not stable enough yet.

                I also have hard blocking issues.

                Among them :
                1) Only bge (Broadcom) NICs seem to be able to handle Inline mode. em (Intel) NICs block all traffic, even without any rule or droplist enabled on them (no alert, but no traffic passing). Other Threads and post quote this issue. Tuning the NICs didn't fix anything.
                2a) Enabling rules on bge cards generate alerts (works fine for IDS, it seems).
                2b) Enabling also a droplist fires alerts correctly (alerts in red, so works fine for first part of IPS)
                2c)  Pass list are not available anymore, OK. But suppress lists still exist and should work as before (in legacy mode, I mean)… While trying to use a Suppress list to exclude some traffic for specific hosts, this trafic is completely blocked, without any alert (black or red), whereas it should pass silently. I managed to isolate the problem with my mail server, where the ET POLICY Inbound Frequent Emails - Possible Spambot Inbound, for an example. Removing all rules and re anble them didn't fix (as suggested in oter posts). Re install didn't fix neither.
                2d) Well, maybe I'll try to create custom rule linked to IP Reputation list, to workaroud the Suppress list issue. I'll post back to the forum when I'll have done this step.

                However, these are too many problems to enable Inline mode for the moment. I'll go back to legacy mode.

                Please understand it is not a criticism at all  :D , I'm aware of the awesome job made by the devs and contibutors to pf and suricata, and I congratulate and thank them very much. Just excited to play with suricata asap, like all of us  ;)

                Pierre

                1 Reply Last reply Reply Quote 0
                • C
                  certifiable last edited by

                  So what you're saying is that you don't want a job as a security analyst?

                  LMFAO!

                  We've had sourcefire (enterprise snort) in alert mode for 6 months before switching it to block.  Now, please follow me everyone, on the WAN.  We turned it on the WAN.  So what this means is we're not intercepting our own SSH, inside our network.  And the rules we turned on were "medium" security (this is an enterprise subscription), and the threats were considered "high."  So that's somewhere between 5k and 7k of signatures.  How many are you running?  I'm sorry for laughing.

                  1 Reply Last reply Reply Quote 0
                  • Rango
                    Rango last edited by

                    @mind12:

                    Hi,

                    if you use the Inline IPS mode there won't be any blocking by default only alerts. This way you have time to configure blocking on specific categories or rules in the SID mgmt menu using dropsid.conf file.
                    So far I use these in my dropsid.conf and I'm satisfied with the results. Feel free to modify for your needs:

                    snort_
                    emerging-drop
                    emerging-botcc.portgrouped
                    emerging-botcc
                    emerging-ciarmy
                    emerging-compromised
                    emerging-dshield
                    emerging-tor
                    emerging-worm
                    emerging-trojan
                    emerging-mobile_malware
                    emerging-malware
                    
                    1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                    1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
                    1:2012247  	# ET P2P BTWebClient UA uTorrent in use
                    1:2221002  	# SURICATA HTTP request field missing colon
                    1:2221013  	# SURICATA HTTP request header invalid
                    1:2016777  	# ET INFO HTTP Request to a *.pw domain
                    #1:2013031       # ET POLICY Python-urllib/ Suspicious User Agent
                    1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
                    1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
                    

                    I just copied your setup into my suricata setup. Have you found for this to be sufficient at start up or have you added more since then. Where u at now as far as rules go. I just setup suricata and disabled hardware notification rule which was pretty much flooding the log. I googled it before i did that.

                    1 Reply Last reply Reply Quote 0
                    • M
                      mind12 last edited by

                      Hi,

                      the following code is my recent configuration.
                      I haven't touched it for 5 months. Running without issues but be aware that this is a small home network:

                      
                      GPLv2_community
                      snort_
                      emerging-drop
                      emerging-botcc.portgrouped
                      emerging-botcc
                      emerging-ciarmy
                      emerging-compromised
                      emerging-dshield
                      emerging-tor
                      emerging-worm
                      emerging-trojan
                      emerging-mobile_malware
                      emerging-malware
                      
                      1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                      1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
                      1:2012247  	# ET P2P BTWebClient UA uTorrent in use
                      1:2221002  	# SURICATA HTTP request field missing colon
                      1:2221013  	# SURICATA HTTP request header invalid
                      1:2016777  	# ET INFO HTTP Request to a *.pw domain
                      # Blocks Kodi user agent 1:2013031      # ET POLICY Python-urllib/ Suspicious User Agent
                      1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
                      1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
                      1:2221030       # SURICATA HTTP METHOD terminated by non-compliant character
                      1:2221029       # SURICATA HTTP URI terminated by non-compliant character
                      1:2221031       # SURICATA HTTP Request line with leading whitespace
                      1:2013936       # ET POLICY SSH banner detected on TCP 443 likely proxy evasion
                      1:2017399  	# ET WEB_SERVER WebShell Generic eval of base64_decode
                      1:2012118  	# ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect
                      1:2011540  	# ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
                      1:2012811  	# ET DNS Query to a .tk domain - Likely Hostile
                      1:2023472  	# ET POLICY OpenDNS IP Lookup
                      1:2012087  	# ET SHELLCODE Possible Call with No Offset UDP Shellcode
                      1:2018302  	# ET INFO Possible Phish - Mirrored Website Comment Observed
                      1:2015561  	# ET INFO PDF Using CCITTFax Filter
                      # Blocks trackers 1:2011706  	# ET P2P Bittorrent P2P Client User-Agent (uTorrent)
                      1:2221015  	# SURICATA HTTP Host header ambiguous
                      1:2221027  	# SURICATA HTTP Host part of URI is invalid
                      1:2025105  	# ET INFO DNS Query for Suspicious .ga Domain
                      
                      
                      1 Reply Last reply Reply Quote 0
                      • Raffi_
                        Raffi_ last edited by

                        I had similar issues when I first started using the IPS. As other stated, don't enable all categories. mind12's list seems like a good starting point for a dropsid.config file. I could be wrong, but I thought the categories in the dropsid file had to be separated with commas. I found a similar list which I copied from these forums. Also, under the WAN Categories I have the Snort IPS Policy Selection set to Balanced with the IPS Policy Mode set to Policy. Based on my understanding, doing this will set certain snort rules to drop automatically so the snort rules don't have to be specified in a dropsid file if you go that route.

                        1 Reply Last reply Reply Quote 0
                        • bmeeks
                          bmeeks last edited by

                          @Raffi.:

                          I had similar issues when I first started using the IPS. As other stated, don't enable all categories. mind12's list seems like a good starting point for a dropsid.config file. I could be wrong, but I thought the categories in the dropsid file had to be separated with commas. I found a similar list which I copied from these forums. Also, under the WAN Categories I have the Snort IPS Policy Selection set to Balanced with the IPS Policy Mode set to Policy. Based on my understanding, doing this will set certain snort rules to drop automatically so the snort rules don't have to be specified in a dropsid file if you go that route.

                          All of the above statements by @Raffi are correct.  The best starting point for a complete newbie to an IDS/IPS is to use the Snort rules and set the CATEGORIES tab to "IPS Policy Connectivity" and the Policy Mode to "Policy".  This will set up a good starter rule set with expert-recommended rules set to DROP and some others set to just ALERT.  Later, if you want to, you can up the Policy to "Balanced" to get a bit more security, but with the possibility of a few false positives now and then.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • Raffi_
                            Raffi_ last edited by

                            Thanks Bill. Most of my knowledge on this stuff is thanks to you. You laid out the information for the rest of us. Below is the dropsid.conf I'm using to add ET categories. The code uses the syntax with commas. I forget who's list this was based on so I can't give credit. For all I know, this could be based on yours Bill.

                            # This is the full list of ET open rules in case I want to add more of them ==> emerging-activex.rules,emerging-attack_response.rules,emerging-botcc.portgrouped.rules,emerging-botcc.rules,emerging-chat.rules,emerging-ciarmy.rules,emerging-compromised.rules,emerging-current_events.rules,emerging-deleted.rules,emerging-dns.rules,emerging-dos.rules,emerging-drop.rules,emerging-dshield.rules,emerging-exploit.rules,emerging-ftp.rules,emerging-games.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-imap.rules,emerging-inappropriate.rules,emerging-info.rules,emerging-malware.rules,emerging-misc.rules,emerging-mobile_malware.rules,emerging-netbios.rules,emerging-p2p.rules,emerging-policy.rules,emerging-pop3.rules,emerging-rbn-malvertisers.rules,emerging-rbn.rules,emerging-rpc.rules,emerging-scada.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-smtp.rules,emerging-snmp.rules,emerging-sql.rules,emerging-telnet.rules,emerging-tftp.rules,emerging-tor.rules,emerging-trojan.rules,emerging-user_agents.rules,emerging-voip.rules,emerging-web_client.rules,emerging-web_server.rules,emerging-web_specific_apps.rules,emerging-worm.rules
                            # Emerging Threat categories shown below will have all rules changed from "alert" to "drop"
                            emerging-worm,emerging-voip,emerging-snmp,emerging-scada,emerging-rpc,emerging-pop3,emerging-misc,emerging-imap,emerging-games,emerging-dos,emerging-deleted,emerging-current_events,emerging-activex,emerging-botcc,emerging-malware,emerging-mobile_malware,emerging-trojan
                            
                            1 Reply Last reply Reply Quote 0
                            • bmeeks
                              bmeeks last edited by

                              @Raffi.:

                              Thanks Bill. Most of my knowledge on this stuff is thanks to you. You laid out the information for the rest of us. Below is the dropsid.conf I'm using to add ET categories. The code uses the syntax with commas. I forget who's list this was based on so I can't give credit. For all I know, this could be based on yours Bill.

                              # This is the full list of ET open rules in case I want to add more of them ==> emerging-activex.rules,emerging-attack_response.rules,emerging-botcc.portgrouped.rules,emerging-botcc.rules,emerging-chat.rules,emerging-ciarmy.rules,emerging-compromised.rules,emerging-current_events.rules,emerging-deleted.rules,emerging-dns.rules,emerging-dos.rules,emerging-drop.rules,emerging-dshield.rules,emerging-exploit.rules,emerging-ftp.rules,emerging-games.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-imap.rules,emerging-inappropriate.rules,emerging-info.rules,emerging-malware.rules,emerging-misc.rules,emerging-mobile_malware.rules,emerging-netbios.rules,emerging-p2p.rules,emerging-policy.rules,emerging-pop3.rules,emerging-rbn-malvertisers.rules,emerging-rbn.rules,emerging-rpc.rules,emerging-scada.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-smtp.rules,emerging-snmp.rules,emerging-sql.rules,emerging-telnet.rules,emerging-tftp.rules,emerging-tor.rules,emerging-trojan.rules,emerging-user_agents.rules,emerging-voip.rules,emerging-web_client.rules,emerging-web_server.rules,emerging-web_specific_apps.rules,emerging-worm.rules
                              # Emerging Threat categories shown below will have all rules changed from "alert" to "drop"
                              emerging-worm,emerging-voip,emerging-snmp,emerging-scada,emerging-rpc,emerging-pop3,emerging-misc,emerging-imap,emerging-games,emerging-dos,emerging-deleted,emerging-current_events,emerging-activex,emerging-botcc,emerging-malware,emerging-mobile_malware,emerging-trojan
                              

                              No, that's not a list I created but it is a good one.  There have been several contributions submitted to the forum here by Suricata users.

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • G
                                goa200 last edited by

                                @Rango:

                                @mind12:

                                Hi,

                                if you use the Inline IPS mode there won't be any blocking by default only alerts. This way you have time to configure blocking on specific categories or rules in the SID mgmt menu using dropsid.conf file.
                                So far I use these in my dropsid.conf and I'm satisfied with the results. Feel free to modify for your needs:

                                snort_
                                emerging-drop
                                emerging-botcc.portgrouped
                                emerging-botcc
                                emerging-ciarmy
                                emerging-compromised
                                emerging-dshield
                                emerging-tor
                                emerging-worm
                                emerging-trojan
                                emerging-mobile_malware
                                emerging-malware
                                
                                1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                                1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
                                1:2012247  	# ET P2P BTWebClient UA uTorrent in use
                                1:2221002  	# SURICATA HTTP request field missing colon
                                1:2221013  	# SURICATA HTTP request header invalid
                                1:2016777  	# ET INFO HTTP Request to a *.pw domain
                                #1:2013031       # ET POLICY Python-urllib/ Suspicious User Agent
                                1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
                                1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
                                

                                I just copied your setup into my suricata setup. Have you found for this to be sufficient at start up or have you added more since then. Where u at now as far as rules go. I just setup suricata and disabled hardware notification rule which was pretty much flooding the log. I googled it before i did that.

                                been trying to find more info regardin dropsid.conf or how to copy a setup like this. But i havnt found anything. Could anyone please point me in the right direction how you use above setup to copy it into your own suricata setup

                                1 Reply Last reply Reply Quote 0
                                • bmeeks
                                  bmeeks last edited by

                                  @goa200:

                                  @Rango:

                                  @mind12:

                                  Hi,

                                  if you use the Inline IPS mode there won't be any blocking by default only alerts. This way you have time to configure blocking on specific categories or rules in the SID mgmt menu using dropsid.conf file.
                                  So far I use these in my dropsid.conf and I'm satisfied with the results. Feel free to modify for your needs:

                                  snort_
                                  emerging-drop
                                  emerging-botcc.portgrouped
                                  emerging-botcc
                                  emerging-ciarmy
                                  emerging-compromised
                                  emerging-dshield
                                  emerging-tor
                                  emerging-worm
                                  emerging-trojan
                                  emerging-mobile_malware
                                  emerging-malware
                                  
                                  1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                                  1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
                                  1:2012247  	# ET P2P BTWebClient UA uTorrent in use
                                  1:2221002  	# SURICATA HTTP request field missing colon
                                  1:2221013  	# SURICATA HTTP request header invalid
                                  1:2016777  	# ET INFO HTTP Request to a *.pw domain
                                  #1:2013031       # ET POLICY Python-urllib/ Suspicious User Agent
                                  1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
                                  1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
                                  

                                  I just copied your setup into my suricata setup. Have you found for this to be sufficient at start up or have you added more since then. Where u at now as far as rules go. I just setup suricata and disabled hardware notification rule which was pretty much flooding the log. I googled it before i did that.

                                  been trying to find more info regardin dropsid.conf or how to copy a setup like this. But i havnt found anything. Could anyone please point me in the right direction how you use above setup to copy it into your own suricata setup

                                  Very easy.  In @mind12's post click the small red "Select" link to select everything in the code box and then copy that to the clipboard using CTRL+c or whatever other shortcut your computer uses.  Now go over to Suricata and open the SID MGMT tab.  Click the ADD button to create a new dropsid.conf file.  In the modal dialog that opens, type the list name on the top line (I suggest something like "dropsid-LAN.conf" or "dropsid-WAN.conf" depending on the interface you intend to use it with).  Then paste the clipboard contents into the textarea control in the middle of the dialog using the appropriate keyboard shortcut for your computer (CTRL+v) for Windows.  Click SAVE to create the new list.  It will now show up along side the other sample lists on the page.

                                  Go down to the interfaces list at the bottom of the SID MGMT page and in the row for the interface you want to assign the new dropsid.conf file to, go across to the dropsid drop-down selector and choose the just-created list.  If you want to immediately apply the list to the running Suricata interface, then tick the checkbox over on the far left end of the row and then click SAVE.  That's it.

                                  You can view the result of the automatic SID MGMT operation by going to the LOGS VIEW tab, choosing the interface where you assigned the new list, and then selecting the "sid_changes.log" in the drop-down for selecting which log to view.  The contents of the log will appear in the window.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • Raffi_
                                    Raffi_ last edited by

                                    @goa200:

                                    @Rango:

                                    @mind12:

                                    Hi,

                                    if you use the Inline IPS mode there won't be any blocking by default only alerts. This way you have time to configure blocking on specific categories or rules in the SID mgmt menu using dropsid.conf file.
                                    So far I use these in my dropsid.conf and I'm satisfied with the results. Feel free to modify for your needs:

                                    snort_
                                    emerging-drop
                                    emerging-botcc.portgrouped
                                    emerging-botcc
                                    emerging-ciarmy
                                    emerging-compromised
                                    emerging-dshield
                                    emerging-tor
                                    emerging-worm
                                    emerging-trojan
                                    emerging-mobile_malware
                                    emerging-malware
                                    
                                    1:2016149       # ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                                    1:2016150       # ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
                                    1:2012247  	# ET P2P BTWebClient UA uTorrent in use
                                    1:2221002  	# SURICATA HTTP request field missing colon
                                    1:2221013  	# SURICATA HTTP request header invalid
                                    1:2016777  	# ET INFO HTTP Request to a *.pw domain
                                    #1:2013031       # ET POLICY Python-urllib/ Suspicious User Agent
                                    1:2014701  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set
                                    1:2014703  	# ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
                                    

                                    I just copied your setup into my suricata setup. Have you found for this to be sufficient at start up or have you added more since then. Where u at now as far as rules go. I just setup suricata and disabled hardware notification rule which was pretty much flooding the log. I googled it before i did that.

                                    been trying to find more info regardin dropsid.conf or how to copy a setup like this. But i havnt found anything. Could anyone please point me in the right direction how you use above setup to copy it into your own suricata setup

                                    goa, that list will not work as a dropsid.conf file because it doesn't separate the categories with commas. You can find a really good write up by bmeeks in the forum here https://forum.pfsense.org/index.php?topic=108365.msg603749#msg603749

                                    1 Reply Last reply Reply Quote 0
                                    • G
                                      goa200 last edited by

                                      @bmeeks:

                                      Very easy.  In @mind12's post click the small red "Select" link to select everything in the code box and then copy that to the clipboard using CTRL+c or whatever other shortcut your computer uses.  Now go over to Suricata and open the SID MGMT tab.  Click the ADD button to create a new dropsid.conf file.  In the modal dialog that opens, type the list name on the top line (I suggest something like "dropsid-LAN.conf" or "dropsid-WAN.conf" depending on the interface you intend to use it with).  Then paste the clipboard contents into the textarea control in the middle of the dialog using the appropriate keyboard shortcut for your computer (CTRL+v) for Windows.  Click SAVE to create the new list.  It will now show up along side the other sample lists on the page.

                                      Go down to the interfaces list at the bottom of the SID MGMT page and in the row for the interface you want to assign the new dropsid.conf file to, go across to the dropsid drop-down selector and choose the just-created list.  If you want to immediately apply the list to the running Suricata interface, then tick the checkbox over on the far left end of the row and then click SAVE.  That's it.

                                      You can view the result of the automatic SID MGMT operation by going to the LOGS VIEW tab, choosing the interface where you assigned the new list, and then selecting the "sid_changes.log" in the drop-down for selecting which log to view.  The contents of the log will appear in the window.

                                      Bill

                                      Superthanks!!

                                      Does this override my current suricata setup for wan?
                                      Are there any documents where i can read more about this?
                                      Or where  i can find more info about this. As i prefer to read up on this myself instead of having to constantly ask questions in the forum.

                                      1 Reply Last reply Reply Quote 0
                                      • G
                                        goa200 last edited by

                                        @Raffi.:

                                        goa, that list will not work as a dropsid.conf file because it doesn't separate the categories with commas. You can find a really good write up by bmeeks in the forum here https://forum.pfsense.org/index.php?topic=108365.msg603749#msg603749

                                        Cant i just add , to each row?

                                        1 Reply Last reply Reply Quote 0
                                        • Raffi_
                                          Raffi_ last edited by

                                          There might be books on this, but the official pfSense book doesn't have much at all on Suricata. This is a community driven project and these forums have been extremely helpful for me. I have learn about it, thanks to people on the forums and some trial and error. Unfortunately, it does require digging around for answers. I didn't find all the answers in one place. I even found some contradictory information such as lists without commas and lists with them. Read up on that link I sent. If you still have questions, don't be afraid to dig some more and ask more questions.

                                          One thing the pfSense book taught me was how to use google with more relevant results. For example, try typing in google "suricata inline site:pfsense.org" This will limit the search to information about suricata inline mode on pfsense.org, including the forums.

                                          1 Reply Last reply Reply Quote 0
                                          • G
                                            goa200 last edited by

                                            @Raffi.:

                                            There might be books on this, but the official pfSense book doesn't have much at all on Suricata. This is a community driven project and these forums have been extremely helpful for me. I have learn about it, thanks to people on the forums and some trial and error. Unfortunately, it does require digging around for answers. I didn't find all the answers in one place. I even found some contradictory information such as lists without commas and lists with them. Read up on that link I sent. If you still have questions, don't be afraid to dig some more and ask more questions.

                                            One thing the pfSense book taught me was how to use google with more relevant results. For example, try typing in google "suricata inline site:pfsense.org" This will limit the search to information about suricata inline mode on pfsense.org, including the forums.

                                            Dont think my current card supports inline mode. So no real point in reading up about it.

                                            1 Reply Last reply Reply Quote 0
                                            • Raffi_
                                              Raffi_ last edited by

                                              In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

                                              1 Reply Last reply Reply Quote 0
                                              • G
                                                goa200 last edited by

                                                @Raffi.:

                                                In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

                                                Well in that case it should save me a lot of time =)

                                                1 Reply Last reply Reply Quote 0
                                                • bmeeks
                                                  bmeeks last edited by

                                                  @Raffi.:

                                                  In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

                                                  Well… the new 4.x Suricata versions do have a feature for Legacy Mode users that mimics IPS Inline Mode in terms of DROPS versus ALERTS.  There is an option on the INTERFACE SETTINGS tab, when you enable Legacy Mode blocking, to only block traffic for DROP rules.  So if you enable that, then you do need to set rules to DROP using a dropsid.conf file.  This option is off by default, but can be enabled if desired.  With the option enabled, then Legacy Mode behaves more like IPS Mode where you can have alerts that don't block, but drops that do block.

                                                  Bill

                                                  1 Reply Last reply Reply Quote 0
                                                  • Rango
                                                    Rango last edited by

                                                    @bmeeks:

                                                    @Raffi.:

                                                    I had similar issues when I first started using the IPS. As other stated, don't enable all categories. mind12's list seems like a good starting point for a dropsid.config file. I could be wrong, but I thought the categories in the dropsid file had to be separated with commas. I found a similar list which I copied from these forums. Also, under the WAN Categories I have the Snort IPS Policy Selection set to Balanced with the IPS Policy Mode set to Policy. Based on my understanding, doing this will set certain snort rules to drop automatically so the snort rules don't have to be specified in a dropsid file if you go that route.

                                                    All of the above statements by @Raffi are correct.  The best starting point for a complete newbie to an IDS/IPS is to use the Snort rules and set the CATEGORIES tab to "IPS Policy Connectivity" and the Policy Mode to "Policy".  This will set up a good starter rule set with expert-recommended rules set to DROP and some others set to just ALERT.  Later, if you want to, you can up the Policy to "Balanced" to get a bit more security, but with the possibility of a few false positives now and then.

                                                    Bill

                                                    Bill, guys under wan interface wan categories and/or wan rules i don't see any option to set Categories to ips policy connectivity. Am i looking in the wrong tab?

                                                    1 Reply Last reply Reply Quote 0
                                                    • Rango
                                                      Rango last edited by

                                                      btw guys i'm now on vpn with aes 128 gcm encyrpted traffic. Are these rules neccessary stil even when using VPN encryption and vpn interface therefore?

                                                      So far i set @raffi rules only with block enabled on WAN interface only, no lan no vpn interface at all. Any advise.

                                                      I tried lan and vpn interace and suricata dropped my vpn connection lol. Granted i'm just getting familiar with IDS so for now i disabled blocking and listening only on lan and opt1 interaces.

                                                      I recently had my paypal, amazon and ebay accounts hacked hance me setting up pfsenes firewall and vpn encryption. Then coinmama account got hacked as well.

                                                      This was really annoying and was done with malice. It showed russian names on paypal charge but I'm pretty sure NSA did this. I'm also not sure wtf they want from me. I'm just some unimportant dude.

                                                      1 Reply Last reply Reply Quote 0
                                                      • Raffi_
                                                        Raffi_ last edited by

                                                        Rango good luck with the accounts.

                                                        I only use blocking on the WAN interface. All the information and recommendation I've seen show only blocking on WAN.

                                                        I recently had issues with inline mode not showing dropped traffic. I had a legitimate site being blocked and even after clearing all the logs and restarting Suricata, I could not see the site coming up in the alert log highlighted in red. Since I could not see what was being blocked, this made it pretty much impossible to manage in instances when legit sites were being blocked. Maybe I'm doing something wrong. In any case, I switched back to legacy mode and that site is now working fine even with the same categories selected.

                                                        Another odd thing I found is that line mode caused an issue with my WAN traffic graph to show no out traffic. When I switched back to legacy, that's working fine again.

                                                        I attached what the WAN categories should look like. If you don't have the snort IPS policy selection showing up, then you may have to configure the snort rules in the global settings first.

                                                        ![Wan Cat.JPG](/public/imported_attachments/1/Wan Cat.JPG)
                                                        ![Wan Cat.JPG_thumb](/public/imported_attachments/1/Wan Cat.JPG_thumb)

                                                        1 Reply Last reply Reply Quote 0
                                                        • Rango
                                                          Rango last edited by

                                                          Raffi thanks mate. I figured it out. I needed to register for Snort VRT rules of Snort.org and put registration and oinkmaster code before i can view those policy tabs, otherwise they're not available.

                                                          Thanks for the screenshot, cause it helped. I'm going to start with Connectivity as other gentleman suggested.  It is set now and i see some dropped/blocked ips in block list….cool. I'm backing up config file as i go along not to ruin it going forward.

                                                          One more thing,  should we be using emerging rules or snort_ rules OR BOTH? , as those are two separate options when looking under Wan categories. I am attaching screenshot.

                                                          I would think one should switch to snort_ rules from emerging but i see you're using still emerging rules?

                                                          Also are you running pfBlockerNG DNSBL  service to compliment. I'm only running it chrome. I want to block Russia country and Ukrain as those were showing up as hackers. Wonder if i should do this threw IDS or pfblocker. I would think IDS would be better choice.

                                                          ![Emerging Rules.JPG](/public/imported_attachments/1/Emerging Rules.JPG)
                                                          ![Emerging Rules.JPG_thumb](/public/imported_attachments/1/Emerging Rules.JPG_thumb)

                                                          1 Reply Last reply Reply Quote 0
                                                          • Raffi_
                                                            Raffi_ last edited by

                                                            You can use all of the above, Suricata, ET rules, snort rules, and pfblocker. That's what I currently do. pfblocker is great and provides another layer of security.

                                                            I think the selections you have in the WAN categories tab look fine. That's how mine looks as well except mine is balanced. Connectivity should be fine as well, but if you're paranoid about being a victim, balanced provides some more security at the cost of some more false positives.

                                                            The snort IPS policy selection will override the snort manual selections below that anyway, so you don't have to select the snort categories individually. In fact there is a note in the section stating that.
                                                            "Note: You must be using the Snort VRT rules to use this option.
                                                            Selecting this option disables manual selection of Snort VRT categories in the list below, although Emerging Threats categories may still be selected if enabled on the Global Settings tab. These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."

                                                            1 Reply Last reply Reply Quote 0
                                                            • Rango
                                                              Rango last edited by

                                                              Thanks for your help Raffi. I just blocked all countries with exception of few i need it. I will read that taming the beast blueprint too. Step by step i'm improving the security. Sorry for other if newbies like me rehash same thing over again but we got to start somewhere and forum is good spot. I'm already seeing RU, CN, HU trying to access my wan port. Crazy stuff. Nuts.

                                                              1 Reply Last reply Reply Quote 0
                                                              • First post
                                                                Last post