Netgate Discussion Forum

Suricata Really Annoying, Blocking Everything

IDS/IPS
29 Posts 9 Posters 32.8k Views
    • Raffi_

      In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

      • goa200

        @Raffi.:

        In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

        Well, in that case it should save me a lot of time =)

        • bmeeks

          @Raffi.:

          In that case, you don't really need a dropsid.conf file. The dropsid is mainly needed for inline mode, at least that's the only reason I'm using it. Legacy mode is a matter of enabling categories from the WAN categories list. In legacy mode, an alert will automatically block/drop that traffic anyway so there is no need to specify which traffic should be dropped in a dropsid file.

          Well… the new 4.x Suricata versions do have a feature for Legacy Mode users that mimics IPS Inline Mode in terms of DROPS versus ALERTS. There is an option on the INTERFACE SETTINGS tab, when you enable Legacy Mode blocking, to only block traffic for DROP rules. So if you enable that, then you do need to set rules to DROP using a dropsid.conf file. This option is off by default, but can be enabled if desired. With the option enabled, then Legacy Mode behaves more like IPS Mode where you can have alerts that don't block, but drops that do block.

          Bill

          • Rango

            @bmeeks:

            @Raffi.:

            I had similar issues when I first started using the IPS. As others stated, don't enable all categories. mind12's list seems like a good starting point for a dropsid.conf file. I could be wrong, but I thought the categories in the dropsid file had to be separated with commas. I found a similar list which I copied from these forums. Also, under the WAN Categories I have the Snort IPS Policy Selection set to Balanced with the IPS Policy Mode set to Policy. Based on my understanding, doing this will set certain Snort rules to drop automatically so the Snort rules don't have to be specified in a dropsid file if you go that route.

            All of the above statements by @Raffi are correct. The best starting point for a complete newbie to an IDS/IPS is to use the Snort rules and set the CATEGORIES tab to "IPS Policy Connectivity" and the Policy Mode to "Policy". This will set up a good starter rule set with expert-recommended rules set to DROP and some others set to just ALERT. Later, if you want to, you can up the Policy to "Balanced" to get a bit more security, but with the possibility of a few false positives now and then.

            Bill

            Bill, guys, under WAN Interface > WAN Categories and/or WAN Rules I don't see any option to set Categories to IPS Policy Connectivity. Am I looking in the wrong tab?

            • Rango
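
As an added illustration of the dropsid.conf and Legacy Mode discussion above (example code written for this thread, not from the posters or the pfSense Suricata package): it flips `alert` to `drop` for the SIDs named in a dropsid.conf-style list and then applies the Legacy Mode decision bmeeks describes, where by default every alert blocks but with "block only DROP rules" enabled only drop rules do. The dropsid.conf syntax assumed here (SIDs or GID:SID pairs separated by commas or newlines, `#` comments, category names ignored) and the sample rules are my constructed assumptions.

```python
import re

# Constructed sample rules in Suricata syntax; SIDs and messages are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; sid:2000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE dns"; gid:1; sid:2000003; rev:1;)
"""

# Constructed dropsid.conf. Assumed syntax: SIDs or GID:SID pairs separated
# by commas or newlines, '#' starts a comment. Category names are ignored here.
SAMPLE_DROPSID = """\
# SIDs whose rule action should become drop
2000001, 1:2000003
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_dropsid(text):
    """Return the set of SIDs listed in dropsid.conf-style text."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        for token in re.split(r"[,\s]+", line):
            sid = token.split(":")[-1]        # "1:2000003" -> "2000003"
            if sid.isdigit():
                sids.add(int(sid))
    return sids


def apply_dropsid(rules_text, drop_sids):
    """Rewrite 'alert' to 'drop' for every rule whose SID is in drop_sids."""
    out = []
    for rule in rules_text.splitlines():
        m = SID_RE.search(rule)
        if m and int(m.group(1)) in drop_sids and rule.startswith("alert "):
            rule = "drop " + rule[len("alert "):]
        out.append(rule)
    return out


def legacy_mode_blocks(action, block_only_drop_rules):
    """Legacy Mode decision: by default any alert blocks; with the
    'block only DROP rules' option on, only drop-action rules block."""
    if action == "drop":
        return True
    return action == "alert" and not block_only_drop_rules
```

Running `apply_dropsid(SAMPLE_RULES, parse_dropsid(SAMPLE_DROPSID))` leaves only the second sample rule as `alert`, which then blocks or not depending on the Legacy Mode option.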

              Btw guys, I'm now on VPN with AES-128-GCM encrypted traffic. Are these rules still necessary even when using VPN encryption and the VPN interface?

              So far I set @raffi's rules only, with blocking enabled on the WAN interface only, no LAN, no VPN interface at all. Any advice?

              I tried the LAN and VPN interfaces and Suricata dropped my VPN connection lol. Granted I'm just getting familiar with IDS, so for now I disabled blocking and am listening only on the LAN and OPT1 interfaces.

              I recently had my PayPal, Amazon and eBay accounts hacked, hence me setting up the pfSense firewall and VPN encryption. Then my Coinmama account got hacked as well.

              This was really annoying and was done with malice. It showed Russian names on the PayPal charge but I'm pretty sure the NSA did this. I'm also not sure wtf they want from me. I'm just some unimportant dude.

              • Raffi_

                Rango, good luck with the accounts.

                I only use blocking on the WAN interface. All the information and recommendations I've seen show only blocking on WAN.

                I recently had issues with inline mode not showing dropped traffic. I had a legitimate site being blocked and even after clearing all the logs and restarting Suricata, I could not see the site coming up in the alert log highlighted in red. Since I could not see what was being blocked, this made it pretty much impossible to manage in instances when legit sites were being blocked. Maybe I'm doing something wrong. In any case, I switched back to legacy mode and that site is now working fine even with the same categories selected.

                Another odd thing I found is that inline mode caused an issue with my WAN traffic graph showing no out traffic. When I switched back to legacy, that's working fine again.

                I attached what the WAN categories should look like. If you don't have the Snort IPS policy selection showing up, then you may have to configure the Snort rules in the global settings first.

                ![Wan Cat.JPG](/public/imported_attachments/1/Wan Cat.JPG)

                • Rango

                  Raffi, thanks mate. I figured it out. I needed to register for the Snort VRT rules at Snort.org and put in the registration and Oinkmaster code before I could view those policy tabs, otherwise they're not available.

                  Thanks for the screenshot, cause it helped. I'm going to start with Connectivity as the other gentleman suggested. It is set now and I see some dropped/blocked IPs in the block list… cool. I'm backing up the config file as I go along so as not to ruin it going forward.

                  One more thing: should we be using emerging rules or snort_ rules OR BOTH, as those are two separate options when looking under WAN Categories? I am attaching a screenshot.

                  I would think one should switch to snort_ rules from emerging, but I see you're still using emerging rules?

                  Also, are you running the pfBlockerNG DNSBL service to complement it? I'm only running it chrome. I want to block the countries Russia and Ukraine as those were showing up as hackers. Wonder if I should do this through IDS or pfBlocker. I would think IDS would be the better choice.

                  ![Emerging Rules.JPG](/public/imported_attachments/1/Emerging Rules.JPG)

                  • Raffi_

                    You can use all of the above: Suricata, ET rules, Snort rules, and pfBlocker. That's what I currently do. pfBlocker is great and provides another layer of security.

                    I think the selections you have in the WAN categories tab look fine. That's how mine looks as well, except mine is balanced. Connectivity should be fine as well, but if you're paranoid about being a victim, balanced provides some more security at the cost of some more false positives.

                    The Snort IPS policy selection will override the Snort manual selections below that anyway, so you don't have to select the Snort categories individually. In fact there is a note in the section stating that:

                    "Note: You must be using the Snort VRT rules to use this option. Selecting this option disables manual selection of Snort VRT categories in the list below, although Emerging Threats categories may still be selected if enabled on the Global Settings tab. These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."

                    • Rango

                      Thanks for your help Raffi. I just blocked all countries with the exception of a few I need. I will read that "taming the beast" blueprint too. Step by step I'm improving the security. Sorry to others if newbies like me rehash the same thing over again, but we've got to start somewhere and the forum is a good spot. I'm already seeing RU, CN, HU trying to access my WAN port. Crazy stuff. Nuts.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.