Suricata cannot change HOME NET list?

Grimson

@tomstephens89 said in Suricata cannot change HOME NET list?:

Running pfSense 2.3.2

Ouch, update now.

justme2

I'm on Suricata 4.0.13_11 with 2.4.4 and the same issue exists. Is there something specific about the Alias's name in order to be able to select the list? Tried creating two Aliases - one of IP and one of Networks - neither is available within the drop down list selection for Suricata. The problem is the value for $HOME_NET due down downstream networks (same as original poster).

Thanks!

bmeeks

@justme2 said in Suricata cannot change HOME NET list?:

I'm on Suricata 4.0.13_11 with 2.4.4 and the same issue exists. Is there something specific about the Alias's name in order to be able to select the list? Tried creating two Aliases - one of IP and one of Networks - neither is available within the drop down list selection for Suricata. The problem is the value for $HOME_NET due down downstream networks (same as original poster).

Thanks!

Creating a custom HOME_NET in Suricata is a little tricky. You have to first create a Pass List on the PASS LIST tab. Then on the INTERFACE SETTINGS tab for the interface you want to set a custom HOME_NET for, choose the Pass List you created in the drop-down (the one that probably says "default" right now).

Here are the steps:

1. First create an alias on the firewall. Put all the remote networks and IP addresses (excepting locally-attached addresses on the firewall itself) that you want to be in HOME_NET in that alias. If you need to, remember that on pfSense you can nest aliases (so you can put an alias in another alias).

2. On the PASS LIST tab, click the icon to create a new Pass List. Name the list something with HOME_NET in it just to help you identify it in the future.

3. You probably want to leave all the defaults in the new list, and then down at the bottom in the Address text box start typing the name of the alias created in step #1. The alias name should auto-populate.

4. Save the new Pass List.

5. Go to the INTERFACE SETTINGS tab for the Suricata interface you want to modify and scroll down to the HOME_NET setting. Click the drop-down and select the Pass List you created in step #2. Save the change and then restart Suricata on the interface.

justme2

That worked!

That was NOT at all what one may expect when going over various combinations, trying to figure it out. Based on the verbiage, was expecting it to be more straight forward, ie: create a firewall alias list and feed directly. Which is what worked on the variables page.

Thanks!

bmeeks

@justme2

Yeah, I need to refactor how HOME_NET and EXTERNAL_NET work in the package. When I created the Suricata package, I just kept the same logic as was in the Snort package; but in hindsight that decision has led to some confusion about how to customize HOME_NET and EXTERNAL_NET.

justme2

Interesting. Completely off topic, but... Would like to add/create a package for support of DHIS. Have yet to find documentation on what/where/how to integrate into the GUI, standards, etc. Where would one look for such documentation? It's the one DDNS service that appears to be missing - which is a mainstay on this end.

justme2

@bmeeks

FWIW - the inclusions that one might "miss" are quite helpful. eg: the checkboxes for local IP Addresses. The quandary would be the ability to exclude addresses that exist in the user's alias list. Been some years since I played with PHP (asserting that the underpinnings are PHP?), but in Perl Net::Netmask (and some alternatives) would provide a means to determine if a located local address/network are covered by the user's inputted list. Without searching and doing some homework, unsure if there's an available library to ease the auto-gen of the list. Then again, if Suricata is "smart enough" (would need look to determine behavior/s) to see duplication and 'do the right thing'. Thinking about it, the double negative of the parent network and the child IP or network within could invert the logic for External. Hmmm....

If you can point me in the direction of the code that drives handling of HOME_NET and EXTERNAL_NET - would happily spend some cycles trying to figure out what options (via library) and/or if there's a means to generate a routine or two to handle the logic of the list(s).

Thanks!

bmeeks

@justme2 said in Suricata cannot change HOME NET list?:

@bmeeks

FWIW - the inclusions that one might "miss" are quite helpful. eg: the checkboxes for local IP Addresses. The quandary would be the ability to exclude addresses that exist in the user's alias list. Been some years since I played with PHP (asserting that the underpinnings are PHP?), but in Perl Net::Netmask (and some alternatives) would provide a means to determine if a located local address/network are covered by the user's inputted list. Without searching and doing some homework, unsure if there's an available library to ease the auto-gen of the list. Then again, if Suricata is "smart enough" (would need look to determine behavior/s) to see duplication and 'do the right thing'. Thinking about it, the double negative of the parent network and the child IP or network within could invert the logic for External. Hmmm....

If you can point me in the direction of the code that drives handling of HOME_NET and EXTERNAL_NET - would happily spend some cycles trying to figure out what options (via library) and/or if there's a means to generate a routine or two to handle the logic of the list(s).

Thanks!

The GUI code for Suricata is all written in PHP. All that PHP code does is provide a fancy user interface for choosing parameters which populate the suricata.yaml configuration file that the Suricata binary needs to run. All of the "brains" of packet inspection and rule signatures lives within the binary. The binary is designed to be completely command-line driven, and a simple text configuration file (suricata.yaml) tells the binary how to behave. So the Suricata package in pfSense consists of two parts: (1) the Suricata binary piece; and (2) a GUI piece to aid the user in choosing appropriate parameter settings for the suricata.yaml text configuration file.

All of the PHP code lives in /usr/local/pkg/suricata and /usr/local/www/suricata. I was pretty liberal with comments, sprinkling them throughout the code base. That should help you follow the logic. The file names (especially in the www sub-directory) are descriptive of the function of the file. For example, you will find at least one PHP file responsible for displaying and handling user interaction for each tab in the GUI.

justme2

@bmeeks

Just so I'm clear - is there any option/availability to include a 3rd party library or should that be avoided? eg: something like (https://github.com/S1lentium/IPTools) could make parsing far easier vs. trying to re-create the wheel. The idea being a two pass op:

1. for each network in 'alias' - if 'included' set item is covered by something in alias (drop from list)
2. invert prior so that duplicates (or already included items) from 'alias' are removed

Thus, resulting in the distinct list.

Side question, noticed that VPN related addresses appear to be excluded. Should that not be a GUI option? eg: "trust but verify" mentality. ;)

bmeeks

@justme2

In general, third-party tools are not the best idea on a firewall. pfSense includes a number of useful API-type function calls for parsing network masks and addresses and performing other types of IP address related functions. Take a look at the include files and functions in the /etc/inc directory on your firewall. See if the built-in functions will work for you first. You can also use any built-in PHP calls.