Netgate Discussion Forum
    Suricata Rule Re-do (opinions and recommendations)

    1 Posts 1 Posters 795 Views
      bigjme93
      last edited by bigjme93

      Hi All,

As I know there are much bigger issues now, I wanted to post a little of what I have seen/found while playing with this. My original question is mostly redundant, so below is what I did and my setup, for any comments and to potentially help others.

      My network is set up as follows:

• pfSense - running Suricata and pfBlockerNG (inbound on WAN, outbound on LAN, OPT1, OPT2)
• WAN
• LAN - home machines, CCTV server (public), TV server (non-public)
• OPT1 (VLAN of the LAN) - web server (public), mail server (public), database server (non-public)
• OPT2 (VLAN of the LAN) - VoIP server (public)

Originally I had Suricata enabled on all interfaces in Legacy Mode with ETOpen Emerging Threats and Snort GPLv2 Community enabled.

Following what I have learnt, I have now disabled Suricata on the WAN; all other interfaces are set up with Inline Blocking, ETOpen Emerging Threats, the free Snort rules, and Snort GPLv2 Community enabled.

All Suricata interfaces have the following rule categories:
      Resolve Flowbits
      Snort GPLv2
      emerging-attack_response.rules
      emerging-botcc.portgrouped.rules
      emerging-botcc.rules
      emerging-ciarmy.rules
      emerging-compromised.rules
      emerging-current_events.rules
      emerging-dos.rules
      emerging-dshield.rules
      emerging-exploit.rules
      emerging-malware.rules
      emerging-tor.rules
      emerging-trojan.rules
      emerging-worm.rules

      OPT1 has these as extra rule categories due to the servers:
      emerging-imap.rules
      emerging-pop3.rules
      emerging-smtp.rules
      emerging-web_server.rules

Within each interface I then have the IPS Policy enabled with Connectivity and Policy set. This enables the Snort rules automatically and sets the drop/reject options for those.

Emerging Threats rules need to be changed separately. As all my Emerging Threats rules that are active by default are likely to be valid, I went into SID Mgmt and added a dropsid.conf file shared between all interfaces, and added all the ET rule categories I have enabled as drop, as I want them all to block.

This list has all the ET rules I mentioned above, as only those enabled will be taken into account anyway.

pfBlockerNG now blocks all IPs as it should, but the emerging-ciarmy.rules still do pick up IPs that get through pfBlockerNG, so it was worth keeping both on.

I am now just checking the alerts on each interface daily to decide what I want to do with anything blocked or alerted, in case I want to manually tweak anything.

So far, everything seems to be working well and I think I have an understanding of how this is all working. If anyone knows differently or wants to recommend anything then please let me know; otherwise, I hope this maybe helps some others looking.

      Regards,
      Jamie

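The post's approach (a shared dropsid.conf listing whole ET categories, which only changes the action of rules that are already enabled) can be modelled to check what it will actually do before relying on it. The script below is an added example, not code from the post, pfSense or Suricata. It assumes a simplified SID-management file format (one entry per line, either a category name, i.e. the rule file basename without ".rules", or a "gid:sid" pair, with "#" starting a comment) and exact category-name matching; the rule lines and the dropsid.conf are constructed samples, not real ET rules. It also goes slightly beyond the post by showing that a rule commented out in its .rules file is untouched, and that "emerging-botcc" and "emerging-botcc.portgrouped" are distinct categories that must each be listed.

```python
"""Model of how a category-based dropsid.conf acts on Suricata rule files.

Added example (assumptions: simplified dropsid.conf format, exact category
matching, gid 1 for every rule). Not pfSense's or Suricata's own logic.
"""
import re

# Constructed sample rule files keyed by filename. SIDs and addresses are
# made up; they are not real Emerging Threats rules.
SAMPLE_RULE_FILES = {
    "emerging-ciarmy.rules": (
        'alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any '
        '(msg:"ET CINS sample group 1"; sid:2403300; rev:1;)\n'
        # Disabled rule: commented out in the file, so never loaded.
        '# alert ip [198.51.100.5] any -> $HOME_NET any '
        '(msg:"ET CINS disabled sample"; sid:2403301; rev:1;)\n'
    ),
    "emerging-botcc.rules": (
        'alert ip $HOME_NET any -> [203.0.113.7] any '
        '(msg:"ET CNC sample"; sid:2404000; rev:1;)\n'
    ),
    "emerging-botcc.portgrouped.rules": (
        'alert tcp $HOME_NET any -> [203.0.113.8] 443 '
        '(msg:"ET CNC portgrouped sample"; sid:2405000; rev:1;)\n'
    ),
    "emerging-web_server.rules": (
        'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any '
        '(msg:"ET WEB_SERVER sample"; sid:2010000; rev:1;)\n'
    ),
}

# Constructed dropsid.conf in the spirit of the post: list enabled ET
# categories so their alerts become drops. emerging-web_server is left
# out on purpose so one category stays at "alert".
SAMPLE_DROPSID_CONF = """\
# shared between all interfaces
emerging-ciarmy
emerging-botcc
emerging-botcc.portgrouped
"""

# Matches a one-line Suricata rule, optionally commented out with '#'.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+.*?"
    r"\bsid:\s*(?P<sid>\d+)\s*;"
)


def parse_rules(rule_files):
    """Return one dict per rule: category, gid, sid, action, enabled."""
    parsed = []
    for filename, text in rule_files.items():
        category = filename[:-len(".rules")] if filename.endswith(".rules") else filename
        for line in text.splitlines():
            m = RULE_RE.match(line.strip())
            if not m:
                continue
            parsed.append({
                "category": category,
                "gid": 1,  # assumption: text rules without gid default to 1
                "sid": int(m.group("sid")),
                "action": m.group("action"),
                "enabled": m.group("disabled") is None,
            })
    return parsed


def parse_dropsid(conf_text):
    """Split a dropsid.conf into category names and explicit (gid, sid) pairs."""
    categories, sids = set(), set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"(\d+):(\d+)", line)
        if m:
            sids.add((int(m.group(1)), int(m.group(2))))
        else:
            categories.add(line)
    return categories, sids


def apply_dropsid(rules, conf_text):
    """Return {(gid, sid): action} for enabled rules after the drop list.

    Disabled rules are left out entirely: a category entry only changes the
    action of rules that are already enabled, it never enables anything.
    """
    categories, sids = parse_dropsid(conf_text)
    result = {}
    for r in rules:
        if not r["enabled"]:
            continue
        key = (r["gid"], r["sid"])
        result[key] = "drop" if (r["category"] in categories or key in sids) else r["action"]
    return result


if __name__ == "__main__":
    for (gid, sid), action in sorted(apply_dropsid(parse_rules(SAMPLE_RULE_FILES),
                                                   SAMPLE_DROPSID_CONF).items()):
        print(f"{gid}:{sid} -> {action}")
```

Run it as-is and the ciarmy and both botcc rules come out as drop, the web_server rule stays at alert, and the commented-out ciarmy rule does not appear at all. Swapping in your own rule files and dropsid.conf gives a quick way to confirm the drop list covers exactly the categories you meant before enabling inline blocking on an interface.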
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.