Suricata Rule Re-do (opinions and recommendations)
-
Hi All,
As I know there are much bigger issues now, I wanted to post a little of what I have seen/found while playing with this. My original question is mostly redundant, so below is what I did and my setup, for any comments and to potentially help others.
My network is set up as follows:
- pfSense - Running Suricata and pfBlockerNG (Inbound on WAN, outbound on LAN, OPT1, OPT2)
- WAN
- LAN - Home Machines, CCTV Server (public), TV Server (non-public)
- OPT1 (VLAN of the LAN) - Web Server (public), Mail Server (public), Database Server (non-public)
- OPT2 (VLAN of the LAN) - VoIP Server (public)
Originally I had Suricata enabled on all ports in Legacy Mode with ETOpen Emerging Threats and Snort GPLv2 Community enabled.
Following what I have learnt, I have now disabled Suricata on the WAN; all other interfaces are set up with Inline Blocking, ETOpen Emerging Threats, the Free Snort Rules, and Snort GPLv2 Community enabled.
All Suricata interfaces have the following rule categories:
- Resolve Flowbits
- Snort GPLv2
- emerging-attack_response.rules
- emerging-botcc.portgrouped.rules
- emerging-botcc.rules
- emerging-ciarmy.rules
- emerging-compromised.rules
- emerging-current_events.rules
- emerging-dos.rules
- emerging-dshield.rules
- emerging-exploit.rules
- emerging-malware.rules
- emerging-tor.rules
- emerging-trojan.rules
- emerging-worm.rules

OPT1 has these as extra rule categories due to the servers:
- emerging-imap.rules
- emerging-pop3.rules
- emerging-smtp.rules
- emerging-web_server.rules

Within each interface I then have the IPS Policy enabled with Connectivity and Policy set. This enables the Snort rules automatically and sets the drop/reject options for those.
Emerging Threats need to be changed separately. As all my Emerging Threats rules that are active by default are likely to be valid, I went into SID Mgmt and added a dropsid.conf file shared between all interfaces, and added all the ET rule categories I have enabled as drop, as I want them all to block.
This list has all the ET rules I mentioned above, as only those enabled will be taken into account anyway.
pfBlockerNG now blocks all IPs as it should, but the emerging-ciarmy.rules still do pick up IPs that get through pfBlockerNG, so it was worth keeping both on.
I am now just checking the alerts on each interface daily to decide what I want to do with anything blocked or alerted, in case I want to manually tweak anything.
So far, everything seems to be working well and I think I have an understanding of how this is all working. If anyone knows differently or wants to recommend anything then please let me know, but otherwise I hope this maybe helps some others looking.
Regards,
Jamie
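Added example, not part of Jamie's post and not the pfSense Suricata package's own code: a small Python script that mimics what the SID Mgmt dropsid.conf step does mechanically, so it is easier to check which rules actually end up as drop before relying on the firewall to tell you. The accepted dropsid.conf line forms used here (category names with or without `.rules`, a single SID, `GID:SID`, a `low-high` SID range, and `pcre:` regexes matched against the rule text) are my understanding of the package's SID management format and should be treated as an assumption; the conf contents and the rules themselves are constructed samples.

```python
"""Apply a SID Mgmt style dropsid.conf to a set of Suricata rule categories.

Constructed example: the conf text and rule lines below are invented samples,
and the supported line formats are an assumption about the pfSense package.
"""
import re
from dataclasses import dataclass, field

# Constructed sample dropsid.conf: comment lines, whole categories, one
# GID:SID entry, one SID range and one regex against the rule text.
DROPSID_CONF = """\
# force every enabled rule in these ET categories to drop
emerging-malware
emerging-trojan.rules
emerging-ciarmy
# a single community rule by GID:SID, a SID range, and a text match
1:1000498
2400000-2400100
pcre:Example scanner user-agent
"""

# Constructed sample rules keyed by the category file they would come from.
SAMPLE_RULES = {
    "emerging-malware.rules": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example beacon"; flow:established,to_server; sid:2010001; rev:3;)',
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example disabled rule"; sid:2010002; rev:1;)',
    ],
    "emerging-dshield.rules": [
        'alert ip [10.9.8.0/24] any -> $HOME_NET any (msg:"ET DSHIELD Example listed source"; sid:2400001; rev:1;)',
        'alert ip [10.9.9.0/24] any -> $HOME_NET any (msg:"ET DSHIELD Example listed source 2"; sid:2400500; rev:1;)',
    ],
    "emerging-web_server.rules": [
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Example probe"; sid:2011001; rev:2;)',
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Example scanner user-agent"; sid:2011002; rev:1;)',
    ],
    "community.rules": [
        'alert icmp any any -> $HOME_NET any (msg:"GPL ICMP Example"; gid:1; sid:1000498; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|reject|pass)\b")


@dataclass
class DropPolicy:
    categories: set = field(default_factory=set)   # category names, no .rules suffix
    sids: set = field(default_factory=set)         # (gid, sid) pairs
    ranges: list = field(default_factory=list)     # (low, high) inclusive, gid 1
    patterns: list = field(default_factory=list)   # compiled regexes over rule text


def parse_dropsid(text):
    """Turn dropsid.conf text into a DropPolicy; '#' lines and blanks are ignored."""
    policy = DropPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            policy.patterns.append(re.compile(line[len("pcre:"):].strip()))
        elif re.fullmatch(r"\d+-\d+", line):
            low, high = (int(p) for p in line.split("-"))
            policy.ranges.append((low, high))
        elif re.fullmatch(r"\d+:\d+", line):
            gid, sid = (int(p) for p in line.split(":"))
            policy.sids.add((gid, sid))
        elif line.isdigit():
            policy.sids.add((1, int(line)))
        else:
            policy.categories.add(line[:-len(".rules")] if line.endswith(".rules") else line)
    return policy


def rule_matches(policy, category, rule):
    """True if any dropsid entry (category, GID:SID, range or regex) selects this rule."""
    if (category[:-len(".rules")] if category.endswith(".rules") else category) in policy.categories:
        return True
    sid_match = SID_RE.search(rule)
    if not sid_match:
        return False
    sid = int(sid_match.group(1))
    gid_match = GID_RE.search(rule)
    gid = int(gid_match.group(1)) if gid_match else 1
    if (gid, sid) in policy.sids:
        return True
    if gid == 1 and any(low <= sid <= high for low, high in policy.ranges):
        return True
    return any(p.search(rule) for p in policy.patterns)


def apply_dropsid(conf_text, rules_by_category):
    """Rewrite the action of every selected, enabled rule to 'drop'.

    Disabled (commented-out) rules are left untouched, matching the point that
    only enabled rules are taken into account.
    """
    policy = parse_dropsid(conf_text)
    result = {}
    for category, rules in rules_by_category.items():
        rewritten = []
        for rule in rules:
            stripped = rule.lstrip()
            if stripped.startswith("#") or not ACTION_RE.match(stripped):
                rewritten.append(rule)
            elif rule_matches(policy, category, stripped):
                rewritten.append(ACTION_RE.sub("drop", stripped, count=1))
            else:
                rewritten.append(rule)
        result[category] = rewritten
    return result


def count_actions(rules_by_category):
    """Summarise how many rules carry each action; commented rules count as 'disabled'."""
    counts = {}
    for rules in rules_by_category.values():
        for rule in rules:
            match = ACTION_RE.match(rule.lstrip())
            key = match.group(1) if match else "disabled"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rewritten = apply_dropsid(DROPSID_CONF, SAMPLE_RULES)
    for category, rules in rewritten.items():
        print(f"== {category}")
        for rule in rules:
            print("  ", rule.split("(", 1)[0].strip(), "...")
    print(count_actions(rewritten))
```

Running it shows the whole emerging-malware category flipping to drop while its commented-out rule stays disabled, only the dshield rule inside the SID range changing, the web_server rule picked up by the `pcre:` entry changing while its neighbour stays as alert, and the community rule selected by `1:1000498` dropping. The `count_actions` summary is the kind of sanity check worth running on the real rule files after a SID Mgmt change, since a category name typo in dropsid.conf silently matches nothing.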