Suricata rules without Internet access
-
I have a pfSense in my local network. I am using it as an IDS, mostly to detect some abnormal network behaviours. Unfortunately the IP address of the pfSense does not have direct access to the Internet. I have downloaded the rulesets file. I copied the .rules files to /usr/local/etc/suricata/suricata_xxxx/rules. But the rules are being ignored by the system. How can I solve this? I have googled, read forums, mailing lists, but no luck with an answer. It seems everybody has their pfSense server luckily connected to the Internet. But it is not my case. So, I need some support here.
-
@Yordano said in Suricata rules without Internet access:
I have a pfSense in my local network. I am using it as an IDS, mostly to detect some abnormal network behaviours. Unfortunately the IP address of the pfSense does not have direct access to the Internet. I have downloaded the rulesets file. I copied the .rules files to /usr/local/etc/suricata/suricata_xxxx/rules. But the rules are being ignored by the system. How can I solve this? I have googled, read forums, mailing lists, but no luck with an answer. It seems everybody has their pfSense server luckily connected to the Internet. But it is not my case. So, I need some support here.
Sorry, but the Suricata GUI package for pfSense is not configured for offline operation (without Internet access) nor is it configured for manual installation of the rules in that situation.
If you want to run Suricata in an offline type of situation, it would be better for you to install the plain binary (no GUI support) package from FreeBSD Ports (not the pfSense packages repository!). You can download the package file to a USB stick and then port it over to the pfSense firewall. Be warned that you will also need to grab quite a number of shared library dependencies as well.
A shorter, better answer is "you can't" ... at least not without being willing to go to a lot of extra effort.
In fact, you will find that pfSense itself, with no Internet access, is going to be very slow on the Dashboard GUI due to attempts to contact the pfSense software repository to check for updates. pfSense is just not set up for an offline situation where it can't readily access the Internet.
I know what a pain offline isolated systems can be. I had to manage such systems for several years, and keeping them updated is a big challenge because pretty much all software systems today assume they have immediate unrestricted Internet access.
If all you want is IDS/IPS, then I would seriously consider just installing a Linux distro (or FreeBSD, if you prefer) on the box and then installing the regular Suricata binary for the particular distro. You would then configure everything using the CLI.
-
@bmeeks said in Suricata rules without Internet access:
In fact, you will find that pfSense itself, with no Internet access, is going to be very slow on the Dashboard GUI due to attempts to contact the pfSense software repository to check for updates. pfSense is just not set up for an offline situation where it can't readily access the Internet.
Wasn't there a fix for that "slow GUI" if no Internet access, in either 2.4.5-p1 or the upcoming 2.5?
I think I read about a fix, here on the forum.
/Bingo
-
@bingo600 said in Suricata rules without Internet access:
@bmeeks said in Suricata rules without Internet access:
In fact, you will find that pfSense itself, with no Internet access, is going to be very slow on the Dashboard GUI due to attempts to contact the pfSense software repository to check for updates. pfSense is just not set up for an offline situation where it can't readily access the Internet.
Wasn't there a fix for that "slow GUI" if no Internet access, in either 2.4.5-p1 or the upcoming 2.5?
I think I read about a fix, here on the forum.
/Bingo
I believe you can turn off the check for updates which should take care of the problem.
-
Finally, I was able to manually append any desired ruleset to my running Suricata. After searching everywhere, I found in the Netgate docs for pfSense that the command viconfig is able to persist changes to the always-refreshed config.xml after every system reboot or service restart. First, I found the XML rulesets tag and appended every filename, following the same syntax already used there. After that, I copied to /usr/local/share/suricata/rules every matching file according to the names declared in the rulesets XML tag. Finally, after every refresh of the pfSense box, the changes persist. Thanks anyway to everybody for the tips.
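Editor's added example, not part of the post above or of the pfSense Suricata package: a small sh check to run after the manual viconfig edit, confirming that every ruleset filename declared in config.xml actually exists in the rules directory, since a name that is declared but has no matching file is silently skipped. It assumes (an assumption, not confirmed by the thread) that the package stores the enabled rule files in a <rulesets>...</rulesets> element as filenames separated by "||", with each such element on a single line of config.xml. The config path and rules directory are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Suricata package).
# Assumption: the Suricata package keeps enabled rule files in a
# <rulesets>...</rulesets> element, filenames separated by "||", one
# element per line. Adjust the sed pattern if your config.xml differs.
#
# Usage: check_rulesets /cf/conf/config.xml /usr/local/share/suricata/rules

# Print the ruleset filenames declared in config.xml, one per line.
declared_rulesets() {
    sed -n 's/.*<rulesets>\(.*\)<\/rulesets>.*/\1/p' "$1" \
        | tr '|' '\n' \
        | sed '/^$/d'
}

# Return 0 when every declared ruleset file exists in the rules directory,
# 1 otherwise; each missing filename is reported on stderr so you can see
# exactly which copy step was forgotten.
check_rulesets() {
    cfg=$1
    dir=$2
    missing=0
    for f in $(declared_rulesets "$cfg"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run it as root on the firewall after copying the .rules files; a non-zero exit with "missing:" lines means the config.xml entry and the files on disk are out of step, which is the condition under which the rules "are being ignored".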
-
Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance).
Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but doesn't work. Where would I look to see errors?
Thank you very much!
-
@marklark said in Suricata rules without Internet access:
Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance).
Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but doesn't work. Where would I look to see errors?
Thank you very much!
The internal code within the PHP GUI is expecting HTTP or HTTPS URLs only in that field and sets the options for curl with that in mind. The assumption was the user would have an internal web host to download from when using the Custom URL option. Any errors would be logged on the UPDATES tab in the log file available for viewing there.