Suricata modifying rules
-
Hi All,
I am new to pfSense and Suricata. I have been running Suricata for 2-3 months now and have it pretty much tuned in terms of false positives.
Now I wanted to modify certain rules which get triggered to the DROP action. I see in alerts the rule SID and name, but unfortunately when I go to the interface/list of rules there is no filter to find a rule by SID or name (wish there was an option for this). I have to go through those categories and list each category. This is quite difficult for me as I have no idea from which category a certain rule could come, so it takes me ages to find one rule and change its action.
So if I am not mistaken there is no easy way to change a rule action via the UI in the rules list, but I think I could make a change via SID Management. The problem is I don't know how to use SID Management to modify a certain rule SID's action to DROP.
Or is there another option?
-
You can very easily change a rule action via the GUI while on the ALERTS tab. Simply click the icon under the Action column (for ALERT rules it is a yellow triangle). That will bring up a modal dialog where you can choose another action.
But doing the above set of actions rule-by-rule can be cumbersome. The SID MGMT tab is easier. Here is a link to a Sticky Post at the top of this sub-forum describing how to use the feature: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
Create a new dropsid.conf file on the SID MGMT tab after enabling the SID Management feature (you can give it any name you wish, but I like to name the conf files by what they are doing). In that file, put the GID:SID value pair for each rule you want to change to DROP from ALERT. Put each GID:SID pair on a separate line, or you can put multiple entries on the same line by separating each GID:SID pair with a comma. Save the file. Then go down to the bottom of the page and in the Drop SID drop-down selector, choose the file you just created. Check the box over on the far left to tell Suricata to immediately rebuild the rules for the interface, then click Save. You can examine the various sample files on that tab to see how the syntax works. I would not recommend altering the sample files, though. Look at them, and then create your own custom files for your changes.
Finally, on the RULES tab, if you already know the SID you want to change, then just choose the "Active Rules" category in the drop-down selector for Category. That will show all of your currently active rules. They should already be sorted by SID, but if not, click the SID column at the top of the table to sort the list by SID. Scroll down and find your SID, then click the Action icon to bring up the same modal dialog as the ALERTS tab where you can force a different rule action.
Don't be shy about moving your mouse over the various icons on the screen and hovering there a moment. In most cases a pop-up tooltip message will appear giving you information about the icon and offering some possible options.
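As an added illustration (not code from this thread or from the pfSense Suricata package) of what a dropsid.conf file in the format described above does, here is a small Python script that parses GID:SID pairs, one per line or comma-separated, and rewrites matching enabled rules from alert to drop; it also handles the later post's point that only the active rule lines are affected. The "#" comment handling, the rule lines and the SID numbers are constructed assumptions, not real ruleset content.

```python
import re

# Constructed sample dropsid.conf body in the format the post describes:
# one GID:SID pair per line, or several per line separated by commas.
# "#" comments are an assumption based on the *-sample.conf files.
DROPSID_CONF = """\
# constructed example: promote these rules from ALERT to DROP
1:2100498
1:2010935, 1:2024897
"""

# Constructed sample rules (not real ruleset content); three sids match above.
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"SAMPLE ssh"; sid:2100498; rev:3;)',
    'alert tcp any any -> any 80 (msg:"SAMPLE http"; gid:1; sid:2010935; rev:1;)',
    'alert udp any any -> any 53 (msg:"SAMPLE dns"; sid:2024897; rev:2;)',
    'alert tcp any any -> any 80 (msg:"SAMPLE stays alert"; sid:2000001; rev:1;)',
    '# alert tcp any any -> any 25 (msg:"SAMPLE disabled"; sid:2100498; rev:1;)',
]

_PAIR = re.compile(r"^(\d+):(\d+)$")

def parse_dropsid(text):
    """Return the set of (gid, sid) tuples listed in a dropsid.conf body."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comment and whitespace
        if not line:
            continue
        for token in line.split(","):
            m = _PAIR.match(token.strip())
            if not m:
                raise ValueError(f"bad GID:SID entry: {token!r}")
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def rule_key(rule):
    """Extract (gid, sid) from a rule line; gid defaults to 1 when absent."""
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    if not sid:
        return None
    gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def apply_dropsid(rules, pairs):
    """Rewrite enabled 'alert' rules whose GID:SID is listed so they 'drop'."""
    out = []
    for rule in rules:
        if rule.startswith("alert ") and rule_key(rule) in pairs:
            rule = "drop " + rule[len("alert "):]  # commented-out rules untouched
        out.append(rule)
    return out
```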
-
@bmeeks
I see, and when I tried the method of clicking the icon on my Alerts tab it does not work. I figured out why... I am not in INLINE mode. AFAIK Inline mode has to be used to make use of the DROP action. Given that I was using legacy mode for a while, what do I need to look for when I switch over to inline?
Does the current rules configuration get reset? For example, rules that I have already disabled: will they get re-enabled?
I guess I have to go through every single rule and switch it to drop if I want a drop to happen; otherwise Suricata will not do anything apart from recording an entry in Alerts?
-
@nicesub said in Suricata modifying rules:
@bmeeks
I see, and when I tried the method of clicking the icon on my Alerts tab it does not work. I figured out why... I am not in INLINE mode. AFAIK Inline mode has to be used to make use of the DROP action.
No, with Suricata there is an option on the INTERFACE SETTINGS tab when editing a Suricata interface to set the Legacy Mode option for "Block on DROP Only". When that option is enabled, only rules with the action DROP will generate blocks.
There is a Sticky Post for this feature located at the top of this sub-forum. Here is a link: https://forum.netgate.com/topic/119237/about-the-new-block-on-drops-only-option-in-suricata-4-0-0.
Given that I was using legacy mode for a while, what do I need to look for when I switch over to inline?
Simply go to the INTERFACE SETTINGS tab and change the mode selector drop-down to "Inline IPS Mode". If your NIC hardware does not support Inline IPS Mode, then you will be prevented from saving the change.
Does the current rules configuration get reset? For example, rules that I have already disabled: will they get re-enabled?
No, nothing changes in your configuration in terms of enabled rules or policies.
I guess I have to go through every single rule and switch it to drop if I want a drop to happen; otherwise Suricata will not do anything apart from recording an entry in Alerts?
Yes, when you use Inline IPS Mode or the "Block on DROP Only" option with Legacy Mode, only rules whose action keyword is changed from the default of ALERT to DROP will drop or block traffic. But you don't need to change every rule individually. The SID MGMT tab features let you change entire categories, single SIDs, ranges of SIDs, and even the text of a rule. Go to the SID MGMT tab, click the checkbox at the top to enable the feature, then browse each of the example conf files there by clicking the edit icon to the right of each file. All of the *-sample.conf files are loaded with comments as examples of how to use each file and what syntax is used. At the bottom of that tab page is where you assign a SID management conf file to an interface for the various duties (enable, disable, drop, modify or reject [when using Inline mode]).
-
Thank you for your reply. Given that I run my Suricata on a Hyper-V server, I was wondering how Inline mode would work given its hardware/driver requirements?
-
@nicesub said in Suricata modifying rules:
Thank you for your reply. Given that I run my Suricata on a Hyper-V server, I was wondering how Inline mode would work given its hardware/driver requirements?
That virtual NIC is not supported for native-mode netmap, so Inline IPS is not possible. You should instead use the Legacy Blocking Mode and choose to enable the "Block on DROP Only" option, then proceed configuring rules as you would if you were using Inline IPS Mode.