MD5 Blocklist
-
I would like to use an MD5 hash block list that's a (.txt) file with Suricata and have a few questions:
Is it possible to add the MD5 hash blocklist under extra rules?
Does the MD5 blocklist file have to be located under a specific interface?
MD5 hash format example: 7f7eebb16fb26eb1c7399d411f8383e8
Example of a custom rule that I will try, but will finalize depending on the response:
alert http any any -> any any (msg:"File match MD5 blacklist"; filemd5:blacklistmd5.txt; sid:25; rev:1;)
Would this work?
-
I can't answer directly whether your example rule will work or not, as I have never used the file hash feature.
I can tell you, as the package developer, that each Suricata interface has its own independent interface sub-directory under /usr/local/etc/suricata/. You will find a sub-directory under that path for each configured interface. The subdirectories will be named with the physical interface name with a UUID added. In the interface subdirectory you will find all of the configuration data for that interface. The suricata.yaml file for the interface is created from scratch using PHP code in the GUI each time you start Suricata. So any manual edits you make in these subdirectories are immediately overwritten the next time you save a change in the GUI or stop/start Suricata.
Suricata expects rules files referenced by URLs entered on the GLOBAL SETTINGS tab to be in very rigid formats. A list of MD5 hashes is not expected, so that would not work. You can only download files that contain fully formed text rules.
You can, however, manually (or via some other third-party means) copy your MD5 hashes file to some directory on the firewall and then reference the full path in your filemd5 rules. Here is an example (not on pfSense, but the general process would be the same): https://idstower.com/blog/configuring-suricata-ids-to-alert-on-malicious-file-hashes/.
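Putting the advice above into practice, as an added example that is not from this thread or from the Suricata package: it cleans a pasted MD5 list into the one-hash-per-line form the filemd5 keyword reads, rejecting anything that is not a 32-hex-digit MD5, and emits the rule with the list's full path. The sample list and the path /root/suricata-lists/blacklistmd5.txt are constructed placeholders; pick a directory that the GUI does not regenerate.

```python
import re
from pathlib import PurePosixPath

# Constructed sample list as a user might paste it: mixed case, a comment,
# leading whitespace, a malformed entry and a duplicate.
SAMPLE_LIST = """\
7f7eebb16fb26eb1c7399d411f8383e8
# known malicious sample (comment line)
  D41D8CD98F00B204E9800998ECF8427E
not-a-hash
7f7eebb16fb26eb1c7399d411f8383e8
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_md5_list(text):
    """Return (hashes, rejected): lowercase, deduplicated, one hash per line,
    which is the layout a filemd5 list file must have."""
    hashes, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are dropped, not written out
        if not MD5_RE.match(line):
            rejected.append(raw.strip())  # report so the operator can fix it
            continue
        if line not in seen:
            seen.add(line)
            hashes.append(line)
    return hashes, rejected


def render_md5_list(text):
    """File contents to copy to the firewall: one hash per line, newline-terminated."""
    hashes, _ = normalize_md5_list(text)
    return "\n".join(hashes) + "\n"


def build_filemd5_rule(list_path, sid, rev=1, msg="File match MD5 blacklist"):
    """Emit the alert rule; the list is referenced by its full path so Suricata
    does not look for it relative to the regenerated interface directory."""
    path = PurePosixPath(list_path)
    if not path.is_absolute():
        raise ValueError("reference the filemd5 list by its full path")
    return (f'alert http any any -> any any (msg:"{msg}"; '
            f'filemd5:{path}; sid:{sid}; rev:{rev};)')
```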
-
Thanks bmeeks for the info.
Are you still planning on adding a feature to pfBlockerNG to download "Malicious MD5s" from several sources on a download frequency?
https://forum.netgate.com/topic/79990/suricata-md5-hashes-list
-
@yorke said in MD5 Blocklist:
Thanks bmeeks for the info.
Are you still planning on adding a feature to pfBlockerNG to download "Malicious MD5s" from several sources on a download frequency?
https://forum.netgate.com/topic/79990/suricata-md5-hashes-list
I do not maintain the pfBlockerNG package. That question would need to be directed to that sub-forum.
-
@bmeeks
OK, will do. Sorry about the mix-up.