    Netgate Discussion Forum
    MD5 Blocklist

    IDS/IPS
    • Y
      yorke last edited by

      I would like to use an MD5 hash block list that's a (.txt) file with Suricata and have a few questions.
      Is it possible to add the MD5 hash blocklist under extra rules?
      Does the MD5 blocklist file have to be located under a specific interface?
      MD5 hash format example: 7f7eebb16fb26eb1c7399d411f8383e8
      Example of a custom rule that I will try, but will finalize depending on response:
      alert http any any -> any any (msg:"File match MD5 blacklist"; filemd5:blacklistmd5.txt; sid:25; rev:1;)
      Would this work?

      • bmeeks
        bmeeks last edited by

        I can't answer directly whether your example rule will work or not as I have never used the file hash feature.

        I can tell you, as the package developer, that each Suricata interface has its own independent interface sub-directory under /usr/local/etc/suricata/. You will find a sub-directory under that path for each configured interface. The subdirectories will be named with the physical interface name with a UUID added. In the interface subdirectory you will find all of the configuration data for that interface. The suricata.yaml file for the interface is created from scratch using PHP code in the GUI each time you start Suricata. So any manual edits you make in these subdirectories are immediately overwritten the next time you save a change in the GUI or stop/start Suricata.

        Suricata expects rules files referenced by URLs entered on the GLOBAL SETTINGS tab to be in very rigid formats. A list of MD5 hashes is not expected, so that would not work. You can only download files that contain fully formed text rules.

        You can, however, manually (or via some other third-party means) copy your MD5 hashes file to some directory on the firewall and then reference the full path in your filemd5 rules. Here is an example (not on pfSense, but the general process would be the same): https://idstower.com/blog/configuring-suricata-ids-to-alert-on-malicious-file-hashes/.

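        As an added example (not code from this thread, nor from the Suricata or pfSense projects), the following Python script turns a raw hash feed into the one-MD5-per-line text file that the filemd5 keyword reads, writes it out, builds the rule with the list referenced by its full path as suggested above, and checks a sample file body against the list the way the rule would. The sample file body, the feed text and the output path are constructed for the example; only the first hash is the one quoted in the question.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Suricata's filemd5 keyword reads one 32-hex-digit MD5 per line from the file.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample file body and feed text (only the first hash is from the thread).
SAMPLE_FILE = b"constructed sample file body\n"
RAW_BLOCKLIST = (
    "# constructed feed: one MD5 per line, comments allowed\n"
    "7f7eebb16fb26eb1c7399d411f8383e8\n"
    "7F7EEBB16FB26EB1C7399D411F8383E8   # same hash, different case\n"
    "\n"
    f"{hashlib.md5(SAMPLE_FILE).hexdigest()}\n"
)

def normalise_hash_list(raw_text: str) -> list:
    """De-duplicate and lowercase a raw feed; reject anything that is not an MD5."""
    hashes = set()
    for lineno, line in enumerate(raw_text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue  # blank or comment-only line
        if not MD5_RE.match(entry):
            raise ValueError(f"line {lineno}: not a 32-hex-digit MD5: {line!r}")
        hashes.add(entry)
    return sorted(hashes)

def write_blocklist(hashes, dest: Path) -> Path:
    """Write the cleaned list where Suricata can read it; return its absolute path."""
    dest.write_text("\n".join(hashes) + "\n")
    return dest.resolve()

def filemd5_rule(list_path, sid: int, rev: int = 1) -> str:
    """Build the alert rule with the list referenced by full path, as bmeeks advises."""
    return ('alert http any any -> any any (msg:"File match MD5 blacklist"; '
            f"filemd5:{list_path}; sid:{sid}; rev:{rev};)")

def is_blocked(payload: bytes, hashes) -> bool:
    """Local check of what the rule would match: the file's MD5 is in the list."""
    return hashlib.md5(payload).hexdigest() in set(hashes)

if __name__ == "__main__":
    cleaned = normalise_hash_list(RAW_BLOCKLIST)
    with tempfile.TemporaryDirectory() as tmp:
        path = write_blocklist(cleaned, Path(tmp) / "blacklistmd5.txt")
        print(filemd5_rule(path, sid=25))
        print("sample blocked:", is_blocked(SAMPLE_FILE, cleaned))
```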
        • Y
          yorke @bmeeks last edited by

          @bmeeks

          Thanks bmeeks for the info.
          Are you still planning on adding a feature to pfBlockerNG to download "Malicious MD5's" from several sources on a download frequency?
          https://forum.netgate.com/topic/79990/suricata-md5-hashes-list

          • bmeeks
            bmeeks @yorke last edited by

            @yorke said in MD5 Blocklist:

            @bmeeks

            Thanks bmeeks for the info.
            Are you still planning on adding a feature to pfBlockerNG to download "Malicious MD5's" from several sources on a download frequency?
            https://forum.netgate.com/topic/79990/suricata-md5-hashes-list

            I do not maintain the pfBlockerNG package. That question would need to be directed to that sub-forum.

            • Y
              yorke @bmeeks last edited by

              @bmeeks
              Ok, will do, sorry about the mix-up.
