Suricata custom ruleset downloaded but not used
-
Greetings,
I have installed Suricata version 6.0.13 on pfsense 2.7.0 stable via pfsense WebGUI.
What I want to accomplish is adding a custom self-hosted source for the rule updater (suricata-update, I guess) for automatic git-based rule deployment.
In the global settings I added http://192.168.0.102:7182/customrules.tar.gz as custom source.
The rule updater tells me “Extra CustomRules rules were updated.” and
“Suricata has restarted with your new set of rules”, but they are in fact not loaded.
(I can tell since I included a syntactically wrong rule, for easy detection of rule loading in suricata.log and there is no error in the log.)
The same source can be successfully loaded (with one syntax error showing up) by plain Suricata on Arch.
My question now is how I can instruct pfSense's Suricata not only to download, but to actually use the ruleset.
Copy-pasting the rules into the "Defined Custom Rules" textbox is no option, because the solution should be easy to maintain and automate.
Additional info:
The tar.gz is created using “tar -czf customrules.tar.gz *.rules *.lua”, but I also tried including the parent directory with the same result.
Thanks for your support.
-
Did you go to the CATEGORIES tab for the interface and enable the new rules package there? You must enable the rules using the checkboxes on the CATEGORIES tab. Or you can enable the SID MGMT feature and select the rules there.
The GLOBAL SETTINGS tab enables rules archives for download, but it does NOT automatically mean those rules will be used by any Suricata instance. You still must select the rules to use for each Suricata instance on the CATEGORIES tab (or via the SID MGMT feature).
To see the CATEGORIES tab, edit the appropriate Suricata interface instance and then click the CATEGORIES tab.
-
@bmeeks
No I didn't.
Now I did and it works. Thank you very much.
Is there a dedicated Suricata-pfsense-manual where such things, info about sid_mgmt and other UI specific stuff is documented?
I only have the Suricata-manual and an internet search brings up very specific threads on this forum.
I really would appreciate having fewer of those RTFM moments.
-
Here is a link to the generic pfSense documentation for the IDS/IPS packages (Snort and Suricata): https://docs.netgate.com/pfsense/en/latest/packages/snort/index.html.
Because those two packages share so much common GUI code, the way they operate is extraordinarily similar. That point is noted in the documentation linked above.
Just be aware that Suricata (and Snort) on pfSense runs a customized binary with a special output plugin compiled in for Legacy Mode Blocking. Also, the GUI in pfSense does everything "behind the scenes" that a user would normally do via command-line editing of configuration files on other Linux or FreeBSD distros. So, many of the online guides you might find for configuring Suricata have limited usefulness on pfSense (at least in terms of providing specific steps to achieve some particular configuration) because they refer you to direct file edits. Those don't work on pfSense because the GUI code rewrites all the local configuration files each time you save a change in the GUI or start the binary. Thus any hand-edits you may have made will be immediately lost.
At best these online generic Suricata guides can give you the overall concept, but then you need to find how some feature is implemented within the package GUI on pfSense. Posting specific questions back to this forum is a great way to get help and learn to use the package. There are quite a few Snort and Suricata users on pfSense. There are also some pinned Sticky Posts at the top of this sub-forum describing how to use certain features of both packages. Remember that anything you see posted for Snort operation likely applies about the same to Suricata. There are some differences, but the overall workflow of the GUI is the same in both IDS/IPS packages.