Taming the beasts… aka suricata blueprint
-
I've been setting up multiple pfsenses based on my recommendations in this topic and never had a problem with them blocking legitimate sites (aside from FPs now and then). In particular, a CARP cluster that provides connectivity to a small datacenter that houses web hosting servers, email servers and co-located servers, and internet access to remote clients, rarely gets any false positives. Those false positives are dealt with as soon as possible, which can be seen on the github list, since I took the enable all rules, then start removing rules as they are encountered approach, as recommended in this topic.
There is a reason those sites are blocked. Maybe it's a misconfiguration issue, a suricata false positive, or maybe they are not so legitimate after all.
-
@jflsakfja:
To explain the floating rules we need to examine the following examples:
A) 1 non-quick floating rule that blocks traffic to port 80 on interface wan
B) 1 normal (interface) rule that passes traffic to port 80 on interface wan- Floating rules get evaluated first from top to bottom
- If the floating rule is NOT quick, then proceed with further matching against other rules
- Interface rules get evaluated last from top to bottom
Going through the checklist above, tells us that a packet will first pass through the floating rule, where the rule does match, but is not the terminal match against it, so the packet will continue on until it reaches the terminal match, which is rule B. Although the floating rule says block, the packet will pass since that's the rule that matches it.
In the case that rule A is quick, the packet will immediately match that rule, which says block it, therefore it will be blocked.
One of my ever frustrating frustrations (yaah :P ) with the floating rules was that I never understood them. I think your explanation is very clear, so for the zillionth time: thank you, Jfl ;D
What remains is one little question: the source versus destination. You will have to set the rules twice, yes (?) because of the source versus destination difference: suppose you have multiple WAN and multiple LAN (as I do), in order to block connections from and to a specific IP you will have to set two floating rules: 1 for all WAN's where source is the aforementioned IP, and a second floating rule for all LAN's where the destination is the aforementioned IP.
I ask because in many posts (in this forum) as well as 'tutorials' on the internets it is said you only need one floating rule, and I never understood that since it depends on whether traffic is coming from the source or from the destination.
Brains: mysterious things ;D
-
@jflsakfja:
I've been setting up multiple pfsenses based on my recommendations in this topic and never had a problem with them blocking legitimate sites (aside from FPs now and then). In particular, a CARP cluster that provides connectivity to a small datacenter that houses web hosting servers, email servers and co-located servers, and internet access to remote clients, rarely gets any false positives. Those false positives are dealt with as soon as possible, which can be seen on the github list, since I took the enable all rules, then start removing rules as they are encountered approach, as recommended in this topic.
There is a reason those sites are blocked. Maybe it's a misconfiguration issue, a suricata false positive, or maybe they are not so legitimate after all.
I trust your judgements and knowledge completely, Jfl, you know that; more researching for me to do ;D
-
ping www.geenstijl.nl
PING www.geenstijl.nl (162.159.255.153): 56 data bytes
(Look at the Original Download Files)
grep "162.159.255.153" /home/USER/orig/*/home/USER/orig/ET_IPrep.txt:162.159.255.81,15,127
/home/USER/orig/ET_IPrep.txt:162.159.255.81,24,103
/home/USER/orig/ET_IPrep.txt:162.159.255.219,27,55
/home/USER/orig/ET_IPrep.txt:162.159.255.5,27,109(Look at the final pf Folder files)
grep "^162.159.255." /home/USER/pf/*/home/USER/pf/ET_IPrep.txt:162.159.255.81
/home/USER/pf/e_tfakeav:162.159.255.81(Look at the pfSense AliasTable Folder)
grep "^162.159.255." /usr/local/www/aliastables/*/usr/local/www/aliastables/IR_PRI1:162.159.255.81
I am using the Emerging Threats IQRisk Blocklist, so that is the only list that I see that has any IPs in that Range.
I don't believe you are using that list, so not sure which list had that IP. And there is ony 4 IPs listed which is below the threshold of "5" and so it didn't block the whole range.
Atleast you can see that this range has some malicious activity (FakeAv)
-
Yes, that's why I recommended setting up pairs for floating rules for the list's aliases.
A source rule says the source should be matched. Since it's "them" that send packets to "us" on our wan type interfaces, we should set up the wan side rules to perform their match against the source (list alias). These rules should be block (don't answer the door saying I will not talk to you).
A destination rule says the destination should be matched. Since it's "us" that send packets to "them" on our lan type interfaces, we should set up the lan side (or dmz, or any other internal interface) rules to match based on the destination. Matching against the source will never give a match, since the source is "us". These rules should be reject (answer the door to our internal client saying "You are not allowed to talk to that") so that browsing to a non-legitimate site doesn't take 2 minutes to time out.
-
ping www.geenstijl.nl
PING www.geenstijl.nl (162.159.255.153): 56 data bytes
(Look at the Original Download Files)
grep "162.159.255.153" /home/USER/orig/*/home/USER/orig/ET_IPrep.txt:162.159.255.81,15,127
/home/USER/orig/ET_IPrep.txt:162.159.255.81,24,103
/home/USER/orig/ET_IPrep.txt:162.159.255.219,27,55
/home/USER/orig/ET_IPrep.txt:162.159.255.5,27,109(Look at the final pf Folder files)
grep "^162.159.255." /home/USER/pf/*/home/USER/pf/ET_IPrep.txt:162.159.255.81
/home/USER/pf/e_tfakeav:162.159.255.81(Look at the pfSense AliasTable Folder)
grep "^162.159.255." /usr/local/www/aliastables/*/usr/local/www/aliastables/IR_PRI1:162.159.255.81
I am using the Emerging Threats IQRisk Blocklist, so that is the only list that I see that has any IPs in that Range.
I don't believe you are using that list, so not sure which list had that IP. And there is ony 4 IPs listed which is below the threshold of "5" and so it didn't block the whole range.
Atleast you can see that this range has some malicious activity (FakeAv)
IP 162.159.255.153 belongs to cloudflare. Since cloudflare is a CDN (Content Distribution Network) some other site might have used that IP to perform some nefarious act, therefore the IP got listed on one of the lists. Ideally cloudflare will deal with it and the IP will eventually be removed from the list. My only explanation as to why traffic to that IP is blocked.
-
F*** cloudflare… I have been blocking SPAM from their Network for two weeks now. Everyday its getting past all of the Blocklists, Snort, and my Mail Servers Mail Spam protection. FRESH Spam I guess. I send all of the mail that makes it past my Security Systems to SPAMCOP and hopefully they add it to the list of IPs to Ban.
-
Re-read my post, "ideally" is the key word ;)
Dealing with abuse (or spam) reports is an activity I don't look forward to. In particular my country's ISPs seem to think they invented the Internet, and all (without ANY exception) do NOT respond to abuse reports merely thinking out loud "Who the F**** are you to tell us our job!?!?!". Hell I've had to deal with a 15month DoS attack, until I had to scream at my upstream's "Head of Technical Department" (a complete and utter idiot, of the variety that no matter how many you seem to get rid of, a thousand more pop up for each one) to add the single IP to their ACL (a NON existent ACL until I forced them to implement it).
The attacker's upstream's response to my constant abuse reports was drum-roll…. they changed his IP. I got a brain aneurysm when they told me that. I thought my upstream's idiotic technical department was the lowest you could go, but apparently there are "innovators" all over the place.
Don't want to name and shame anyone, since there are "innovators" all over the place, even in the justice system, that would think those comments were "libelous" ;)
A small tip to ISPs. If I bother to write an official abuse report to you, citing logs, then that means I'm fed up with your client/system. Do something about it, or consider a career change and let us, that know how to do your job, do it.
-
Thanks Cino and jflsakfja, for clearing up why I should tick the Quick box.
If it were not for the risk of black hole and total collapse of the forum I might have suggested here to edit the original instructions in the #10 reply post accordingly ;) ;) ;D -
ping www.geenstijl.nl
PING www.geenstijl.nl (162.159.255.153): 56 data bytes
(Look at the Original Download Files)
grep "162.159.255.153" /home/USER/orig/*/home/USER/orig/ET_IPrep.txt:162.159.255.81,15,127
/home/USER/orig/ET_IPrep.txt:162.159.255.81,24,103
/home/USER/orig/ET_IPrep.txt:162.159.255.219,27,55
/home/USER/orig/ET_IPrep.txt:162.159.255.5,27,109(Look at the final pf Folder files)
grep "^162.159.255." /home/USER/pf/*/home/USER/pf/ET_IPrep.txt:162.159.255.81
/home/USER/pf/e_tfakeav:162.159.255.81(Look at the pfSense AliasTable Folder)
grep "^162.159.255." /usr/local/www/aliastables/*/usr/local/www/aliastables/IR_PRI1:162.159.255.81
I am using the Emerging Threats IQRisk Blocklist, so that is the only list that I see that has any IPs in that Range.
I don't believe you are using that list, so not sure which list had that IP. And there is ony 4 IPs listed which is below the threshold of "5" and so it didn't block the whole range.
Atleast you can see that this range has some malicious activity (FakeAv)
Amazing to see what you can do @ the CLI, BB ;D
I wasn't clear enough, since I could hit geenstijl.nl, but not the movies they embed there. They are hosted on one of their other sites, dumpert.nl. And that one was blocked. The IP lookup turned out this was cloudflare. So I added a floating rule IR_PASS (which, magically, also appears in the dashboard widget :P ) that will use the IR_PASS alias to contain hosts that I might consider 'false positives'.
Just curious, btw, BB: why is cloudflare spamming you (or, better said: how?) I thought this was a reputable service? Obviously not, but I don't know why? I mean, large sites use cloudflare(?)
-
Could I ask some of my most famous noob questions?
1. Does it make sense that if IR_PRI1 is blocking that Snort is also still blocking IP's based on Dshield (which is in IR_PRI1)?
2. While I will be moving over from Snort to Suricata after Bmeeks will have added new buttons for easy disabling rules, does it still make sense to buy the Snort VRT subscription for use in Suricata? Or won't these Snort rules work too well in Suricata?
3. How do you get rid of all these log lines about traffic being blocked:–- 255.255.255.255:10001 UDP
--- 239.255.255.250:1900 UDP
--- 224.0.0.252:5355 UDPThey were gone for months, but suddenly the log is being flooded with them again. Ever since I started with pfSense these lines appear to bug me every so many months.
Thank you ;D
-
@jflsakfja:
Yes, that's why I recommended setting up pairs for floating rules for the list's aliases.
A source rule says the source should be matched. Since it's "them" that send packets to "us" on our wan type interfaces, we should set up the wan side rules to perform their match against the source (list alias). These rules should be block (don't answer the door saying I will not talk to you).
A destination rule says the destination should be matched. Since it's "us" that send packets to "them" on our lan type interfaces, we should set up the lan side (or dmz, or any other internal interface) rules to match based on the destination. Matching against the source will never give a match, since the source is "us". These rules should be reject (answer the door to our internal client saying "You are not allowed to talk to that") so that browsing to a non-legitimate site doesn't take 2 minutes to time out.
Thank you Sir ;D
Whilst in the traffic jam I was thinking: what actually is the goal of floating rules as opposed to rules on Interface Groups? Both do the same as far as I can tell: they both work over different interfaces, they both come before the individual rules per interface. I am sort of wondering when you should use what ???
-
@Hollander:
1. Does it make sense that if IR_PRI1 is blocking that Snort is also still blocking IP's based on Dshield (which is in IR_PRI1)?
2. While I will be moving over from Snort to Suricata after Bmeeks will have added new buttons for easy disabling rules, does it still make sense to buy the Snort VRT subscription for use in Suricata? Or won't these Snort rules work too well in Suricata?
3. How do you get rid of all these log lines about traffic being blocked:1. Good idea on putting the Pass list into the IR_ category! Snort/Suricata processses a 'copy' of all the packets. So even if it was blocked by the Firewall, Snort/Suricata will still see it. Keep an eye on the Snort/Suricata alerts, and click on the "!" to see if the IP is listed or has the range blocked. I have noticed that over 90% of what Snort/Suricata Blocks is already being blocked by the Firewall Blocklists.
Hopefully when pfSense moves to 2.2 and they add NetMap api, it will allow a true-inline process for Snort/Suricata.
2. Suricata will load the Snort VRT ruleset except for about 600 rules. You can see that in the Suricata logs (which ones failed due to regex issues) I would still use the ruleset in Suricata.
(on another note, I still plan on staying with Snort for the time being)3. I get them occasionally. Maybe Bill has some suggestions.
-
@Hollander:
I wasn't clear enough, since I could hit geenstijl.nl, but not the movies they embed there. They are hosted on one of their other sites, dumpert.nl. And that one was blocked. The IP lookup turned out this was cloudflare. So I added a floating rule IR_PASS (which, magically, also appears in the dashboard widget :P ) that will use the IR_PASS alias to contain hosts that I might consider 'false positives'.
Just curious, btw, BB: why is cloudflare spamming you (or, better said: how?) I thought this was a reputable service? Obviously not, but I don't know why? I mean, large sites use cloudflare(?)
Here is what I show being blocked by that IP (IP may be different for you as cloudflare is a CDN and the IP could be different in your Country.
From these results, really makes you wonder if you would feel comfortable going to those websites? Note, the IPs below are from the ET Paid IQRisk Blocklist. No other lists show that Ip for me, so I am curious which list is blocking on your end?
grep "^141.101.116." pf/*
pf/ET_IPrep.txt:141.101.116.0/24
pf/e_tcnc:141.101.116.72
pf/e_tcnc:141.101.116.52
pf/e_tcnc:141.101.116.55
pf/e_tcnc:141.101.116.107
pf/e_tcnc:141.101.116.126
pf/e_tcnc:141.101.116.162
pf/e_tcnc:141.101.116.15
pf/e_tcnc:141.101.116.187
pf/e_tcnc:141.101.116.137
pf/e_tcnc:141.101.116.175
pf/e_tcompromised:141.101.116.174
pf/e_tddos:141.101.116.176
pf/e_tspywarecnc:141.101.116.55
pf/e_tspywarecnc:141.101.116.154
pf/e_tspywarecnc:141.101.116.95
pf/e_tspywarecnc:141.101.116.170
pf/e_tspywarecnc:141.101.116.112
pf/e_tspywarecnc:141.101.116.130
pf/e_tspywarecnc:141.101.116.17As an Economist, you should already know that answer ;) Money, Bones, Bread, Fins, Moola, Dinero
Why would they kicks spammers off of their network and lose revenue. Spread the word and block/boycott them all.
What happens is a Spammer sets up shop on a Hosting Service and Spams for as long as they can, after they get blocked, they move to another Hosting Service or just setup a new domain and new IPs. (Sadly, those IPs get recycled to some legit sites and people wonder why they are on a Blocklist when they just got these new IP addresses.)
I have had spamming issues from several Hosting Services HOSTNOC, OVH, Burstnet.
I am currently blocking the whole Burstnet network (3000 servers) as I was getting spammed for months without them doing anything about it. If you want to see how bad it is, take a look at this Google Group:
https://groups.google.com/forum/#!forum/news.admin.net-abuse.email
(and for a good laugh… ;D) -
@Hollander:
Whilst in the traffic jam I was thinking: what actually is the goal of floating rules as opposed to rules on Interface Groups? Both do the same as far as I can tell: they both work over different interfaces, they both come before the individual rules per interface. I am sort of wondering when you should use what ???
Floating Rules are good if you have multiple interfaces, so you can define these in the Floating Tab so that they are in effect for several Interfaces at one time.
-
1. Good idea on putting the Pass list into the IR_ category! Snort/Suricata processses a 'copy' of all the packets. So even if it was blocked by the Firewall, Snort/Suricata will still see it. Keep an eye on the Snort/Suricata alerts, and click on the "!" to see if the IP is listed or has the range blocked. I have noticed that over 90% of what Snort/Suricata Blocks is already being blocked by the Firewall Blocklists.
Hopefully when pfSense moves to 2.2 and they add NetMap api, it will allow a true-inline process for Snort/Suricata.
Thank you BB ;D
Ah, ok, so a package comes in, the firewall is the very first line of defense and in the millisecond it will take the firewall to block it, it will also send it to snort which will analyze it and will also block the IP - which is already blocked by the firewall.
So what we are doing right now is more or less a preparation for when 2.2. comes? As in: Jflsak sad he wants the firewall to do the work that the firewall can do, so Snort won't be wasting CPU (and speed) when not necessary. But if I understand you correctly currently that is still not the case, we will have to wait for 2.2, hence it is just 'preparing for'.
2. Suricata will load the Snort VRT ruleset except for about 600 rules. You can see that in the Suricata logs (which ones failed due to regex issues) I would still use the ruleset in Suricata.
(on another note, I still plan on staying with Snort for the time being)On that other note: why, if I may ask? I thought consensus was sort of Snort is no longer to be trusted?
3. I get them occasionally. Maybe Bill has some suggestions.
I hope ;D
-
Floating Rules are good if you have multiple interfaces, so you can define these in the Floating Tab so that they are in effect for several Interfaces at one time.
I am sure I am once again stupid, but: Interface Groups do exactly the same?
For example, I have MultiWAN, in which both my WAN's are. In the MultiWAN-tab I have set some rules that apply to both WAN's at the same time. Floating rules can do that too, so when would one use Interface Groups, and when would one use Floating Rules ???
-
@Hollander:
I wasn't clear enough, since I could hit geenstijl.nl, but not the movies they embed there. They are hosted on one of their other sites, dumpert.nl. And that one was blocked. The IP lookup turned out this was cloudflare. So I added a floating rule IR_PASS (which, magically, also appears in the dashboard widget :P ) that will use the IR_PASS alias to contain hosts that I might consider 'false positives'.
Just curious, btw, BB: why is cloudflare spamming you (or, better said: how?) I thought this was a reputable service? Obviously not, but I don't know why? I mean, large sites use cloudflare(?)
Here is what I show being blocked by that IP (IP may be different for you as cloudflare is a CDN and the IP could be different in your Country.
From these results, really makes you wonder if you would feel comfortable going to those websites? Note, the IPs below are from the ET Paid IQRisk Blocklist. No other lists show that Ip for me, so I am curious which list is blocking on your end?
grep "^141.101.116." pf/*
pf/ET_IPrep.txt:141.101.116.0/24
<snip>pf/e_tspywarecnc:141.101.116.17As an Economist, you should already know that answer ;) Money, Bones, Bread, Fins, Moola, Dinero
Why would they kicks spammers off of their network and lose revenue. Spread the word and block/boycott them all.
What happens is a Spammer sets up shop on a Hosting Service and Spams for as long as they can, after they get blocked, they move to another Hosting Service or just setup a new domain and new IPs. (Sadly, those IPs get recycled to some legit sites and people wonder why they are on a Blocklist when they just got these new IP addresses.)
I have had spamming issues from several Hosting Services HOSTNOC, OVH, Burstnet.
I am currently blocking the whole Burstnet network (3000 servers) as I was getting spammed for months without them doing anything about it. If you want to see how bad it is, take a look at this Google Group:
https://groups.google.com/forum/#!forum/news.admin.net-abuse.email
(and for a good laugh… ;D )</snip>Thank you ;D
I will use your CLI-examples to try and do that myself, and report back here what mine says for that site, dumpert.nl.
So if I understand you correctly the site dumpert.nl (part of a reputable news paper company group in The Netherlands) is not to be expected to be blamed, it is the fact that they are 'outsourcing' their hosting 'in the cloud' and the cloud provider is making a mess of it, hence risking dumpert.nl to be contaminated with crap ware.
-
I think both Snort or Suricata are both good options. The rules generally work for either, so the rules to disable are similar except for the Suricata Stream and other rules specific to Suricata. Suricata is a lot more involved and have a lot of new options not available in Snort.
I think the issue with Snort is when Cisco bought them, and the worry is that they close it to open-source at some time in the future. If that happens, everyone would either have to pay up, or switch to Suricata. As Suricata is harder to configure, getting it working now gets you ahead of the game.
So its all about choice and I think thats what Bill has said numerous times.
I think the Floating Tab also allows "Match" (instead of "pass", "Block" or "reject") these are necessary for things like Traffic Shaper to work. So if you use "Interface groups", I believe its probably the same in the end.
Yes lots of reputable sites do that. Take "Yahoo" as an example. Their site is laden with links to other sites and they are known to have issue for spyware excetera. But again, look at Yahoo's financial issues and they need the revenue.
Sometime, you visit a site, and it redirects to another IP just to popup an "Advert" or a drive-by installation of malicious software.
Also look at Dropbox, these malicious groups are using dropbox to push their malware as most people would assume anything from dropbox is safe? :o :o The next steps after IP blocking would be DNS Sinkholing or URL filtering, so that we can stop "known" URLs that lead to reputable sites but are still malicious.
-
@Hollander:
3. How do you get rid of all these log lines about traffic being blocked:
–- 255.255.255.255:10001 UDP
--- 239.255.255.250:1900 UDP
--- 224.0.0.252:5355 UDPThey were gone for months, but suddenly the log is being flooded with them again. Ever since I started with pfSense these lines appear to bug me every so many months.
Is snort/suricata blocking them or if it pfsense default block rule? if its snort or suricata, you can suppress them base on the rule that is being triggered:
#SURICATA IPv4 padding required
suppress gen_id 1, sig_id 2200007, track by_dst, ip 224.0.0.22