Netgate Discussion Forum

    Taming the beasts… aka suricata blueprint

    • BBcan177B
      BBcan177 Moderator
      last edited by

      I think it was obvious that you wouldn't look at every single log and every single IDS alert. It is true, though, that people can set up these systems and get drowned out by the minutiae.

      However, this is not what he is saying. It's important to filter those logs and those alerts from the IDS so you are only seeing the important ones. Setting up tripwires so that if and when someone does get in, or someone on the inside does something, it will trip an alarm.

      It's all great to put up a blocking system to stop maliciousness from getting in, but as the article articulated, you will make a mistake or someone will, or a zero-day and something gets past your security. Nothing is impenetrable.

      Tools like OSSEC are good to have running on servers so that it can alert on file changes or brute forces inside your network. I run Security Onion running full packet capture immediately after my Firewall. So when you have an issue, you can at least have a bread crumb trail so you can see what was accessed and infiltrated or attempted to be. These logs and pcaps can determine whether someone just snooped around or if they actually downloaded/uploaded anything.

      If you look at most network intrusions, it's not the first hack that made any damage. Most likely a single event won't be catastrophic. So if you have detection on the inside, they will most likely trip an alarm that will allow you to root out an intruder before they do damage.

      As with age, I never judge the length of time someone has been doing something as a sign of wisdom. People do jobs for their entire life; unfortunately some of them never had it right in the first place.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • bmeeksB
        bmeeks
        last edited by

        @BBcan177:

        I was looking at the Suricata Package and I don't see where the PORT Scanning Pre-Processor is configured? Is this option available in Suricata? Or is it expected to be released in the 2.0x releases?

        Along with what jflsakfja and Matt Jonkman (ET) have said, here is some more good advice:

        http://dcid.me/notes/2013-jul-08

        I'm not a Suricata expert yet, but to the best of my knowledge there is no equivalent of Snort's sf_portscan preprocessor in Suricata.  There are text rules (ET Scan rules come to mind) that can detect most port scans, though.

        Bill

        • G
          G.D. Wusser Esq.
          last edited by

          Give me a ping, Vasili. One ping only.

          • D
            dmitripr
            last edited by

            Hi,

            Trying to code a custom rule and getting an error. The rule is basically to block the traffic to closed ports, something like:

            alert tcp $EXTERNAL_NET any -> any [1:1024,![XX,XX,XX,XXX]]

            However, I'm getting an error:
            [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.

            I thought this was a valid syntax. What am I missing here?

            Thanks for your help!

            • BBcan177B
              BBcan177 Moderator
              last edited by

              @dmitripr:

              I thought this was a valid syntax. What am I missing here?

              This is from an older manual, but I believe it's still the same format.

              2.2.4 Port Numbers

              Port numbers may be specified in a number of ways, including "any" ports, static port definitions, ranges, and by negation. "Any" ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for port mapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator ":". The range operator may be applied in a number of ways to take on different meanings, such as in Figure 2.6.

              log udp any any -> 192.168.1.0/24 1:1024

              log udp traffic coming from any port and destination ports ranging from 1 to 1024

              log tcp any any -> 192.168.1.0/24 :6000

              log tcp traffic from any port going to ports less than or equal to 6000

              log tcp any :1024 -> 192.168.1.0/24 500:

              log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500

              Port negation is indicated by using the negation operator "!". The negation operator may be applied against any of the other rule types (except any, which would translate to none, how Zen…). For example, if for some twisted reason you wanted to log everything except the X Windows ports, you could do something like the rule in Figure 2.7.

              log tcp any any -> 192.168.1.0/24 !6000:6010

              • ?
                A Former User
                last edited by

                @dmitripr:

                Hi,

                Trying to code a custom rule and getting an error. The rule is basically to block the traffic to closed ports, something like:

                alert tcp $EXTERNAL_NET any -> any [1:1024,![XX,XX,XX,XXX]]

                However, I'm getting an error:
                [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.

                I thought this was a valid syntax. What am I missing here?

                Thanks for your help!

                You need to remove the regular ports from the rule and only select the negated range. It wouldn't be any use anyway to include 1:1024. If you don't allow that range, the rule will still alert for those ports, since that's what you told the IDS to do. Alert on any port other than the open ports (used ports). Any port you don't specifically allow, will generate the alert.

                @G.D. Wusser Esq.: It's not a matter of one ping only Vasili. It's a matter of not using a screwdriver and a hammer to remove a 1/2" bolt. Yes it can be done, yes it's extremely useful if the head of the bolt is broken off for any reason, but it's not the right tool for the job. Use the 1/2" wrench to remove the 1/2" bolt.

                To ping a host you first need to resolve the host, then ping it.
                To find out the IP of a host, you just need to resolve the host.

                • C
                  Cino
                  last edited by

                  @jflsakfja Next time you speak to that user, tell them to use nslookup on Windows. You can look up by hostname or IP…

                  • D
                    dmitripr
                    last edited by

                    @jflsakfja:

                    You need to remove the regular ports from the rule and only select the negated range. It wouldn't be any use anyway to include 1:1024. If you don't allow that range, the rule will still alert for those ports, since that's what you told the IDS to do. Alert on any port other than the open ports (used ports). Any port you don't specifically allow, will generate the alert.

                    Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged ports, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

                    Maybe I'm over-thinking this. Can I use pfsense port alias here?

                    Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

                    Again, thanks for the help!

                    • ?
                      A Former User
                      last edited by

                      @dmitripr:

                      Thanks jflsakfja. That makes sense. However, the reason I stated 1:1024 is because I want ports 1024: onwards to remain open as well. Basically I would like to block all destination privileged ports, except a few (IPsec, OpenVPN, etc.), but also leave non-privileged ports open as well (as you suggested :) ). What would be the appropriate syntax for the port part of the rule? Based on the documentation I found online, my proposed syntax should work, but it doesn't and I get the error that I mentioned.

                      As suggested, keep the rule alerting on all unused ports: ![port1,port2,port3,port4:port25,port1024:port65535]
                      You just need to set up the ports you use inside that [ ]. I highly suggest including all the unprivileged ports in there, unless you manually go into every program you use and tell it to use a specific unprivileged range.

                      @dmitripr:

                      Maybe I'm over-thinking this. Can I use pfsense port alias here?

                      Nope. I used to be able to declare the variables at the start of the custom rules tab (eg USED_PORTS) but last time I tried it, it didn't work. Didn't fiddle with it anymore, since it's not that many ports you need to open up anyway.

                      @dmitripr:

                      Also, I've been using snort for a while before this, and it seems that suricata is utilizing more CPU than snort. I got a 50/10 line at home, and during speedtests while with snort my CPU utilization would spike to 30-40% (I have an Atom D2550). However, with suricata during the same test the CPU spikes to 85-95%. And during regular Netflix/youtube streaming suricata seems to use 2x more CPU (snort: ~2-4% avg, suricata: ~5-7%). Anyone else notice that?

                      Again, thanks for the help!

                      Yeap seen that too. I'm putting my money on the old version of suricata as being the culprit for this.

                      @Cino: Will do, thanks.

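A check of the port syntax discussed above, as an added example that is not part of the original posts or of Suricata itself: it expands the flat forms from the quoted manual (`1:1024`, `:6000`, `500:`, `!6000:6010`) and the negated group suggested in the reply into the set of ports matched, then compares that with the stated goal of alerting on unused privileged ports. The used ports (22, 443, 500), the `msg` text and `sid` 1000001 are constructed sample values, and the helper names are hypothetical.

```python
MAX_PORT = 65535


def parse_ports(expr):
    """Expand a flat port expression into the set of ports it matches.

    Models single ports, lo:hi ranges with either bound omitted, a bracketed
    comma list, and one leading '!' negating the whole expression. Nested
    groups are rejected: only the flat form is modelled here.
    """
    expr = expr.strip()
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:]
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    if any(c in expr for c in "[]!"):
        raise ValueError("nested groups / negated members are not modelled")
    ports = set()
    for item in expr.split(","):
        lo, sep, hi = item.strip().partition(":")
        if not lo and not hi:
            raise ValueError("empty port item")
        lo_n = int(lo) if lo else 0
        hi_n = int(hi) if hi else (MAX_PORT if sep else lo_n)
        if not 0 <= lo_n <= hi_n <= MAX_PORT:
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return set(range(MAX_PORT + 1)) - ports if negated else ports


def negated_group(used_ports, open_from=1024):
    """Build '![p1,p2,...,open_from:65535]' from the ports actually in use."""
    members = [str(p) for p in sorted(set(used_ports)) if p < open_from]
    members.append(f"{open_from}:{MAX_PORT}")
    return "![" + ",".join(members) + "]"


def build_rule(used_ports, sid):
    """Assemble a complete alert rule around the negated group."""
    return (f"alert tcp $EXTERNAL_NET any -> any {negated_group(used_ports)} "
            f'(msg:"TCP to unused privileged port"; sid:{sid}; rev:1;)')


# Constructed sample: privileged ports this hypothetical firewall really serves.
USED = [22, 443, 500]

if __name__ == "__main__":
    matched = parse_ports(negated_group(USED))
    intended = parse_ports("1:1023") - set(USED)
    print(build_rule(USED, sid=1000001))
    # Ports the negated group alerts on beyond the stated intent.
    print("extra ports vs. intent:", sorted(matched - intended))
```

Port 0 falls inside the negated group as well, which a list starting at port 1 would not cover.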
                      • D
                        dmitripr
                        last edited by

                        Thanks, jflsakfja. That rule syntax worked.

                        I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

                        I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

                        Thanks again!

                        • ?
                          A Former User
                          last edited by

                          @dmitripr:

                          Thanks, jflsakfja. That rule syntax worked.

                          I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

                          I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

                          Thanks again!

                          I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

                          The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

                          • D
                            dmitripr
                            last edited by

                            After doing some testing of Snort vs Suricata, I've decided to go back to Snort.

                            For whatever reason, looks like Comcast upgraded my line to 100/10 tier in the last couple of days. Now, with my D2550 Atom CPU Suricata was maxing out my CPU cycles and my max throughput was 95 mbps (@100% CPU load). I've tried snort and @45% CPU load I'm getting about 108 mbps (plus it's a more stable/smooth download vs suricata, which was more "jumpy"). I've run the test 2x between the two, and same result. Suricata came to be the bottleneck for me. And Suricata couldn't download Snort VRT rule set, so, snort had a larger rule set running as well. (although I've never seen a single VRT rule triggered, only the custom rules and the ET rules).

                            I'll try Suricata again once the 2.0 comes to pfsense. Hopefully that'll perform better.

                            Just my 2 cents. Thanks for the help!

                            • ?
                              A Former User
                              last edited by

                              It would be interesting to see more details about your setup. Did you disable the rules I recommended in this topic? Even the amazon one (yes that single rule does matter)? How much RAM was used? Nice to see that a dual core atom @ 1.86GHz can (nearly) max out 100Mbps. I'm sure with a bit of tuning it could get there, unless you have already removed suricata and installed snort.

                              Don't worry about the VRT rules.

                              • C
                                Cino
                                last edited by

                                I have TWC. I'm currently 100/5. I have both snort and suricata running on my D510 Atom with no issue. Running speed test, I can max out at 107-110mbps. CPU% anywhere from 45% to 100%. If I download torrents, CPU will peg at 100% but I'm still able to browse with no issues.

                                • ?
                                  A Former User
                                  last edited by

                                  Respect for the little atoms that could  ;D. The newer 4 core models (technically a celeron, or is it the other way around?) are interesting, thinking about getting a couple for testing. A fully loaded pfSense system based on those should be close to 30W (cpu+cards+hdd).

                                  • C
                                    Cino
                                    last edited by

                                    I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. Off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricata, squid, ntop, vnstat… she runs good... Need to change her to 64bit so I can use all of the 4gb of memory but I think I'll wait for 2.2 to be released then do a fresh install and rebuild the config for fun  :o

                                    • ?
                                      A Former User
                                      last edited by

                                      @Cino:

                                      I want to say my D510 box is running around 20-25watts. Have to find my build notes to confirm. Off topic but I have a few interfaces, traffic shaping, snort, pfblocker, suricata, squid, ntop, vnstat… she runs good... Need to change her to 64bit so I can use all of the 4gb of memory but I think I'll wait for 2.2 to be released then do a fresh install and rebuild the config for fun  :o

                                      Ah, the Debian bug. Nothing happens to it, to the point where you want to upgrade to testing just for the hope of something breaking? :p

                                      Atoms are perfect for personal use, IMHO.

                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @jflsakfja:

                                        @dmitripr:

                                        Thanks, jflsakfja. That rule syntax worked.

                                        I see that the latest Suricata release is 2.0.3. Any ideas when pfsense package will be upgraded to that version? Is there a way to manually update?

                                        I have noticed that as of late I'm being pinged from multiple hosts for several minutes at a time. Feels like an attack from hijacked hosts. I put a rule to block those, and I was able to block almost 500 hosts in 24 hours via suricata.

                                        Thanks again!

                                        I think 2.x is coming with the next release of the suricata package. How long that takes, dunno though.

                                        The pings are regular internet noise. Don't worry about it. As long as you are not responding back, then you are still flying under the radar.

                                        I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

                                        Bill

                                        • M
                                          Mr. Jingles
                                          last edited by

                                          @bmeeks:

                                          I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

                                          Bill

                                          Hi Bill  ;D

                                          Would that also include the suggestion from one of the biggest noobs on this board to have an easy way to multi-enable/disable the rules per category (the same check boxes you see in the left side of the firewall rules screens)?

                                          That would be quite lovely, so to speak :P

                                          6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                          • M
                                            Mr. Jingles
                                            last edited by

                                            A most stupid question, for which I am by now famous: what is the OpenVPN interface; WAN or LAN?

                                            Virtual Private Network would suggest LAN, but on the other hand: it is connected to the WAN  ???

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.