Taming the beasts… aka suricata blueprint
-
Thanks BBcan177,
I'll try the IR_ Tables instead.
Currently with the script installed and only Suricata configured following the guidelines on this thread my RAM usage is on average in the 80s%.
I was thinking of setting up simple cache (squid proxy) along with it but with my RAM usage so high is there anyway i can still get the most out of using Suricata/pfiprep with the squid cache?
What lists/rules would be fine to disable? (i've followed jflsakfja's guidelines but i still think that there are some lists/rules that may not apply to my usage scenario.)I have a 50mbps connection & my pfSense system is an Athlon 64 3000+ with 1.25GB of RAM and 2 nics (LAN/WAN). That's connected to a switch with a wireless AP, 5 wired clients and possibly over 25 wireless clients.
We are basically a media consuming household (HD streaming,downloads,torrents,skype,teamviewer,facebook etc) and if it was up to me I'd block most of these kinds of traffic but all hell would break loose if i did that, seriously.
Other than my OpenVPN server that i have on my pfSense machine, squid cache, suricata, pfiprep…that's about it.Any rules/lists that you recommend disabling to reduce memory usage?
I'm seeing 22-25% of 4GB RAM usage on systems configured to the T using this guide, so your 80% of 1.25GB seems about right. 1.25 seems wrong though. What's that, 1GB+256MB stick, or 2x512MB+256MB stick? In either case, getting more RAM is what I would do. 1GB shouldn't be more than $20. If you are using 1GB+256MB just get another GB and replace the 256MB module. Since it takes about 1GB for each system configured according to this guide, you should drop down to 50% RAM, which should give you plenty of room to use other things if you need to.
-
@jflsakfja:
Thanks BBcan177,
I'll try the IR_ Tables instead.
Currently with the script installed and only Suricata configured following the guidelines on this thread my RAM usage is on average in the 80s%.
I was thinking of setting up simple cache (squid proxy) along with it but with my RAM usage so high is there anyway i can still get the most out of using Suricata/pfiprep with the squid cache?
What lists/rules would be fine to disable? (i've followed jflsakfja's guidelines but i still think that there are some lists/rules that may not apply to my usage scenario.)I have a 50mbps connection & my pfSense system is an Athlon 64 3000+ with 1.25GB of RAM and 2 nics (LAN/WAN). That's connected to a switch with a wireless AP, 5 wired clients and possibly over 25 wireless clients.
We are basically a media consuming household (HD streaming,downloads,torrents,skype,teamviewer,facebook etc) and if it was up to me I'd block most of these kinds of traffic but all hell would break loose if i did that, seriously.
Other than my OpenVPN server that i have on my pfSense machine, squid cache, suricata, pfiprep…that's about it.Any rules/lists that you recommend disabling to reduce memory usage?
I'm seeing 22-25% of 4GB RAM usage on systems configured to the T using this guide, so your 80% of 1.25GB seems about right. 1.25 seems wrong though. What's that, 1GB+256MB stick, or 2x512MB+256MB stick? In either case, getting more RAM is what I would do. 1GB shouldn't be more than $20. If you are using 1GB+256MB just get another GB and replace the 256MB module. Since it takes about 1GB for each system configured according to this guide, you should drop down to 50% RAM, which should give you plenty of room to use other things if you need to.
Thanks for the reply.
You're correct it's 1GB+256MB stick and usage is around 83% of that most of the time and if that's average use for the guide then I'll invest in another 1G of RAM. Security is more important than bandwidth/speed ;D
-
Getting a lot of these errors from lists in my syslog:
php: rc.filter_configure_sync: The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/AbusePalevo.txt.tmp' 'https://127.0.0.1:43/badips/AbusePalevo.txt'' returned exit code '1', the output was 'fetch: https://127.0.0.1:43/badips/AbusePalevo.txt: Operation timed out'
How did you configure the Alias Table? It Should be a "URL Table".
I would also recommend just using the existing IR_ Tables that the Script already created. This saves you the effort of making dozens of Alias Tables.
/usr/local/www/aliastables/IR_MAIL
/usr/local/www/aliastables/IR_PRI1
/usr/local/www/aliastables/IR_IB
/usr/local/www/aliastables/IR_SEC1
/usr/local/www/aliastables/IR_PRI2
/usr/local/www/aliastables/IR_SEC3
/usr/local/www/aliastables/IR_TOR
/usr/local/www/aliastables/IR_SEC2
/usr/local/www/aliastables/IR_PRI3Followed your suggestion and changed the URL Tables and it seems to be working (the IPs show up when i mouse over the Aliases) but i still get syslog errors.
Aug 30 09:40:26 php: rc.filter_configure_sync: The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/IR_SEC2.txt.tmp' 'https://127.0.0.1:443/usr/local/www/aliastables/IR_SEC2'' returned exit code '1', the output was 'fetch: https://127.0.0.1:443/usr/local/www/aliastables/IR_SEC2: Operation timed out'
Is this something to be concerned about?
pfIP Rep widget shows last update was Aug 30 09:43 with status arrow green (up) though…
-
Getting a lot of these errors from lists in my syslog:
php: rc.filter_configure_sync: The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/AbusePalevo.txt.tmp' 'https://127.0.0.1:43/badips/AbusePalevo.txt'' returned exit code '1', the output was 'fetch: https://127.0.0.1:43/badips/AbusePalevo.txt: Operation timed out'
I don't understand where the .tmp extensions comes from? It should end with .txt?
If you are using the IR_ Alias URL Tables, I would remove URL Tables that are referencing the individual files as shown above. I would also delete these individual aliases in /var/db/aliastables
Hope that Helps.
-
Getting a lot of these errors from lists in my syslog:
php: rc.filter_configure_sync: The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/AbusePalevo.txt.tmp' 'https://127.0.0.1:43/badips/AbusePalevo.txt'' returned exit code '1', the output was 'fetch: https://127.0.0.1:43/badips/AbusePalevo.txt: Operation timed out'
I don't understand where the .tmp extensions comes from? It should end with .txt?
If you are using the IR_ Alias URL Tables, I would remove URL Tables that are referencing the individual files as shown above. I would also delete these individual aliases in /var/db/aliastables
Hope that Helps.
Hey BBCan177!
i figured it out.
- "Operation timed out" was caused by the port being blocked. i had previously created a custom port and disabled anti-lockout so entering my port number 66 allowed the fetch command to access the list directory.
- Even though it passed using the custom port i still had the fetch error "not found".
i confirmed my directory was correct which was "/usr/local/www/aliastables"
$ ls /usr/local/www/aliastables IR_CC IR_IB IR_Match IR_PRI1 IR_PRI2 IR_SEC1 IR_SEC2 IR_TOR
It seems like the directory was already defaulted to "/usr/local/www/" when adding the URL tables so the shortened directory address of "https://127.0.0.1:66/aliastables/IR_SEC2" for example worked for all the IR Lists.
-
Yah, to get back to my issue for future reference.
I'll give the example with Google again. The particular problem was for a client that cannot afford to miss certain mails from some senders, including several other connections both in & out. (long story)I present this magnificent snip-it story.
Either a manual alias is created, or a cron job to whois a company into a list. Lets take Google.cron job creating the list :
List used in floating rules (disabled here, but you get the idea):
Detailled :
If i enable that rule => Because every Gmail server is matched in that rule, the package is matched, rule is applied (pass it) and thats it.
My SMTP NAT rule does .. absolutely nothing. Its very easy to test in this case (enable & send mail = nothing, disable = instant mail received).
Disabeling the quick option works offcourse. But if an IP i want to whitelist is ever blacklisted (i'm not saying it is, or will be any time soon, does not matter as its a direct request from the direction there) i'm screwed :).
Since the blocklist beneath it will match, and will block.I comfirmed the issue with 2 setups, both are completely ignoring NAT after a floating rule match.
OR
I'm completely wrong, and being the fact it is whitelisted first (like normal interfaces rules - priority ruling) is enough? No quick option.For websites, DNS requests and the bunch its not an issue. Just where a forwarding rule has to be applied after seems to be impossible with floating rules.
@BBcan17
Haven't checked your updates yet, but since 2.1.5 altered DNS whois the DNS patch to include the lists doesn't show them anymore. Only updated 1 system thus far, so no idea if its a bug or not.edit
woud be awesome if you could make a rule with "all ports except xyz". Just like its possible with hosts / networks. -
Don't see anything wrong with those, but then again not much is given.
- show the popup for the alias to see the IPs
- show the complete rules (just change public IPs to something obviously public, eg 1.1.1.1 and leave private IPs as private).
- show your floating rules tab
- Run a packet capture on the ingress + egress interfaces and post the redacted (just replace IPs to understand if it's going public or private) text. No need for a full transcript, "Normal" detail will do, just to see how the packets are flowing.
I have traffic shaping rules limiting speeds to public IPs, which are in turn NATed to private ones and everything works perfectly, so as far as I can tell nothing gets ignored. And yes, that does apply to both inbound and outbound traffic.
-
1.
list goes one quite a bit ;). Its not a problem its not loading or empty.2.
forwarding to alias (IP : 10.0.0.2 == internal exchange server)
The rule is applied on both WAN interfaces. Only MX record active on the VDSL interface in question (failover not yet active).
3.
Nothing but whitelist rule, rest is blocklist blocking.
The 2 blocking rules beneath whitelist are to isolate a seperate physical network to acces the main network. (basically a block all from interface x to y). Then a rule to lock down internet acces during the night for the second network.
4.
capturing WAN when rule is applied gives me :00:47:40.700800 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:41.699405 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:43.699672 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:47.699690 IP 209.85.220.177.38924 > <wanip>.25: tcp 0</wanip></wanip></wanip></wanip>
etc
disabling floating whitelist Google rule : (recaptured, the previous IP was another sender)
00:42:47.405562 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.405847 IP <wanip>.25 > 209.85.220.181.42122: tcp 0 00:42:47.522800 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.523516 IP <wanip>.25 > 209.85.220.181.42122: tcp 100 00:42:47.641067 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.641599 IP 209.85.220.181.42122 > <wanip>.25: tcp 31 00:42:47.641865 IP <wanip>.25 > 209.85.220.181.42122: tcp 191 00:42:47.759789 IP 209.85.220.181.42122 > <wanip>.25: tcp 10 00:42:47.760055 IP <wanip>.25 > 209.85.220.181.42122: tcp 29 00:42:47.878097 IP 209.85.220.181.42122 > <wanip>.25: tcp 186 00:42:47.878731 IP <wanip>.25 > 209.85.220.181.42122: tcp 1418 00:42:47.878768 IP <wanip>.25 > 209.85.220.181.42122: tcp 54 00:42:47.998797 IP 209.85.220.181.42122 > <wanip>.25: tcp 0</wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip>
And the 3 test mails I send during the floating rule active get received 5 mins later (re-attempt by gmail server).
Internal :
rule on :22:51:47.917275 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:47.917442 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:51:48.917181 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:50.917183 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:50.937085 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:51:54.917219 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:56.943003 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:52:02.917255 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:52:08.939232 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0
209.85.220.174 is a Gmail server IP, and is present in the Google alias.
rule of : (capture running before turning it back off)
22:53:43.113162 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.113340 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:43.230793 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.231483 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 100 22:53:43.349044 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.349547 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 31 22:53:43.349829 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 191 22:53:43.467508 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 10 22:53:43.467741 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 29 22:53:43.589822 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 186 22:53:43.590172 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 1418 22:53:43.590213 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 54 22:53:43.710304 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.710853 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 326 22:53:43.723228 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 59 22:53:43.840808 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 69 22:53:43.841143 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 213 22:53:43.959329 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 85 22:53:43.959789 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 53 22:53:44.077556 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 69 22:53:44.080321 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 53 22:53:44.199096 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 1418 22:53:44.199126 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 11 22:53:44.199158 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 165 22:53:44.199278 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.632042 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 149 22:53:44.750021 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 37 22:53:44.750129 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:44.750235 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.750300 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 85 22:53:44.750437 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.867823 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:44.867919 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0
test mail instant received, previous test mail 5 mins later.
So yea..- its not that it is such a disaster (I can find ways around it tbh). But I cannot stand not knowing why this is happening.
"edit" - wrong IP in first capture.
-
list goes one quite a bit ;). Its not a problem its not loading or empty.
Yeap, verified a couple of IPs, and they do indeed belong to google. So the alias does not appear to be the problem.
@foetus:forwarding to alias (IP : 10.0.0.2 == internal exchange server)
The rule is applied on both WAN interfaces. Only MX record active on the VDSL interface in question (failover not yet active).Port forwarding rule verified and is correct.
@foetus:Nothing but whitelist rule, rest is blocklist blocking.
The 2 blocking rules beneath whitelist are to isolate a seperate physical network to acces the main network. (basically a block all from interface x to y). Then a rule to lock down internet acces during the night for the second network.General list rules look correct. Love the "GTFO during nighttime" rule. Are you sure the pass rule is applied to the correct interfaces? Careful with those rules. Putting yourself in pfsense's place: What does this rule tell me to do? Pass any traffic destined or sourced from Google, without any further processing. See where I'm going with it? Applying it to the wrong interfaces could open up your network to a spoofed (or originating from Google, who knows?) attacker.
@foetus:capturing WAN when rule is applied gives me :
00:47:40.700800 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:41.699405 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:43.699672 IP 209.85.220.177.38924 > <wanip>.25: tcp 0 00:47:47.699690 IP 209.85.220.177.38924 > <wanip>.25: tcp 0</wanip></wanip></wanip></wanip>
Only incoming traffic. No return traffic which is interesting.
@foetus:disabling floating whitelist Google rule : (recaptured, the previous IP was another sender)
00:42:47.405562 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.405847 IP <wanip>.25 > 209.85.220.181.42122: tcp 0 00:42:47.522800 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.523516 IP <wanip>.25 > 209.85.220.181.42122: tcp 100 00:42:47.641067 IP 209.85.220.181.42122 > <wanip>.25: tcp 0 00:42:47.641599 IP 209.85.220.181.42122 > <wanip>.25: tcp 31 00:42:47.641865 IP <wanip>.25 > 209.85.220.181.42122: tcp 191 00:42:47.759789 IP 209.85.220.181.42122 > <wanip>.25: tcp 10 00:42:47.760055 IP <wanip>.25 > 209.85.220.181.42122: tcp 29 00:42:47.878097 IP 209.85.220.181.42122 > <wanip>.25: tcp 186 00:42:47.878731 IP <wanip>.25 > 209.85.220.181.42122: tcp 1418 00:42:47.878768 IP <wanip>.25 > 209.85.220.181.42122: tcp 54 00:42:47.998797 IP 209.85.220.181.42122 > <wanip>.25: tcp 0</wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip></wanip>
Traffic both ways as expected.
@foetus:Internal :
rule on :22:51:47.917275 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:47.917442 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:51:48.917181 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:50.917183 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:50.937085 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:51:54.917219 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:51:56.943003 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0 22:52:02.917255 IP 209.85.220.174.48733 > 10.0.0.2.25: tcp 0 22:52:08.939232 IP 10.0.0.2.25 > 209.85.220.174.48733: tcp 0
Traffic both ways. Replies are leaving the internal server but get choked somewhere on pfsense.
@foetus:rule off : (capture running before turning it back off)
22:53:43.113162 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.113340 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:43.230793 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.231483 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 100 22:53:43.349044 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.349547 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 31 22:53:43.349829 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 191 22:53:43.467508 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 10 22:53:43.467741 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 29 22:53:43.589822 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 186 22:53:43.590172 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 1418 22:53:43.590213 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 54 22:53:43.710304 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:43.710853 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 326 22:53:43.723228 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 59 22:53:43.840808 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 69 22:53:43.841143 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 213 22:53:43.959329 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 85 22:53:43.959789 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 53 22:53:44.077556 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 69 22:53:44.080321 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 53 22:53:44.199096 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 1418 22:53:44.199126 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 11 22:53:44.199158 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 165 22:53:44.199278 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.632042 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 149 22:53:44.750021 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 37 22:53:44.750129 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:44.750235 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.750300 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 85 22:53:44.750437 IP 10.0.0.2.25 > 209.85.220.181.33212: tcp 0 22:53:44.867823 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0 22:53:44.867919 IP 209.85.220.181.33212 > 10.0.0.2.25: tcp 0
Traffic both ways as expected.
- its not that it is such a disaster (I can find ways around it tbh). But I cannot stand not knowing why this is happening.
Dunno why it's not working tbh. Forgive my notes above, they were needed to follow the "flow" ;D
It should work as is, but can you try changing the gateway in the floating rules to the default gateway? (manually select it instead of it being any)
Other than that I don't see anything being wrong. It could be that it's too early, but at least I tried :P -
Sidenote: Last night suricata banned an entire /24 with an incoming unwanted SSH connection alert. Yes, 254 alerts. SSH servers show increased pre-auth terminated sessions from all over the world. Either the Chinese are ramping up their script kiddie attacks, or a 0-day SSH exploit (possibly OpenSSH) has been found. Just letting everyone know, lock down your SSH servers.
-
Hey jflsakfja, or anyone else for that matter….
First off please forgive my ignorance as i am still very much trying to learn all this.
As stated by jflsakfja and on the pfSense Firewall:Rules section, "Everything that isn't explicitly passed is blocked by default. "
Well i followed the guidelines for creating rules and added only rules for ports that my home network uses.
I intentionally did not create rules for Samba shares and ICMP but i could still access my windows network shares and i could still ping internally (but not externally).
I realised that there was a couple of auto created rules in my firewall:NAT:Outbound, most likely created using the pfSense startup wizard and the OpenVPN server wizard.| WAN 10.0.1.0/24 * * 500 WAN address * YES Auto created rule for ISAKMP - LAN to WAN
WAN 10.0.1.0/24 * * * WAN address * NO Auto created rule for LAN to WAN
WAN 127.0.0.0/8 * * * WAN address 1024:65535 NO Auto created rule for localhost to WAN
WAN 10.0.8.0/24 * * * WAN address * NO Auto created rule for OpenVPN server |What's your advice on these rules? should i disable them? can the rules be fine-tuned to be "less vague"? My assumption is that these rules could circumvent the more fine-tuned floating and interface rules created using this thread guidelines?
-
NAT rules shouldn't have an impact on the effect of other rules, as long as the NAT rules didn't automatically create other allow rules (the case for port forwarding for example).
If you didn't create any rules for samba+ICMP, but you can still use those internally, then a rule exists somewhere that allows it. I've seen a couple of posts lately that pfsense allows things it shouldn't allow. That always comes down to misconfiguration issues.
When trying to troubleshoot pfsense, please put yourself into pfsense's place. What would you do with a packet if you followed the rules below:
- floating rules first
- per interface rules next
- NAT rules
- general block everything rule
Follow the rules through that order, and I'm sure you can find out what the problem is.
-
@jflsakfja:
NAT rules shouldn't have an impact on the effect of other rules, as long as the NAT rules didn't automatically create other allow rules (the case for port forwarding for example).
If you didn't create any rules for samba+ICMP, but you can still use those internally, then a rule exists somewhere that allows it. I've seen a couple of posts lately that pfsense allows things it shouldn't allow. That always comes down to misconfiguration issues.
When trying to troubleshoot pfsense, please put yourself into pfsense's place. What would you do with a packet if you followed the rules below:
- floating rules first
- per interface rules next
- NAT rules
- general block everything rule
Follow the rules through that order, and I'm sure you can find out what the problem is.
I will do that, thanks jflsakfja!
- 22 days later
-
So I've setup the pfIPRep rules per Cino's method here https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132
Testing an outbound rule, for example 141.101.116.122 is in IR_SEC1 and I can still ping it even though my LAN and DMZ are selected
If I select WAN then it gets dropped accordingly, why is this?
Ticking Quick also drops it, do I need to have quick ticked for all the rules?
-
Check Quick. I forgot to update the screenshots with that.. Without it check, it will compare the rest of your rules and the last one will win.. Which is probably the default allow all lan rule. When Quick is checked, and there is a match; it will apply that rule and stop processing the rest for that packet.
-
Check Quick. I forgot to update the screenshots with that.. Without it check, it will compare the rest of your rules and the last one will win.. Which is probably the default allow all lan rule. When Quick is checked, and there is a match; it will apply that rule and stop processing the rest for that packet.
Cool, thanks for that. You're right, I just have the default LAN to ANY rule so that makes sense.
Should I have quick checked for inbound rules or just the outgoing ones?
-
Quick for all. This way, once there is a match (inbound or outbound) the rule will block/reject the packet right a way.
-
Quick for all. This way, once there is a match (inbound or outbound) the rule will block/reject the packet right a way.
Sweet, that's what I've done, thanks for that.
Now to tackle Suricata.
Just of note, I initially tried this with 2.2-BETA but every time you modify firewall rules or aliases the tables seem to clear. At the time I didn't have quick checked so I'm unsure if it was just a gui problem (as I could still ping that same IP so assumed it was broken) but the only way to get the tables back was to run pfiprep killdb
I also had problems with downloading lists from some https sites with fetch, similar to another user a few pages back yet unsure what a self signed pfsense cert had to do with it. I had ca_root_nss installed and /etc/ssl/certs.pm was symlinked to ca_root_nss.crt from memory
-
Been having fun with Suricata (sarcasm)
Whenever I'm using Astrill VPN to stream Netflix I get these alerts:
SURICATA IPv4 invalid checksum - 09/29/2014-22:44:21
GPL SHELLCODE x86 setuid 0 - 10/02/2014-20:39:23Ended up adding the VPN IP to a pass list
Trying to download the Windows 10 Tech Preview ISO's from Microsoft today and I got these alerts:
ET INFO EXE - Served Attached HTTP - 10/01/2014-01:10:39
ET POLICY PE EXE or DLL Windows file download HTTP - 10/02/2014-01:10:38
ET POLICY Download Windows Help File CHM 2 - 10/02/2014-11:42:05They were .iso files downloading via http so I don't understand those alerts
Then once I'd upgraded my Windows 8.1 -> 10 it failed to connect to my microsoft account because of this alert:
ET POLICY Internet Explorer 6 in use - Significant Security RiskFun and games, haha.
-
You didn't ask suricata nicely, that's why it's behaving badly. Most of those alerts are known FPs, as per the list linked to in this thread. Never add something that gives up an alert to a passlist. A passlist should only contain systems under your home net and DNS servers. Not a single host more than that. In other words, it should contain the bare minimum of systems that should NOT be banned, under any circumstance. Can you imagine what would happen if suricata decided to ban the DNS servers?
If a rule repeatedly gives a bad alert on known good traffic, suricata isn't the one that must be blamed. It's the rule writer that must be blamed and held accountable. Bug him until he changes the rule. Judging by ET's past record, it's not going to happen any time soon, but one can only hope.
Please remove the host from the passlist and disable the rules following instructions in this thread.
-
Appears I missed one alert that was in your list, however these aren't in your list:
SURICATA IPv4 invalid checksum
GPL SHELLCODE x86 setuid 0
ET POLICY Download Windows Help File CHM 2
ET INFO EXE - Served Attached HTTP
ET POLICY Internet Explorer 6 in useAlso this is another alert I was getting downloading those iso's
ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of imageI'm certainly not blaming suricata, I completely agree with you that some of these rules are absolutely ludicrous..
I've removed the passlist and disabled the rules instead
-
Too long night, too short day ;D
Those not on my list doesn't necessarily mean they are not false positives. Don't remember if it was in this thread, or the other (snort blueprint) that someone mentioned the ipv4 checksum one.
My list is the starting point, I can't possibly cover all the use cases out there. Adding to the list rules that come from external sources (other than me) means adding yet another layer of management to the list, something I currently do not have time for. For example I promised a new thread using the new auto management files, and guess what, haven't had time to even begin typing it yet.
This thread described the process of identifying FP rules, and how to deal with them. I'm not attacking you in any way, I'm just saying that a passlist is not the solution for this specific problem. Disabling the rules if you know the alerts are coming from a trusted source, is. If a rule is repeatedly found to be an FP rule, then the rule maintainer has the obligation to correct it, if everyone bugged them about it. He can't correct something that he doesn't even know is wrong. He must correct it though, if others tell him that it's wrong. As was mentioned, don't hold your breath on it when dealing with the ET rules. There are 10 year old rules in there that I have been personally screaming at the writers to remove, for years.
Then there are the "write once, never maintain rules", eg: NT 6.1. As mentioned, directed at ET, "FFS windows 7 IS 6.1, get it into your thick skulls and delete the rule already". Windows 7 was RTM'd on August 6 2009. That's 5 years of a rule FPing, and still counting, since as far as I can tell, they don't plan to correct it. 5 years of people telling you "you are doing it wrong", yet you still don't correct it. :o
-
Haha tell me about it.
Don't worry, I'm not taking offence and know you weren't attacking me. I'm thankful for this thread and the work that you've done with your list.
Cheers for pointing out that I should be disabling rules if I'm certain its legit traffic, rather than using a pass list
- 11 days later
-
I have finally found a bit of time to work on the next part of this guide.
Roadmap:
-
Provide an easy way to upload minimal configurations to pfsense and get it going. Thanks to bmeeks for implementing the behind the scenes work needed for this. What would everyone's suggestion be as to the absolute bare minimum rules? Rules that generally cause mayhem when used, or add even more "delicate" rules (rules that might trigger an FP from akamai for example).
-
Provide the customizations recommended in this topic as an easily uploaded file/s
-
Start work on custom rules for the typical pfsense+suricata usage (network gateway). This came as an inspiration after having been bitten countless times by rules not making any sense at all. That and the push towards more encryption everywhere, which renders most ET rules invalid (not saying a bug, saying that suricata can't see inside the SSL traffic). Not saying that it will be the end-all-be-all configuration, it's just a minimal configuration that will do a hell of a lot more than what the default rules do. YMMV
-
Since this is also a taming pfsense topic, start work on an easy way to push server banned IPs to pfsense for immediate addition to a blocked alias (or an alias to direct traffic to a "YOU HAVE BEEN A BAD, BAD BOY" page). I don't like the way I'm currently implementing this, because I believe it's dangerous to pfsense's security (you need ssh access to it from the servers, even on limited access things can go wrong), and so I want the community's input on how to best implement it. poke poke if only the pfsense devs would add a customizable update schedule to the URL tables…poke poke
I'm willing to put up with a few seconds delay if pulling in the updates instead of them getting pushed forcefully to pfsense is easier (and it should be a lot safer). -
Undecided, but we do have to burn a bit of company time if they are sponsoring me working on all of these, so anyone that wishes to add something they would like to see, feel free to do so.
The way forward I believe is to publish the "main" topics on github, and keep discussions here. That makes it easy to keep track of changes (and actually see the changes) and keeps the topics well, on topic (discussions about pfsense+suricata). Anyone objecting to this should speak up now or forever hold their silence.
Sorry to disappoint certain people by not insulting anyone, but I'm tired :-\
-
-
@jflsakfja:
Sorry to disappoint certain people by not insulting anyone, but I'm tired :-\
;D ;D ;D ;D ;D
@jflsakfja:
The way forward I believe is to publish the "main" topics on github, and keep discussions here. That makes it easy to keep track of changes (and actually see the changes) and keeps the topics well, on topic (discussions about pfsense+suricata). Anyone objecting to this should speak up now or forever hold their silence.
Message copied, Roger, I do not object, not at all, but I am to shut up in the future anyway I read ( ??? ;D )
(I don't object at all, aux contraire, because now the information has been shattered over more than 1 thread - other people adding to your work too - and I had planned a couple of hours to find out where is what these days in the first place)
@jflsakfja:
- Undecided, but we do have to burn a bit of company time if they are sponsoring me working on all of these, so anyone that wishes to add something they would like to see, feel free to do so.
Yes, I have, but I have to find the note where I wrote I down.
-
The main problem I see is that you can't edit the old posts. I would love to add more information to the topic as things move forward/things change, but I simply can't do so in an organized way. Expecting everyone to go through 100 pages of posts is not exactly user intuitive ;)
I also enjoy seeing people take over the "technical support"/troubleshooting for other users. It means at least a few understood what the topic is trying to do, how to do it, and are willing to contribute to it ;D. The downside to that, is that updates to the topic get pushed further back in the thread, which takes us back to the "trying to keep things organized" subject. Having the main topic be outside the thread would (IMHO) help with keeping discussions/insulting-"innocent"-passers-by organized. For example, we could have a "ridicule the industry leaders week" (*see note) without affecting the actual guides.
- I'm looking at you Google, time to take your own advise** and migrate away from SHA-1 certificates on your selected sites, eg www.google.com.cy (at time of writing:PKCS #1 SHA-1 With RSA Encryption). Especially when you yourself are a CA and can just sign a new certificate with no cost, other than the 2 minutes it takes to generate/re-issue/sign a new certificate and change/revoke the old certificate. Or you can take my advice, if you think that your depreciation policy is adequate. I've been screaming since March (this year) that everybody had plenty of time to migrate away from the old (and weak) certificates, time to force everyone to move on. As usual, no industry leader should listen to the "who-the-f***-are-you" random bloke on the Internet.
**http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html which brings us to ***
***9 years is indeed a lot of time. That's why for the past few months I've been literally (not just using the word without any context), literally SCREAMING at the CAs to force everyone off the old certificates already FFS (my exact words). which takes us to ****
**** Comodo just recently (after the Heartbleed security feature*****, and after 2 all round re-issues) has finally decided to force SHA-2 certificates.
***** In open source, bugs are not bugs. They are features. A bug introduced in the most respected (previous to the Heartbleed bug, now (as the Cypriot saying goes) not even dogs will piss on it) cryptographic software would imply that someone was directly paid to put it there. Especially when the ZOMGWTFNEW1337FEATURE is not needed. We wouldn't go around accusing anyone of getting paid to subvert security software now, would we? Of course not, don't be silly. The bloke accidentally introduced a "spil your guts out" feature. See? Only open source can offer you 2in1 features****(something, lost count)
****(something, lost count) to RMS and gang: I'm a die-hard open source supporter.
- 10 days later
-
Here's a laugh for you…
So I'm browsing around http://suricata-ids.org and click on their News - Planet link http://planet.suricata-ids.org/
TCP Potentially Bad Traffic 96.43.130.12 80 x.x.x.x 38263 1:2100498 GPL ATTACK_RESPONSE id check returned root
gotta love it
-
Here's a laugh for you…
So I'm browsing around http://suricata-ids.org and click on their News - Planet link http://planet.suricata-ids.org/
TCP Potentially Bad Traffic 96.43.130.12 80 x.x.x.x 38263 1:2100498 GPL ATTACK_RESPONSE id check returned root
gotta love it
Analyzing the packets just before the website was blocked brings us to this: (code tags not added because they interfere with my red emphasis)
–---------------------------------------------------------------------------
"Lets kick it up notch.....We want to search through -
- all the generated alerts that have
- a printable payload data
- that have the following string: uid=0(root)
Easy, here is the query:
payload_printable:"uid=0(root)"
You should enter it like this in Kibana:
[–---------------------------------------------------------------------------
The rule says this:msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;
In other words, the rule triggers on plaintext uid=0|28|root|29|, which is exactly the text shown above in red. Numbers in | are intrepreted as hexadecimal code, which funnily enough 28 = ( and 29 = ).
The rule is not an FP rule, but a DANGEROUS FP rule. Rules based on plaintext should be banned by legislation. They are the kind of rules that wake you up in the middle of the night when it starts hitting the fan.
I'll add the rule to the list, as well as make the small correction you pointed out on github.
While we are at it, does anyone have anything to say on the proposed way forward as mentioned in a previous post of mine?](http://2.bp.blogspot.com/-u81HF0TVrr4/U_C1BmpQdwI/AAAAAAAAAhU/dJdR8iAQk-k/s1600)
-
I didn't have time to look at the packet capture but I will over the weekend. You explaining it is a good example on how rules are triggered by Suricata.
I think your proposed way going forward will work. Maybe start a new thread linking to github while posting links to this thread and the snort one for background info. Ideally it would be nice if we could just edit post like every other forum out there…
-
Here's a laugh for you…
So I'm browsing around http://suricata-ids.org and click on their News - Planet link http://planet.suricata-ids.org/
TCP Potentially Bad Traffic 96.43.130.12 80 x.x.x.x 38263 1:2100498 GPL ATTACK_RESPONSE id check returned root
gotta love it
I have similar Alerts when Emerging Threats or Snort posts details of a rule in any of their Newsletters.
Instead of suppressing SIDs, i would probably suppress these Sites to avoid FPs.
-
What I would like to do is migrate both the Suricata and Snort packages to a new paradigm where you have alerts and blocks, but not a block from every alert like you have today. In a true IPS, you manually edit rules to change the "alert" action to "drop" only for those rules that detect really bad threats. For other things a simple alert to notify you is enough. However, in both Suricata and Snort today on pfSense, the output plugin that handles blocking simply keys off every alert. So any alert results in a block (unless the offending IP is in a Pass List).
I have been running some ideas around in my head on a method for presenting this new paradigm in the GUI. I am thinking about a series of behavior options the admin can choose from. Maybe something along these lines:
1. Legacy behavior where every alert results in a block unless the offender is in a Pass List. This is how things work today.
2. Only blocking when the PRIORITY field in the associated rule is less than or equal to a set value. For example, block on Priority 1 alerts but only alert for Priority 2 and 3 alerts. Still not sure how useful this option would really be, nor how reliable the Priority field values are.
3. A more conventional IPS setup where all rules are only alerts (with no blocks) unless the admin explicitly changes the rule action from "alert" to "drop". This could be handled fairly easily using the new SID MGMT tab feature. It would still require the admin to do a lot of work, though.
4. A refinement of #3 above where choosing one of the Snort VRT IPS policy settings results in blocks from all alerts originating from any of the IPS Policy rules, while other rules (non-IPS policy ones) simply alert. Of course the admin would still have the ability to manually edit any of the other rules to block (drop) by changing the action keyword from "alert" to "drop".
This would set both packages up to be ready to implement true IPS mode when the pfSense kernel is ready to support it. As both packages exist today where any alert results in a block, things could be a pain to administer if those blocks were true inline traffic drops.
I would like the community's input on the above. What changes would you like to see in the blocking behavior?
Thanks,
Bill -
1. Legacy behavior where every alert results in a block unless the offender is in a Pass List. This is how things work today.
That would be a nice option.
@bmeeks:2. Only blocking when the PRIORITY field in the associated rule is less than or equal to a set value. For example, block on Priority 1 alerts but only alert for Priority 2 and 3 alerts. Still not sure how useful this option would really be, nor how reliable the Priority field values are.
Not at all useful, since I've seen priorities that really don't match the rules.
@bmeeks:3. A more conventional IPS setup where all rules are only alerts (with no blocks) unless the admin explicitly changes the rule action from "alert" to "drop". This could be handled fairly easily using the new SID MGMT tab feature. It would still require the admin to do a lot of work, though.
If you turn that around, I'd love to have the functionality. Instead of all rules being alert and you had to change them to drop, I would prefer all rules to be drop and you can change them to alert, if need be. Makes a lot more sense when the inline parts are finally available.
That's what I would like to see, alert/blocking wise. I didn't even gave it much thought, until I saw your post.
What I would like though (WANTED FEATURE ALERT!) is a way to turn off the category + priority from the syslog logs. It's driving me (and our loggers) insane. Every IDS/IPS/firewall log should be:
Source IP - Source Port - Destination IP - Destination Port - Protocol - Rule ID - Reason for blocking/dropping/rule explanation.Warning:RANT!
Anything more than that is, pardon my Greek, BS. Having the line wrap at just the exact point where the IP (and splitting the IP across the screen) is annoying to say the least ;D. I do remember you mentioning that the logging facility is taken straight from the binary (which BTW, everyone reading this* go here:https://redmine.openinfosecfoundation.org/issues/809, then stalk** the developers until they fix it. Bonus points if you print out a large banner and display it in public). That would require the upstream devs to fix it, correct? While they are at it, they can fix the bug linked above. When the time comes (and I can sign a note stating it WILL come), and it hits the fan, everybody will run around screaming "IT WAS THE LOGGING BUG REPORTED OVER A YEAR AGO". Just like the recent POODLE attack. Nobody pays any attention to the guy screaming "stop using an (almost) 20 year old cryptographic protocol. It's proven broken time and time again!". NOPE. Everybody pays attention to Google's engineers when they publish a paper asking everyone to stop using a broken protocol. Doesn't matter, I pointed and laughed because I (unlike the "leaders") eat my own dogfood ;D- all 5 of you
** literally stalk them: show up at random times at their houses, stand next to them in queues staring, peek through their windows while they are having sex. Stalk them. I find it personally offending when a serious bug is reported over a year ago and is yet to be determined when it will be fixed (looks over at the traffic shaping bug…oh wait ;))
-
@jflsakfja:
1. Legacy behavior where every alert results in a block unless the offender is in a Pass List. This is how things work today.
That would be a nice option.
@bmeeks:2. Only blocking when the PRIORITY field in the associated rule is less than or equal to a set value. For example, block on Priority 1 alerts but only alert for Priority 2 and 3 alerts. Still not sure how useful this option would really be, nor how reliable the Priority field values are.
Not at all useful, since I've seen priorities that really don't match the rules.
@bmeeks:3. A more conventional IPS setup where all rules are only alerts (with no blocks) unless the admin explicitly changes the rule action from "alert" to "drop". This could be handled fairly easily using the new SID MGMT tab feature. It would still require the admin to do a lot of work, though.
If you turn that around, I'd love to have the functionality. Instead of all rules being alert and you had to change them to drop, I would prefer all rules to be drop and you can change them to alert, if need be. Makes a lot more sense when the inline parts are finally available.
That's what I would like to see, alert/blocking wise. I didn't even gave it much thought, until I saw your post.
What I would like though (WANTED FEATURE ALERT!) is a way to turn off the category + priority from the syslog logs. It's driving me (and our loggers) insane. Every IDS/IPS/firewall log should be:
Source IP - Source Port - Destination IP - Destination Port - Protocol - Rule ID - Reason for blocking/dropping/rule explanation.Thank you for the comments. Option #1 is sort of a no-brainer since that is how things work today and no changes in any code would be required.
Your assessment of Option #2 reinforces what I suspected – the assignment of the Priority value in a rule is not necessarily perfect.
Your comment on Option #3 regarding turning the logic around (making all alerts DROP by default and allowing changing some to only ALERT) would require rewriting some of the underlying binary code in both Suricata and Snort. All of the internal routines are geared to act on the action keyword (either ALERT or DROP) in the rule. So without essentially rewriting the core mechanisms of both binaries, implementing as you suggest would not be possible. And for several very valid reasons, the pfSense team wants packages to stay in sync with upstream to the maximum amount possible. That means no or very limited patching for use on pfSense.
Turning off fields in the syslog output would also require upstream changes in the binary. Today the fields are hard-coded in that Suricata source code module.
Bill
-
I am attempting the red pill. However it is not going down all that well. ;) I am attempting the very first portion of the tutorial, blocking everything and setting up explicit "whitelist rules" I am using version 2.1.5.
- First setup your port aliases - check.
- Next setup your anti-lockout rule - check. (and it works… phew)
- Next setup a floating rule that blocks basically everything in/out on WAN - check.
- Next setup rule(s) that allow LAN services access to services (DNS, DHCP, NTP) - check. I get a DHCP address and I can resolve DNS.
- Finally, setup your explicit outbound ports rule to allow traffic out from the LAN - No Joy.
Here's what I suspect is happening - can someone help me figure this out?
Floating rules are parsed before rules on other interfaces. Thus, if a packet matches a floating rule and the Quick option is active (as we were told to do) on that rule, pfsense will not attempt to filter that packet against any rule on any other interface. Thus in step 5 the explicit outbound rules are not being hit because the floating "block everything in/out" has "quick" checked.
Does this make any sense? Has anyone else followed the first post in the thread and got working? I'm stumped.
Cheers,
Dan -
I'm thinking that you too got confused by the floating rule. The floating "block everything" rule isn't meant to be a "block everything" rule. It's meant to be a rule to block everything to pfsense's ports!, hence the giant red warning. I'm working on version 2.0 of this guide, which will clear up some confusion (and possibly create confusion elsewhere :p).
-
I'm still confused. If you "DON'T CHANGE DESTINATION PORT RANGE!!!" on a new rule then you end up with "any" on the rule. It looks like the attached. And yes, it blocks everything. ;)
So instead I should use the alias for the pfSense ports? i.e. instead of "DON'T CHANGE DESTINATION PORT RANGE!!!" on a new rule it should say "Destination port range 'pfsense_ports' as above"?
a 2.0 guide would be much appreciated - this thread is a long hard slog. ;D
edit: I did find what I was looking for somewhere in the middle of this thread you give a very clear explanation:
Re-reading it does make sense on why it blocked out traffic. I meant to say create a new floating rule, based on the previous allow rule, but this time around change the pass to a block, keeping the destination ports the same.
A)1 normal pass rule for the ports active on the interface you want to administer pfsense from.
B)1 floating rule block rule for ALL interfaces EXCEPT the one you want to administer pfsense from.
-
What I would like to do is migrate both the Suricata and Snort packages to a new paradigm where you have alerts and blocks, but not a block from every alert like you have today. In a true IPS, you manually edit rules to change the "alert" action to "drop" only for those rules that detect really bad threats. For other things a simple alert to notify you is enough. However, in both Suricata and Snort today on pfSense, the output plugin that handles blocking simply keys off every alert. So any alert results in a block (unless the offending IP is in a Pass List).
I have been running some ideas around in my head on a method for presenting this new paradigm in the GUI. I am thinking about a series of behavior options the admin can choose from. Maybe something along these lines:
1. Legacy behavior where every alert results in a block unless the offender is in a Pass List. This is how things work today.
2. Only blocking when the PRIORITY field in the associated rule is less than or equal to a set value. For example, block on Priority 1 alerts but only alert for Priority 2 and 3 alerts. Still not sure how useful this option would really be, nor how reliable the Priority field values are.
3. A more conventional IPS setup where all rules are only alerts (with no blocks) unless the admin explicitly changes the rule action from "alert" to "drop". This could be handled fairly easily using the new SID MGMT tab feature. It would still require the admin to do a lot of work, though.
4. A refinement of #3 above where choosing one of the Snort VRT IPS policy settings results in blocks from all alerts originating from any of the IPS Policy rules, while other rules (non-IPS policy ones) simply alert. Of course the admin would still have the ability to manually edit any of the other rules to block (drop) by changing the action keyword from "alert" to "drop".
This would set both packages up to be ready to implement true IPS mode when the pfSense kernel is ready to support it. As both packages exist today where any alert results in a block, things could be a pain to administer if those blocks were true inline traffic drops.
I would like the community's input on the above. What changes would you like to see in the blocking behavior?
Thanks,
BillWell I'm alot like you on those feelings.
1,2,3 - Maybe the answer is in the "log" operator. Alert, Drop = block, Pass = Pass and … Log = Log; No drop, No block, just log.. There are many rules these days that I would want to be "log" only in pfsense. Also...all those complains about false positives, you can switch them manualy to "log" only. What I hate the most is when a rule is disabled because of too many false positives....well hell, let me decide whats FP...
"Pass" is sweet too, I have a set of rules that are true firewall rules with barely any payload inspection. "Pass" comes handy in this ruleset...
I personnaly replace all Alert with Drop and monitor the traffic, then, I change single rules to log only, one by one.
Keep up the good work Bill!
Cheers.
F.
-
What I would like to do is migrate both the Suricata and Snort packages to a new paradigm where you have alerts and blocks, but not a block from every alert like you have today. In a true IPS, you manually edit rules to change the "alert" action to "drop" only for those rules that detect really bad threats. For other things a simple alert to notify you is enough. However, in both Suricata and Snort today on pfSense, the output plugin that handles blocking simply keys off every alert. So any alert results in a block (unless the offending IP is in a Pass List).
I have been running some ideas around in my head on a method for presenting this new paradigm in the GUI. I am thinking about a series of behavior options the admin can choose from. Maybe something along these lines:
1. Legacy behavior where every alert results in a block unless the offender is in a Pass List. This is how things work today.
2. Only blocking when the PRIORITY field in the associated rule is less than or equal to a set value. For example, block on Priority 1 alerts but only alert for Priority 2 and 3 alerts. Still not sure how useful this option would really be, nor how reliable the Priority field values are.
3. A more conventional IPS setup where all rules are only alerts (with no blocks) unless the admin explicitly changes the rule action from "alert" to "drop". This could be handled fairly easily using the new SID MGMT tab feature. It would still require the admin to do a lot of work, though.
4. A refinement of #3 above where choosing one of the Snort VRT IPS policy settings results in blocks from all alerts originating from any of the IPS Policy rules, while other rules (non-IPS policy ones) simply alert. Of course the admin would still have the ability to manually edit any of the other rules to block (drop) by changing the action keyword from "alert" to "drop".
This would set both packages up to be ready to implement true IPS mode when the pfSense kernel is ready to support it. As both packages exist today where any alert results in a block, things could be a pain to administer if those blocks were true inline traffic drops.
I would like the community's input on the above. What changes would you like to see in the blocking behavior?
Thanks,
BillWell I'm alot like you on those feelings.
1,2,3 - Maybe the answer is in the "log" operator. Alert, Drop = block, Pass = Pass and … Log = Log; No drop, No block, just log.. There are many rules these days that I would want to be "log" only in pfsense. Also...all those complains about false positives, you can switch them manualy to "log" only. What I hate the most is when a rule is disabled because of too many false positives....well hell, let me decide whats FP...
"Pass" is sweet too, I have a set of rules that are true firewall rules with barely any payload inspection. "Pass" comes handy in this ruleset...
I personnaly replace all Alert with Drop and monitor the traffic, then, I change single rules to log only, one by one.
Keep up the good work Bill!
Cheers.
F.
Utilizing LOG and PASS in addition to ALERT and DROP are excellent suggestions. I now have more options to be thinking about …
Bill
- 19 days later
-
Hi, I made the transition from snort to suricata, I followed your tutorial from the beginning, and I think that I have all working. But one thing is wired, on snord I had several alerts a day, some were identified as false positives, others I wasn't able to determine, so a keep them blocked until I identified the real source. On Suricata, I have it running now at 5 days, and not even one alert. Should I go back to snort in my production system until Suricata is in a more mature state?
-
Suricata is more than mature…
The problem is, some of Snort VRT rules arent compatible, out of the box, with suricata.
Majority of ET rules are. So the alerts you were seeing with Snort and not, right now, with suricata are most probably coming from Snort VRT ruleset.
Take those rules you were seeing, paste them in the custom box of your suricata interfaces and youll get a warning on why they arent compatible.
Bingo...just modify the rules now according to the warning and you all set.
You can even use the SID Mgmt tab to mod many rules at the same time.
Cheers.
F.