Taming the beasts… aka suricata blueprint
-
Well, luckily I'm not a quitter.
Last night I blew up my box up after running the script the first time.
So a quick fresh install (4th one now I think) and some steps later and I'm back to the aliases. I get all the ones I find after doing the "ls /usr/local/www/badips/" command and do a jig.
Now I'm on to the two floating rules per alias created. I start with ALIENSHIELD instead of dshield in the example. I finish the first half on WAN and read 'mouse over and a pop up will show some IPs in it'. Nope. It shows the address I put in: 127.0.0.1:275/badips/ALIENVAULT.txt. No IPs and no 1.1.1.1.
Of course I managed to go outside of the lines once again.
Okay, maybe I jacked up the part where it says to set the userfolder and pfdir in the script? Nope, they're set exactly as stated.
In the address 127.0.0.1:275/badips/ALIENVAULT.txt' is this referencing the badips folder in the usr/local/www directory, or the /home/badips? Did I mix them up perhaps?
Oh, and after I ran the script there were no tier rules of any kind auto built or created. Should I just stop now?
Thank anyone in advance for your time :)
-
Hi Matt… I hope to have pfBlockerNG released as a package which will do what my original script was doing and more... Its actually been so long since I looked at that script :) I would have to review and see what steps you missed :)
-
Hi Matt… I hope to have pfBlockerNG released as a package which will do what my original script was doing and more... Its actually been so long since I looked at that script :) I would have to review and see what steps you missed :)
Thanks for the reply BB, I appreciate it. I look forward to that package :)
After the part under (tip when using carp) I followed the numbered steps to get everything set up.
I popped open the script and made the 2 changes that were given (userfolder=/home/badips and pfdir=/usr/www/badips/).
I actually read it this time and saw there were two dependencies, grepcidr and geoIP. I figured out that pkg add -r grepcidr of course doesn't work for me and grabbed it using pkg install grepcidr. I"m not sure if that makes a difference as I couldn't figure out what the -r was, on mine the help blurb says there's a -R.
I set the bypass to yes for the first run also and then set it back after running it.
Attached is a copy of what I have currently.
[current pfiprep config.txt](/public/imported_attachments/1/current pfiprep config.txt)
-
I've sort of backed off staying up to date on the Suricata news as I've had way too many other projects going on, my pfSense box has just been humming along and I was waiting for some things in 2.2.
So, ready to start looking at moving to a 2.2 build and going with Suricata over SNORT. I know the information is all here but this thread has really grown…. really grown. Will there be a sticky with the install/setup essentials as was done with SNORT?
Thanks,
Rick -
I'm pretty fresh at this and started recently with this thread. The content is top notch. However, and this is just my opinion, it seems the methods could use a little tidying up perhaps. Most of the ideas are obviously still valid and the fun lies in trying to get it to work regardless of the state of the path.
The folks in this thread are very helpful also, so there's that to keep you pumped :) jflsakfja has stated he intends on updating it eventually and BBcan177 is working on a package that will take out the script portion mentioned at the 2nd step of the guide.
I hope this isn't too jibber jabber :)
-
Everything (in life) is a work in progress.
-
However, and this is just my opinion, it seems the methods could use a little tidying up perhaps. Most of the ideas are obviously still valid and the fun lies in trying to get it to work regardless of the state of the path.
The folks in this thread are very helpful also, so there's that to keep you pumped :) jflsakfja has stated he intends on updating it eventually and BBcan177 is working on a package that will take out the script portion mentioned at the 2nd step of the guide.
I hope this isn't too jibber jabber :)
Not at all ;D
And you are right, it has become a long thread. I printed it some months ago, it was 65 pages. That takes 1 week of analysis and cross checking if you aren't as skilled (such as I am in these matters). JFL has said he will write a new tutorial, and, like you said, he will probably wait until BB is done with pfBlockerNG to incorporate parts of that package in the tuto too (I think). And he will add to the tuto (if I understood correctly) how to do mass maintenance of rules using the SID-config files Bill so kindly added to Snort.
JFL has one prominent problem: he is loaded with work and doesn't have much time ATM :-[
-
Yea, apologies to everyone for taking so long, but I've been busy with work as Mr. Jingles has stated. One can only do so much with one head, two arms and two legs. I'm not an octopus :P
-
Believe me, I understand busy. Thanks for the responses guys! Really. I'll just be patient and wait for the new items. At least I'm back to a little free time to even post on the forum.
Rick
-
With the upgrade to 2.2 and ubound being able to contact other DNS servers freely, a few FPs might have cropped up in your blocked hosts list.
Rules 2200075, 2240003 and 2102329 need to go.
-
Hi, will you update the blue prnt to set PfBlockerNG as list blocker?
Thank You
-
Of course, wasn't that why pfBlockerNG was created for in the first place? (to make lists easier to manage) ;)
The updated guide is coming. But if everybody could ease up on the "are we there yet?" questions I would appreciate it ;D
As soon as the new version is out, both topics (snort and suricata) will be updated to show where to find the new version, and a topic dedicated to discussing the new guide will be created.
-
Since I like transparency, just letting anyone know that I'm waiting for permission to go ahead and start public work on the guide. Some parts of the guide have been completed offline, waiting to be pushed when the time comes.
Here's the relevant topic. https://forum.pfsense.org/index.php?topic=88244. An email has been sent to the mentioned address as well.
Edit: brain-farting-typo
-
Thanks for the guide jflsakfja, it's obvious that you've put a lot of work into it and I look forward to seeing it completed. I have one suggestion though, when you publish the guide it might be better to use pictures (maybe pics showing the firewall rules on all the interfaces) or indenting, similar to what you did with configuring the "pfsense ports". For example, the "outgoing ports" rule creation gets a little lost in a paragraph format in my opinion.
"Head over to an interface's tab and set up a an allow rule. Source should be the interface's subnet. The destination should be any, and for the ports use the outgoing ports alias created above. Destination should be any. Otherwise identical to the webgui rule."
-
That's exactly what I'm planning to do eventually, hence github, hence github pages (a little less known feature of github) ;)
Something along the lines of: http://jflsakfja.github.io/test-page
It's gonna be good, I promise that :-)
-
@jflsakfja:
That's exactly what I'm planning to do eventually, hence github, hence github pages (a little less known feature of github) ;)
Something along the lines of: http://jflsakfja.github.io/test-page
It's gonna be good, I promise that :-)
I can't wait to see it, really. I'm learning a lot just from reading thru your examples. Forgive me if you've mentioned this before but do you have a date in mind for the full release?
-
I took a little break and worked on something else to give my mind a rest. I have a newer box and am working on getting it up now :) I gotta say, it sure is nice to see PFBlockerNG in the packages list. I can't wait to get deep into the the suricata after, mwa ha ha!
-
Here's a good one for Suricata, no need for pfBlocker ;)
drop ip any any <> $HOME_NET any (msg:"GeoIP Country Block"; geoip:!US,CA,BE,CZ,FR,DE,UK,NL,DK,FI,IE,NO,CH,JP,AU,NZ,SE,IS; classtype:policy-violation; sid:7710002; rev:1;)
Feel free to add/remove countries as you wish…
F.
-
Actually that's the exact rule that the guide is recommending not to use, for a reason or two ;-)
Why spend CPU/RAM analyzing packets that you know you'll drop? Packets that by the time you've finished analyzing them, a small number will get through (suricata/snort doesn't work on the live traffic, but a copy of that traffic).
A rule like that will take most of the RAM suricata is using. If you need a 2nd interface, double it. 3rd triple it and so on. A pfsense rule though will not take that much RAM.
Blocking by countries is NOT as attractive as it sounds. Most hosting providers don't rent datacenter space/servers in the country their visitors are. Blocking the US for example (as you should, see NSA saga) will get rid of most of the "known internet". Admittedly not a bad thing to do, but.There is no date on the new guide. I need the pf guys to give me the OK to go ahead with the guide. It's their move now. I'm pretty much sitting around waiting for their answer.
-
Yea I understand it should be at the firewall level, not at the IDS one in //, but still try it… with some decent hardware; pfSense & Suricata geoIp rule, try to visit a banned country site and tell me how much data was passed before the drop/block kicked in...Also compare the memory footprint of this option vs pfblocker or an alias list...
Concerning the NSA, no need trying to fight it; they operate at a different layer...Imagine if they had to opperate at the "user" level...
Just intercept/inject bigger hardware...you will never see them, they will always catch all...
F.