Taming the beasts… aka suricata blueprint

G.D. Wusser Esq.

@jflsakfja:

So long and thanks for all the fish.

Farewell. Thank you for everything.
Hoping you will return.

pfsenseboonie

Hi I am trying to create the golden custom rules and need help…

alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023](msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)

the first two are to block incoming to closed ports.
the last two to block incoming from low ports to low ports.

How should i adjust them in the msg bit or any other comments on them.

Thanks.

lobotiger

Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

LoboTiger

n3by

My advice is to install Suricata if possible.
Yesterday I just had to uninstall Snort and installed Suricata from one remote site after I seen high CPU load and high CPU temp without traffic. Reason Snort >10-15% CPU - in the same conditions, now it is ok Suricata 1-2% CPU.
The other site had Suricata installed and no problems; both sites are running pfSense 2.2.5 & vpn site to site.

Downloadski

@lobotiger:

Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

LoboTiger

I am a absolute beginner and i found this thread very interesting to get some understanding of the principles of good security.
So i wil re-read it and start to implement it.

TDJ211

@lobotiger:

Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

LoboTiger

It's probably the best read you'll find on the net about IDS/IPS security. Most of what you need to know is in the first few pages anyway….

glint.bladesong

SO… all quiet on the western front?

Did I miss a memo somewhere about what happened to this project, or the guide v2?

2chemlud

Not an expert, but I guess… yes

https://forum.pfsense.org/index.php?topic=88244.0

TDJ211

Thats not it….They eventually gave him permission to use a disclaimer and from that point on, the project was under way. But then  jflsakfja got into a serious car accident and he's just had to put all of this on pause til he gets better.

glint.bladesong

If that is indeed that case then he has my deepest and genuine sympathies and I wish him a hearty, fast and total recovery.

pfBasic

First off, great topic! I am completely new to all of this and I've spent hours reading through this topic and looking out over the internet to try to understand it.

The reason I made an account and posted is because I attempted to type up a How-To for the super-layman.
I attached it here and would love to get your feedback on it. There are certainly fundamental errors in it simply because I do not understand this stuff and my interpretations of what's going on are bound to be incorrect (hopefully not all the time).
If those of you who know what's going on would be so kind as to give me feedback and correct me, I'll revise and re-post the corrected copy. The intent is to have a document that I or someone like myself could pick up and use to setup pfSense in a secure way without any prior knowledge.

So I got on eBay and for $130 purchased a SFF HP with an i5-2400, 8GB RAM and 640GB HDD and an Intel PRO/1000 PT dual NIC. I know it's overkill, but it was cheap.
Going through MANY hours of youtube tutorials on pfSense and networking in general I learned that most of what I want to do on pfSense can be achieved by simply following instructions without very much understanding. However, it seemed to me that Firewall rules (what pfSense was actually made for) actually needed to be understood at least on a basic level since it is so specific to what you're using it for. Then I found this thread, I read through it, and didn't understand much. So I read through more, researched things online and started typing up a step-by-step document that I could use to accomplish each task and have some understanding of what I was doing. I didn't accomplish that completely, there are things that I know I don't fully understand, and I'm sure other things that I misunderstand.
It's worth noting that I haven't actually been able to attempt any of this on pfSense yet.

Anyways, thank you for what you've done and I'd appreciate any of your expertise and guidance!

@jflsakfja:

Here we go!

Firewalling
Always whitelist, NEVER blacklist…

<<<<<everything i="" tried="" to="" understand="" and="" included="" in="" my="" writeup="" thus="" far="" is="" contained="" between="" these="" two="" quotes="" from="" the="" op.="">>>>>> </everything>

…Back to where we left. Nobody likes his internet being down (I grew tired of having to explain that the Internet was designed to survive a nuclear holocaust without it being down, if you can't beat them, join them). So hurry up with the other interfaces as well.

pfBasic

I reformatted the tables in the word document so that I could publish what I'm trying to do directly here and no one has to download the word document. There are a lot of hyperlinks that are included on the word doc but not on this post, so if you see something that looks like it should be hyperlinked, it is on the .doc.

ANY help you guys can give me would be greatly appreciated!

I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

–---------------------------------------

EDIT: Removed due to potentially misleading info.

BBcan177

@pfBasic:

I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

Thanks for all your efforts.. :)

Just to note, that my posts in relation to the script should be ignored, as its now superceded by the package pfBlockerNG…

https://forum.pfsense.org/index.php?topic=102470.0
https://forum.pfsense.org/index.php?topic=86212.0

pfBasic

@BBcan177:

@pfBasic:

I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

Thanks for all your efforts.. :)

Just to note, that my posts in relation to the script should be ignored, as its now superceded by the package pfBlockerNG…

https://forum.pfsense.org/index.php?topic=102470.0
https://forum.pfsense.org/index.php?topic=86212.0

Yes sir, I am reading through your threads on pfBNG and trying to figure out how to use that to accomplish this threads intent without messing it up!

kody

pfBasic, did you just edit/reformat the content in the original post by “jflsakfja”?

Or, did you adapt the content in the original post to a later version of pfSense? If so, which version did you use for your document?

Thanks.

neonmatt

PFBasic, the word doc looks nice.  I've come back to this after a long time working on other stuff, so thanks for condensing this very long thread.  I look forward to implementing Suricata soon  (getting ready to set aside some time to get into it without interruption).

I hope it's OP is well and doing great things (I'm sure that's a given).

pfBasic

I'm glad the documents are helping out. I've finally started implementing all of this stuff on my own and there's a lot in the document that I need to change/add/update. So don't just use that document to set your system up, you'll have to do some of your own reading as well.

I simply copy/pasted and added explanations as best I could and tried to update some stuff based on new releases.

I too am nearing the point where I want to implement suricata as described here. Unfortunately I have absolutely NO idea what the "Golden Rules" are or how to add them to pfSense.

If anyone can help me out with the "Golden Rules" that please PM me, I'm lost.

EDIT: for anyone stumbling across this thread again, see quoted post, these are the "golden rules" as I understand them.
@pfBasic:

drop tcp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;)
drop udp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)

$MY_NET and $MY_PORT are variables you'll need to specify as necessary for your own network in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section. The "!" in front of the variables means "not", so it would read:
drop tcp/udp traffic from "anywhere not on my network" on any port going to anywhere on "any port not specifically allowed on my network"

perth

PFFEEEEEEEEWWWW, made it!!!

Let me start of by saying thank you jflsakfja, you're a real Frood & will be missed.
To BBcan177, Cino, bmeeks/Bill, and yes, The Eternal Noob Mr. Jingles/Hollander thank you too. This thread would not be what it is without your contributions.
PM me a way to send you $7 and you can have a "serious beer" ;) on me. (Provided I don't have to sign up for some overly shady or new startup run by 3 ppl…)

I've copy/pasted "all" instructional posts from this topic into a text document. I've included some troubleshooting posts as well. Excluding the first entry of BBcan117 informing everyone to use pfBlockerNG instead of his script, all posts are in chronological order; all posts include attribution & a direct link to the original post. I thought I'd make it available to others: https://bpaste.net/raw/0352fd6f5706 as it saves a lot of reading. But let me be clear: this document is intended to serve as my own starting point for understanding this setup before attempting to implement it. It's not some well formatted nor updated guide. Same data, with non-critical discussion posts removed.

@pfBasic: RE: Golden Rules
See:
@jflsakfja:

…QUIZ: Who remembers why low (privileged ports) are useful?

Using the low ports we can detect port scans looking like legitimate traffic reaching "official" server ports.
...
In other words, packets from a source NOT our home network (or belonging to an external network) and a source port of any, reaching a port NOT in use on our home network, will alert us.
Congratulations young grasshopper, you have just created the world's top snort/suricata rule. It is internally referred to in The Company as "The Golden Standard for writing IDS/IPS rules" or, depending on the day "The two rules to rule them all". Why is it the golden standard? Those of you that failed to see that it is impossible to cause a false positive by this rule so far are dangerously close to failing the class. Unless you ignored a port in use (which shouldn't happen all that often) a packet that triggers this rule is a packet that will not route across pfsense. Simply put: a legitimate alert.
Be extremely careful with the knowledge. It can be used for good, or it can cause great harm. These two (a TCP and a UDP), the "The two rules to rule them all", rules accounts for 10K monthly banned hosts (hosts set up to be unbanned after 28 days, but trigger the rule before that).
...

(I'm going to try and rephrase this such than "anyone" can understand it, because this is visible to the world, not because I have an opinion on your mental capabilities pfBasic;)
IOW: The Golden Rules appear to be two custom Suricata rules you create that are tailored your your network. Tailored to look for traffic coming in from outside your network destined for unused privileged ports. Privileged ports are ports 1 though port 1024, they are ports reserved for services like http(s), ssh, ftp, etc. If there's something that should be reachable from outside your network on these ports it's because "you" are intentionally running a "server". So you know to expect traffic destined to a few specific ports in this range, right? Therefore traffic destined for those ports is expected and you exclude from these rules; because drum roll all unexpected traffic destined for privileged ports is basically guaranteed to be some form of malicious activity (probably a port scan). These rules allow you to detect that undesired traffic & begin dropping traffic to/from the offending source IPs. Dropping all further traffic to/from these IPs stops those IPs from being able to continue to attack your network.

To put it (my understanding) more generically, intelligently, and far more succinctly: the Golden Rules detect traffic to ports explicitly blocked by the firewall. Detecting traffic to explicitly blocked ports provides a high quality method of identifying bad actors so that you can drop all further traffic to/from that IP. Typically you don't explicitly block ports higher than 1024 as they can (and are) used for legitimate traffic without you taking any special action (like installing a web server daemon). (Though 8080 might be a good exception to that rule.)

Hope this all helps! :)

Mr. Jingles

@perth:

PFFEEEEEEEEWWWW, made it!!!

-snip-

I just hit the thank you button since your post is very friendly and informative, but I'm told I already thanked somebody in this thread in july 2014, and more thanks are forbidden, this appears the current state of things in the year of our evolution 2016 ( ;D ;D ;D ).

So I'll simply say it here: thank you for your post  ;D

I especially like it that you like to offer the package devs a beer, which is how I thank people too. Since I'm only the eternal noob, that offer can never be for me, but you indeed mentioned JFL, BB, Bill, Cino; great people on this board, true Open Source people.

molykule

ACTION: BLOCK
DISABLED: DO NOT ✓
QUICK: ✓
INTERFACE: Gnet24 (CTRL+Click all interfaces that you don’t want to access LAN)
DIRECTION: ANY
TCP/IP VERSION: IPv4 & IPv6 (I will use only IPv4)
PROTOCOL: TCP
SOURCE: ANY
DESTINATION: ANY
DESTINATION PORT RANGE: OUTGOING_PORTS

Hi,

I am confused on the last bit of rules here by pfBasic (pasted above). Doesnt this rule means to stop all the traffic on the other interfaces (Gnet24) on outgoing_ports. Shouldnt the destination be the LAN here or am i missing something,
thanks for your great tutorial in word. It helped me a lot,
molykule