Taming the beasts… aka suricata blueprint

asv345h

I've been thru this thread in detail and I'm not sure I understand the purpose of these "golden rules". The default block rule on the WAN interface will catch them anyway. What am I not seeing?

pfBasic

the point is to add potential attackers to the snort2c list so that they are blocked even if they do make a legitimate connection attempt.

firewall rules alone won't stop that.

It's interesting in theory, I'm not sure that it's actually very useful in practice.

n3by

Added that Golden rules on two hosts located in different country, and here are some numbers in ~12h, IPs that try to access inexistent servers on low ports :

• first host blocked > 200 IPs
• second host blocked >500 IPs

When they try to access servers available on this hosts they are already blocked.

If you think this rules are not required for you then it is best not to install Suricata/Snort, it will do almost nothing good to your network, will just overload the CPU and cause trouble when blocked legitimate hosts.


pfBasic

These rules are by no stretch of the imagination the best rules for snort suricata. The proper implementation of the free snort and ET rules is easy more valuable.

asv345h

the point is to add potential attackers to the snort2c list so that they are blocked even if they do make a legitimate connection attempt.

That makes sense now. If you get port scans on non-used ports, say 23, then, when the same ip scans port 80, it will be auto blocked even if that port is forwarded to an internal server. I guess that assumes the auto generated block rules are placed after the web servers allow rule. I'm not sure how the auto-blocking works though.

n3by

In ~48h using rules to block non existent services on first 1000 ports (and few others) each Suricata from my 2 servers blocked ~1000 IPs without any false positive.

I can say this is a good start for anybody.

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [3389] (msg:"Admin Rule NO SERVER RDP TCP"; classtype:network-scan; sid:990050; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5500] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990052; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5800] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990053; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5900] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990054; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [4899] (msg:"Admin Rule NO SERVER RADMIN TCP"; classtype:network-scan; sid:990055; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [1433] (msg:"Admin Rule NO SERVER MSSQL TCP"; classtype:network-scan; sid:990057; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP TCP"; classtype:network-scan; sid:990059; rev:1;)
drop udp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP UDP"; classtype:attempted-recon; sid:9900060; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [8172] (msg:"Admin Rule NO SERVER IIS TCP"; classtype:network-scan; sid:990061; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [31337] (msg:"Admin Rule NO SERVER Back Orifice TCP"; classtype:network-scan; sid:990063; rev:1;)
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [47001] (msg:"Admin Rule NO SERVER WinRM TCP"; classtype:network-scan; sid:990064; rev:1;)

pfBasic

Those two rules keep ~20k+ IPs on my 28 day snort2c table.

asv345h

I was running in-line which is why those rules seemed to have little purpose. Switched to legacy - I get it now.

n3by

Doublepulsar detection Snort/Suricata rules

https://github.com/countercept/doublepulsar-detection-script/blob/master/doublepulsar_snort_rules.rules

# Authors: Jayden Zheng (@fuseyjz) and Wei-Chea Ang (@77_6A)
# Company: Countercept
# Website: https://countercept.com
# Twitter: @countercept

alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)

alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)

alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)

SLIMaxPower

@ecfx:

Be careful with chosen ports, not to be used by normal applications because you will cut access to this ports.

You will put restriction rule from LAN only if you want to have specifics designated computers that can access the admin ports.

Attached floating rule for WAN and rule for LAN.

p.s.
you can use as destination: "This firewall (self)" instead of any

Another newbie trying to get this sorted on a home net.  I followed the initial post and blocked all traffic.

When I enabled the wan floating rule and lan rule I get locked out of the gui and have to revert to a previous config and reboot to get access to the box again.

sheen73

Hi All,
Very new to Pfsense, just started to research snort and suricata. Came to this post  and have read through it but still stuck. I am using Pfsense 2.3.4 and open VPN client with PIA, I have NAT setup to direct lan / wan to the PIA interface. I have a firewall rule for lan on LANnet to use the PIA DHCP gateway.

As soon as I apply the below instructions, my internet access shuts down. Note only interfaces I have are LAN, WAN, PIA, OpenVPN (not used and does not exist, not sure why its on the list)

"Next up Floating tab:
Set up a rule but make these changes:
Action Block
Quick TICKED!!!
Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
Direction any
Source any
Destination any"

I think I am misunderstanding this portion

"Head over to an interface's tab and set up a an allow rule. Source should be the interface's subnet. The destination should be any, and for the ports use the outgoing_ports alias created above. Destination should be any. Otherwise identical to the webgui rule. Warning! This allows any host to access any other host on other interfaces using those ports. If this is not needed (and generally it shouldn't), finish the rule, and head over to the floating rules tab."

What am I supposed to do here? The floating rule takes precedent over all other rules 1st, any rule after this would still be blocked no? I added another LAN firewall rule and set source to LANNet and destination ports to the outbound port alias and no luck.

Any tips?
Thanks!

rdm_577

Hello all,

I signed up for this forum specifically to ask this question of this community / thread. Thanks in advance.

I'm greatly interested in setting up a pfsense firewall in the manner described under this thread but I have basically one reservation about doing so and therefore I'd like an honest assessment from those that have gone before me.  I am NOT an IT professional but I am a reasonably intelligent and computer savvy novice with above average understanding of routed networks.  I don't mind doing my own research / problem solving and while I'm relatively new to Unix / Linux I'm a fairly quick learner.  I've read the entire thread, multiple times.

Given those facts, if I correctly set up pfSense according to this guide, realistically what on-going time commitment am I making with respect to updating the rules, known threat list, etc.  Once I get the firewall up and running according to this guide, will it run without much tinkering, problem solving, and updating or will it turn into a time sucking black hole that takes away from my regular job, wife, children, and hobbies that I prefer to network administration?

I have a simple home network with limited services and requirements.  I currently run dd-wrt using multiple lans / vlans for the various network segments that I have in house but am interested in upgrading my perimeter security as long as it can be done without becoming a full time network admin job on top of my other commitments.

Thoughts and comments are appreciated.

pfBasic

I started on pfSense in the same boat less the understanding of routed networks.

I've spent a lot of time messing around on pfSense but 95% of that time he been out of curiosity, not to make it work.

I wouldn't recommend following this guide exactly, it's old and there are better ways to do much of this.

Suricata can be a time sucker. You probably don't need it on a home network. Even if you only use the "Golden Rules" on WAN it can cause some issues with certain types of setups.

You can get a stable filtered and secure home network up and running pretty quickly with just firewall rules, pfBlockerNG and DNSBL.

Later on if you want to play around with it and have some time to deal with false positives check out suricata.

Id recommend avoiding squid and it's related packages entirely on a home network. It sounds cool in theory but in practice is more of a pain than a help on small home networks.

coliflower

Hello all,

I am not sure to be right her - so sorry in advance in case to be wrong.

For some weeks I have some troubles with my pfSense on APU1D4 :-(
The symptom is: I have no connection to internet - there is no public IP on my GW …
If I restart the pfSense, it works again for some time …
After some weeks I also tried to restart the suricata service and it helps, too.

Does it mean there is something NOK wit suricata on my pfSense ?

I did not change anything before the symptom occurred :-(
pfSense and suricata is on the last level.

if anybody know the direction to start investigation, please help :-)

Thanks a lot in advance !

stephenw10

Suricata/Snort is often a good place to look if you find things spontaneously get blocked.

Try running Suricata in non-blocking mode for a some time to test that.

You should also be able to clear to blocked hosts lists if that is happening and restore connectivity that way. You'll then need to find out what is being blocked and by which rules and take steps to prevent it happening again.

Steve

coliflower

Hello Steve,

thank you for your reply.

Suricata is running as default, pattern-match is AC, block and Barnyard2 is DISABLED.
If I look to Interfaces/WAN-Rules than I see „Rule will alert on traffic if triggered“ under Action header.

Any further ideas ?

Dariusz

stephenw10

If blocking is disabled then it's not Suricata or at least not in the expected way. It might be using all the available resources for example. You should see something logged if so though.

You have other packages installed?

How exactly is this presenting? You say the gateway looses its IP? The WAN gateway? The interface address itself? What type of WAN is it?

Steve

coliflower

OK … For a test I stopped the Suricata service to see whether I will see the same symptom „no internet“ or not …

I have other packages -> nmap and pfBlockerNG where I only put some outgoing white-list countries on the internal LAN-Interface.

The WAN is connected on a cable-modem with an public IPv4 84.112.x.x DHCP (ISP = UPC).
The Gateway widget shows me offline with red background and if I look to the dynamic DNS status than there is the old IP-address in red instead of green.
If this occurs there is no internet on my LAN-net (if I put the cable from cable-modem directly to my MBP, than it works.
Or if I restart the pfSense itself than I have internet, too

Dariusz

pfBasic

@stephenw10:

Try running Suricata in non-blocking mode for a some time to test that.

You should also be able to clear to blocked hosts lists if that is happening and restore connectivity that way.@coliflower:

Suricata is running as default, pattern-match is AC, block and Barnyard2 is DISABLED.

He already told you what you need to do.
Go to "Services / Suricata / Edit Interface Settings - Your_Interface"

Scroll down the page to where it says "Alert and Block Settings" Below that you'll see "Block Offenders" - UNcheck the box. Save, Apply.

Now, go to "Diagnostics / Tables", select "snort2c" from the dropdown menu - click "Empty Table".

Now I'm betting that your internet will be working again just as well as it does after you reboot it?

Over the next hours/days/weeks/months you'll need to analyze the alerts you see in Suricata and decide whether those alerts are false positives or not. Disable or suppress false positives as necessary.

DO NOT turn blocking back on until you have spent some time removing false positives (there will be a lot of them). If, after turning blocking back on your network has issues in the following days, your first suspicion should be suricata. Simply turn off blocking, clear your snort2c table and if all is well again then you know you have more false positives to weed out before you turn blocking back on.

IDS/IPS are not plug and play. Learn them before you turn on blocking or you are just going to break things.

stephenw10

This could also potentially be something like the WAN DHCP lease failing to renew correctly.

Instead of rebooting pfSense you might try instead:
Resaving the WAN settings.
Running ifconfig DOWN/UP on the WAN.
Disconnecting and resconnecting the WAN Ethernet cable.

See if any of those restore connectivity.

Steve