Taming the beasts… aka suricata blueprint
-
Be careful with chosen ports, not to be used by normal applications because you will cut access to this ports.
You will put restriction rule from LAN only if you want to have specifics designated computers that can access the admin ports.
Attached floating rule for WAN and rule for LAN.
p.s.
you can use as destination: "This firewall (self)" instead of anyAppreciate it! Thanks a lot. Kudos.
-
So long and thanks for all the fish.
-
@jflsakfja:
So long and thanks for all the fish.
Oh, NO. r you leaving us? whats happening?
-
@jflsakfja:
So long and thanks for all the fish.
Farewell. Thank you for everything.
Hoping you will return. -
Hi I am trying to create the golden custom rules and need help…
alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023](msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)the first two are to block incoming to closed ports.
the last two to block incoming from low ports to low ports.How should i adjust them in the msg bit or any other comments on them.
Thanks.
-
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
-
My advice is to install Suricata if possible.
Yesterday I just had to uninstall Snort and installed Suricata from one remote site after I seen high CPU load and high CPU temp without traffic. Reason Snort >10-15% CPU - in the same conditions, now it is ok Suricata 1-2% CPU.
The other site had Suricata installed and no problems; both sites are running pfSense 2.2.5 & vpn site to site. -
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
I am a absolute beginner and i found this thread very interesting to get some understanding of the principles of good security.
So i wil re-read it and start to implement it. -
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
It's probably the best read you'll find on the net about IDS/IPS security. Most of what you need to know is in the first few pages anyway….
-
SO… all quiet on the western front?
Did I miss a memo somewhere about what happened to this project, or the guide v2?
-
Not an expert, but I guess… yes
https://forum.pfsense.org/index.php?topic=88244.0
-
Thats not it….They eventually gave him permission to use a disclaimer and from that point on, the project was under way. But then jflsakfja got into a serious car accident and he's just had to put all of this on pause til he gets better.
-
If that is indeed that case then he has my deepest and genuine sympathies and I wish him a hearty, fast and total recovery.
-
First off, great topic! I am completely new to all of this and I've spent hours reading through this topic and looking out over the internet to try to understand it.
The reason I made an account and posted is because I attempted to type up a How-To for the super-layman.
I attached it here and would love to get your feedback on it. There are certainly fundamental errors in it simply because I do not understand this stuff and my interpretations of what's going on are bound to be incorrect (hopefully not all the time).
If those of you who know what's going on would be so kind as to give me feedback and correct me, I'll revise and re-post the corrected copy. The intent is to have a document that I or someone like myself could pick up and use to setup pfSense in a secure way without any prior knowledge.So I got on eBay and for $130 purchased a SFF HP with an i5-2400, 8GB RAM and 640GB HDD and an Intel PRO/1000 PT dual NIC. I know it's overkill, but it was cheap.
Going through MANY hours of youtube tutorials on pfSense and networking in general I learned that most of what I want to do on pfSense can be achieved by simply following instructions without very much understanding. However, it seemed to me that Firewall rules (what pfSense was actually made for) actually needed to be understood at least on a basic level since it is so specific to what you're using it for. Then I found this thread, I read through it, and didn't understand much. So I read through more, researched things online and started typing up a step-by-step document that I could use to accomplish each task and have some understanding of what I was doing. I didn't accomplish that completely, there are things that I know I don't fully understand, and I'm sure other things that I misunderstand.
It's worth noting that I haven't actually been able to attempt any of this on pfSense yet.Anyways, thank you for what you've done and I'd appreciate any of your expertise and guidance!
@jflsakfja:
Here we go!
Firewalling
Always whitelist, NEVER blacklist…<<<<<everything i="" tried="" to="" understand="" and="" included="" in="" my="" writeup="" thus="" far="" is="" contained="" between="" these="" two="" quotes="" from="" the="" op.="">>>>>> </everything>
…Back to where we left. Nobody likes his internet being down (I grew tired of having to explain that the Internet was designed to survive a nuclear holocaust without it being down, if you can't beat them, join them). So hurry up with the other interfaces as well.
-
I reformatted the tables in the word document so that I could publish what I'm trying to do directly here and no one has to download the word document. There are a lot of hyperlinks that are included on the word doc but not on this post, so if you see something that looks like it should be hyperlinked, it is on the .doc.
ANY help you guys can give me would be greatly appreciated!
I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.
–---------------------------------------
EDIT: Removed due to potentially misleading info.
-
I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.
Thanks for all your efforts.. :)
Just to note, that my posts in relation to the script should be ignored, as its now superceded by the package pfBlockerNG…
https://forum.pfsense.org/index.php?topic=102470.0
https://forum.pfsense.org/index.php?topic=86212.0 -
I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.
Thanks for all your efforts.. :)
Just to note, that my posts in relation to the script should be ignored, as its now superceded by the package pfBlockerNG…
https://forum.pfsense.org/index.php?topic=102470.0
https://forum.pfsense.org/index.php?topic=86212.0Yes sir, I am reading through your threads on pfBNG and trying to figure out how to use that to accomplish this threads intent without messing it up!
-
pfBasic, did you just edit/reformat the content in the original post by “jflsakfja”?
Or, did you adapt the content in the original post to a later version of pfSense? If so, which version did you use for your document?
Thanks.
-
PFBasic, the word doc looks nice. I've come back to this after a long time working on other stuff, so thanks for condensing this very long thread. I look forward to implementing Suricata soon (getting ready to set aside some time to get into it without interruption).
I hope it's OP is well and doing great things (I'm sure that's a given).
-
I'm glad the documents are helping out. I've finally started implementing all of this stuff on my own and there's a lot in the document that I need to change/add/update. So don't just use that document to set your system up, you'll have to do some of your own reading as well.
I simply copy/pasted and added explanations as best I could and tried to update some stuff based on new releases.
I too am nearing the point where I want to implement suricata as described here. Unfortunately I have absolutely NO idea what the "Golden Rules" are or how to add them to pfSense.
If anyone can help me out with the "Golden Rules" that please PM me, I'm lost.
EDIT: for anyone stumbling across this thread again, see quoted post, these are the "golden rules" as I understand them.
@pfBasic:drop tcp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;) drop udp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)
$MY_NET and $MY_PORT are variables you'll need to specify as necessary for your own network in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section. The "!" in front of the variables means "not", so it would read:
drop tcp/udp traffic from "anywhere not on my network" on any port going to anywhere on "any port not specifically allowed on my network"