Netgate Discussion Forum
    Suricata 2.0.3 pkg v2.0.2 - Release Notes

    BBcan177 (Moderator):

      Hi fsansfil,

      I would suggest you make a new modify-sid (and enable/disable sid also) because if you use the "Sample" Ones, they will be overwritten when you do any re-install or Package Updates.

      Did you click the "Rebuild" Checkboxes beside the Interface Names?

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      fsansfil:

        Hey there,

        Thanks for the quick reply. Just tested it again, this time with a newly created modify.config, did check rebuild in front of the interface (LAN), still nothing. Seems the check rebuild button doesn't save, every refresh it goes back to unchecked…

        Thanks.

        F.

        BBcan177 (Moderator):

          The Rebuild checkbox does not stay checked after you hit save…

          Once you make your SID Mgmt changes, click "Rebuild" then save.

          Go to the interface (i.e. LAN), click "Edit".

          LAN Rules: look for the rule that you modified to see if the changes were made to the rule.


          gogglespisano:

            Here's a good example of the need to have control over blocking by the alert priority level.

            These are from windows update trying to download new updates today.

            10/15/2014-08:57:59.102113,Block Src,1,2015744,3,ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging),Misc activity,3,TCP,96.17.15.72,80
            10/15/2014-08:59:32.716282,Block Src,1,2014819,3,ET INFO Packed Executable Download,Misc activity,3,TCP,96.17.15.96,80

            If the IPS cries wolf too much it'll get turned off.  Other than during the initial setup, I've only had one alert with pri < 3 that's been a false positive.  I've had a couple dozen pri 3 that have been false positives since the initial setup about a week ago.  The choice seems to be between constant monitoring for false positives or turning off large blocks or categories of rules, neither of which I'd like to do.

            Is there a simple solution to this situation I've missed?

            -Stuart

            bmeeks:

              @gogglespisano:

              Here's a good example of the need to have control over blocking by the alert priority level.

              These are from windows update trying to download new updates today.

              10/15/2014-08:57:59.102113,Block Src,1,2015744,3,ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging),Misc activity,3,TCP,96.17.15.72,80
              10/15/2014-08:59:32.716282,Block Src,1,2014819,3,ET INFO Packed Executable Download,Misc activity,3,TCP,96.17.15.96,80

              If the IPS cries wolf too much it'll get turned off.  Other than during the initial setup, I've only had one alert with pri < 3 that's been a false positive.  I've had a couple dozen pri 3 that have been false positives since the initial setup about a week ago.  The choice seems to be between constant monitoring for false positives or turning off large blocks or categories of rules, neither of which I'd like to do.

              Is there a simple solution to this situation I've missed?

              -Stuart

              There is currently no capability for filtering by PRIORITY for block actions in the Suricata or Snort packages.  That will require rewrites of the custom patch that is compiled into both Snort and Suricata in order to implement blocking by interfacing with the pf firewall in pfSense.  Just thinking about it off the cuff, I don't see too much of a problem implementing it in the near future.  But that is just off the cuff without a detailed code review.  Could be there is something that might prove to be an obstacle to implementing the feature.

              Bill

              bmeeks:
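Stuart asks for blocking gated on alert priority, and Bill notes the package cannot do that yet. The following is an added example, not code from the thread or from the pfSense Suricata package: it parses alert lines in the CSV layout Stuart posted (the field order is an assumption taken from those lines), models a "block only at or below priority N" policy to show which of the posted blocks it would have turned into alert-only events, and tallies the noisiest SIDs as candidates for a disablesid review. Priority 1 is the most severe in Snort/Suricata classification files; the third sample line is constructed.

```python
"""Added example (not from the forum thread or the pfSense package): parse
Suricata alert lines in the CSV layout quoted in the thread and model the
priority-based block policy the thread asks for. The first two sample lines
are the ones posted in the thread; the third is constructed."""
from collections import Counter
from typing import NamedTuple

# Field order observed in the thread's alert lines (assumption: this is the
# package's alert CSV layout): time, action, gid, sid, rev, msg,
# classification, priority, proto, src_ip, src_port
SAMPLE_ALERTS = """\
10/15/2014-08:57:59.102113,Block Src,1,2015744,3,ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging),Misc activity,3,TCP,96.17.15.72,80
10/15/2014-08:59:32.716282,Block Src,1,2014819,3,ET INFO Packed Executable Download,Misc activity,3,TCP,96.17.15.96,80
10/15/2014-09:01:10.000000,Block Src,1,9000001,1,CONSTRUCTED priority-1 test alert,A Network Trojan was detected,1,TCP,203.0.113.7,4444
"""

class Alert(NamedTuple):
    time: str
    action: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: int

def parse_alert(line: str) -> Alert:
    # The msg field is free text and may itself contain commas, so take the
    # five fixed fields from each end and treat whatever lies between as msg.
    parts = line.strip().split(",")
    if len(parts) < 11:
        raise ValueError(f"expected at least 11 fields: {line!r}")
    head, tail = parts[:5], parts[-5:]
    msg = ",".join(parts[5:-5])
    return Alert(head[0], head[1], int(head[2]), int(head[3]), int(head[4]), msg,
                 tail[0], int(tail[1]), tail[2], tail[3], int(tail[4]))

def parse_alerts(text: str) -> list:
    return [parse_alert(l) for l in text.splitlines() if l.strip()]

def split_by_policy(alerts: list, max_block_priority: int):
    """Priority 1 is the most severe, so a 'block only serious alerts' policy
    blocks priority <= threshold and leaves the rest as alert-only.
    Returns (would_block, alert_only)."""
    block = [a for a in alerts if a.priority <= max_block_priority]
    return block, [a for a in alerts if a.priority > max_block_priority]

def sid_counts(alerts: list, min_priority: int = 3) -> Counter:
    """Alerts per SID at priority >= min_priority (i.e. the low-severity
    ones); the noisiest are the candidates to review for a disablesid file."""
    return Counter(a.sid for a in alerts if a.priority >= min_priority)
```

With a threshold of 2, both of Stuart's Windows Update blocks fall into the alert-only set while the constructed priority-1 alert is still blocked, which is the behaviour the thread is asking the package to offer.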

                @fsansfil:

                Hey there,

                Thanks for the quick reply. Just tested it again, this time with a newly created modify.config, did check rebuild in front of the interface (LAN), still nothing. Seems the check rebuild button doesn't save, every refresh it goes back to unchecked…

                Thanks.

                F.

                BBcan177 is correct in describing the steps.  The new SID MGMT tab takes the configuration files and uses the instructions within to create a list of rules Suricata will use for inspecting traffic.  Literally, the primary purpose of the SID MGMT tab itself is to let you upload, edit and assign various text configuration files to your interfaces.  Saving simply does this part.  The actual creation of the new list of rules for Suricata to use for network traffic inspection happens in these three cases:

                1.  You click the REBUILD checkbox next to the interface on the SID MGMT tab.  That will not only save the file assignments as described above, but will trigger the creation of a new list of rules for the interface.  Once the list is created, the running Suricata process is sent a "live rule reload" signal.  You will see this in the suricata.log file viewed in the LOGS VIEW tab for the interface.  As BBcan177 said, you can then go to the CATEGORIES or RULES tabs for the interface and see the new color-coded icons beside the impacted text rules.

                2.  Once auto-SID management is enabled, every time you click SAVE on any other interface tabs, the list of rules is rebuilt using the logic in the assigned SID MGMT configuration files.

                3.  Finally, when an automatic download of updated rules occurs via the scheduled update job, a new rules list is generated and Suricata is signaled to load it.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.