Suricata config questions



  • Hello,

    I'm running the latest suricata 2.0.3 v2.0.2 on BETA 2.2 and I have a few questions…

    1. I seem limited to a few hundreds of custom rules I can add via the web interface, is there a way I can add more?

    2. HOME_NET : Is there anyway I can use the suricata.yaml to configure it or maybe in the advanced configuration pass-through ? Change it to HOME_NET: "[127.0.0.1/32,192.168.1.0/24]".
      No matter how I work with the Pass Lists options w/ or w/o aliases I always seem to get some IPV6 addresses and unwanted local subnet.

    3. /var/db/suricata/iprep  can I put some list in this folder?

    4. host-mode:router vs host-mode:sniffer-only? active? any difference?

    5. alert versus drop rules? any difference? I ask that because even the ET DROP set of rules are in alert ;) and If i change a rule to drop I get [wDrop] in syslog…

    Thanks a bunch for helping me. Cheers!!



  • @fsansfil:

    Hello,

    I'm running the latest suricata 2.0.3 v2.0.2 on BETA 2.2 and I have a few questions…

    1. I seem limited to a few hundreds of custom rules I can add via the web interface, is there a way I can add more?

    2. HOME_NET : Is there anyway I can use the suricata.yaml to configure it or maybe in the advanced configuration pass-through ? Change it to HOME_NET: "[127.0.0.1/32,192.168.1.0/24]".
      No matter how I work with the Pass Lists options w/ or w/o aliases I always seem to get some IPV6 addresses and unwanted local subnet.

    3. /var/db/suricata/iprep  can I put some list in this folder?

    4. host-mode:router vs host-mode:sniffer-only? active? any difference?

    5. alert versus drop rules? any difference? I ask that because even the ET DROP set of rules are in alert ;) and If i change a rule to drop I get [wDrop] in syslog…

    Thanks a bunch for helping me. Cheers!!

    Answers by number –

    1.  You can paste in as many as the textarea control will hold.  I have not counted how many will fit.  That would be impacted by how long each rule was.  The original idea for the custom rules was for only a few (like maybe 50 or 100 but not a thousand or more).

    2.  You can create a PASS LIST and uncheck all the checkboxes so it will not include local nets, DNS servers, gateways, etc.  It may still include Link-Local IPv6 addresses, though.  Have not specifically tested that.  Even if it does, they should not be a problem.  You create an Alias for all the custom address ranges you want.

    3.  At the moment you can only upload there manually outside of the GUI.  The IP REPUTATION is not yet implemented in the Suricata package.  I just created the directory for future use.

    4.  In this package, considering how it works on pfSense, there is no difference in these two settings.

    5.  Again, in this package with its custom internal patches and configuration for pfSense, ALERT is the same as DROP when you enable the "block offenders" option.  Any ALERT is treated as something to DROP.  It's not the same as Suricata installed on other platforms where you must change some rules to use the "drop" keyword when you want IPS mode.

    Bill



  • Thanks Bill for the quick reply and your great work!

    Cheers



  • @fsansfil:

    Thanks Bill for the quick reply and your great work!

    Cheers

    My vision for the future of the Suricata package on pfSense is to use the new Netmap API for high-speed inline IPS mode when or if it is implemented.  The package would also offer more GUI configurable options for dropping based on event PRIORITY, for dropping all alerts, or for dropping only when the rule action was changed to drop.

    The idea is that some users might want any Suricata alert to cause the corresponding packet (or packets) to be dropped.  This is the simplest to administer and is how the package works today.  But other users might prefer a more traditional hybrid system where some less severe detection events simply alert, and other more severe events are dropped.  The determination of "severe" could be based on PRIORITY or by using the new SID MGMT feature to change some rules' action from "alert" to "drop".

    Bill



  • That's sweet. This is the challenge: make the package work for the first-time user and give all the hybrid or advanced features to those who want to customize it, scale it.
    Also, two things I've learned while playing with suricata or snort: half the rules won't trigger because of misconfigured $HOME, $PORT, or <direction> etc… and you really need to adapt it to your environment, so this means custom rules, a lot of custom rules...

    Right now I don't have full control over $HOME_NET... for example, I have suricata on WAN, LAN and not on OPT1. But no matter what I do, I end up with the OPT1 network in the $HOME_NET (white/pass list) of the LAN Suricata...Let us use aliases to fully define $HOME_NET, $EXTERNAL... etc.

    Custom rules: it would be nice to be able to invoke one of our lists, not just copy-paste into the web interface (limited in numbers at this time)

    Thanks again for your great work !!!

    F.



  • @fsansfil:

    Right now I don't have full control over $HOME_NET… for example, I have suricata on WAN, LAN and not on OPT1. But no matter what I do, I end up with the OPT1 network in the $HOME_NET (white/pass list) of the LAN Suricata...Let us use aliases to fully define $HOME_NET, $EXTERNAL... etc.

    Are you creating the custom HOME_NET list this way?

    1.  Go to Firewall…Alias and create one or more aliases as necessary to define your custom HOME_NET.  You might have to create several sub-aliases, and then combine them into a single master alias.

    2.  Create a Pass List on the PASS LIST tab.  Give it a name.  Maybe "my_homenet" or something.

    3.  Within that Pass List, uncheck all the checkboxes.  Then assign the alias created in step #1 to the ADDRESS field.  Save the Pass List.

    4.  Go to the INTERFACE SETTINGS tab for the interface you want to customize HOME_NET for.  In the HOME_NET drop-down, select the Pass List created in step #2.  Save the change.

    5.  Restart Suricata on the interface to pick up the change in HOME_NET.

    Following these steps should let you create a HOME_NET variable containing only exactly what you want.  You can also customize a number of the PORT_VARIABLEs on the VARIABLES tab.  Just first create one or more aliases to define your custom ports, then assign those aliases to the port variables on the VARIABLES tab.

    @fsansfil:

    Custom rules: it would be nice to be able to invoke one of our lists, not just copy-paste into the web interface (limited in numbers at this time)

    Providing the ability to upload and use a custom file should be pretty easy to implement.  I will put that on my TODO list of new features.

    Bill
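After following Bill's five steps above, the only way to know whether the Pass List really produced the HOME_NET you intended is to look at the `vars:` block the package wrote into the per-interface suricata.yaml. The script below is an added example (not part of the thread, not the pfSense package's own code) that audits that block: it pulls the `HOME_NET` list out of the YAML text, compares it with the networks you defined in your alias, and flags anything extra, anything missing, and any IPv6 link-local entry the list may still carry. The YAML sample is constructed for this example; the file path in the comment is an assumption about where the package keeps the per-interface config. The security point it makes visible: because `EXTERNAL_NET` is `!$HOME_NET`, every subnet that leaks into HOME_NET (the OPT1 network in fsansfil's case) is silently removed from EXTERNAL_NET, so `$EXTERNAL_NET -> $HOME_NET` rules never fire on traffic from that subnet.

```python
import ipaddress
import re

# Constructed sample of the "vars:" section the package generates. On pfSense the
# real file is assumed to live under /usr/local/etc/suricata/suricata_<iface>/
# (assumption, not taken from the thread). The addresses are made up.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[127.0.0.1/32,192.168.1.0/24,fe80::/10,192.168.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
"""


def extract_group(yaml_text, name):
    """Return the entries of address-groups.<name> as a list of strings.

    A small regex is used instead of a YAML library so the check runs with the
    standard library only. Bracketed lists ("[a,b,c]") are split on commas;
    a plain value such as "!$HOME_NET" comes back as a one-element list.
    """
    m = re.search(r'^\s*%s:\s*(.+?)\s*$' % re.escape(name), yaml_text, re.M)
    if not m:
        raise ValueError("no address-group named %s" % name)
    value = m.group(1).strip().strip('"')
    if value.startswith("[") and value.endswith("]"):
        return [e.strip() for e in value[1:-1].split(",") if e.strip()]
    return [value]


def classify(entry):
    """Coarse label for one network entry, used in the report."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.is_loopback:
        return "loopback"
    if net.is_link_local:
        return "link-local"
    if net.is_private:
        return "private"
    return "other"


def audit_home_net(yaml_text, intended):
    """Compare the generated HOME_NET with the networks you meant to put there.

    Returns a dict with:
      extra      - present in HOME_NET but not in `intended` (these are also
                   excluded from EXTERNAL_NET, so rules aimed at external
                   sources will not match traffic from them)
      missing    - in `intended` but absent from HOME_NET
      link_local - IPv6 link-local entries the pass list may add even when
                   every checkbox is unchecked
    """
    actual = {ipaddress.ip_network(e, strict=False)
              for e in extract_group(yaml_text, "HOME_NET")}
    wanted = {ipaddress.ip_network(e, strict=False) for e in intended}
    return {
        "extra": sorted(str(n) for n in actual - wanted),
        "missing": sorted(str(n) for n in wanted - actual),
        "link_local": sorted(str(n) for n in actual if n.is_link_local),
    }


if __name__ == "__main__":
    # The alias from step 1, as you defined it in Firewall > Aliases.
    my_homenet_alias = ["127.0.0.1/32", "192.168.1.0/24"]
    for entry in extract_group(SAMPLE_YAML, "HOME_NET"):
        print("%-20s %s" % (entry, classify(entry)))
    report = audit_home_net(SAMPLE_YAML, my_homenet_alias)
    for key in ("extra", "missing", "link_local"):
        print("%-10s %s" % (key, ", ".join(report[key]) or "(none)"))
```

Run it against the real file by replacing `SAMPLE_YAML` with the contents of the interface's suricata.yaml and `my_homenet_alias` with the networks in your alias; a non-empty `extra` list after a restart means the Pass List still pulls in a subnet the alias does not cover, which is exactly the OPT1 symptom described in the thread.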

