Preview of two new features in upcoming Suricata 2.0.4 pkg v2.1 update
-
An upgrade of the Suricata package to binary version 2.0.4 is coming soon. Along with a number of bug fixes, this update will introduce two new features to the Suricata package on pfSense: (1) GeoIP rule support and (2) IP Reputation rule support.
Here is a quick preview of these new features in operation.
GeoIP Support
The GeoIP option allows you to create rules using the "geoip:" keyword. You specify country codes in the rules. At runtime, Suricata uses the free Legacy GeoIP databases (IPv4 and IPv6) along with the FreeBSD GeoIP shared library to resolve IP addresses to country of origin. Below is an example of this feature.
1. On the GLOBAL SETTINGS tab under Rules Update Settings, check the box to enable auto-download of GeoIP database updates. The free databases are updated on the first Tuesday of each month. When this setting is enabled, a cron task will auto-update the database files at midnight on the 8th of each month.
2. Go to the RULES tab for the Suricata interface where you want to use GeoIP and select Custom Rules in the Category drop-down. Enter one or more rules. A simple example to identify IP addresses in Japan is shown below. Click SAVE.
3. Here are the alerts generated by browsing to a Japanese company's web site.
IP Reputation Support
Using IP Reputation lists in Suricata is quite different from the way it is handled by Snort. The two distinct differences are the strict format requirements for the IP reputation files themselves, and the fact you must create special IP Reputation rules (as custom rules in the pfSense package) in order to actually use the IP reputation lists. Here is the official Suricata documentation for IP Reputation: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IP_Reputation
The example below assumes you have a valid subscription to a commercial IP Reputation product such as IQRisk supplied by Emerging Threats. There are other alternatives, but not many currently match the strict formatting required by Suricata.
Suricata requires a Categories file with a specific format. This file provides the cross reference between category codes and their corresponding short name and description. Here is a sample of the IQRisk categories file. The line highlighted shows the entry for CnC hosts.
1. Go to the IP LISTS tab and enable download of the IQRisk files. You must have a subscriber code. A link is provided on the tab if you wish to purchase one. Check the box to enable IQRisk downloads and provide your IQRisk subscriber code. Click SAVE. The IQRisk files will be downloaded and then appear in the file list (as shown below).
2. Next, go to the IP REP tab for the Suricata interface where you want to use IP reputation rules. Click the checkbox to enable IP Reputation on the interface. Before clicking SAVE, click the plus sign (+) in the Assign Categories File area and choose a valid categories file. Do the same in the IP Reputation Lists area, then click SAVE.
You will likely need to increase the Host Memcap setting if you use large IP lists. To see if you need to, check the suricata.log file under the LOGS VIEW tab. The section to examine is highlighted below. Ensure the host memory usage is below the maximum.
3. Next go to the RULES tab and create custom rules using the iprep: rule option and click SAVE. A simple example is shown below.
4. Here is a series of alerts generated from the rule above using a test virtual machine.
Bill
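Because Suricata rejects reputation files that deviate from its strict layout, a pre-load checker is useful. The following is an added example (not code from the post or the pfSense package) that validates a categories file and an IP reputation list in the format described in the linked Suricata documentation, then evaluates an iprep: rule option against a packet's addresses; the sample files are constructed, and CIDR entries plus the src/dst/any/both semantics are assumptions from the upstream docs rather than anything shown in the post.

```python
import ipaddress

# Constructed sample files in the layout the Suricata IP Reputation docs describe:
# categories: <id>,<short name>,<description>   lists: <ip or cidr>,<category id>,<score 0-127>
CATEGORIES_TXT = "1,BadHosts,Known bad hosts\n2,CnC,Command and control hosts\n3,Spam,Known spam sources\n"
REPUTATION_TXT = "192.0.2.10,2,90\n192.0.2.0/24,1,40\n203.0.113.7,3,127\n"
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def _rows(text, nfields, label):
    """Yield (lineno, fields) for each non-comment line, enforcing the exact field count."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", nfields - 1)]
        if len(parts) != nfields:
            raise ValueError(f"{label} line {n}: expected {nfields} fields: {line!r}")
        yield n, parts

def parse_categories(text):
    """Return {category id: short name}; ids must be integers."""
    cats = {}
    for n, (cid, name, _desc) in _rows(text, 3, "categories"):
        if not cid.isdigit():
            raise ValueError(f"categories line {n}: id {cid!r} is not an integer")
        cats[int(cid)] = name
    return cats

def parse_reputation(text, cats):
    """Return [(network, category id, score)], rejecting unknown categories and scores outside 0-127."""
    entries = []
    for n, (addr, cid, score) in _rows(text, 3, "reputation"):
        net = ipaddress.ip_network(addr, strict=False)  # raises ValueError on malformed addresses
        cid, score = int(cid), int(score)
        if cid not in cats:
            raise ValueError(f"reputation line {n}: category {cid} not in categories file")
        if not 0 <= score <= 127:
            raise ValueError(f"reputation line {n}: score {score} outside 0-127")
        entries.append((net, cid, score))
    return entries

def iprep_match(rule_opt, src, dst, cats, entries):
    """Evaluate 'iprep:<src|dst|any|both>,<category name>,<op>,<value>'; longest-prefix entry supplies the score."""
    side, cat_name, op, value = (p.strip() for p in rule_opt.split(","))
    cat_id = {name: cid for cid, name in cats.items()}[cat_name]
    addrs = [src, dst] if side in ("any", "both") else [src if side == "src" else dst]
    verdicts = []
    for ip in map(ipaddress.ip_address, addrs):
        hits = [(net.prefixlen, score) for net, cid, score in entries if cid == cat_id and ip in net]
        verdicts.append(bool(hits) and OPS[op](max(hits)[1], int(value)))
    return all(verdicts) if side == "both" else any(verdicts)
```

Run the two parsers over a downloaded list before assigning it on the IP REP tab; a rule such as iprep:any,CnC,>,30 can then be checked against sample addresses with iprep_match.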
-
Thanks for working on this, and posting the heads-up.
The current ntopng package is compiled with support for geoip as well, but it needs manual intervention for it to work (https://forum.pfsense.org/index.php?topic=82763.msg460680#msg460680). And I see someone else has posted asking about geoip support in bind (https://forum.pfsense.org/index.php?topic=85232.0).
Any thought on how best to avoid duplication of geoip data within the individual pbi packages? I'm new to pbi, but packages appear to include everything they need in terms of libraries and data files; versatile but not very efficient. Could geoip be packaged separately into a common location? And then change ntopng, suricata, and bind to use geoip if found in the common location?
-
Another package maintainer has asked me about this. It would be a logical design to have a GeoIP package whose data is shared by all geoip consumer packages.
Bill
-