Suricata 3.0 Inline dropsid.conf Options



  • I just started messing with the dropsid.conf file to change rules to drop while Suricata is set to inline mode. What I want suricata to do is drop traffic based off of the IPS setting I select and drop any rules that generate an alert; only if they are enabled. I am posting the settings that I have put in my dropsid.conf file and wanted to see if this will work.

    
    pcre:pcre:security-ips\s*drop
    pcre:pcre:balanced-ips\s*drop
    pcre:pcre:connected-ips\s*drop
    
    # Example of modifying state for specific categories entirely
    snort_,emerging-
    
    

    Will this drop more traffic than I intend? If a rule is disabled or suppressed will it still be dropped?

    Thanks for your help.



  • @cplmayo:

    I just started messing with the dropsid.conf file to change rules to drop while Suricata is set to inline mode. What I want suricata to do is drop traffic based off of the IPS setting I select and drop any rules that generate an alert; only if they are enabled. I am posting the settings that I have put in my dropsid.conf file and wanted to see if this will work.

    
    pcre:pcre:security-ips\s*drop
    pcre:pcre:balanced-ips\s*drop
    pcre:pcre:connected-ips\s*drop
    
    # Example of modifying state for specific categories entirely
    snort_,emerging-
    
    

    Will this drop more traffic than I intend? If a rule is disabled or suppressed will it still be dropped?

    Thanks for your help.

    Second question first – disabled or suppressed rules should not result in DROPs.  The SID MGMT process first walks through the enablesid and disablesid files to generate a list of rules that are "enabled".  Then that list is fed to the dropsid and modifysid files where the action can be changed to DROP (from ALERT) and some content could be changed in the rule body.  Suppression is a feature of the Suricata binary itself and not related to rule state (other than it is not necessary to suppress a disabled rule).  Rules in a Suppress List "fire", but any alert or drop action is suppressed.  That's different from disabling a rule, because disabled rules never get evaluated and thus can never "fire".

    The Suricata package generates a single rules file that contains only enabled rules.  That rules file is the one used by the interface.  There is a separate rules file for each interface.  It will be in a sub-directory for the interface and is called suricata.rules in the Suricata package.  The single rules file per interface is created by scanning all the enable rule category files, including any IPS Policy metadata, and adding the enabled rules from each category to the single master file.

    Now for your first question.  When you choose to use the IPS-Policy set of rules from the Snort VRT package, during the process of building that suricata.rules file I talked about above, the code will search all the Snort VRT files and pull in every single rule that has IPS Policy metadata matching your choice (connectivity, balanced or security).  All of those rules will then get enabled (even if they are not default enabled in the specific native rules file they were picked from).

    I would not advocate changing the action keyword of the IPS Policy rules.  The Snort VRT has already done that.  Part of the metadata string for those rules is the suggested action of "drop" or "alert".  The vast majority (and I mean the really vast majority) are set to DROP in the metadata.  So if you just put the IPS Policy tag in the dropsid file, those rules will get changed to DROP.  That's what I would do.  I think the string you have in your example will actually not work and result in no rules matching up.

    Bill



  • Nub here requesting clarity on a statement:

    So if you just put the IPS Policy tag in the dropsid file, those rules will get changed to DROP.  That's what I would do.  I think the string you have in your example will actually not work and result in no rules matching up.

    From the dropsid.conf example file:

    # The following example modifies state for Snort VRT rules tagged with IPS 
    # Policy Security and ips drop
    # -----------------
    # pcre:"pcre:security-ips\s*drop"
    

    If you have a moment, would you be willing to help me understand what you mean by just putting in the IPS Policy tag?  My google-foo led me to a seclist post that was in line with the Cpl.  My goal is to drop the leakage that the legacy version couldn't cover.  I slapped in the pcre regex, performed a rebuild, restarted the suricata service and now am in an observation phase.  Currently reading through your other posts to see if you've already answered this.

    Said seclist post:
    http://seclists.org/snort/2013/q1/1114



  • Just put this line in the dropsid.conf file –

    pcre:security-ips
    

    That should result in all the IPS Policy-Security rules getting selected, enabled, and set to DROP.

    Bill



  • Thank you for the super fast reply kind Sir!

    Winner winner chicken dinner post I found in your post history:
    https://forum.pfsense.org/index.php?topic=108365.msg603749#msg603749

    # Category DROPS - All emerging categories
    emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-chat,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dns,emerging-dos,emerging-drop,emerging-dshield,emerging-exploit,emerging-ftp,emerging-games,emerging-icmp,emerging-icmp_info,emerging-imap,emerging-inappropriate,emerging-info,emerging-malware,emerging-misc,emerging-mobile_malware,emerging-netbios,emerging-p2p,emerging-policy,emerging-pop3,emerging-rbn-malvertisers,emerging-rbn,emerging-rpc,emerging-scada,emerging-scan,emerging-shellcode,emerging-smtp,emerging-snmp,emerging-sql,emerging-telnet,emerging-tftp,emerging-tor,emerging-trojan,emerging-user_agents,emerging-voip,emerging-web_client,emerging-web_server,emerging-web_specific_apps,emerging-worm
    
    #try next:
    #emerging*
    
    #  PCRE IPS Policy DROPS  |
    # -----------------
    pcre:pcre:security-ips\s*drop
    

    In addition to this I missed the checkbox for "Enable Automatic SID State Management" (attached screenshot for future pfsense friends).

    Screenshot of drop is attached (redtext;blotted out my public ip).

    Overkill - attached screenshot of the "Interface SID Management File Assignments" block and screenshot of the whole page.









Log in to reply