suricata ips mode configuration

by ccrr10   Last Updated October 19, 2019 16:00 PM

I installed Suricata and Shorewall on a device with 3 NICs and a wifi card, and I wanted to configure Suricata as an IPS. I followed several instructions, both from the manual and from several blogs. I strongly suspect that Suricata, with my configuration, is not working as an IPS. I have enabled several rules to drop, to test the configuration. I also created a custom rule, but I don't get the desired result. I need help finding where I'm wrong in the setup. Below I attach the custom rule I made. Thanks.

network/interfaces:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # Wan interface
    allow-hotplug enp1s0
    auto enp1s0
    iface enp1s0 inet dhcp

    # first Lan interface
    auto enp2s0
    iface enp2s0 inet manual
        pre-up ip link set $IFACE up
        post-down ip link set $IFACE down

    # second Lan interface
    auto enp3s0
    iface enp3s0 inet manual
        pre-up ip link set $IFACE up
        post-down ip link set $IFACE down

    # wireless settings
    auto wlp5s0
    iface wlp5s0 inet manual
        pre-up ip link set $IFACE up
        post-down ip link set $IFACE down

    # Bridge
    auto br0
    iface br0 inet static
        bridge_ports enp2s0 enp3s0 wlp5s0
        address 192.168.8.1
        netmask 255.255.255.0
        broadcast 192.168.8.255
        network 192.168.8.0
        up /sbin/brctl stp br0 on

shorewall/rules:

    #ACTION            SOURCE  DEST  PROTO    DPORT
    NFQUEUE(0,bypass)  all     all   tcp,udp  !5194

shorewall/policy:

    #SOURCE  DEST  POLICY  LOGLEVEL
    fw       all   ACCEPT
    vpn      loc   ACCEPT
    loc      net   DROP    info
    net      all   DROP    info
    all      all   DROP    info

suricata/rules/local.rules:

    drop tcp any any -> any any (msg:"tldp is bloccato"; content:"tldp.org"; http_header; nocase; classtype:bad-unknown; sid:1000004; rev:1;)

suricata/fast.log:

    10/19/2019-17:02:26.070723  [wDrop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 185.176.27.18:58195 -> 192.168.1.128:4594
    10/19/2019-17:02:43.586497  [wDrop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 58.223.124.116:44802 -> 192.168.1.128:1433
    10/19/2019-17:02:43.586497  [**] [1:2403343:52827] ET CINS Active Threat Intelligence Poor Reputation IP group 44 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 58.223.124.116:44802 -> 192.168.1.128:1433
    10/19/2019-17:03:50.338437  [wDrop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 45.136.109.248:52950 -> 192.168.1.128:3761
    10/19/2019-17:04:56.341478  [wDrop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 185.137.234.186:46359 -> 192.168.1.128:59808
    10/19/2019-17:05:02.576873  [wDrop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 149.154.167.92:443 -> 192.168.1.128:39118
    10/19/2019-17:05:04.396305  [wDrop] [**] [1:2402000:5336] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 185.142.236.35:27962 -> 192.168.1.128:5938
    10/19/2019-17:05:13.080201  [wDrop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 149.154.167.92:443 -> 192.168.1.128:39120
    10/19/2019-17:05:39.433717  [wDrop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 149.154.167.92:443 -> 192.168.1.128:39130
    10/19/2019-17:06:03.692835  [wDrop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 185.176.27.18:58195 -> 192.168.1.128:4489

suricata.yaml:

    vars:
      address-groups:
        HOME_NET: "[192.168.1.0/24,192.168.8.0/24,172.16.23.0/24]"
        EXTERNAL_NET: "!$HOME_NET"
        HTTP_SERVERS: "$HOME_NET"
        SMTP_SERVERS: "$HOME_NET"
        SQL_SERVERS: "$HOME_NET"
        DNS_SERVERS: "$HOME_NET"
        TELNET_SERVERS: "$HOME_NET"
        AIM_SERVERS: "$EXTERNAL_NET"
        DNP3_SERVER: "$HOME_NET"
        DNP3_CLIENT: "$HOME_NET"
        MODBUS_CLIENT: "$HOME_NET"
        MODBUS_SERVER: "$HOME_NET"
        ENIP_CLIENT: "$HOME_NET"
        ENIP_SERVER: "$HOME_NET"
      port-groups:
        HTTP_PORTS: "80"
        SHELLCODE_PORTS: "!80"
        ORACLE_PORTS: 1521
        SSH_PORTS: 5022
        DNP3_PORTS: 20000
        MODBUS_PORTS: 502

    default-rule-path: /etc/suricata/rules
    rule-files:
      - local.rules
      - botcc.rules
      ....

    classification-file: /etc/suricata/rules/classification.config
    reference-config-file: /etc/suricata/reference.config

    host-mode: router

    action-order:
      - pass
      - drop
      - reject
      - alert

    host-os-policy:
      linux: [192.168.1.0/24,192.168.8.0/24,172.16.23.0/24]

    stream:
      memcap: 64mb
      checksum-validation: yes      # reject wrong csums
      inline: yes
      reassembly:
        memcap: 256mb
        depth: 1mb                  # reassemble 1mb into a stream
        toserver-chunk-size: 2560
        toclient-chunk-size: 2560
        randomize-chunk-size: yes

    profiling:
      rules:
        enabled: yes
        filename: rule_perf.log
        append: yes
        sort: avgticks
        limit: 100
        json: yes
      keywords:
        enabled: yes
        filename: keyword_perf.log
        append: yes
      rulegroups:
        enabled: yes
        filename: rule_group_perf.log
        append: yes
      packets:
        enabled: yes
        filename: packet_stats.log
        append: yes
        csv:
          enabled: no
          filename: packet_stats.csv
      locks:
        enabled: no
        filename: lock_stats.log
        append: yes
      pcap-log:
        enabled: no
        filename: pcaplog_stats.log
        append: yes

    #nfq:
    #  mode: accept
    #  repeat-mark: 1
    #  repeat-mask: 1
    #  bypass-mark: 1
    #  bypass-mask: 1
    #  route-queue: 2
    #  batchcount: 20
    #  fail-open: yes

    nflog:
      - group: 2
        buffer-size: 18432
      - group: default
        qthreshold: 1
        qtimeout: 100
        max-size: 20000

    capture:

    netmap:
      - interface: br0
      - interface: default

    pfring:
      - interface: enp1s0
        threads: 1
        cluster-id: 99
        cluster-type: cluster_flow
      - interface: default

    napatech:
      hba: -1
      streams: [1, 2, 3]

    mpipe:
      load-balance: dynamic
      iqueue-packets: 2048
      inputs:
        - interface: xgbe2
        - interface: xgbe3
        - interface: xgbe4

Tags : shorewall ips
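The action tag in fast.log is the quickest way to tell an IDS deployment from an IPS one: Suricata writes `[wDrop]` ("would drop") when a drop rule matches but the engine is not running inline and can only log the packet, while a real inline drop is written as `[Drop]`. The following Python is an added example, not the poster's code and not part of Suricata or Shorewall; it parses fast.log lines of that format, counts the two tags, and reads a suricata command line for the `-q 0` that a Shorewall `NFQUEUE(0,bypass)` rule requires. The `capture_mode` helper, the sample log (two lines taken from the question plus one constructed `[Drop]` line) and the addresses in that constructed line are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's fast.log: [wDrop] ("would drop")
# means a drop rule matched while the engine was not inline; only a real inline
# drop logs [Drop]. The third line is constructed for contrast, not from the question.
SAMPLE_LOG = """\
10/19/2019-17:02:26.070723  [wDrop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 185.176.27.18:58195 -> 192.168.1.128:4594
10/19/2019-17:02:43.586497  [**] [1:2403343:52827] ET CINS Active Threat Intelligence Poor Reputation IP group 44 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 58.223.124.116:44802 -> 192.168.1.128:1433
10/19/2019-17:09:00.000000  [Drop] [**] [1:1000004:1] tldp is bloccato [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.8.20:51234 -> 203.0.113.7:80
"""

# One fast.log line: timestamp, optional [Drop]/[wDrop] tag, [**] gid:sid:rev msg [**] ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_fast_log(text):
    """Return one dict per parseable line; action is 'alert' when no tag is present."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["action"] = ev["action"] or "alert"
            events.append(ev)
    return events

def ips_verdict(events):
    """Count the action tags and say whether the engine really dropped anything."""
    counts = Counter(ev["action"] for ev in events)
    if counts["Drop"]:
        return counts, "inline: at least one packet was really dropped"
    if counts["wDrop"]:
        return counts, "IDS mode: drop rules matched but packets were only logged"
    return counts, "no drop-action rule matched in this log"

def capture_mode(argv):
    """Hypothetical helper: infer the capture method from a suricata command line.
    Shorewall NFQUEUE(0,bypass) feeds queue 0, so inline needs 'suricata -q 0'."""
    if "-q" in argv:
        return "nfqueue queue %s (inline)" % argv[argv.index("-q") + 1]
    if "-i" in argv:
        return "interface %s (inline only with af-packet copy-mode: ips)" % argv[argv.index("-i") + 1]
    if "--af-packet" in argv:
        return "af-packet from yaml (inline only with copy-mode: ips)"
    return "unknown capture method"
```

Run `ips_verdict(parse_fast_log(open("/var/log/suricata/fast.log").read()))` on a live box; a log of nothing but `[wDrop]` means the drop rules are loaded and matching, so the remaining question is only how Suricata was started.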
