Defining a pass list in Suricata.
In the first article about Suricata, we covered basic installation as well as global settings. In this article, we will continue our look at configuration.
In Global Settings, you must choose a set of rules to download, as well as update settings for those rules. Once you do that and save the settings, you can move on to the “Update Rules” tab. I chose the ETOpen rule and Snort VRT rules, set my update interval to 12 hours, and my update start time to 04:00, and saved the settings.
By clicking on the “Update Rules” tab, you can download the enabled rule sets. Under “Update Your Rule Set“, you can press “Check“, which will download an update if available, or “Force” to force an update. A separate screen will load once downloading begins; press the “Return” button to return to the “Update Rules” tab. The “Installed Rule Set MD5 Signature” should now be updated with both the MD5 signature hash and MD5 signature date of the downloaded rules. You can also view the log by clicking on the “View” button.
If you are running Suricata for the first time, you can skip past the “Alerts” and “Blocked” tabs for now, and go straight to “Pass Lists“. Here you can create pass lists, which are lists of hosts which will never be blocked by Suricata. Click on the “plus” button on the right side to add a pass list. You can specify a “Name” and “Description” for the file in the top two edit boxes. In the “Add auto-generated IP Addresses” section, there are six check boxes covering categories such as local networks, WAN IPs, and VPNs. Check whichever categories of IPs you don’t want to be blocked. Beneath that is the “Assigned Aliases” edit box, which allows you to add a custom IP address from a configured alias. If you have any aliases that you do not want to be blocked, you can add them here. Press the “Save” button at the bottom of the page to save these settings.
Adding an Interface with Suricata
You should be ready to add your first Suricata interface now. Click on the “Suricata Interfaces” tab and press the “plus” button on the right side of the page to add an interface. Once you do, there will be seven new additional tabs covering all the settings for that interface. On the first tab, there are several sections. In “General Settings“, the “Enable” check box will enable Suricata inspection on the interface. The “Interface” dropdown box allows you to select the interface. In this case, we will leave it set to WAN. In the “Description” field; we can enter a meaningful description for this interface; we’ll leave it as “WAN“. In “Logging Settings“, you can set a number of preferences related to logging, but we should take note of a few of these settings. First there is the “Send Alerts to System Log” (to send alerts to the firewall’s system log) and “Enable Stats Log” (to log statistics for the interface). Next is the “Stats Update Interval” (in seconds). The default is 10 seconds. If you’re concerned about the size of the log file, you may want to alter “Max Packet Log File Size” (the maximum size in megabytes of the packet log file) and “Max Packet Log Files” (the maximum number of packet log files to maintain).
The next section is “Alert Settings“. The “Block Offenders” check box will automatically block hosts that generate a Suricata alert. Once a host is blocked, they may still have entries in the firewall’s state table and persistent connections; checking the “Kill States” check box will kill firewall states for the blocked IP so the host will no longer have access through your firewall. The “Which IP to Block” dropdown list allows you to select which IP from the packet you wish to block: the source IP, destination IP, or both. Choosing both is the recommended option and is the default value.
Scrolling further down the page, we reach the “Networks Suricata Should Inspect and Protect” section. The “Home Net” dropdown box allows you to define the home net you want this interface to use; the default is local networks, WAN IPs, gateways, VPNs and virtual IPs, but you can create an alias to define friendly IPs. The “External Net” dropdown box defines networks not in the home net. The “Pass List” allows you to choose the pass list you want this interface to use; if you defined one or more pass lists earlier, you can specify them here. Clicking on the “Save” button at the bottom of the page allows you to save these settings.
This is a good start, but we have only scratched the surface on interface settings. In the next article, we we continue our look at these settings.
External Links:
The official Suricata web site
The post Suricata Intrusion Detection System: Part Two appeared first on pfSense Setup HQ.