Wiki

User Tools

Site Tools

Trace:
pfsense:suricata:custom_rules

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pfsense:suricata:custom_rules [2021/01/06 12:00] peterpfsense:suricata:custom_rules [2021/01/21 10:21] (current) – removed peter
Line 1: Line 1:
-====== PFSense - Suricata - Custom Rules ====== 
- 
-<WRAP warning> 
-**WARNING:**  Every custom rules must have a unique SID!!! 
- 
-Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules. 
- 
-Usually from 1000000. 
-</WRAP> 
- 
----- 
- 
-Navigate to **Services -> Suricata -> Interfaces -> INTERFACE > INTERFACE Rules -> custom rules**. 
- 
-Choose CUSTOM RULES in the Category drop-down and then type in the rules you need. 
- 
-{{:pfsense:suricata:pfsense_-_suricata_-_wan_-_custom_rules.png?800|}} 
- 
----- 
- 
-There are plenty of examples on the web. 
- 
-You can add restrictions by protocol, port and source or destination IP address. 
- 
-<WRAP important> 
-**WARNING:**  Just really think about what your rule is allowing when creating it. 
-</WRAP> 
- 
- 
-<code> 
-alert tcp [$EXTERNAL_NET,!8.8.8.8] any -> $HOME_NET [80,443] 
- 
-alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event) 
- 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;) 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;) 
- 
-pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;) 
- 
-pass ip 192.168.1.22/32 80 <- any any (msg: "Pass List Entry - allow all traffic to/from 192.168.1.22/32"; sid:1000006; 
-</code> 
- 
-<WRAP info> 
-**INFO:**  Notice the direction symbol is "<>" which stands for "any" as opposed to "->" which signifies a specific direction (from 1.2.3.4 to any other IP). 
- 
-So the rule using "<>" would mimic the old Legacy Mode Pass List operation whereby IP address 1.2.3.4 would never get blocked. 
-</WRAP> 
- 
----- 
- 
-===== Protocol Anomalies Detection ===== 
- 
-Suricata IDS/IPS/NSM is also capable of doing protocol anomaly detection. 
- 
-Please find below a few self explanatory rule examples (look at the rule msg) of how to do this: 
- 
-<code> 
-HTTP 
- 
-alert tcp any any -> any ![80,8080] (msg:"SURICATA HTTP but not tcp port 80, 8080"; flow:to_server; app-layer-protocol:http; sid:2271001; rev:1;) 
-alert tcp any any -> any 80 (msg:"SURICATA Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:2271002; rev:1;) 
- 
-HTTPS 
- 
-alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;) 
- 
-TLS 
- 
-alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not TLS"; flow:to_server; app-layer-protocol:!tls; sid:2271003; rev:1;) 
- 
-FTP 
- 
-alert tcp any any -> any ![20,21] (msg:"SURICATA FTP but not tcp port 20 or 21"; flow:to_server; app-layer-protocol:ftp; sid:2271004; rev:1;) 
-alert tcp any any -> any [20,21] (msg:"SURICATA TCP port 21 but not FTP"; flow:to_server; app-layer-protocol:!ftp; sid:2271005; rev:1;) 
- 
-SMTP 
- 
-alert tcp any any -> any ![25,587,465] (msg:"SURICATA SMTP but not tcp port 25,587,465"; flow:to_server; app-layer-protocol:smtp; sid:2271006; rev:1;) 
-alert tcp any any -> any [25,587,465] (msg:"SURICATA TCP port 25,587,465 but not SMTP"; flow:to_server; app-layer-protocol:!smtp; sid:2271007; rev:1;) 
- 
-SSH 
- 
-alert tcp any any -> any !22 (msg:"SURICATA SSH but not tcp port 22"; flow:to_server; app-layer-protocol:ssh; sid:2271008; rev:1;) 
-alert tcp any any -> any 22 (msg:"SURICATA TCP port 22 but not SSH"; flow:to_server; app-layer-protocol:!ssh; sid:2271009; rev:1;) 
- 
-IMAP 
- 
-alert tcp any any -> any !143 (msg:"SURICATA IMAP but not tcp port 143"; flow:to_server; app-layer-protocol:imap; sid:2271010; rev:1;) 
-alert tcp any any -> any 143 (msg:"SURICATA TCP port 143 but not IMAP"; flow:to_server; app-layer-protocol:!imap; sid:2271011; rev:1;) 
- 
-SMB 
- 
-alert tcp any any -> any 139 (msg:"SURICATA TCP port 139 but not SMB"; flow:to_server; app-layer-protocol:!smb; sid:2271012; rev:1;) 
- 
-DCERPC 
- 
-alert tcp any any -> any [80,8080] (msg:"SURICATA DCERPC detected over port tcp 80,8080"; flow:to_server; app-layer-protocol:dcerpc; sid:2271013; rev:1;) 
- 
-DNS 
- 
-alert tcp any any -> any 53 (msg:"SURICATA TCP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271014; rev:1;) 
-alert udp any any -> any 53 (msg:"SURICATA UDP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271015; rev:1;) 
- 
-MODBUS 
- 
-alert tcp any any -> any 502 (msg:"SURICATA TCP port 502 but not MODBUS"; flow:to_server; app-layer-protocol:!modbus; sid:2271018; rev:1;) 
-</code> 
- 
- 
- 
-===== References ===== 
- 
-https://www.cnblogs.com/lsgxeva/p/11392627.html 
- 
-http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html 
- 
-https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection 
  
pfsense/suricata/custom_rules.1609934402.txt.gz · Last modified: 2021/01/06 12:00 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki