pfsense:suricata:install_suricata

Differences

This shows you the differences between two versions of the page.

pfsense:suricata:install_suricata [2021/01/06 12:46] – [Created a suppress list] peterpfsense:suricata:install_suricata [2021/01/22 13:59] (current) – [PFSense - Suricata - Install Suricata] peter
Line 1: Line 1:
 ====== PFSense - Suricata - Install Suricata ====== ====== PFSense - Suricata - Install Suricata ======
  
-===== Install the Suricata Package =====+There are multiple parts to this:
  
-Navigate to **System -> Package Manager -> Available Packages**. +  [[PFSense:Suricata:Install Suricata:Install the Suricata Package|Install the Suricata Package]] 
- +  - [[PFSense:Suricata:Install Suricata:Configure Global Settings|Configure Global Settings]] 
-Search for **suricata**. +  - [[PFSense:Suricata:Install Suricata:Create Suppress Lists|Create Suppress Lists]] 
- +  - [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the WAN Interface|Have Suricata Monitor the WAN Interface]] 
-{{:pfsense:suricata:pfsense_-_system_-_package_manager_-_suricata.png?800|}} +  - [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the LAN Interface|Have Suricata Monitor the LAN Interface]]
- +
-Install it. +
- +
-{{:pfsense:suricata:pfsense_-_system_-_package_manager_-_package_installer_-_suricata.png?800|}} +
- +
-The Installation Completes+
- +
-{{:pfsense:suricata:pfsense_-_system_-_package_manager_-_package_installer_-_suricata_-_complete.png?800|}} +
- +
-<WRAP info> +
-**NOTE:**  You should see a **Suricata** option under the **Services** menu. +
-</WRAP>+
  
  
 ---- ----
  
-===== Enable Rule Download ===== 
- 
-Enter settings to download Snort and ET rules. 
- 
-Navigate to **Services -> Suricata -> Global Settings**. 
- 
-In **Please Choose The Type Of Rules You Wish To Download**: 
- 
-  * Install ETOpen Emerging Threats rules:  **Checked**. 
-  * Install ETPro Emerging Threats rules:  **Not Checked**. 
-  * ETPro Subscription Configuration Code:  **<blank>**. 
-  * Install Snort rules:  **Checked**. 
-  * Snort Rules Filename:  **snortrules-snapshot-29170.tar.gz**. 
-  * Snort Oinkmaster Code:  **Set this to your personal Oinkmaster Code obtained from your snort account page**. 
-  * Install Snort GPLv2 Community rules:  **Checked**. 
-  * Hide Deprecated Rules Categories:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_please_choose_the_type_of_rules_you_wish_to_download.png?800|}} 
- 
----- 
- 
-In **Rules Update Settings**: 
- 
-  * Update Interval:  **6 Hours**. 
-  * Update Start Time:  **00:10**.  The default. 
-  * Live Rule Swap on Update:  **Checked**. 
-  * GeoLite2 DB Update:  **Checked**. 
-  * GeoLite2 DB License Key:  **Enter your personal MaxMind GeoLite2 DB key**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_rules_update_settings.png?800|}} 
- 
----- 
- 
-In **General Settings**: 
- 
-  * Remove Blocked Hosts Interval:  **1 Hour** 
-  * Log to System Log:  **Not Checked**. 
-  * Keep Suricata Settings After Deinstall:  **Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_general_settings.png?800|}} 
- 
----- 
- 
-===== Manually update the rules ===== 
- 
-Navigate to **Services -> Suricata -> Updates**. 
- 
-Click **Update**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_updates.png?800|}} 
- 
----- 
- 
-===== Have Suricata Monitor the WAN Interface ===== 
- 
-Navigate to **Services -> Suricata -> Interfaces**. 
- 
-Click **Add**. 
- 
-In **General Settings**: 
- 
-  * Enable:  **Checked**. 
-  * Interface:  **WAN (pppoe0)**. 
-  * Description:  **WAN**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_general_settings.png?800|}} 
- 
----- 
- 
-In **Logging Settings**: 
- 
-  * Send Alerts to System Log:  **Not Checked**. 
-  * Enable Stats Collection:  **Not Checked**. 
-  * Enable HTTP Log:  **Checked**. 
-  * Append HTTP Log:  **Checked**. 
-  * Log Extended HTTP Info:  **Checked**. 
-  * Enable TLS Log:  **Not Checked**. 
-  * Enable File-Store:  **Not Checked**. 
-  * Enable Packet Log:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_logging_settings.png?800|}} 
- 
----- 
- 
-In **EVE Output Settings**: 
- 
-  * EVE JSON Log:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_eve_output_settings.png?800|}} 
- 
----- 
- 
-In **Alert and Block Settings**: 
- 
-  * Block Offenders:  **Checked**. 
-  * IPS Mode:  **Legacy Mode**. 
-  * Kill States:  **Checked**. 
-  * Which IP to Block:  **Both**. 
-  * Block On DROP Only:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_and_block_settings.png?800|}} 
- 
----- 
- 
-In **Performance and Detection Engine Settings**: 
- 
-  * Run Mode:  **AutoFP**. 
-  * Max Pending Packets:  **1024**. 
-  * Detect-Engine Profile:  **High**. 
-  * Pattern Matcher Algorithm:  **Auto**. 
-  * Signature Group Header MPM Context:  **Auto**. 
-  * Inspection Recursion Limit:  **3000**. 
-  * Delayed Detect:  **Not Checked**. 
-  * Promiscuous Mode:  **Checked**. 
-  * Interface PCAP Snaplen:  **1518**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_performance_and_detection_engine_settings.png?800|}} 
- 
----- 
- 
-In **Networks Suricata Should Inspect and Protect**: 
- 
-  * Home Net:  **default**: 
-  * External Net:  **default**. 
-  * Pass List:  **default**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_networks_suricata_should_inspect_and_protect.png?800|}} 
- 
----- 
- 
-In **Alert Suppression and Filtering**: 
- 
-  * Alert Suppression and Filtering:  **default**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_suppression_and_filtering.png?800|}} 
- 
----- 
- 
-In **Arguments here will be automatically inserted into the Suricata configuration**: 
- 
-  * Advanced Configuration Pass-Through:  **<blank>**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_arguments_here_will_be_automatically_inserted_into_the_suricata_configuration.png?800|}} 
- 
----- 
- 
-===== Set Categories for the WAN Interface to Monitor ===== 
- 
-Click on **WAN Categories**. 
- 
-In **Select the rulesets (Categories) Suricata will load at startup**: 
- 
-  * Within each Ruleset, click the checkbox against whichever rules to enable. 
-  * Ruleset: ET Open Rules: 
-    * emerging-attack_response.rules 
-    * emerging-botcc.portgrouped.rules 
-    * emerging-botcc.rules 
-    * emerging-ciarmy.rules 
-    * emerging-coinminer.rules 
-    * emerging-compromised.rules 
-    * emerging-current_events.rules 
-    * emerging-dos.rules 
-    * emerging-dshield.rules 
-    * emerging-exploit.rules 
-    * emerging-malware.rules 
-    * emerging-mobile_malware.rules 
-    * emerging-phishing.rules 
-    * emerging-scan.rules 
-    * emerging-worm.rules 
-  * Ruleset: Snort Text Rules: 
-    * snort_attack-responses.rules 
-    * snort_backdoor.rules 
-    * snort_bad-traffic.rules 
-    * snort_blacklist.rules 
-    * snort_botnet-cnc.rules 
-    * snort_ddos.rules 
-    * snort_dos.rules 
-    * snort_exploit-kit.rules 
-    * snort_exploit.rules 
-    * snort_malware-backdoor.rules 
-    * snort_malware-cnc.rules 
-    * snort_malware-other.rules 
-    * snort_malware-tools.rules 
-    * snort_phishing-spam.rules 
-    * snort_policy-spam.rules 
-    * snort_scan.rules 
-    * snort_specific-threats.rules 
-    * snort_spyware-put.rules 
-    * snort_virus.rules 
-    * snort_web-attacks.rules 
- 
----- 
- 
- 
-===== Create Lists ===== 
- 
- 
-==== Created a Pass List ==== 
- 
-Navigate to **Services -> Suricata -> Pass List**. 
- 
-<WRAP alert> 
-**ALERT:**  DO NOT CREATE A PASS LIST!!! 
- 
-A pass list is just another term for "whitelist". 
- 
-Some suggest to create a list representing the home network, but this is very dangerous as could allows bad traffic. 
- 
-</WRAP> 
- 
- 
----- 
  
 ==== Created a suppress list ==== ==== Created a suppress list ====
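Review bot: the first item of the new index, `+  [[PFSense:Suricata:Install Suricata:Install the Suricata Package|Install the Suricata Package]]`, is missing the `-` list marker that the other four items carry, so DokuWiki will render it as a plain paragraph and the numbered list will start at "Configure Global Settings"; change it to `  - [[PFSense:Suricata:Install Suricata:Install the Suricata Package|Install the Suricata Package]]`. Two pieces of the removed body also have no obvious home among the five linked subpages: the "Manually update the rules" step (Services -> Suricata -> Updates -> Update) and the `<WRAP alert>` block warning against creating a Pass List, which is the only security caveat on the page. If the "Create Suppress Lists" subpage does not carry that warning, keep it on the index page or add a sixth link that does.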
Line 260: Line 36:
 ---- ----
  
-Here are some of the signatures that I suppressed:+==== Rule categories ====
  
-pf-supp-list-config.png+Choose what rule categories to enable:
  
-On top of the suppress list you can also choose what rule categories to enable under **Services -> Suricata -> Interfaces -> WAN Categories**+Navigate to **Services -> Suricata -> Interfaces -> WAN Categories**.
- +
-ps-enable-rules-per+
  
 ---- ----
  
-===== Enable Barnyard2 ===== 
- 
-Since I already had a snorby setup (and this one), I decided to send the events to the snorby database. This is accomplished under Services -> Suricata -> Interface -> WAN Barnyard2: 
- 
-pf-barnyard-setup 
-Configure Logging And Other Parameters 
- 
-Now under the main config for the interface let's enable it and setup logging. Under **Servces -> Suricata -> Interface -> WAN** settings I had the following: 
- 
-pf-interface-sett-1.png 
- 
-And down below I enabled the lists that I had created before: 
- 
-pf-int-assign-supp-pass-list 
- 
-I also disabled the http extending logging along with tracked files since I was sending the logs over syslog and the JSON was getting truncated (this will help out later for the ELK setup): 
- 
-pf-suricat-log-options 
-Enable Watchdog 
- 
-Another optional thing you can do is install Service Watchdog: 
- 
-pf-watchdog-installed 
- 
-And under **Services -> Service Watchdog** enable it to monitor the Suricata Service: 
- 
-pf-service-watchdog-suricata 
-Check Out the Config 
- 
-You can ssh to the pfSense machine and check out all the settings. After it was initialized the machine was pretty idle: 
- 
-[2.3-RELEASE][root@pf.kar.int]/root: top -CPz -o cpu -n 
-last pid: 69987;  load averages:  0.08,  0.06,  0.07  up 6+07:27:23    17:38:06 
-41 processes:  1 running, 40 sleeping 
- 
-Mem: 299M Active, 484M Inact, 260M Wired, 383M Buf, 2870M Free 
-Swap: 4096M Total, 4096M Free 
- 
- 
- 
-  PID USERNAME  THR PRI NICE   SIZE    RES STATE     TIME     CPU COMMAND 
-35582 root        7  20    0   696M   593M uwait     8:21   2.78% suricata 
-35368 root        1  20    0   134M 99440K nanslp  0  14:56   0.00% barnyard2 
-15529 root        1  20    0 16676K  2256K bpf       4:54   0.00% filterlog 
-22872 root        5  20    0 27300K  2448K accept  1   3:55   0.00% dpinger 
-46428 root        1  52   20 17000K  2564K wait    0   3:53   0.00% sh 
-37472 unbound      20    0 63304K 34280K kqread  1   3:06   0.00% unbound 
- 
-It looks like it starts a suricata instance per interface: 
- 
-[2.3-RELEASE][root@pf.kar.int]/root: ps auwwx | grep suricata 
-root    35582   2.9 14.7 713016 607712  -  Ss    2:36PM     8:24.77 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_34499_re0/suricata.yaml --pidfile /var/run/suricata_re034499.pid 
-root    35368   0.0  2.4 137684  99440  -  S     2:36PM    14:56.48 /usr/local/bin/barnyard2 -r 34499 -f unified2.alert --pid-path /var/run --nolock-pidfile -c /usr/local/etc/suricata/suricata_34499_re0/barnyard2.conf -d /var/log/suricata/suricata_re034499 -D -q 
-root    90667   0.0  0.1  18740   2252  0  S+    5:39PM     0:00.00 grep suricata 
- 
-And you can check out all the logs under /var/log/suricata/INSTANCE: 
- 
-[2.3-RELEASE][root@pf.kar.int]/root: ls -1 /var/log/suricata/suricata_re034499/ 
-alerts.log 
-alerts.log.2016_0501_1750 
-barnyard2 
-http.log 
-suricata.log 
-unified2.alert.1462653477 
- 
-And you will also notice that it creates a cronjob to monitor the services: 
- 
-[2.3-RELEASE][root@pf.kar.int]/root: grep watch /etc/crontab 
-*/1 * * * * root /usr/local/pkg/servicewatchdog_cron.php 
  
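Review bot: the removed block from `-===== Enable Barnyard2 =====` down to the `grep watch /etc/crontab` line was the only place the page verified that Suricata is actually running (the `ps auwwx | grep suricata` output showing one instance per interface, the log directory under /var/log/suricata/INSTANCE, and the Service Watchdog cron entry), and the new `==== Rule categories ====` section adds no replacement; a short "verify the sensor is running" step belongs in one of the subpages, since an IDS instance that has silently died on WAN is exactly what the watchdog section guarded against. The new section also sits under the unchanged context heading `==== Created a suppress list ====`, which stays on this page even though the index now points to a separate Create Suppress Lists subpage, so the suppress-list material now lives in two places. Finally, the removed note that extended HTTP logging and tracked files were disabled because JSON sent over syslog was being truncated is an operational caveat worth keeping wherever the logging settings now live.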
pfsense/suricata/install_suricata.1609937160.txt.gz · Last modified: 2021/01/06 12:46 by peter
