pfsense:suricata:rules:custom_rules
Differences
This shows you the differences between two versions of the page.
pfsense:suricata:rules:custom_rules [2021/01/20 14:45] – peter | pfsense:suricata:rules:custom_rules [2021/01/21 10:28] (current) – peter | ||
Line 1: | Line 1: | ||
====== PFSense - Suricata - Rules - Custom Rules ====== | ====== PFSense - Suricata - Rules - Custom Rules ====== | ||
+ | |||
+ | <WRAP warning> | ||
+ | **WARNING: | ||
+ | |||
+ | Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules. | ||
SID Codes: | SID Codes: | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Navigate to **Services -> Suricata -> Interfaces -> INTERFACE > INTERFACE Rules -> custom rules**. | ||
+ | |||
+ | In **Available Rule Categories**: | ||
+ | |||
+ | * Choose **custom.rules** in the Category drop-down. | ||
+ | * Type in the rules you need. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Custom Rules ====== | ||
+ | |||
+ | There are plenty of examples on the web. | ||
+ | |||
+ | You can add restrictions by protocol, port and source or destination IP address. | ||
+ | |||
+ | <WRAP important> | ||
+ | **WARNING: | ||
+ | </ | ||
+ | |||
+ | |||
+ | < | ||
+ | alert tcp [$EXTERNAL_NET, | ||
+ | |||
+ | alert icmp any any -> any any (msg:" | ||
+ | |||
+ | alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:" | ||
+ | alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:" | ||
+ | |||
+ | pass ip 1.2.3.4 any <> any any (msg:" | ||
+ | |||
+ | pass ip 192.168.1.22/ | ||
+ | </ | ||
+ | |||
+ | <WRAP info> | ||
+ | **INFO: | ||
+ | |||
+ | So the rule using "<>" | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Protocol Anomalies Detection ===== | ||
+ | |||
+ | Suricata IDS/IPS/NSM is also capable of doing protocol anomaly detection. | ||
+ | |||
+ | Please find below a few self explanatory rule examples (look at the rule msg) of how to do this: | ||
+ | |||
+ | < | ||
+ | HTTP | ||
+ | |||
+ | alert tcp any any -> any ![80,8080] (msg:" | ||
+ | alert tcp any any -> any 80 (msg:" | ||
+ | |||
+ | HTTPS | ||
+ | |||
+ | alert http any any -> any 443 (msg:" | ||
+ | |||
+ | TLS | ||
+ | |||
+ | alert tcp any any -> any 443 (msg:" | ||
+ | |||
+ | FTP | ||
+ | |||
+ | alert tcp any any -> any ![20,21] (msg:" | ||
+ | alert tcp any any -> any [20,21] (msg:" | ||
+ | |||
+ | SMTP | ||
+ | |||
+ | alert tcp any any -> any ![25, | ||
+ | alert tcp any any -> any [25, | ||
+ | |||
+ | SSH | ||
+ | |||
+ | alert tcp any any -> any !22 (msg:" | ||
+ | alert tcp any any -> any 22 (msg:" | ||
+ | |||
+ | IMAP | ||
+ | |||
+ | alert tcp any any -> any !143 (msg:" | ||
+ | alert tcp any any -> any 143 (msg:" | ||
+ | |||
+ | SMB | ||
+ | |||
+ | alert tcp any any -> any 139 (msg:" | ||
+ | |||
+ | DCERPC | ||
+ | |||
+ | alert tcp any any -> any [80,8080] (msg:" | ||
+ | |||
+ | DNS | ||
+ | |||
+ | alert tcp any any -> any 53 (msg:" | ||
+ | alert udp any any -> any 53 (msg:" | ||
+ | |||
+ | MODBUS | ||
+ | |||
+ | alert tcp any any -> any 502 (msg:" | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== References ===== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | http:// | ||
+ | |||
+ | https:// | ||
+ |
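Review bot: the bare section labels inside the second code block (HTTP, HTTPS, TLS, FTP, SMTP, SSH, IMAP, SMB, DCERPC, DNS, MODBUS) are not valid rule syntax, so anyone pasting that block into custom.rules as the page instructs will get a parse error on each label line; prefix them with `#` (e.g. `# HTTP`) so the block loads as-is. Separately, the two `pass ip … <> any any` rules deserve a sentence of caution next to them: a matching pass rule ends inspection of that packet, and Suricata's default action order evaluates pass before drop, reject and alert, so these lines exempt every protocol and port for 1.2.3.4 and the 192.168.1.22 prefix from all other rules on the interface. Scoping an exception to the protocol and port that actually needs it is safer than `pass ip … any <> any any`.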
pfsense/suricata/rules/custom_rules.1611153938.txt.gz · Last modified: 2021/01/20 14:45 by peter