pfsense:suricata:rules:custom_rules

Differences

pfsense:suricata:rules:custom_rules [2021/01/20 14:45] peter
pfsense:suricata:rules:custom_rules [2021/01/21 10:28] (current) peter
Line 1: Line 1:
 ====== PFSense - Suricata - Rules - Custom Rules ====== ====== PFSense - Suricata - Rules - Custom Rules ======
 +
 +<WRAP warning>
 +**WARNING:**  Every custom rules must have a unique SID!!!
 +
 +Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.
  
 SID Codes:  1000000-1999999 Reserved for Local Use -- Put your custom rules in this range to avoid conflicts. SID Codes:  1000000-1999999 Reserved for Local Use -- Put your custom rules in this range to avoid conflicts.
 +</WRAP>
 +
 +----
 +
 +Navigate to **Services -> Suricata -> Interfaces -> INTERFACE > INTERFACE Rules -> custom rules**.
 +
 +In **Available Rule Categories**:
 +
 +  * Choose **custom.rules** in the Category drop-down.
 +  * Type in the rules you need.
 +
 +{{:pfsense:suricata:pfsense_-_suricata_-_wan_-_custom_rules.png?800|}}
 +
 +----
 +
 +====== Custom Rules ======
 +
 +There are plenty of examples on the web.
 +
 +You can add restrictions by protocol, port and source or destination IP address.
 +
 +<WRAP important>
 +**WARNING:**  Just really think about what your rule is allowing when creating it.
 +</WRAP>
 +
 +
 +<code>
 +alert tcp [$EXTERNAL_NET,!8.8.8.8] any -> $HOME_NET [80,443]
 +
 +alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)
 +
 +alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;)
 +alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;)
 +
 +pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;)
 +
 +pass ip 192.168.1.22/32 80 <- any any (msg: "Pass List Entry - allow all traffic to/from 192.168.1.22/32"; sid:1000006;
 +</code>
 +
 +<WRAP info>
 +**INFO:**  Notice the direction symbol is "<>" which stands for "any" as opposed to "->" which signifies a specific direction (from 1.2.3.4 to any other IP).
 +
 +So the rule using "<>" would mimic the old Legacy Mode Pass List operation whereby IP address 1.2.3.4 would never get blocked.
 +</WRAP>
 +
 +----
 +
 +===== Protocol Anomalies Detection =====
 +
 +Suricata IDS/IPS/NSM is also capable of doing protocol anomaly detection.
 +
 +Please find below a few self explanatory rule examples (look at the rule msg) of how to do this:
 +
 +<code>
 +HTTP
 +
 +alert tcp any any -> any ![80,8080] (msg:"SURICATA HTTP but not tcp port 80, 8080"; flow:to_server; app-layer-protocol:http; sid:2271001; rev:1;)
 +alert tcp any any -> any 80 (msg:"SURICATA Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:2271002; rev:1;)
 +
 +HTTPS
 +
 +alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)
 +
 +TLS
 +
 +alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not TLS"; flow:to_server; app-layer-protocol:!tls; sid:2271003; rev:1;)
 +
 +FTP
 +
 +alert tcp any any -> any ![20,21] (msg:"SURICATA FTP but not tcp port 20 or 21"; flow:to_server; app-layer-protocol:ftp; sid:2271004; rev:1;)
 +alert tcp any any -> any [20,21] (msg:"SURICATA TCP port 21 but not FTP"; flow:to_server; app-layer-protocol:!ftp; sid:2271005; rev:1;)
 +
 +SMTP
 +
 +alert tcp any any -> any ![25,587,465] (msg:"SURICATA SMTP but not tcp port 25,587,465"; flow:to_server; app-layer-protocol:smtp; sid:2271006; rev:1;)
 +alert tcp any any -> any [25,587,465] (msg:"SURICATA TCP port 25,587,465 but not SMTP"; flow:to_server; app-layer-protocol:!smtp; sid:2271007; rev:1;)
 +
 +SSH
 +
 +alert tcp any any -> any !22 (msg:"SURICATA SSH but not tcp port 22"; flow:to_server; app-layer-protocol:ssh; sid:2271008; rev:1;)
 +alert tcp any any -> any 22 (msg:"SURICATA TCP port 22 but not SSH"; flow:to_server; app-layer-protocol:!ssh; sid:2271009; rev:1;)
 +
 +IMAP
 +
 +alert tcp any any -> any !143 (msg:"SURICATA IMAP but not tcp port 143"; flow:to_server; app-layer-protocol:imap; sid:2271010; rev:1;)
 +alert tcp any any -> any 143 (msg:"SURICATA TCP port 143 but not IMAP"; flow:to_server; app-layer-protocol:!imap; sid:2271011; rev:1;)
 +
 +SMB
 +
 +alert tcp any any -> any 139 (msg:"SURICATA TCP port 139 but not SMB"; flow:to_server; app-layer-protocol:!smb; sid:2271012; rev:1;)
 +
 +DCERPC
 +
 +alert tcp any any -> any [80,8080] (msg:"SURICATA DCERPC detected over port tcp 80,8080"; flow:to_server; app-layer-protocol:dcerpc; sid:2271013; rev:1;)
 +
 +DNS
 +
 +alert tcp any any -> any 53 (msg:"SURICATA TCP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271014; rev:1;)
 +alert udp any any -> any 53 (msg:"SURICATA UDP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271015; rev:1;)
 +
 +MODBUS
 +
 +alert tcp any any -> any 502 (msg:"SURICATA TCP port 502 but not MODBUS"; flow:to_server; app-layer-protocol:!modbus; sid:2271018; rev:1;)
 +</code>
 +
 +
 +
 +===== References =====
 +
 +https://www.cnblogs.com/lsgxeva/p/11392627.html
 +
 +http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html
 +
 +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection
 +
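Review bot: the last `pass` rule in the first code block (`pass ip 192.168.1.22/32 80 <- any any (... sid:1000006;`) will not load as written: Suricata accepts only `->` and `<>` as direction operators, the options section is never closed with `)`, and putting port 80 on the left-hand side contradicts the "allow all traffic to/from" text in its own msg; `pass ip 192.168.1.22/32 any <> any any (msg:"Pass List Entry - allow all traffic to/from 192.168.1.22/32"; sid:1000006; rev:1;)` is the form that matches the intent. The first line of that block (`alert tcp [$EXTERNAL_NET,!8.8.8.8] any -> $HOME_NET [80,443]`) is a header with no options and no sid, so it should either be completed or be labelled as a header-only illustration. Several SIDs contradict the warning at the top of the page: `sid:100000` is one digit short of the 1000000-1999999 local range, and `12171008`/`12171009` fall outside it. Those same two rules use `appid:`, a Snort OpenAppID keyword that Suricata does not recognise; `app-layer-protocol:`, as used in the Protocol Anomalies Detection section, is the Suricata keyword for that check. Smaller points: "Every custom rules must" should read "Every custom rule must", and the info box should say that `<>` makes the rule bidirectional (it matches traffic in both directions) rather than that it "stands for any".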
pfsense/suricata/rules/custom_rules.1611153938.txt.gz · Last modified: 2021/01/20 14:45 by peter