pfsense:suricata:rules
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| pfsense:suricata:rules [2021/01/20 11:34] – peter | pfsense:suricata:rules [2021/01/25 14:22] (current) – peter | ||
|---|---|---|---|
| Line 10: | Line 10: | ||
| ---- | ---- | ||
| + | |||
| + | [[PFSense: | ||
| [[PFSense: | [[PFSense: | ||
| - | ---- | + | [[PFSense: |
| - | ===== Example Rule ===== | + | [[PFSense: |
| - | <code snort> | ||
| - | alert ip any any -> any any (msg:" | ||
| - | |||
| - | |||
| - | alert tcp 1.2.3.4 1024 - > 5.6.7.8 80 | ||
| - | |||
| - | |||
| - | # Detect SSH protocol anomalies. | ||
| - | alert tcp any any -> any 22 (msg:" | ||
| - | |||
| - | |||
| - | # Non-TLS traffic on TLS ports. | ||
| - | alert tcp any any -> any [443,465] (msg:" | ||
| - | |||
| - | |||
| - | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: | ||
| - | </ | ||
| - | |||
| - | where: | ||
| - | |||
| - | * **Action**: | ||
| - | * **Header**: | ||
| - | * **Options**: | ||
| - | | ||
| ---- | ---- | ||
| - | Action: | + | ==== References ==== |
| - | * **pass**: If the packet matches this rule it’ll be accepted through. | + | https://redmine.openinfosecfoundation.org/ |
| - | * **drop**: | + | |
| - | * **reject**: | + | |
| - | * **alert**: | + | |
| + | https:// | ||
| - | Protocol | + | https:// |
| - | * **ip**: Any packets on the network involving the adapter. | + | https://forum.netgate.com/ |
| - | * **tcp**: | + | |
| - | * **udp**: | + | |
| - | * **icm** | + | |
| - | <WRAP info> | + | https://www.admin-magazine.com/Articles/Detecting-intruders-with-Suricata/(offset)/3 |
| - | **NOTE:** Suricata also allows you to specify layer 7 protocols as well, such as HTTP (http), SSL and TLS (tls for both), FTP (ftp) and SMB (smb). | + | |
| - | </WRAP> | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | Source and Destination IP and Port | + | |
| - | + | ||
| - | * An exclamation mark specifies “not”, so “! 10.0.1.0/8” means any IP not in the 10.0.1.0 subnet. | + | |
| - | * < | + | |
| - | * You can also mix-and-match with the ! as well. | + | |
| - | * For example, if you wanted the rule to match IP 192.168.0.5 but not 192.168.1.0/24, you would do “[! 192.168.1.0/24, 192.168.0.5]”. The value will be matched in the order you pass it. | + | |
| - | * You can also throw in variables as well, like so: [$EXTERNAL_NET, | + | |
| - | + | ||
| - | + | ||
| - | Ports act similarly but they have one additional sign that you can use: | + | |
| - | + | ||
| - | * < | + | |
| - | * If you want a non-specific range (i.e.: only a maximum or minimum port number), you can do this: [:1024] (matches everything from 0-1024) or [1024:] (matches from 1024 to the highest [typically 65535]). | + | |
| - | + | ||
| - | + | ||
| - | Direction Specification | + | |
| - | + | ||
| - | * Between the IP and ports is the direction of packet flow, in our case ->. There’s two options for this: | + | |
| - | + | ||
| - | * -> - This is the most common and means only check if the source IP and port are coming in to the destination IP and port. | + | |
| - | * <> - This will match packet flow in either direction. | + | |
| - | + | ||
| - | + | ||
| - | Rule Options | + | |
| - | + | ||
| - | * The 3 most basic options are: | + | |
| - | + | ||
| - | * **msg**: - What will be prompted in an alert (unless you’re using pass as the action, set this regardless). | + | |
| - | * **sid**: - This is a unique ID for the rule. | + | |
| - | * If multiple rules have the same sid Suricata | + | |
| - | * Typically you should pick a really high number | + | |
| - | * **rev**: - Revision number/ID. | + | |
| - | * Incremented by 1 every time the rule is changed. | + | |
| - | + | ||
| - | + | ||
| - | ---- | + | |
pfsense/suricata/rules.1611142494.txt.gz · Last modified: 2021/01/20 11:34 by peter