====== PFSense - Suricata - Rules - Custom Rules ======
**WARNING:** Every custom rule must have a unique SID!
Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.
SID Codes: 1000000-1999999 are reserved for local use -- put your custom rules in this range to avoid conflicts.
----
Navigate to **Services -> Suricata -> Interfaces -> INTERFACE -> INTERFACE Rules -> custom rules**.
In **Available Rule Categories**:
* Choose **custom.rules** in the Category drop-down.
* Type in the rules you need.
{{:pfsense:suricata:pfsense_-_suricata_-_wan_-_custom_rules.png?800|}}
----
====== Custom Rules ======
There are plenty of examples on the web.
You can restrict a rule by protocol, port, and source or destination IP address.
**WARNING:** Think carefully about what traffic your rule allows or ignores before creating it.
alert tcp [$EXTERNAL_NET,!8.8.8.8] any -> $HOME_NET [80,443] (msg:"Inbound web traffic not from 8.8.8.8"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1; classtype:icmp-event;)
alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; app-layer-protocol:http; classtype:policy-violation; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; app-layer-protocol:tls; classtype:policy-violation; sid:1000004; rev:1;)
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1000005; rev:1;)
pass ip 192.168.1.22/32 80 <> any any (msg:"Pass List Entry - allow all traffic to/from 192.168.1.22/32"; sid:1000006; rev:1;)
**INFO:** Notice the direction symbol "<>", which matches traffic in either direction, as opposed to "->", which matches only one direction (from 1.2.3.4 to any other IP).
So the rule using "<>" mimics the old Legacy Mode Pass List operation, whereby IP address 1.2.3.4 would never get blocked.
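Because a duplicate or out-of-range SID, an unterminated option list, or a Snort-only keyword will stop the whole custom.rules set from loading, it pays to lint the file before pasting it into the pfSense textbox. The checker below is an added example written for this page, not part of Suricata or pfSense; it applies the SID rules stated above to a constructed sample ruleset and only understands the simple rule shapes shown on this page (no whitespace inside address or port lists).

```python
import re
from collections import Counter

# Reserved-for-local SID range quoted on this page.
LOCAL_SID_RANGE = (1000000, 1999999)

# Rule header: action proto src sport direction dst dport ( options )
# Assumes address/port lists contain no whitespace, e.g. [$EXTERNAL_NET,!8.8.8.8].
HEADER_RE = re.compile(
    r'^(alert|pass|drop|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

def check_rule(line):
    """Return the problems found in one rule line (empty list = nothing found)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return ["header malformed: expected 'action proto src sport -> or <> dst dport (...)'"]
    problems = []
    opts = m.group(3).strip()
    if not opts.endswith(';'):          # Suricata needs every option terminated by ';'
        problems.append("last option is not terminated with ';'")
    sid = SID_RE.search(opts)
    if sid is None:
        problems.append("missing sid")
    elif not LOCAL_SID_RANGE[0] <= int(sid.group(1)) <= LOCAL_SID_RANGE[1]:
        problems.append(f"sid {sid.group(1)} outside local range {LOCAL_SID_RANGE}")
    if re.search(r'\bappid\s*:', opts):  # Snort OpenAppID keyword, not a Suricata one
        problems.append("'appid' is a Snort keyword; Suricata uses app-layer-protocol")
    return problems

def check_ruleset(text):
    """Map line number -> problems for each rule line; duplicate SIDs are flagged across the set."""
    rules = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.lstrip().startswith('#')]
    findings = {n: check_rule(l) for n, l in rules}
    seen = Counter()
    for _, l in rules:
        m = SID_RE.search(l)
        if m:
            seen[m.group(1)] += 1
    for n, l in rules:
        m = SID_RE.search(l)
        if m and seen[m.group(1)] > 1:
            findings[n].append(f"sid {m.group(1)} is used {seen[m.group(1)]} times")
    return findings

# Constructed sample: one clean rule followed by the classic mistakes.
SAMPLE = """\
# custom.rules (constructed sample, not a real ruleset)
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1; classtype:icmp-event;)
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;)
pass ip 192.168.1.22/32 80 <- any any (msg:"Pass List Entry"; sid:1000006;
alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for n, problems in sorted(check_ruleset(SAMPLE).items()):
        print(n, problems or "ok")
```

Suricata itself remains the final word: once the rules are saved, check the Suricata log on the Logs View tab for "error" lines before trusting that the interface picked them up.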
----
===== Protocol Anomalies Detection =====
Suricata IDS/IPS/NSM is also capable of protocol anomaly detection: it identifies the application-layer protocol from the traffic itself, so a rule can alert when a protocol shows up on an unexpected port, or when the expected protocol is missing from its usual port.
Please find below a few self-explanatory rule examples (look at the rule msg) of how to do this:
HTTP
alert tcp any any -> any ![80,8080] (msg:"SURICATA HTTP but not tcp port 80, 8080"; flow:to_server; app-layer-protocol:http; sid:2271001; rev:1;)
alert tcp any any -> any 80 (msg:"SURICATA Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:2271002; rev:1;)
HTTPS
alert http any any -> any 443 (msg:"SURICATA HTTP clear text on port 443"; flow:to_server; app-layer-protocol:http; sid:2271019; rev:1;)
TLS
alert tcp any any -> any 443 (msg:"SURICATA Port 443 but not TLS"; flow:to_server; app-layer-protocol:!tls; sid:2271003; rev:1;)
FTP
alert tcp any any -> any ![20,21] (msg:"SURICATA FTP but not tcp port 20 or 21"; flow:to_server; app-layer-protocol:ftp; sid:2271004; rev:1;)
alert tcp any any -> any [20,21] (msg:"SURICATA TCP port 21 but not FTP"; flow:to_server; app-layer-protocol:!ftp; sid:2271005; rev:1;)
SMTP
alert tcp any any -> any ![25,587,465] (msg:"SURICATA SMTP but not tcp port 25,587,465"; flow:to_server; app-layer-protocol:smtp; sid:2271006; rev:1;)
alert tcp any any -> any [25,587,465] (msg:"SURICATA TCP port 25,587,465 but not SMTP"; flow:to_server; app-layer-protocol:!smtp; sid:2271007; rev:1;)
SSH
alert tcp any any -> any !22 (msg:"SURICATA SSH but not tcp port 22"; flow:to_server; app-layer-protocol:ssh; sid:2271008; rev:1;)
alert tcp any any -> any 22 (msg:"SURICATA TCP port 22 but not SSH"; flow:to_server; app-layer-protocol:!ssh; sid:2271009; rev:1;)
IMAP
alert tcp any any -> any !143 (msg:"SURICATA IMAP but not tcp port 143"; flow:to_server; app-layer-protocol:imap; sid:2271010; rev:1;)
alert tcp any any -> any 143 (msg:"SURICATA TCP port 143 but not IMAP"; flow:to_server; app-layer-protocol:!imap; sid:2271011; rev:1;)
SMB
alert tcp any any -> any 139 (msg:"SURICATA TCP port 139 but not SMB"; flow:to_server; app-layer-protocol:!smb; sid:2271012; rev:1;)
DCERPC
alert tcp any any -> any [80,8080] (msg:"SURICATA DCERPC detected over port tcp 80,8080"; flow:to_server; app-layer-protocol:dcerpc; sid:2271013; rev:1;)
DNS
alert tcp any any -> any 53 (msg:"SURICATA TCP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271014; rev:1;)
alert udp any any -> any 53 (msg:"SURICATA UDP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; sid:2271015; rev:1;)
MODBUS
alert tcp any any -> any 502 (msg:"SURICATA TCP port 502 but not MODBUS"; flow:to_server; app-layer-protocol:!modbus; sid:2271018; rev:1;)
===== References =====
https://www.cnblogs.com/lsgxeva/p/11392627.html
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Protocol_Anomalies_Detection