OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: noob question on how to set suricata to drop mode (Read 4506 times)
adk20 (Newbie, Posts: 46, Karma: 3)
noob question on how to set suricata to drop mode
« on: April 14, 2021, 10:52:13 pm »
Hi forum,
I have downloaded the et rulesets, enabled suricata and set it to "enable protection mode".
However, it is unclear to me whether this will actually make suricata drop traffic matching the et rules.
Do I need to define a policy? If so, how does this work? I couldn't find a helpful tutorial.
- Rulesets: I understand that I can select the rulesets for which traffic should be dropped.
- Action: drop
- Rules: What should I set here? Leave everything blank if I want all rules to trigger dropping?
- New action: No clue what that means.
What I would like to achieve is a policy that drops all traffic matching e.g. the exploit rules. What policy do I need for that to work?
Thanks a heap!
scot (Newbie, Posts: 8, Karma: 1)
Re: noob question on how to set suricata to drop mode
« Reply #1 on: April 14, 2021, 11:12:01 pm »
By default, with no policy, they should just alert.
My setup is fairly simple.
Set up a single policy. ONLY set the following:
Enabled: Checked
Priority: 0
Rulesets: Select any rulesets you want to drop
Action: Alert,Drop
New Action: Drop
Descriptions: whatever you want.
Rules section: don't touch. Just leave it all at defaults.
Save it/apply and it should reload suricata.
Note: for me, the best configuration in settings is also simple.
Enabled: checked
IPS mode: Checked
Promiscuous mode: Checked (Note: I'm running VLANs)
Syslog options: unchecked... don't need 'em
Pattern Matcher: Your call, Aho and Hyperscan have worked about the same for me
Interfaces: LAN ONLY
(note the help section: Select interface(s) to use. When enabling IPS, only use physical interfaces here (no vlans etc).)
Tick Advanced Mode: Home Networks: Add in my VLAN CIDRs I want to monitor
Defaults the rest of the way.
Selecting multiple interfaces was an issue for me with no benefit.
1. It spun up multiple threads inspecting the same traffic multiple times since the interface is already promiscuous, so it increased load with no real help; if anything I saw multiple alerts.
2. Home net defines what you are alerting on. So even with VLANs I get the same hits with promiscuous turned on.
Finally, I see no point in monitoring WAN. I don't use Sensei, so promiscuous mode isn't a contention point, and why inspect traffic before it hits the firewall? I really only want to protect against stuff that gets through or is egressing.
This was a change from how I administered Snort, so I felt it was worth noting.
« Last Edit: April 14, 2021, 11:14:18 pm by scot »
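As an added illustration of what a policy row like scot's does, here is a small Python model (not OPNsense's own code) of the three fields that matter: the selected rulesets, the "Action" filter on a rule's current action, and "New action" as the rewrite. The rule lines and sids below are constructed samples in Suricata syntax, not real ET signatures.

```python
import re

# Constructed sample rulesets (placeholder sids, not real ET signatures).
SAMPLE_RULESETS = {
    "emerging-exploit.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE exploit A"; sid:9000001; rev:1;)',
        'drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE exploit B"; sid:9000002; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled C"; sid:9000003; rev:1;)',
    ],
    "emerging-info.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE info D"; sid:9000004; rev:1;)',
    ],
}

# An enabled rule starts with its action keyword; a commented-out line does not match.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def apply_policy(rulesets, selected, match_actions, new_action):
    """Model of one policy row: for every enabled rule in the selected rulesets whose
    current action is in match_actions, rewrite the action to new_action.
    Returns {sid: rewritten rule line}. Disabled (commented) rules are skipped,
    which is why the 'Rules' section can stay at its defaults."""
    rewritten = {}
    for name, lines in rulesets.items():
        if name not in selected:
            continue
        for line in lines:
            m = RULE_RE.match(line.strip())
            if m is None or m.group("action") not in match_actions:
                continue
            sid = int(SID_RE.search(line).group(1))
            rewritten[sid] = f"{new_action} {m.group('rest')}"
    return rewritten


def drop_count(rewritten):
    """How many rules now carry the drop action: a quick sanity check after reload."""
    return sum(1 for line in rewritten.values() if line.startswith("drop "))


if __name__ == "__main__":
    # scot's row: exploit ruleset, match Alert and Drop, new action Drop.
    result = apply_policy(SAMPLE_RULESETS, {"emerging-exploit.rules"}, {"alert", "drop"}, "drop")
    for sid, line in sorted(result.items()):
        print(sid, line)
```

Rules in unselected rulesets (the info set here) keep their original alert action, so only the selected ruleset moves from alert-only to drop.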
adk20 (Newbie, Posts: 46, Karma: 3)
Re: noob question on how to set suricata to drop mode
« Reply #2 on: April 15, 2021, 12:06:39 am »
Thanks a heap, that certainly did the trick.