OPNsense Forum » Archive » 16.7 Legacy Series
Topic: Suricata IDS modifications (Read 6929 times)
werner (Newbie, Posts: 10, Karma: 0), posted December 13, 2016, 04:48:44 pm:
Hi,
I'm in the middle of a kind of pilot project for implementing an IDS in front of our SaaS network. I selected OPNsense as it is a firewall solution that's capable of HA and integrates Suricata.
Testing went well so far but I need to do some changes to the Suricata configuration.
I'd like to implement some more rulesets for example, I already found this issue:
https://github.com/opnsense/core/issues/1219
Perfect for home-made rules, but not for fetching the latest versions of ruleset files externally. I guess the URL list of standard rulesets to update is configured somewhere; any chance it can be modified to add some extra URLs?
Apart from that, I'd like to be able to make changes to suricata.yaml. Is that possible without my config changes being overwritten during the next update? I've seen the package lockdown functionality, which seems nice, but I do want the software to be updated without changing my specific config. Is there any mechanism for custom configuration?
Everything else is impressive: a very nice, clean web interface. However, I do feel a bit of an alien coming from Vyatta/VyOS; some concepts really differ coming from there. Keep up the good work!
(Last edit: December 13, 2016, 04:51:46 pm by werner)
Reply #1, werner (Newbie, Posts: 10, Karma: 0), December 15, 2016, 08:53:02 am:
Does nobody know whether the suricata.yaml file is overwritten during an update?
Reply #2, franco (Administrator, Hero Member, Posts: 17657, Karma: 1611), December 15, 2016, 09:07:35 am:
Hi Werner,
Sorry, this slipped through.
suricata.yaml is regenerated from the template:
/usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
The template is overwritten during firmware upgrades. If changes are required we should evaluate which ones and see if we can provide them via the GUI or via an optional include.
If you need other rules, you should look at how rules are defined as drop-in XML files which are not overwritten:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
Cheers,
Franco
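Added example (editor's, not code from the thread or from the OPNsense project): franco's answer is that extra rule sources go in drop-in XML metadata files like the linked pt-research.xml, not in suricata.yaml, which is regenerated from a template on every upgrade. The script below parses a metadata file of that shape, builds the absolute download URL for every rule file the way a fetcher would, and rejects any source that is not served over HTTPS, since rules pulled over plain HTTP can be altered in transit and silently cost you detections. Assumptions not confirmed by the thread: the `<ruleset>`, `<location>`, `<files>` and `<file>` element names and the `url`, `prefix` and `description` attributes follow my reading of the linked pt-research.xml (check the current file before relying on them); the sample document and its hostnames are constructed for this example; the target directory is taken from the path in franco's link.

```python
"""Parse an OPNsense-style drop-in ruleset metadata file and list the rule
files it would download, refusing non-HTTPS sources.

Added example, not from the forum thread or the OPNsense project. The element
and attribute names are an assumption based on the linked pt-research.xml.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample in the assumed drop-in format. Real files would live under
# /usr/local/opnsense/scripts/suricata/metadata/rules/ (path from franco's link).
# The hostnames are placeholders.
SAMPLE_RULESET_XML = """<?xml version="1.0"?>
<ruleset documentation_url="https://rules.example.org/docs">
    <location url="https://rules.example.org/suricata/" prefix="example"/>
    <files>
        <file description="example/malware" url="example-malware.rules"/>
        <file description="example/scan" url="example-scan.rules"/>
    </files>
</ruleset>
"""

# Same document, but the rule source is plain HTTP. Rules fetched over HTTP can
# be tampered with in transit, which for an IDS means losing detections quietly.
INSECURE_RULESET_XML = SAMPLE_RULESET_XML.replace(
    "https://rules.example.org/suricata/", "http://rules.example.org/suricata/"
)


def parse_ruleset(xml_text):
    """Return (prefix, [(description, absolute_url), ...]) for one metadata file.

    Raises ValueError when the location is not HTTPS or a required attribute is
    missing, so a bad drop-in is rejected before anything is downloaded.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ruleset":
        raise ValueError("root element must be <ruleset>, got <%s>" % root.tag)
    location = root.find("location")
    if location is None or "url" not in location.attrib:
        raise ValueError("<location url=...> is required")
    base_url = location.attrib["url"]
    if urlsplit(base_url).scheme != "https":
        raise ValueError("rule source must use https, got %s" % base_url)
    prefix = location.attrib.get("prefix", "")
    entries = []
    for f in root.iter("file"):
        rel = f.attrib.get("url")
        if not rel:
            raise ValueError("<file> without url attribute")
        # Relative file names resolve against the location url, which is how
        # the per-file download URL is formed.
        entries.append((f.attrib.get("description", rel), urljoin(base_url, rel)))
    return prefix, entries


if __name__ == "__main__":
    prefix, entries = parse_ruleset(SAMPLE_RULESET_XML)
    for desc, url in entries:
        print("%s  %s  %s" % (prefix, desc, url))
    try:
        parse_ruleset(INSECURE_RULESET_XML)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as-is to see the two URLs the constructed sample resolves to and the rejection of the HTTP variant; point `parse_ruleset` at a real drop-in file's contents to audit what an installed ruleset definition will actually fetch.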
Reply #3, werner (Newbie, Posts: 10, Karma: 0), December 15, 2016, 04:53:57 pm:
Hi Franco,
No problem, everyone's busy.
I'm not sure whether Suricata allows items already defined in the template to be overridden; otherwise, just a simple optional include of a file containing custom config would be sufficient.
What would be a useful option is more filtering options in the rules tab, and especially a filter to select enabled/disabled rules in a category. It's a lot of work now to find all enabled or all disabled rules. I was going through them to enable them all, just temporarily, to generate as much logging as possible for testing purposes.