Using Rulesets in Suricata IPS

Started by dcol, January 19, 2018, 06:00:49 PM

Thanks. I was trying to think of a scenario where you may want the rule to be active as alert for that particular host but still deny as a whole. Thinking about it more I guess if a rule comes up on legitimate traffic that may just be configured poorly you probably would want to allow that traffic for other destinations anyways but just know about it.

Last question I have. I hope :) When I change from IDS to IPS do I have to go to every individual rule and change them from alert to deny or is there a way to do this globally?

February 11, 2018, 08:54:50 AM #16 Last Edit: February 11, 2018, 08:59:23 AM by elektroinside
You could try creating custom rules targeting individual hosts, however some rule orders need to be set for it to work, and I don't think that's possible... anyway, dcol has a very nice tutorial here about custom rules: https://forum.opnsense.org/index.php?topic=7209.0

To drop entire rulesets, go to Services: Intrusion Detection: Administration: Download tab, edit each ruleset (click on the pencil) and set it to 'Change all alerts to drop action' next to the 'Input filter'. Then 'Rules' tab and click 'Apply'.

More info here about this: https://forum.opnsense.org/index.php?topic=6893.0
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
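The global alert-to-drop switch described above flips the action keyword of every enabled rule in a ruleset file. The script below is an added example, not part of the original thread and not OPNsense's or Suricata's own code; it shows that transformation on a constructed sample ruleset (the SIDs 9000001-9000004 and rule texts are made up), leaves commented-out rules and comments untouched, and takes an optional set of SIDs to keep in alert mode, which covers the "know about it but don't block it" case from the question.

```python
import re

# Constructed sample ruleset for illustration (not from the thread): two enabled
# alert rules, one disabled (commented-out) rule and one rule that already drops.
SAMPLE_RULES = """\
# example.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE NETBIOS probe"; flow:to_server; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE WEB_CLIENT download"; flow:established,to_server; sid:9000002; rev:2;)
#alert dns any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)
drop ip [198.51.100.7] any -> $HOME_NET any (msg:"EXAMPLE already a drop"; sid:9000004; rev:1;)
"""

# A Suricata rule starts with its action keyword; the rest of the line is header + options.
ACTION_RE = re.compile(r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rewrite_actions(rules_text, new_action="drop", keep_alert_sids=frozenset()):
    """Rewrite every enabled 'alert' rule to new_action.

    Returns (rewritten_text, list_of_changed_sids). Comments, blank lines and
    disabled rules ('#alert ...') pass through untouched, as do rules whose SID
    is in keep_alert_sids, which is how you keep a noisy signature alert-only
    while the rest of the file drops.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        m = ACTION_RE.match(stripped)
        if not m or m.group("action") != "alert":
            out.append(line)  # comment, blank, disabled, or not an alert rule
            continue
        sid_m = SID_RE.search(stripped)
        sid = int(sid_m.group(1)) if sid_m else None
        if sid in keep_alert_sids:
            out.append(line)
            continue
        indent = line[: len(line) - len(stripped)]
        # Replace only the leading action keyword; header and options are unchanged.
        out.append(indent + new_action + stripped[len(m.group("action")):])
        changed.append(sid)
    result = "\n".join(out)
    if rules_text.endswith("\n"):
        result += "\n"
    return result, changed


def count_enabled_actions(rules_text):
    """Count enabled rules per action keyword, e.g. {'alert': 2, 'drop': 1}."""
    counts = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.lstrip())
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    print("before:", count_enabled_actions(SAMPLE_RULES))
    new_text, sids = rewrite_actions(SAMPLE_RULES, keep_alert_sids={9000002})
    print("after: ", count_enabled_actions(new_text), "changed SIDs:", sids)
    print(new_text)
```

Run it against a copy of a downloaded ruleset file and compare the before/after action counts before loading the result. Keep in mind that a drop action only blocks when Suricata runs inline; in IDS mode a drop rule just logs like an alert, so the rewrite alone does not enforce anything until IPS mode is switched on.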

Team Rebellion Member

An interesting source of information is compiled by FireHOL:
http://iplists.firehol.org/

You could compare the different lists and also see which ones overlap.

Thank you guys for the explanation.
We are using OPNsense in front of our production where we have some servers running, including an Exchange server.
We have enabled those rules (emerging-netbios.rules/emerging-web_client.rules) as advised in the first post, using Hyperscan with IPS mode on; however, the speed drops -60%.

Is this an IPS issue or an IDS/IPS issue?
Thank you
DEC4240 – OPNsense Owner

To determine the cause of the performance drop (probably a large ruleset containing patterns) I would suggest disabling all that contain patterns and then re-enable one by one.

Also SSL fingerprint rules are very consuming; this will likely be fixed with Suricata 4.1 in the upcoming OPNsense 19.1 release.

So experimenting with enabling/disabling rulesets may be the best way to figure this out.

In general you need a performant multi-core CPU for high throughput when a lot of pattern matching and/or SSL fingerprint rules are enabled.

Quote from: jschellevis on November 17, 2018, 02:10:58 AM
To determine the cause of the performance drop (probably a large ruleset containing patterns) I would suggest disabling all that contain patterns and then re-enable one by one.

Also SSL fingerprint rules are very consuming; this will likely be fixed with Suricata 4.1 in the upcoming OPNsense 19.1 release.

So experimenting with enabling/disabling rulesets may be the best way to figure this out.

In general you need a performant multi-core CPU for high throughput when a lot of pattern matching and/or SSL fingerprint rules are enabled.
When I disable the IPS and keep those rules enabled, the speed drops to 100%. I believe the issue is IPS and not the rules.
I have just 3 rules enabled now and speed is 500/500 without IPS; when IPS is on, speed drops to 180/180 and sometimes 200/200.
Do we really need the IPS in production?
The CPU we are using is an Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz (4 cores) with 8GB memory.

Thank you

Same here.

With IPS disabled we get our full 200/50 speed, with IPS enabled (no matter how many rules activated) speed drops to about 80/30 MBit.

Any news on this?

I have the same bandwidth and use a PC Engines APU2C4. The rulesets that you choose, the scan engine (Hyperscan preferably) and the networks that you have enabled in the HOME_NETWORK/LAN entry do have an impact on the IPS performance and how much bandwidth is dropped.

I already have the rules on my computer but I don't know where to put them... Anyone know?

I followed all the instructions in the article https://medium.com/@parkerbenitez/opnsense-next-gen-firewall-a-deep-dive-into-suricata-integration-e5b71cb9b3b3 completely. However, in the download section, after selecting "enable selected" and then clicking on "Download & Update Rules," the rule file appeared empty, and I'm unsure why. Can anyone please help me with this issue?

I strongly advise, if your firewall has the memory, enabling all MITRE rulesets at the bare minimum.
HW: Protectli V2420 - Intel J6412 - 8 GB - 500 GB SSD - Inline IPS - pfSense
HW: Protectli VP6630 - Intel i3-1215U - 64 GB - 1 TB SSD - Outside firewall - OPNsense - Zenarmor Free - IPS
HW: Protectli VP6650 - Intel i5-1235U - 32 GB - 1 TB SSD - Inside firewall - OPNsense - Zenarmor Home - IDS

So these are the rulesets and alerts I've typically been blocking. Curious if others have found some unique ones that should be changed from alert to drop and can share.

ET INFO Observed DNS over HTTPS Domain
ETPRO MALWARE
ETPRO PHISHING
ETPRO INFO Dynamic DNS Domain
ETPRO INFO Observed DNS Query for DDNS domain
ETPRO INFO DYNAMIC_DNS Query
ETPRO INFO DYNAMIC_DNS
ET CINS Active Threat Intelligence Poor Reputation IP group
ET SCAN Sipvicious User-Agent Detected
ET Scan
NMAP
MITRE Recon
MITRE Discovery
MITRE Lateral Movement
MITRE Initial Access
MITRE Persistence
MITRE Collection
MITRE Command and Control
MITRE Defense Evasion
MITRE Exfiltration
MITRE Impact
MITRE Resource Development
Exploit Kit
Windows
Kerberos
Powershell
Remote Code Execution
Security Feature Bypass
Windows Firewall
Print Spooler
DLL Hijack Command
Metasploit
Ransomware
Active Directory
Netgear
Cisco
Nexus
QNAP
VMware
OSSIM
Proofpoint
Defender
ET Policy
ET EXPLOIT
ET INFO
ET MALWARE
ET USER_AGENTS
ET WEB_SPECIFIC_APPS
INDICATOR-COMPROMISE
OS-WINDOWS
NETBIOS
SERVER-WEBAPP
SERVER-OTHER
SERVER-IIS
BROWSER-CHROME
BROWSER-IE
BROWSER-EDGE
BROWSER-TOR
EXPLOIT-KIT
ET ATTACK_RESPONSE
ET WEB_CLIENT
ET HUNTING
OS-Windows
OS-Linux