[Tutorial] Adding custom rules to Intrusion Detection

[dcol]

There may be some who cringe at this post, but I find that adding custom IDS rules is a much needed addition to OPNsense and here is a tutorial on how to accomplish it. I am assuming you already know how to write snort/suricata rules, so I won't get into that aspect of this tutorial. But if you are not sure what a rule is there are many tutorials out there that can teach you how to write them.

As an example, here is a basic simple rule

Code: [Select]

# This rule drops all tcp traffic on User Ports from the internet to your local network
drop tcp $EXTERNAL_NET any -> $HOME_NET [1024:65535] (msg:"Block User Ports"; classtype:bad-unknown; sid:9900001; rev:1;)

In order to use the methods described below, you must have access to a web server, either locally or remotely.
We are simulating the way OPNsense downloads and updates its rulesets from a URL.
Also these instructions are for Windows IIS users. Linux users will mostly be able to follow the technique to accomplish the same thing.

Lets get started
First you have to create a custom rule file (like in the code above). Lets call that custom.rules
Then find a location within a website that you can easily get to and edit. For this example, I used <domain root>\suricata\custom.rules. You have to allow .rules extensions in request filtering rules in your web server configuration and add mime type as text/plain.

If you are using a local web server (one that is inside the OPNsense network) then the task is a little trickier.
For this example I have used a local web server with a local IP 192.168.10.24 which is also the port forwarded address for the email and web server from the internet.
I used the Default Web Site in IIS for this example. You can create a new one if you like. Set the binding with no host name and the IP as 192.168.10.24. I created a new folder called suricata in C:\inetpub\wwwroot and placed my custom.rules file in that folder.

The website you used for the custom.rules should be accessible from the OPNsense network and display your file in text form. Then we need a way to use it from the Services>Intrusion Detection>Download page.
For that we need to create an XML file and place it in OPNsense. Lets call that Custom.xml
This file goes in /usr/local/opnsense/scripts/suricata/metadata/rules/custom.xml
In Windows, I use WinSCP to get to the files.
Here is the code for the Custom.xml file

Code: [Select]

<?xml version="1.0"?>
<ruleset documentation_url="http://docs.opnsense.org/">
    <location url="https://www.mydomain.com/suricata/" prefix="Custom"/>
    <files>
        <file description="custom rules">Custom.rules</file>
        <file description="Custom" url="inline::rules/Custom.rules">Custom.rules</file>
    </files>
</ruleset>
For a remote web server replace 'mydomain.com' with your site name.
For a local web server use <location url="http://192.168.10.24/suricata/" prefix="Custom"/> as per the example setup above.

Once all this is done, then the ruleset should appear in the download list as Custom/Custom after a refresh.
Then enable the ruleset and 'Download & Update. Do not change the input filter. Leave it as 'None'. The rules you created should now be installed. If all is good then you will see the 'Last Updated' display the new date and time. Also check the Suricata log to insure there are no errors in your custom rules after you update. Bad rules will be ignored.

You should now be able to modify the file on your server and then just update with the Download & Update button. This will also update the custom rules you created every time the cron job updates the IDS/IPS rules.

I actually use the custom rules to add pass rules. Pass rules can increase IDS engine performance because the pass rules are done first and that ends the pattern match. Imagine that a packet that enters IDS must be matched against every rule. Now the engine is very efficient based on the algorithm you selected (ie.Hyperscan) but still needs to be inspected, and if nothing matches it has basically wasted time. Pass rules are done first and will end the pattern match then the packet proceeds to the firewall. I run servers behind OPNsense and know what ports and IPs should always pass.

We want to weed out bad traffic before it enters our firewall. That's what IDS/IPS is for. And with IPS you get that extra protection because it stops traffic at the first layer of your network.

Enjoy!

[UPDATE]
Recheck that all the custom rules are enabled in the IDS>Rules GUI. Any rule that Suricata doesn't like will be disabled. I had to change the SID of one rule because Suricata refused to enable it.

[dcol]

thread tick

[mimugmail]

Oh, seems I missed this one, nice guide, thanks!

[dvmade]

There may be some who cringe at this post, but I find that adding custom IDS rules is a much needed addition to OPNsense and here is a tutorial on how to accomplish it.

You are right. This is exactly what I'm searching for.
I setup a transparent filtering bridge and with this option I can alert/drop traffic on my special needs.
Thanks a lot for this tutorial.

Greets
dvmade

[dcol]

My pleasure

[abysscong]

My pleasure

Hello dcol! Thank you for your tutorial and I successfully created some my rules.
But I met a problem that it didn't work well in IPv6, have you ever encountered it?
Thanks a lot!

https://forum.opnsense.org/index.php?topic=19375.0

[akanarya]

Thanks fou your tuturial, i applied and succesfully worked.
I add an "alert" rule to my custom.rule.
When i change its action to "drop" from "alert" via Opnsense GUI, it doesnt drop the related packets.
it continues passing.
What am i missing?

EDIT:
Ok I got it, custom rule should be enabled in policy, after that drop worked