Suricata on Devuan 5
Having upgraded the bastion hosts to Devuan 5 Chimaera, it is time to rewrite suricata.yaml.
The previous version on Chimaera worked well, but since the forces of evil are ever more at work here, I decided to increase the amount of work Suricata does a bit by adding a few more lists to check and compare against.
The first thing I changed for now was to run Suricata with a specific user and group (suri/suri). I repeat, this solution is temporary: I don't like running too much stuff as root, even though connecting to the bastion hosts from the outside is very hard, but the rule upgrade was failing because of permissions on the /tmp directory, and this is not a moment in which I have much time for assorted tricks to let suri write there.
The installation is the usual apt-get install suricata, which pulls in the needed dependencies; keeping the previous configuration valid as far as possible, the changes to the .yaml are these:
suricata.yaml
The three most important changes in the configuration are:
community-id: true
detect-engine:
  - rule-reload: true
default-rule-path: /var/lib/suricata/rules
At this point Suricata has no lists enabled for checking, so we update it with suricata-update; first we update the signature sources with: suricata-update update-sources
21/2/2025 — 10:49:55 – <Info> — Using data-directory /var/lib/suricata.
21/2/2025 — 10:49:55 – <Info> — Using Suricata configuration /etc/suricata/suricata.yaml
21/2/2025 — 10:49:55 – <Info> — Using /etc/suricata/rules for Suricata provided rules.
21/2/2025 — 10:49:55 – <Info> — Found Suricata version 6.0.10 at /usr/bin/suricata.
21/2/2025 — 10:49:55 – <Info> — Downloading https://www.openinfosecfoundation.org/rules/index.yaml
21/2/2025 — 10:49:56 – <Info> — Adding all sources
21/2/2025 — 10:49:56 – <Info> — Saved /var/lib/suricata/update/cache/index.yaml
I check with suricata-update list-sources which lists I have available to work with
21/2/2025 — 10:56:05 – <Info> — Using data-directory /var/lib/suricata.
21/2/2025 — 10:56:05 – <Info> — Using Suricata configuration /etc/suricata/suricata.yaml
21/2/2025 — 10:56:05 – <Info> — Using /etc/suricata/rules for Suricata provided rules.
21/2/2025 — 10:56:05 – <Info> — Found Suricata version 6.0.10 at /usr/bin/suricata.
Name: et/open
Vendor: Proofpoint
Summary: Emerging Threats Open Ruleset
License: MIT
Name: et/pro
Vendor: Proofpoint
Summary: Emerging Threats Pro Ruleset
License: Commercial
Replaces: et/open
Parameters: secret-code
Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
Vendor: OISF
Summary: Suricata Traffic ID ruleset
License: MIT
Name: scwx/enhanced
Vendor: Secureworks
Summary: Secureworks suricata-enhanced ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
Vendor: Secureworks
Summary: Secureworks suricata-malware ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
Vendor: Secureworks
Summary: Secureworks suricata-security ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: abuse.ch/sslbl-blacklist
Vendor: Abuse.ch
Summary: Abuse.ch SSL Blacklist
License: CC0-1.0
Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-ja3
Vendor: Abuse.ch
Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
License: CC0-1.0
Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/sslbl-c2
Vendor: Abuse.ch
Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
License: CC0-1.0
Name: abuse.ch/feodotracker
Vendor: Abuse.ch
Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
License: CC0-1.0
Name: abuse.ch/urlhaus
Vendor: abuse.ch
Summary: Abuse.ch URLhaus Suricata Rules
License: CC0-1.0
Name: etnetera/aggressive
Vendor: Etnetera a.s.
Summary: Etnetera aggressive IP blacklist
License: MIT
Name: tgreen/hunting
Vendor: tgreen
Summary: Threat hunting rules
License: GPLv3
Name: stamus/lateral
Vendor: Stamus Networks
Summary: Lateral movement rules
License: GPL-3.0-only
Name: stamus/nrd-30-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 30 day list, complete
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-14-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 14 day list, complete
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 30 day list, high entropy
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 14 day list, high entropy
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 30 day list, phishing
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
Vendor: Stamus Networks
Summary: Newly Registered Domains Open only – 14 day list, phishing
License: Commercial
Parameters: secret-code
Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: pawpatrules
Vendor: pawpatrules
Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
License: CC-BY-SA-4.0
Name: ptrules/open
Vendor: Positive Technologies
Summary: Positive Technologies Open Ruleset
License: Custom
Name: aleksibovellan/nmap
Vendor: aleksibovellan
Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
License: MIT
I exclude a priori the ones with a commercial license or that I don't know, and keep the MIT and GPLv3 ones, which I enable with
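The selection above (keep MIT/GPL sources, skip commercial or unknown licences) can be automated instead of typed source by source. The following Python script is an added example, not code from the post or from suricata-update: it parses the text that `suricata-update list-sources` prints (the Name/Vendor/Summary/License blocks shown above, reproduced here as a constructed subset), filters by an allow-list of licences, and builds the `suricata-update enable-source` invocations. The allow-list and the decision to skip sources that need a secret-code are assumptions of this example, chosen to match what the post enables.

```python
"""Pick suricata-update sources by licence from `list-sources` output."""
import subprocess

# Licences the operator is willing to run; everything else (Commercial,
# Custom, unknown) stays disabled.  Policy of this example, not a
# suricata-update feature.  GPL-3.0-only is how stamus/lateral is labelled.
ALLOWED_LICENSES = {"MIT", "GPLv3", "GPL-3.0-only"}

# Constructed sample: a subset of the list-sources listing from the post.
SAMPLE_LISTING = """\
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
"""


def parse_sources(listing):
    """Turn the list-sources text into one dict per source (keys lower-cased)."""
    sources = []
    current = None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first colon only: URLs in Subscription lines contain colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"name": value}
            sources.append(current)
        elif current is not None:
            current[key.lower()] = value
    return sources


def select_sources(sources, allowed=ALLOWED_LICENSES, skip_secret=True):
    """Keep sources with an allowed licence; drop ones that need a secret code."""
    chosen = []
    for src in sources:
        if src.get("license") not in allowed:
            continue
        if skip_secret and src.get("parameters") == "secret-code":
            continue
        chosen.append(src["name"])
    return chosen


def enable_commands(names):
    """Build the suricata-update invocations as argv lists (no shell quoting)."""
    return [["suricata-update", "enable-source", name] for name in names]


def run_enable(names, dry_run=True):
    """Print the commands; with dry_run=False actually run them (needs suricata-update)."""
    for argv in enable_commands(names):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    run_enable(select_sources(parse_sources(SAMPLE_LISTING)))
```

Run it as-is for a dry run; on the bastion host, feed it the real listing (`suricata-update list-sources` captured to a string) and call `run_enable(..., dry_run=False)`. The licence allow-list is the whole policy: anything the script does not recognise is left disabled rather than enabled by accident.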
suricata-update enable-source et/open
21/2/2025 — 10:59:37 – <Info> — Using data-directory /var/lib/suricata.
21/2/2025 — 10:59:37 – <Info> — Using Suricata configuration /etc/suricata/suricata.yaml
21/2/2025 — 10:59:37 – <Info> — Using /etc/suricata/rules for Suricata provided rules.
21/2/2025 — 10:59:37 – <Info> — Found Suricata version 6.0.10 at /usr/bin/suricata.
21/2/2025 — 10:59:37 – <Info> — Creating directory /var/lib/suricata/update/sources
21/2/2025 — 10:59:37 – <Info> — Source et/open enabled
and then the same command for the other lists I decided to use.
To verify that the lists are enabled:
suricata-update list-sources --enabled
21/2/2025 — 11:05:12 – <Info> — Using data-directory /var/lib/suricata.
21/2/2025 — 11:05:12 – <Info> — Using Suricata configuration /etc/suricata/suricata.yaml
21/2/2025 — 11:05:12 – <Info> — Using /etc/suricata/rules for Suricata provided rules.
21/2/2025 — 11:05:12 – <Info> — Found Suricata version 6.0.10 at /usr/bin/suricata.
Enabled sources:
- aleksibovellan/nmap
- oisf/trafficid
- stamus/lateral
- etnetera/aggressive
- et/open
- tgreen/hunting
At this point I update Suricata with the new signatures from the lists I added, with:
suricata-update
21/2/2025 — 11:06:45 – <Info> — Using data-directory /var/lib/suricata.
21/2/2025 — 11:06:45 – <Info> — Using Suricata configuration /etc/suricata/suricata.yaml
21/2/2025 — 11:06:45 – <Info> — Using /etc/suricata/rules for Suricata provided rules.
21/2/2025 — 11:06:45 – <Info> — Found Suricata version 6.0.10 at /usr/bin/suricata.
21/2/2025 — 11:06:45 – <Info> — Loading /etc/suricata/drop.conf.
21/2/2025 — 11:06:45 – <Info> — Loading /etc/suricata/suricata.yaml
21/2/2025 — 11:06:45 – <Info> — Disabling rules for protocol http2
21/2/2025 — 11:06:45 – <Info> — Disabling rules for protocol modbus
21/2/2025 — 11:06:45 – <Info> — Disabling rules for protocol dnp3
21/2/2025 — 11:06:45 – <Info> — Disabling rules for protocol enip
21/2/2025 — 11:06:45 – <Info> — Checking https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.md5.
21/2/2025 — 11:06:46 – <Info> — Remote checksum has not changed. Not fetching.
21/2/2025 — 11:06:46 – <Info> — Fetching https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
100% – 9855/9855
21/2/2025 — 11:06:48 – <Info> — Done.
21/2/2025 — 11:06:48 – <Info> — Fetching https://security.etnetera.cz/feeds/etn_aggressive.rules.
100% – 45479/45479
21/2/2025 — 11:06:48 – <Info> — Done.
21/2/2025 — 11:06:48 – <Info> — Fetching https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz.
100% – 31900/31900
21/2/2025 — 11:06:49 – <Info> — Done.
21/2/2025 — 11:06:49 – <Info> — Fetching https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz.
100% – 12269/12269
21/2/2025 — 11:06:49 – <Info> — Done.
21/2/2025 — 11:06:49 – <Info> — Fetching https://raw.githubusercontent.com/aleksibovellan/opnsense-suricata-nmaps/main/local.rules.
100% – 3528/3528
21/2/2025 — 11:06:49 – <Info> — Done.
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/decoder-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/dns-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/files.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/http-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/modbus-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/nfs-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/ntp-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/smb-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/smtp-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/stream-events.rules
21/2/2025 — 11:06:49 – <Info> — Loading distribution rule file /etc/suricata/rules/tls-events.rules
21/2/2025 — 11:06:50 – <Info> — Ignoring file rules/emerging-deleted.rules
21/2/2025 — 11:06:51 – <Info> — Loaded 57762 rules.
21/2/2025 — 11:06:52 – <Info> — Disabled 14 rules.
21/2/2025 — 11:06:52 – <Info> — Enabled 0 rules.
21/2/2025 — 11:06:52 – <Info> — Modified 0 rules.
21/2/2025 — 11:06:52 – <Info> — Dropped 64 rules.
21/2/2025 — 11:06:52 – <Info> — Enabled 136 rules for flowbit dependencies.
21/2/2025 — 11:06:52 – <Info> — Backing up current rules.
21/2/2025 — 11:06:54 – <Info> — Writing rules to /var/lib/suricata/rules/suricata.rules: total: 57762; enabled: 43394; added: 944; removed 0; modified: 0
21/2/2025 — 11:06:55 – <Info> — Writing /var/lib/suricata/rules/classification.config
21/2/2025 — 11:06:55 – <Info> — Testing with suricata -T.
21/2/2025 — 11:07:11 – <Info> — Done.
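When suricata-update runs from cron, the log above is the only evidence that the new ruleset is usable: the counts on the "Writing rules" line and whether the `suricata -T` test was followed by "Done." rather than an error. The script below is an added example, not part of the post or of suricata-update: it parses those Info lines (a constructed excerpt of the run above, plus a constructed failing run) into a summary and decides whether a restart is safe. The minimum-enabled-rules threshold and the text of the constructed error line are assumptions of this example.

```python
"""Sanity-check a suricata-update run from its log output before restarting."""
import re

# Log line shape as it appears on this page: "<Level> — message" (the dash
# class also accepts plain "-"/"--" in case the log was not reformatted).
LINE_RE = re.compile(r"<(?P<level>\w+)>\s*[-—–]+\s*(?P<msg>.*?)\s*$")
WRITE_RE = re.compile(
    r"total:\s*(?P<total>\d+);\s*enabled:\s*(?P<enabled>\d+);\s*added:\s*(?P<added>\d+);"
    r"\s*removed:?\s*(?P<removed>\d+);\s*modified:\s*(?P<modified>\d+)"
)
COUNT_RE = re.compile(r"^(?P<what>Loaded|Disabled|Dropped) (?P<n>\d+) rules\.$")

# Constructed excerpt of the successful run shown in the post.
SAMPLE_LOG = """\
21/2/2025 — 11:06:51 – <Info> — Loaded 57762 rules.
21/2/2025 — 11:06:52 – <Info> — Disabled 14 rules.
21/2/2025 — 11:06:52 – <Info> — Enabled 0 rules.
21/2/2025 — 11:06:52 – <Info> — Dropped 64 rules.
21/2/2025 — 11:06:52 – <Info> — Enabled 136 rules for flowbit dependencies.
21/2/2025 — 11:06:54 – <Info> — Writing rules to /var/lib/suricata/rules/suricata.rules: total: 57762; enabled: 43394; added: 944; removed 0; modified: 0
21/2/2025 — 11:06:55 – <Info> — Testing with suricata -T.
21/2/2025 — 11:07:11 – <Info> — Done.
"""

# Constructed failing run: the test step is followed by an Error line
# (the wording is invented for the example, only the <Error> level matters).
SAMPLE_FAILED_LOG = """\
21/2/2025 — 11:06:54 – <Info> — Writing rules to /var/lib/suricata/rules/suricata.rules: total: 57762; enabled: 43394; added: 944; removed 0; modified: 0
21/2/2025 — 11:06:55 – <Info> — Testing with suricata -T.
21/2/2025 — 11:06:58 – <Error> — (constructed) suricata -T failed, ruleset not usable.
"""


def parse_update_log(text):
    """Extract rule counts, the test result and any Error/Warning messages."""
    summary = {
        "loaded": None, "disabled": None, "dropped": None,
        "total": None, "enabled": None, "added": None, "removed": None, "modified": None,
        "test_ok": False, "errors": [],
    }
    messages = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:  # progress bars like "100% – 9855/9855" carry no level and are skipped
            messages.append((m.group("level"), m.group("msg")))

    for i, (level, msg) in enumerate(messages):
        if level in ("Error", "Warning"):
            summary["errors"].append(msg)
        c = COUNT_RE.match(msg)
        if c:
            summary[c.group("what").lower()] = int(c.group("n"))
        w = WRITE_RE.search(msg)
        if w:
            summary.update({k: int(v) for k, v in w.groupdict().items()})
        if msg.startswith("Testing with suricata -T"):
            nxt = messages[i + 1] if i + 1 < len(messages) else None
            summary["test_ok"] = nxt is not None and nxt[0] == "Info" and nxt[1] == "Done."
    return summary


def update_is_healthy(summary, min_enabled=1000):
    """Restart only if the config test passed, nothing errored, and rules were enabled."""
    return (
        summary["test_ok"]
        and not summary["errors"]
        and summary["enabled"] is not None
        and summary["enabled"] >= min_enabled
    )


if __name__ == "__main__":
    for name, log in (("ok run", SAMPLE_LOG), ("failed run", SAMPLE_FAILED_LOG)):
        s = parse_update_log(log)
        print(name, "enabled:", s["enabled"], "test_ok:", s["test_ok"],
              "healthy:", update_is_healthy(s))
```

In a cron wrapper, pipe `suricata-update 2>&1` into `parse_update_log` and only run the `/etc/init.d/suricata restart` (or send the reload signal that rule-reload: true allows) when `update_is_healthy` is true; a failed `suricata -T` then leaves the running daemon on the previous ruleset instead of restarting it into a broken one.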
Everything should be ready, so with /etc/init.d/suricata restart I relaunch the daemon, which will start working with the new parameters
/etc/init.d/suricata restart
Stopping suricata: done.
Starting suricata in IPS (nfqueue) mode… done.
Remember that Suricata is tied to nftables, which essentially puts all packets coming in on eth0 onto queue 0.