{"id":2567,"date":"2025-02-21T11:10:49","date_gmt":"2025-02-21T10:10:49","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=2567"},"modified":"2025-02-21T11:14:18","modified_gmt":"2025-02-21T10:14:18","slug":"suricata-su-devuan-5","status":"publish","type":"post","link":"https:\/\/clark.tipistrani.it\/?p=2567","title":{"rendered":"Suricata su Devuan 5"},"content":{"rendered":"

Avendo aggiornato i Bastion host a Devuan 5 Chimaera \u00e8 arrivato il momento di riscrivere il suricata.yaml<\/p>\n

La precedente versione<\/a> su chimaera funzionava bene ma qui visto che le forze del male sono sempre di pi\u00f9 all’opera ho deciso di aumentare un po il lavoro che suricata compie aggiungendo un po di liste di verifica e confronto.<\/p>\n

La prima cosa che ho per il momento modificato \u00e8 stata il far girare suricata con uno user e un gruppo\u00a0 specifici (suri\/suri), ripeto la soluzione \u00e8 temporanea non amo far girare troppa roba come root anche se ai bastion host e’ molto difficile collegarsi dall’esterno, ma l’upgrade delle regole falliva per via dei permessi sulla dir \/tmp e questo non e’ un momento in cui abbia molto tempo per fare magheggi vari e assortiti per far si che suri possa scrivere in quel posto.
\nL’installazione \u00e8 la solita con apt-get install suricata che si tira dietro le dipendenze necessarie, tenendo valida il pi\u00f9 possibile la precedente configurazione i cambiamenti sullo .yaml sono questi:
\nsuricata.yaml<\/a><\/p>\n

I tre cambiamenti pi\u00f9 importanti nella configurazione sono:<\/p>\n

community-id: true<\/pre>\n
detect-engine:\r\n\u00a0 - rule-reload: true<\/pre>\n
default-rule-path: \/var\/lib\/suricata\/rules<\/pre>\n
in questo momento suricata non ha liste abilitate per il controllo, quindi con suricata-update aggiorniamo e quindi aggiorniamo le sorgenti delle signatures con: suricata-update update-sources<\/p>\n
21\/2\/2025 — 10:49:55 – <Info> — Using data-directory \/var\/lib\/suricata.
\n21\/2\/2025 — 10:49:55 – <Info> — Using Suricata configuration \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 10:49:55 – <Info> — Using \/etc\/suricata\/rules for Suricata provided rules.
\n21\/2\/2025 — 10:49:55 – <Info> — Found Suricata version 6.0.10 at \/usr\/bin\/suricata.
\n21\/2\/2025 — 10:49:55 – <Info> — Downloading https:\/\/www.openinfosecfoundation.org\/rules\/index.yaml
\n21\/2\/2025 — 10:49:56 – <Info> — Adding all sources
\n21\/2\/2025 — 10:49:56 – <Info> — Saved \/var\/lib\/suricata\/update\/cache\/index.yaml
\nVerifico con\u00a0suricata-update list-sources quali liste ho a disposizione per lavorare
\n21\/2\/2025 — 10:56:05 – <Info> — Using data-directory \/var\/lib\/suricata.
\n21\/2\/2025 — 10:56:05 – <Info> — Using Suricata configuration \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 10:56:05 – <Info> — Using \/etc\/suricata\/rules for Suricata provided rules.
\n21\/2\/2025 — 10:56:05 – <Info> — Found Suricata version 6.0.10 at \/usr\/bin\/suricata.
\nName: et\/open
\nVendor: Proofpoint
\nSummary: Emerging Threats Open Ruleset
\nLicense: MIT
\nName: et\/pro
\nVendor: Proofpoint
\nSummary: Emerging Threats Pro Ruleset
\nLicense: Commercial
\nReplaces: et\/open
\nParameters: secret-code
\nSubscription: https:\/\/www.proofpoint.com\/us\/threat-insight\/et-pro-ruleset
\nName: oisf\/trafficid
\nVendor: OISF
\nSummary: Suricata Traffic ID ruleset
\nLicense: MIT
\nName: scwx\/enhanced
\nVendor: Secureworks
\nSummary: Secureworks suricata-enhanced ruleset
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.secureworks.com\/contact\/ (Please reference CTU Countermeasures)
\nName: scwx\/malware
\nVendor: Secureworks
\nSummary: Secureworks suricata-malware ruleset
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.secureworks.com\/contact\/ (Please reference CTU Countermeasures)
\nName: scwx\/security
\nVendor: Secureworks
\nSummary: Secureworks suricata-security ruleset
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.secureworks.com\/contact\/ (Please reference CTU Countermeasures)
\nName: abuse.ch\/sslbl-blacklist
\nVendor: Abuse.ch
\nSummary: Abuse.ch SSL Blacklist
\nLicense: CC0-1.0
\nReplaces: sslbl\/ssl-fp-blacklist
\nName: abuse.ch\/sslbl-ja3
\nVendor: Abuse.ch
\nSummary: Abuse.ch Suricata JA3 Fingerprint Ruleset
\nLicense: CC0-1.0
\nReplaces: sslbl\/ja3-fingerprints
\nName: abuse.ch\/sslbl-c2
\nVendor: Abuse.ch
\nSummary: Abuse.ch Suricata Botnet C2 IP Ruleset
\nLicense: CC0-1.0
\nName: abuse.ch\/feodotracker
\nVendor: Abuse.ch
\nSummary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
\nLicense: CC0-1.0
\nName: abuse.ch\/urlhaus
\nVendor: abuse.ch
\nSummary: Abuse.ch URLhaus Suricata Rules
\nLicense: CC0-1.0
\nName: etnetera\/aggressive
\nVendor: Etnetera a.s.
\nSummary: Etnetera aggressive IP blacklist
\nLicense: MIT
\nName: tgreen\/hunting
\nVendor: tgreen
\nSummary: Threat hunting rules
\nLicense: GPLv3
\nName: stamus\/lateral
\nVendor: Stamus Networks
\nSummary: Lateral movement rules
\nLicense: GPL-3.0-only
\nName: stamus\/nrd-30-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 30 day list, complete
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: stamus\/nrd-14-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 14 day list, complete
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: stamus\/nrd-entropy-30-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 30 day list, high entropy
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: stamus\/nrd-entropy-14-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 14 day list, high entropy
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: stamus\/nrd-phishing-30-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 30 day list, phishing
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: stamus\/nrd-phishing-14-open
\nVendor: Stamus Networks
\nSummary: Newly Registered Domains Open only – 14 day list, phishing
\nLicense: Commercial
\nParameters: secret-code
\nSubscription: https:\/\/www.stamus-networks.com\/stamus-labs\/subscribe-to-threat-intel-feed
\nName: pawpatrules
\nVendor: pawpatrules
\nSummary: PAW Patrules is a collection of rules for IDPS \/ NSM Suricata engine
\nLicense: CC-BY-SA-4.0
\nName: ptrules\/open
\nVendor: Positive Technologies
\nSummary: Positive Technologies Open Ruleset
\nLicense: Custom
\nName: aleksibovellan\/nmap
\nVendor: aleksibovellan
\nSummary: Suricata IDS\/IPS Detection Rules Against NMAP Scans
\nLicense: MIT
\nEscludo a priori quelle con licenza commerciale o che non conosco e resto con quelle MIT e GPLv3 che abilito con
\nsuricata-update enable-source et\/open
\n21\/2\/2025 — 10:59:37 – <Info> — Using data-directory \/var\/lib\/suricata.
\n21\/2\/2025 — 10:59:37 – <Info> — Using Suricata configuration \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 10:59:37 – <Info> — Using \/etc\/suricata\/rules for Suricata provided rules.
\n21\/2\/2025 — 10:59:37 – <Info> — Found Suricata version 6.0.10 at \/usr\/bin\/suricata.
\n21\/2\/2025 — 10:59:37 – <Info> — Creating directory \/var\/lib\/suricata\/update\/sources
\n21\/2\/2025 — 10:59:37 – <Info> — Source et\/open enabled
\ne a seguire stesso comando per le altre liste che ho deciso di usare
\nper verificare che le liste siano abilitate:
\nsuricata-update list-sources –enabled
\nsuricata-update list-sources –enabled
\n21\/2\/2025 — 11:05:12 – <Info> — Using data-directory \/var\/lib\/suricata.
\n21\/2\/2025 — 11:05:12 – <Info> — Using Suricata configuration \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 11:05:12 – <Info> — Using \/etc\/suricata\/rules for Suricata provided rules.
\n21\/2\/2025 — 11:05:12 – <Info> — Found Suricata version 6.0.10 at \/usr\/bin\/suricata.
\nEnabled sources:
\n– aleksibovellan\/nmap
\n– oisf\/trafficid
\n– stamus\/lateral
\n– etnetera\/aggressive
\n– et\/open
\n– tgreen\/hunting
\na questo punto aggiorno suricata con le nuove firme dalle liste che ho aggiunto con:
\nsuricata-update
\n21\/2\/2025 — 11:06:45 – <Info> — Using data-directory \/var\/lib\/suricata.
\n21\/2\/2025 — 11:06:45 – <Info> — Using Suricata configuration \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 11:06:45 – <Info> — Using \/etc\/suricata\/rules for Suricata provided rules.
\n21\/2\/2025 — 11:06:45 – <Info> — Found Suricata version 6.0.10 at \/usr\/bin\/suricata.
\n21\/2\/2025 — 11:06:45 – <Info> — Loading \/etc\/suricata\/drop.conf.
\n21\/2\/2025 — 11:06:45 – <Info> — Loading \/etc\/suricata\/suricata.yaml
\n21\/2\/2025 — 11:06:45 – <Info> — Disabling rules for protocol http2
\n21\/2\/2025 — 11:06:45 – <Info> — Disabling rules for protocol modbus
\n21\/2\/2025 — 11:06:45 – <Info> — Disabling rules for protocol dnp3
\n21\/2\/2025 — 11:06:45 – <Info> — Disabling rules for protocol enip
\n21\/2\/2025 — 11:06:45 – <Info> — Checking https:\/\/rules.emergingthreats.net\/open\/suricata-6.0.10\/emerging.rules.tar.gz.md5.
\n21\/2\/2025 — 11:06:46 – <Info> — Remote checksum has not changed. Not fetching.
\n21\/2\/2025 — 11:06:46 – <Info> — Fetching https:\/\/openinfosecfoundation.org\/rules\/trafficid\/trafficid.rules.
\n100% – 9855\/9855
\n21\/2\/2025 — 11:06:48 – <Info> — Done.
\n21\/2\/2025 — 11:06:48 – <Info> — Fetching https:\/\/security.etnetera.cz\/feeds\/etn_aggressive.rules.
\n100% – 45479\/45479
\n21\/2\/2025 — 11:06:48 – <Info> — Done.
\n21\/2\/2025 — 11:06:48 – <Info> — Fetching https:\/\/ti.stamus-networks.io\/open\/stamus-lateral-rules.tar.gz.
\n100% – 31900\/31900
\n21\/2\/2025 — 11:06:49 – <Info> — Done.
\n21\/2\/2025 — 11:06:49 – <Info> — Fetching https:\/\/github.com\/travisbgreen\/hunting-rules\/raw\/master\/hunting.rules.tar.gz.
\n100% – 12269\/12269
\n21\/2\/2025 — 11:06:49 – <Info> — Done.
\n21\/2\/2025 — 11:06:49 – <Info> — Fetching https:\/\/raw.githubusercontent.com\/aleksibovellan\/opnsense-suricata-nmaps\/main\/local.rules.
\n100% – 3528\/3528
\n21\/2\/2025 — 11:06:49 – <Info> — Done.
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/app-layer-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/decoder-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/dhcp-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/dnp3-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/dns-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/files.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/http-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/ipsec-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/kerberos-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/modbus-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/nfs-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/ntp-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/smb-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/smtp-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/stream-events.rules
\n21\/2\/2025 — 11:06:49 – <Info> — Loading distribution rule file \/etc\/suricata\/rules\/tls-events.rules
\n21\/2\/2025 — 11:06:50 – <Info> — Ignoring file rules\/emerging-deleted.rules
\n21\/2\/2025 — 11:06:51 – <Info> — Loaded 57762 rules.
\n21\/2\/2025 — 11:06:52 – <Info> — Disabled 14 rules.
\n21\/2\/2025 — 11:06:52 – <Info> — Enabled 0 rules.
\n21\/2\/2025 — 11:06:52 – <Info> — Modified 0 rules.
\n21\/2\/2025 — 11:06:52 – <Info> — Dropped 64 rules.
\n21\/2\/2025 — 11:06:52 – <Info> — Enabled 136 rules for flowbit dependencies.
\n21\/2\/2025 — 11:06:52 – <Info> — Backing up current rules.
\n21\/2\/2025 — 11:06:54 – <Info> — Writing rules to \/var\/lib\/suricata\/rules\/suricata.rules: total: 57762; enabled: 43394; added: 944; removed 0; modified: 0
\n21\/2\/2025 — 11:06:55 – <Info> — Writing \/var\/lib\/suricata\/rules\/classification.config
\n21\/2\/2025 — 11:06:55 – <Info> — Testing with suricata -T.
\n21\/2\/2025 — 11:07:11 – <Info> — Done.
\nDovrebbe essere tutto pronto quindo con un \/etc\/init.d\/suricata restart rilancio il demone che comincer\u00e0 a lavorare con i nuovi parametri
\n\/etc\/init.d\/suricata restart
\nStopping suricata: \u00a0done.
\nStarting suricata in IPS (nfqueue) mode… done.
\nRicordo che suricata \u00e8 legato anftables mettendo sostanzialmente in coda sulla coda 0 tutti i pacchetti che entrano da eth0<\/p>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Avendo aggiornato i Bastion host a Devuan 5 Chimaera \u00e8 arrivato il momento di riscrivere il suricata.yaml La precedente versione su chimaera funzionava bene ma qui visto che le forze del male sono sempre di pi\u00f9 all’opera ho deciso di aumentare un po il lavoro che suricata compie aggiungendo un po di liste di verifica […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[222],"tags":[294,135,134],"class_list":["post-2567","post","type-post","status-publish","format-standard","hentry","category-ips","tag-devuan-5","tag-ips","tag-suricata"],"_links":{"self":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2567"}],"version-history":[{"count":2,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2567\/revisions"}],"predecessor-version":[{"id":2571,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2567\/revisions\/2571"}],"wp:attachment":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}