CU188 silencing Suricata

Hi,

In the release notes for CU188 it says:

Intrusion Prevention System
The verbose builtin Suricata rules are no longer enabled by default which will create less noise in the logs

This is a welcome feature. But I am curious if there is a toggle somewhere to turn Suricata rules back on? Either as a whole, or individually? If not, is this planned in a future update?

Edit: about 20 minutes after upgrading to 188, I see a Suricata log entry:

SURICATA STREAM Packet with invalid timestamp

Can someone elaborate on what was changed? I did not expect to see any entries in the IPS logs that were from Suricata.

FYI, this is the only log entry after 20 minutes.

Maybe it’s not functioning correctly? My IPS logs are filled with this when I disable my firewall rule that blocks QUIC protocol ports.

SURICATA QUIC failed decrypt

Maybe it works for some rules but not all verbose rules yet?

I just did a search in the CU188 git repo for suricata

https://git.ipfire.org/?p=ipfire-2.x.git&a=search&h=refs%2Fheads%2Fcore188&st=commit&s=suricata

Looking down the list I found one called
Disable logging of App Layer events by default

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=1674ec72052f7d32b3583737c0c6673fd3571c72
and the changes apply to the ids-functions.pl code.

Then you can select the diff and see the changes in the code.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/cfgroot/ids-functions.pl;h=399f5cbf8bfac4c5737f14e2e6dc861b58c35153;hp=3eb883aa94f558b0f9dba83c52adce21ca181f2f;hb=1674ec72052f7d32b3583737c0c6673fd3571c72;hpb=33a2aff4168db7554ce26b574443bcb2dc58434d

1 Like

Reading through the code, if I understand it correctly, if a variable is set it prints the rules into the appropriate Suricata file. The default in the code is for the variable to be =0, which means it is not set, so as standard it will not have the rules in the file.

This can be easily checked by looking in the appropriate file to see if the rules have been written or not.

I cannot check this as currently I don’t have access to a Core Update 188 system.

1 Like

Apparently it is not working. Yesterday I ended up with over 6000 IPS hits and so far this morning (5:05am) it’s already at over 13000 hits.

Can you tell me where this file is and what I am looking for when you get a CU188 system up and running?

Thank you.

I have vm CU188 systems available but they are on a system that I can’t run remotely.

However I can tell you the location and file.

/var/ipfire/suricata/suricata-used-rulesfiles.yaml

If the files have been included you would see

%YAML 1.1
---

#Autogenerated file. Any custom changes will be overwritten!
 - /var/lib/suricata/whitelist.rules

#Default rules for used application layer protocols.
 - /usr/share/suricata/rules/app-layer-events.rules
 - /usr/share/suricata/rules/decoder-events.rules
 - /usr/share/suricata/rules/dhcp-events.rules
 - /usr/share/suricata/rules/dns-events.rules
 - /usr/share/suricata/rules/files.rules
 - /usr/share/suricata/rules/ftp-events.rules
 - /usr/share/suricata/rules/http-events.rules
 - /usr/share/suricata/rules/http2-events.rules
 - /usr/share/suricata/rules/kerberos-events.rules
 - /usr/share/suricata/rules/mqtt-events.rules
 - /usr/share/suricata/rules/nfs-events.rules
 - /usr/share/suricata/rules/ntp-events.rules
 - /usr/share/suricata/rules/quic-events.rules
 - /usr/share/suricata/rules/rfb-events.rules
 - /usr/share/suricata/rules/smb-events.rules
 - /usr/share/suricata/rules/smtp-events.rules
 - /usr/share/suricata/rules/ssh-events.rules
 - /usr/share/suricata/rules/stream-events.rules
 - /usr/share/suricata/rules/tls-events.rules

which would be followed by any ruleset provider rules that you have selected.

If the code change worked then none of these lines should be present.
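One way to run that check from a shell, as an added example that is not from the thread or from IPFire's own code: it greps the autogenerated file for builtin event rule files and reports whether any are still included. The sample file contents it writes for testing outside IPFire, and the provider rule path in them, are constructed.

```shell
#!/bin/sh
# Added example (not IPFire code): check whether the autogenerated
# /var/ipfire/suricata/suricata-used-rulesfiles.yaml still lists the
# builtin Suricata event rule files that CU188 meant to disable by default.
# Assumes the entry format shown in the thread (" - /path/to/file.rules").

DEFAULT_FILE=/var/ipfire/suricata/suricata-used-rulesfiles.yaml

# Print the builtin event rule files still included in the given yaml file.
list_builtin_rules() {
    grep -E '^[[:space:]]*-[[:space:]]*/usr/share/suricata/rules/[a-z0-9-]+\.rules' \
        "${1:-$DEFAULT_FILE}" || true
}

# Print the number of builtin rule files still included.
count_builtin_rules() {
    list_builtin_rules "$1" | wc -l | tr -d '[:space:]'
}

# Exit status 0 when the CU188 change is effective (no builtin files listed).
builtin_rules_disabled() {
    [ "$(count_builtin_rules "$1")" -eq 0 ]
}

# Write a constructed sample file: "before" mirrors the thread's listing
# (shortened), "after" shows the file once only provider rules remain.
write_sample() {
    {
        printf '%%YAML 1.1\n---\n\n#Autogenerated file. Any custom changes will be overwritten!\n'
        printf ' - /var/lib/suricata/whitelist.rules\n\n'
        if [ "$2" = before ]; then
            printf '#Default rules for used application layer protocols.\n'
            for p in app-layer decoder dns quic stream tls; do
                printf ' - /usr/share/suricata/rules/%s-events.rules\n' "$p"
            done
            printf '\n'
        fi
        # Provider ruleset path below is a constructed placeholder.
        printf '#Provider rules (constructed path for this example).\n'
        printf ' - /var/lib/suricata/provider-example.rules\n'
    } > "$1"
}

# On an IPFire box, report the state of the real file; skipped elsewhere.
if [ -r "$DEFAULT_FILE" ]; then
    if builtin_rules_disabled; then echo "OK: no builtin event rule files listed"
    else echo "builtin event rule files still listed:"; list_builtin_rules; fi
fi
```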

They are all still present. No wonder the suricata rules are all still spamming my logs.

Looking at my installation of CU188 shows that ids-functions.pl is not changed.

This explains the discrepancy between the patch (which is functional, IMO) and the reality of a running CU188.

1 Like

Looking into the git repo commit list, the change was listed in there but it was not added to the shipped list.

ipfire-2.x/config/rootfiles/core/188/filelists/files

I will discuss this with @ms later today to see what can be done about it.

2 Likes

Adolf and I are currently at our annual IPFire Meetup and just after breakfast we fixed this. It is not a missing file; it is just that the file is autogenerated, which is not happening on the updated systems.

If you want to change this manually, just hit the Save button on the IPS page and that should regenerate the file and reload Suricata.

3 Likes

Thank you, sir. I hope the Meetup is productive and enjoyable!

@ms, you are right (partly). /var/ipfire/suricata/suricata-used-rulesfiles.yaml is autogenerated. But the generating function in ids-functions.pl doesn’t contain the modifications cited by @bonnietwin.
So a save in the WUI doesn’t change anything.

Thank you, we have just started.

Hi @bbitsch

Could you try running the command that has been put into the update.sh file? This will run for new CU188 and later CU189 updates.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/rootfiles/core/189/update.sh;h=3bcbcb3bbb96496fe5ae8de7346c2774c5d8d385;hp=149f8f6774463b0afbba49c77cf41ec3fd96f24f;hb=4913a44798caa0a190aef6cfced766e713ea260a;hpb=3cd62a7c4cacd3e2821658f9e36667e81b17cf11

Adolf, it is true that the commands of update.sh delete the lines in suricata-used-rulesfiles.yaml. But each modification to the rules ('customize ruleset' in the WUI) restores the lines. write_used_rulesfile_file() is called as write_used_rulesfiles_file(@enabled_providers), which generates the lines.
The section 'Default rules for used application layer protocols.' is generated in both cases. The modification you cited suppresses that part.

Thanks @bbitsch for the testing and feedback.

Working on the fix currently.

I have now set up a local vm ipfire and vm green client on my laptop so I will be able to test it out here once the builds are completed so I can do a repeat CU188 update.

It seems that all the Suricata default rules are set to alert other than this one set to drop.

stream-events.rules:drop tcp any any -> any any (msg:"SURICATA STREAM 3way handshake toclient data injection suspected"; flow:to_client; stream-event:3whs_ack_data_inject; classtype:protocol-command-decode; sid:2210057; rev:1;)

Is there a mechanism to enable this one drop rule while leaving the others disabled?

@bonnietwin @ms

Now that I’ve had about a week of testing the IPS on CU189, I am even more grateful for the removal of the default Suricata rules. It’s so nice to actually see meaningful rules without exporting thousands of rules into a spreadsheet and sorting them to separate the wheat from the chaff. Another cool thing is I can also more easily tune the used rulesets because other noisy false rules are more visible and can be selectively disabled.

Thanks so much, IPFire team.