[IPS (suricata)] “What Every IDS User Should Do"?

Hello,
I was starting to try out the IPS on IPFire.

The wiki provides some good info and several useful links for this, and one led me to “What Every IDS User Should Do”.

Among other things it made the apparently pretty good recommendation to configure all “Unused Ports”.

As IPFire knows all forwarded ports, this makes me ask if IPFire already configures suricata with the proper unused ports derived from that.

Does IPFire already run suricata with such “every IDS user” improvements to the default configuration?


The IPFire IPS uses the rulesets defined in the table on the webpage.

There are no additional rules added related to unused ports or anything else.

As the link writes:-

You should consider and adjust these port ranges to suit your own need.

The port ranges to provide rules for can not be done on a generic basis.

You can however create those rules yourself and add them to the selected ruleset you have chosen. You can create a local.rules file where you can add your own developed rules. See the following thread for details.

https://community.ipfire.org/t/custom-suricata-rules/4656/6

The port ranges to provide rules for can not be done on a generic basis.

Granted, not statically, but on IPFire I’d thought the unused ports would be known as all ports minus those with a port forwarding or IPFire service running. Thus fully determined by the existing IPFire config.

Thanks for the info about custom rules, that will be helpful.
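As an added illustration of the point discussed in this thread (example code written for this post, not from IPFire, Suricata or the linked wiki): a small Python script that takes the ports IPFire is known to use (forwarded ports plus its own services, supplied here as a constructed list since the script does not read IPFire's configuration) and emits Suricata alert rules covering the remaining, unused ports, in the form you would paste into a local.rules file. The sid values are constructed and sit in the 1000000+ range conventionally reserved for local rules.

```python
"""Generate Suricata "unused port" alert rules for a local.rules file.

Assumption: the ports in use (port forwards plus services IPFire itself exposes)
are passed in as a list; IPFire's own config format is not parsed here.
"""


def unused_port_ranges(used_ports, lo=1, hi=65535):
    """Return the complement of used_ports within [lo, hi] as (start, end) tuples."""
    used = sorted({p for p in used_ports if lo <= p <= hi})
    ranges = []
    cur = lo
    for p in used:
        if p > cur:                      # gap before this used port -> unused range
            ranges.append((cur, p - 1))
        cur = p + 1
    if cur <= hi:                        # trailing unused range up to hi
        ranges.append((cur, hi))
    return ranges


def suricata_port_list(ranges):
    """Format ranges in Suricata port-list syntax, e.g. [1:21,23,25:65535]."""
    parts = [str(a) if a == b else f"{a}:{b}" for a, b in ranges]
    return "[" + ",".join(parts) + "]"


def build_rules(used_ports, base_sid=1000001):
    """Return one TCP and one UDP rule alerting on inbound traffic to unused ports."""
    ports = suricata_port_list(unused_port_ranges(used_ports))
    rules = []
    for i, proto in enumerate(("tcp", "udp")):
        # For TCP, only fire on the initial SYN (flags:S, ignoring the ECN bits)
        # so one scan does not produce an alert per packet.
        extra = "flags:S,12; " if proto == "tcp" else ""
        rules.append(
            f"alert {proto} $EXTERNAL_NET any -> $HOME_NET {ports} "
            f'(msg:"LOCAL inbound to unused {proto} port"; {extra}'
            f"classtype:attempted-recon; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    # Constructed example: SSH, HTTP and HTTPS are the only ports in use.
    print("\n".join(build_rules([22, 80, 443])))
```

Whether such a broad rule is worth its noise depends on how exposed the interface is; the recommendation in the linked article is to tune these ranges to your own setup rather than alert on everything.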