No IPS logs since Oct 1 (Update 189)

For some reason, the last IPS log entries I see are from September 30. Ever since October 1, I have no entries. The IPS graph is definitely showing scanning activity, and I’ve always had log entries on a day-to-day basis prior to October. I’m on update 189. Thoughts?

They disabled Suricata logs on CU189 which are very noisy. It could be that that’s all you were seeing (entries beginning with SURICATA) prior, and now that they are disabled, it rarely has a hit.

This was the case for me. Especially when I disabled IP-based rules. For behavior-based rules, they are much more rare to activate.

2 Likes

Ah, I must have missed that in the release notes. I’ll have to go back and re-read. I did have two rulesets I was using in monitoring mode, though, so I’m not sure how to assess those now.

Check release notes for CU188. That’s where the change was made, but due to some other issue, it wasn’t working right until it was fixed in CU189.

Monitoring mode shouldn’t have an effect on rules showing in the logs. It will just log and let the traffic through, rather than logging and blocking.

I definitely understand that, but given I am seeing nothing even being logged (and these rulesets I would definitely expect to be firing), I’m scratching my head on how to see what I think I should be seeing.

Those rulesets are no longer enabled by default and are therefore not being used for scanning.

If there are two rulesets that you want to use for monitoring then you will need to add those in manually so that they are used for scanning and give entries in the logs.

Both additional rulesets I am testing are and have been active – hence, my confusion in not seeing anything in the logs.

How have you made those two rulesets active?

Can you specify what those rulesets are and also show the contents of the file:

/var/ipfire/suricata/suricata-used-rulesfiles.yaml

For them to be getting used they need to be specified in that file.

1 Like

Looking through the change you can either have all the suricata default rules applied or none. There is no option to specify certain rules from the default ruleset.

You could manually add them to that file I mentioned in my earlier post but at the top of that file it has the words

#Autogenerated file. Any custom changes will be overwritten!

So changing anything on the IPS page, such as adding a new ruleset provider or specifying certain rules to be enabled and others disabled within a ruleset will cause that autogenerated file to be re-written.

Those default rules are specified in the directory

/usr/share/suricata/rules/

1 Like
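To verify what the autogenerated file above actually makes Suricata load, here is a small POSIX sh check, added here and not from the thread or the IPFire project: it lists the rule files named in suricata-used-rulesfiles.yaml and counts the uncommented rules in each, so a ruleset that is "active" on the IPS page but missing or empty on disk shows up as 0. The default path is the one quoted in the thread; the built-in demo uses a constructed sample so it runs anywhere.

```shell
#!/bin/sh
# Added example: audit which rule files Suricata will load and how many
# active rules each contributes. Defaults to the IPFire path from the thread.
RULESFILES_YAML="${1:-/var/ipfire/suricata/suricata-used-rulesfiles.yaml}"

# Extract rule file paths: the YAML lists them as " - /absolute/path".
list_rulefiles() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\(\/.*\)$/\1/p' "$1"
}

# Count active rules in one file: lines starting with a rule action and
# not commented out. A missing file counts as 0 (it silently loads nothing).
count_active_rules() {
    if [ -f "$1" ]; then
        grep -c -E '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
    else
        echo 0
    fi
}

# Print "<active rule count> <path>" for every listed rule file.
report() {
    list_rulefiles "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(count_active_rules "$f")" "$f"
    done
}

# Constructed sample (not real IPFire data) so the script can be exercised
# without a firewall: one ruleset with two active and one commented rule,
# plus a listed file that does not exist on disk.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'alert tcp any any -> any any (msg:"demo 1"; sid:1000001; rev:1;)' \
        '# alert tcp any any -> any any (msg:"disabled"; sid:1000002; rev:1;)' \
        'drop ip any any -> any any (msg:"demo 2"; sid:1000003; rev:1;)' \
        > "$tmp/demo-ruleset.rules"
    printf '%%YAML 1.1\n---\n\n#Autogenerated file. Any custom changes will be overwritten!\n - %s\n - %s\n' \
        "$tmp/demo-ruleset.rules" "$tmp/missing-ruleset.rules" > "$tmp/used.yaml"
    report "$tmp/used.yaml"
    rm -rf "$tmp"
}

demo
```

Run it with no argument to see the demo, or pass the real YAML path (or run `report /var/ipfire/suricata/suricata-used-rulesfiles.yaml` on the firewall) to audit a live configuration.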

If you want a quick check, I have found the most active rules for me are the Etnetera Aggressive Blacklist rules. Make sure after adding the ruleset to then click the Customize ruleset button, find the ruleset and check the box to the left of it to enable it.

1 Like

Here’s my suricata-used-rulesfiles.yaml for the two I want to monitor:

%YAML 1.1
---

#Autogenerated file. Any custom changes will be overwritten!
 - /var/lib/suricata/whitelist.rules

#Used Rulesfiles for provider tgreen.
 - /var/lib/suricata/tgreen-ruleset.rules

#Used Rulesfiles for provider threatfox.
 - /var/lib/suricata/threatfox-ruleset.rules

A bit off topic here but related… Regarding the default rules in /usr/share/suricata/rules/ – is there a reason why there isn’t a provider that can be selected and then customized as all the other providers? How are these default rules even enabled?

Those two rulesets are not from the Default Ruleset. They are from the Travis-Green Hunting and the Threatfox indicators of compromise ruleset providers. Nothing has changed with those so there will be no difference to your monitoring.

Historically they were enabled by default in the coding. Lots of users complained that these rules provided no benefit but just cluttered up the logs.

The CU188 change made those rules no longer enabled unless doing development work, when you can change the value of a variable in the ids.cgi code so that those rules are included into the ruleset list.

It was not made modifiable originally as they were designed to be used as standard in all setups.

To now make it able to be selected then someone would have to change the code to be able to select those rules. However, it can’t just be added to the sources files as it is not a downloaded provider list but a list defined by the suricata source code. So the code for handling providers would need altering to be able to work with both downloaded providers and the list from a directory structure.

The dev team doesn’t have the time to do this, and all the historical complaints were about stopping all the default rules. Anyone wanting to make those rules able to be selected on a rule by rule basis can modify the code to enable that and submit a patch set into the IPFire dev mailing list. Details of submitting patches are in the wiki.

1 Like

I understand, and the rationale makes sense given user complaints.

Going back through documentation for IPS, there was/is a general recommendation for home users to use the emergingthreats.net ruleset. Did anyone ever go down the road of recommending the specific rules within that ruleset that home users should consider enabling? I could not find any recommendations to that effect, which is why I started down the path of looking at these other rulesets, as I would like to be able to make recommendations to other people just getting started out with IPFire. The lack of an obvious default set makes this counter-intuitive.

No because what would make sense for me as a home user (single person on the network, most network connections done by cabling, very strong password protection, never clicking links in emails, using minimal social apps etc) might not make sense for another home user (family with teenagers, using many social apps, doing gaming, video downloads etc).

That is why the wiki documentation has a section on ruleset selection

https://www.ipfire.org/docs/configuration/firewall/ips/rulesets

and another on rule selection

https://www.ipfire.org/docs/configuration/firewall/ips/rule-selection

These are what I went through and then I went through looking at what I had on my network and what potential risks I would be concerned about.

There is no default ruleset that can just be applied without having to think about its effect on your network.

3 Likes

I appreciate the information and the perspective. Yes, the two Wiki articles you mentioned were my primary reference when I configured suricata with a subset of the ET ruleset several revisions ago that works well for me with no discernible loss in throughput given my 1Gb internet connection.

Again, thank you very much for the advice and assistance.