Suricata loves EveBox

testing
suricata
v7

(Giacomo Sanchietti) #1

Thanks to @filippo_carletti's work, we now have a fully revised Suricata implementation.

Features:

  • use Emerging Threats rules
  • allow configuration of rule categories from Server Manager: each category can be disabled, enabled only for alerting, enabled for blocking bad traffic
  • EveBox ( https://evebox.org/ ) is now part of the stack and can be used to see a report of blocked/alerted rules

This is a screenshot of EveBox on our production firewall:

Enjoy the testing and let us know what you think!


IPS Categories to enable
#2

Just to verify my memory, Nethserver’s suricata implementation only works inline, not as a standalone using promisc off a tap?


(Filippo Carletti) #3

Yes, inline only, using nfqueue.


(Michael Kicks) #4

Is it in the testing repository?


(Marc) #5

Yes. You can find test cases on the issue linked above


(Joel Clendineng) #6

I <3 you guys, been messing with EveBox myself, this looks amazing


(Joel Clendineng) #7

Tested and working great! Enabled the testing repo but the software center would not allow me to install because of a conflict with ntop, but I ssh'd in and manually installed the packages and it's working great. I need to do some reading up on what the different categories mean, but it's fantastic. I'm sure I can add rules from other sources such as snort/other suricata rules? This is great.

Edit: So I can add .rules files with “ET-****.rule” in the suricata rules folder and it looks like it accepts it, naming is off but it's fantastic.


(Giacomo Sanchietti) #8

Packages from testing should always be installed from command line.
EveBox and Suricata don't conflict with ntopng, but the new ntopng-pcap package does.

As you found, the web interface currently displays all files named “ET-*” from /etc/suricata/rules.
We could also add other file names; what rules do you use? Can you find a name pattern for them as well?


(Joel Clendineng) #9

I was just playing with the rules :smile: Whatever pattern you come up with I think is good, this is an amazing addition.


(Joel Clendineng) #10

How would I go about updating when ntop errors out? ntopng was uninstalled before I installed evebox, not sure why it's back.

Edit: as a workaround I did a yum remove of ntopng and ntopng-data so I could update, I'll reinstall if needed for evebox later.


(Kevin Farmer) #11

I have installed from testing repo from CLI:

nethserver-suricata-1.0.1-1.12.g186868d.ns7.noarch.rpm
nethserver-pulledpork-2.0.1-1.11.gf70729e.ns7.noarch.rpm
nethserver-evebox-0.0.1-1.ns7.noarch.rpm

Rules are downloaded and set up to alert. It's been 2 days and still no alerts. I even created a local.rules to do some testing and still nothing. My local rule is simply

drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:10000001;)

I still get Facebook. What am I missing? I see Drops and Rejects in firewall.log, but nothing in Suricata drop.log
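The question above is essentially "did my rule fire, and if so, was the packet actually dropped?" Suricata's EVE JSON output answers both: every alert record carries `alert.action`, which is "blocked" when a drop/reject was enforced and "allowed" when the rule matched but the packet was passed (for example when the engine is not running inline, or the category is set to alert only). The following is an added example, not code from the thread or from NethServer, that summarizes eve.json alert records per signature ID and lists rules that matched without ever blocking. It assumes EVE alert logging is enabled and written to /var/log/suricata/eve.json (both are assumptions; adjust the path for your install). The sample records embedded in the script are constructed, with the first two mimicking the local.rules signature from the post.

```python
"""Summarize Suricata EVE JSON alerts by signature and by enforced action.

Added example (not part of the forum thread or NethServer's packages).
Assumes eve.json-style alert output; the default path below is an assumption.
"""
import json
import os

# Constructed sample records in the shape Suricata writes to eve.json
# (fields trimmed to those this example uses). The non-alert and malformed
# lines are there to show the parser skipping them.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-06-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"action":"allowed",'
    '"signature_id":10000001,"signature":"facebook is blocked",'
    '"category":"Potential Corporate Privacy Violation"}}',
    '{"timestamp":"2018-06-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"action":"allowed",'
    '"signature_id":10000001,"signature":"facebook is blocked",'
    '"category":"Potential Corporate Privacy Violation"}}',
    '{"timestamp":"2018-06-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.0.2.20","alert":{"action":"blocked",'
    '"signature_id":2000001,"signature":"ET SCAN constructed example",'
    '"category":"Attempted Information Leak"}}',
    '{"timestamp":"2018-06-01T10:00:03.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5"}',
    'not json at all',
]

DEFAULT_EVE_PATH = "/var/log/suricata/eve.json"  # assumed location


def parse_eve_alerts(lines):
    """Yield alert records from eve.json lines; skip other event types and junk."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or foreign line should not abort the report
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        yield rec


def summarize_alerts(lines):
    """Return {sid: {"signature": str, "allowed": n, "blocked": n}}."""
    summary = {}
    for rec in parse_eve_alerts(lines):
        alert = rec["alert"]
        sid = alert.get("signature_id")
        entry = summary.setdefault(
            sid, {"signature": alert.get("signature", ""), "allowed": 0, "blocked": 0}
        )
        action = alert.get("action")
        if action in ("allowed", "blocked"):
            entry[action] += 1
    return summary


def matched_but_not_blocked(summary):
    """SIDs that fired but never produced a 'blocked' action: rule hit, packet passed."""
    return sorted(
        sid for sid, e in summary.items() if e["allowed"] > 0 and e["blocked"] == 0
    )


def main(path=DEFAULT_EVE_PATH):
    """Report on the real eve.json if present, otherwise on the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = fh.readlines()
    else:
        print(f"{path} not found, using constructed sample records")
        lines = SAMPLE_EVE_LINES
    summary = summarize_alerts(lines)
    print(f"{'sid':>10}  {'allowed':>7}  {'blocked':>7}  signature")
    for sid, e in sorted(summary.items()):
        print(f"{sid:>10}  {e['allowed']:>7}  {e['blocked']:>7}  {e['signature']}")
    for sid in matched_but_not_blocked(summary):
        print(f"sid {sid} matched but was never blocked: check inline/nfqueue mode "
              f"and the category's alert-vs-block setting")


if __name__ == "__main__":
    main()
```

On the sample data the local-rule signature shows two "allowed" hits and zero "blocked", which is exactly the pattern to expect when a drop rule matches but Suricata is not dropping; seeing no alert record at all for the SID means the rule did not match in the first place (wrong buffer, rule file not loaded, or traffic not passing through the engine), which is a different problem.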


(Filippo Carletti) #12

Let’s start looking at suricata logs:

/var/log/suricata/suricata.log
/var/log/suricata/fast.log