Suricata loves EveBox

Thanks to @filippo_carletti work, we now have a fully revised Suricata implementation.

Features:

  • use Emerging Threats rules
  • allow configuration of rule categories from Server Manager: each category can be disabled, enabled only for alerting, enabled for blocking bad traffic
  • EveBox ( https://evebox.org/ ) is now part of the stack and can be used to see a report of blocked/alerted rules

This is a screenshot of EveBox on our production firewall:

Enjoy the testing and let us know what you think!

7 Likes

Just to verify my memory, Nethserver’s suricata implementation only works inline, not as a standalone using promisc off a tap?

Yes, inline only, using nfqueue.

It’s in testing repository?

Yes. You can find test cases on the issue linked above.

I <3 you guys, been messing with EveBox myself, this looks amazing

1 Like

Tested and working great! Enabled the testing repo but the software center would not allow me to install because of a conflict with ntop, but I ssh'd in and manually installed the packages and it's working great. I need to do some reading up on what the different categories mean, but it's fantastic. I'm sure I can add rules from other sources such as Snort/other Suricata rules? This is great.

Edit: So I can add .rules files named “ET-****.rule” in the suricata rules folder and it looks like it accepts them; the naming is off but it's fantastic.

Packages from testing should always be installed from the command line.
EveBox and Suricata don't conflict with ntopng, but the new ntopng-pcap package does.

As you found, actually, the web interface displays all files named “ET-*” from /etc/suricata/rules.
We could also add other file names; what rules do you use? Can you find a name pattern for them too?

1 Like

I was just playing with the rules :smile: Whatever pattern you come up with I think is good, this is an amazing addition.

How would I go about updating when ntop errors out? ntopng was uninstalled before I installed EveBox, not sure why it's back.

Edit: as a workaround I did a yum remove of ntopng and ntopng-data so I could update; I'll reinstall if needed for EveBox later.

I have installed from testing repo from CLI:

nethserver-suricata-1.0.1-1.12.g186868d.ns7.noarch.rpm
nethserver-pulledpork-2.0.1-1.11.gf70729e.ns7.noarch.rpm
nethserver-evebox-0.0.1-1.ns7.noarch.rpm

Rules are downloaded and alerts are set up. It's been 2 days and still no alerts. I even created a local.rules to do some testing and still nothing. My local rule is simply

drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:10000001;)

I still get Facebook. What am I missing? I see Drops and Rejects in firewall.log, but nothing in Suricata drop.log

Let’s start looking at suricata logs:

/var/log/suricata/suricata.log
/var/log/suricata/fast.log
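As an added example (not code from the thread or from the NethServer project), here is a small parser for Suricata's fast.log that summarises events per signature and per action, so you can quickly see whether a rule such as sid 10000001 fired at all and whether Suricata dropped or only alerted; the log lines below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample fast.log lines (not taken from the thread). Suricata
# prefixes dropped packets with "[Drop]" (or "[wDrop]" when it would have
# dropped but is not running inline); plain alerts have no prefix.
SAMPLE_FAST_LOG = """\
04/20/2018-10:23:45.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 93.184.216.34:80 -> 192.168.1.10:54321
04/20/2018-10:24:01.000001  [Drop] [**] [1:10000001:0] facebook is blocked [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:54322 -> 157.240.1.35:80
04/20/2018-10:24:02.000002  [Drop] [**] [1:10000001:0] facebook is blocked [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.11:50000 -> 157.240.1.35:80
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"] or "alert"   # no prefix means alert-only
    ev["sid"] = int(ev["sid"])
    ev["priority"] = int(ev["priority"])
    return ev


def summarize(text):
    """Count events per (sid, action) and collect the source hosts per sid."""
    counts = Counter()
    sources = {}
    for line in text.splitlines():
        ev = parse_fast_log_line(line)
        if ev is None:
            continue
        counts[(ev["sid"], ev["action"])] += 1
        # strip the port; rsplit keeps IPv6 addresses intact
        sources.setdefault(ev["sid"], set()).add(ev["src"].rsplit(":", 1)[0])
    return counts, sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_FAST_LOG)
    for (sid, action), n in sorted(counts.items()):
        print(f"sid {sid}: {n} x {action}, sources: {sorted(sources[sid])}")
```

Note that the `http_header` keyword in the rule quoted above only inspects plaintext HTTP, so HTTPS connections to facebook.com will never produce a match; a rule that logs nothing in fast.log is a different problem from one that matches but is not dropped.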