@jackyes will add that to the list of things to try
To test if it works, create a custom rule.
put a file named customrules.rules in /etc/suricata/rules
and add in it:
drop tcp any any -> any any (msg:"facebook Block =)"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1;)
in /etc/suricata/suricata.yaml
add customrules.rules to the enabled rules
example:
rule-files:
- customrules.rules
- botcc.rules
- ciarmy.rules
- compromised.rules
- drop.rules
this will trigger when trying to reach facebook.com
UPDATE
to use suricata in IPS mode (for the machine itself):
#start suricata with the -q 0 option
suricata -q 0 &
#add these iptables rules
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
To use suricata in IPS mode (as gateway): Not tested
#start suricata with the -q 0 option
suricata -q 0 &
#add this iptables rule
iptables -I FORWARD -j NFQUEUE
Hope this helps.
@jackyes to use suricata in IPS mode put the following line in /etc/sysconfig/suricata:
OPTIONS="-q 0 --user suricata "
I tested it for some minutes on a slow hw (AMD G-T40N @ 800MHz) and even suricata cuts the bandwidth.
Also, there's no need to use oinkmaster, since pulledpork is already working.
To use it:
ln -sf /etc/snort/rules/snort.rules /etc/suricata/rules/
And put snort.rules in suricata.yaml.
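As an added example that is not code from this thread or from NethServer, here is the procedure from the two posts above (custom rule file, rule-files entry in suricata.yaml, `-q 0` plus NFQUEUE wiring) collected into one idempotent POSIX shell script, with the check a practitioner wants before going live: `suricata -T` parses the config and every enabled rule file and reports the rules it could not load (unlike snort, suricata logs a bad rule and keeps going, so a silently dropped rule is easy to miss). The sid 1000001 (local-rule range), the `DRY_RUN` variable, the `--queue-bypass` flag on the NFQUEUE target and the loopback exclusion are my additions; the rule text, paths and queue number are the ones used above. Without `--queue-bypass`, packets sent to a queue that nobody is listening on are dropped, so if suricata crashes or is restarted the host (or, in gateway mode, the whole LAN) loses connectivity; with it they pass uninspected until suricata is back.

```shell
#!/bin/sh
# Added example, not from the thread or NethServer: stage a custom Suricata rule,
# enable it in suricata.yaml, validate with `suricata -T`, and wire up NFQUEUE
# for IPS mode. Assumptions: sid 1000001, the DRY_RUN variable and --queue-bypass
# are choices made here; paths, rule text and queue number follow the posts above.

RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Write the rule from the post into customrules.rules. Local rules get sids at or
# above 1000000 so they never collide with the feeds pulledpork pulls in.
write_custom_rule() {
    rules_dir="$1"
    mkdir -p "$rules_dir"
    cat > "$rules_dir/customrules.rules" <<'EOF'
drop tcp any any -> any any (msg:"facebook Block =)"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)
EOF
}

# Cheap structural check on one rule line before handing it to suricata -T:
# known action, protocol, direction arrow, option block and a sid. 0 = pass, 1 = fail.
check_rule_syntax() {
    rule="$1"
    case "$rule" in
        "alert "*|"drop "*|"pass "*|"reject "*) ;;
        *) echo "bad action: $rule" >&2; return 1 ;;
    esac
    printf '%s\n' "$rule" | grep -Eq ' (tcp|udp|icmp|ip|http|tls|dns) [^ ]+ [^ ]+ (->|<>) [^ ]+ [^ ]+ \(.*sid:[0-9]+;.*\)$' \
        || { echo "missing header or sid: $rule" >&2; return 1; }
    return 0
}

# Add "- NAME" directly under "rule-files:" unless it is already listed (idempotent,
# so re-running the script does not load the file twice).
enable_rule_file() {
    yaml="$1"; name="$2"
    grep -Eq "^[[:space:]]*-[[:space:]]*$name[[:space:]]*$" "$yaml" && return 0
    awk -v n="$name" '{ print } /^rule-files:/ { print "  - " n }' "$yaml" > "$yaml.tmp" \
        && mv "$yaml.tmp" "$yaml"
}

# How many times a rule file is listed; used to prove the insert is idempotent.
count_rule_file() {
    grep -Ec "^[[:space:]]*-[[:space:]]*$2[[:space:]]*$" "$1"
}

# Let suricata itself parse the config and every enabled rule file (-T = test mode).
# This is where rules that suricata skipped at load time show up as errors.
validate_config() {
    command -v suricata >/dev/null 2>&1 || { echo "suricata not installed, skipping -T" >&2; return 0; }
    suricata -T -c "$1"
}

# IPS wiring for queue 0 (matches `suricata -q 0`). --queue-bypass makes the rule act
# like ACCEPT while nothing is bound to the queue (suricata down or restarting);
# without it the box goes dark. Loopback is skipped so local services keep talking.
# Only executes as root with iptables present and DRY_RUN unset; otherwise prints.
install_nfqueue_rules() {
    mode="$1"   # host (INPUT+OUTPUT, as in the first post) or gateway (FORWARD)
    case "$mode" in
        host)    set -- "INPUT ! -i lo" "OUTPUT ! -o lo" ;;
        gateway) set -- "FORWARD" ;;
        *) echo "mode must be host or gateway" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        cmd="iptables -I $spec -j NFQUEUE --queue-num 0 --queue-bypass"
        if [ -z "${DRY_RUN:-}" ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
            $cmd
        else
            echo "would run: $cmd"
        fi
    done
}

# Usage: sh suricata-custom.sh deploy host|gateway   (start suricata -q 0 first)
if [ "${1:-}" = "deploy" ]; then
    write_custom_rule "$RULES_DIR"
    check_rule_syntax "$(cat "$RULES_DIR/customrules.rules")"
    enable_rule_file "$SURICATA_YAML" customrules.rules
    validate_config "$SURICATA_YAML"
    install_nfqueue_rules "${2:-host}"
fi
```

Start suricata (or the init script with `OPTIONS="-q 0 --user suricata"` from the post above) before inserting the NFQUEUE rules, or rely on `--queue-bypass`; either way, run `validate_config` after every rule update so a rejected rule is noticed instead of silently missing.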
Can you give numbers? compared to snort?
Unfortunately not easily. I'm using that hw to test a custom snort config with app detection. I'd need to bring it back to factory default, but only after I end my tests.
Sorry, but I can't run a test because my connection is too slow to be cut.
I can't install suricata because it needs Python 2.7, which is not installable.
Are you on NS6 or NS7?
I'm on NS6. I gave NS7 a try but the (KVM) virtual machine hung on boot.
Does that mean suricata has to be started twice? Once as IDS and once as IPS?
Okay, I reinstalled NS7 and could then install suricata following the Howto of jackyes and Filippo's hints. The result is amazing:
With Snort the bandwidth goes down from 400 mbs to about 150.
With Suricata the full bandwidth is preserved! But Suricata consumes more memory.
There must be something wrong with the implementation of Snort in NethServer. I used Snort with pfSense before, and there it behaved just like Suricata.
snort in NS is used in nfq mode.
How did you setup suricata?
As I said, I followed the instructions of jackyes and yours for the IPS mode.
What is nfq mode?
The way NethServer sends traffic to snort (or suricata).
In my instructions above:
I'm testing suricata on NethServer 7 in production: it behaves really well.
Details: I'm using an Atom C2518 CPU that is slow enough to cut bandwidth with snort. With a similar ruleset (16541 rules) suricata doesn't cut bandwidth and reaches 70% cpu at max.
I'll try to fine tune suricata.
After some weeks of tests I'd like to propose to switch to Suricata as default IPS on NethServer 7 and drop snort.
Some reasons:
- snort doesn't start when it encounters errors in rules
- snort cuts bandwidth on slow cpu
- snort init script says it's running while it's not
- snort never accepted our improvements to init script
- we have to build and maintain our snort package
Suricata has a good package maintained by competent people at epel.
It's fast and doesn't cut bandwidth.
What do you think? Do we need to run a poll?
Any more reasons to justify the switch? Or something I forgot that will force us to keep snort?
I don't think that a poll is needed. We have encountered many issues related to snort here in the community, so it looks like a win-win choice to me.
Also using a well-tested epel rpm is definitely a good plus.
That sounds quite awesome actually.
It's true that Suricata does not cut bandwidth, but unfortunately it has a memory leak. No matter how much memory I allocate to NS, Suricata takes it all and after about 30 hours it starts to eat up the swap memory until nothing is left. That's why I switched back to pfSense for now. I'm missing the postfix forwarder there, but at least Snort works correctly and can be fine-tuned via the web gui.