Suricata policies

pagaille (Matthieu Gaillet) 2017-11-01 10:19:16 UTC #1

Hi,

I’m discovering IPS and I wonder how to set Suricata policies.

The doc states that

Suricata can be configured accordingly to following policies. Each policy consists of several rules:

Connectivity: check a large number of vulnerabilities, do not impact on non-realtime applications (eg VoIP)
Balanced: suitable for most scenarios, it is a good compromise between security and usability (recommended)
Security: safe mode but very invasive, may impact on chat and peer-to-peer applications
Expert: the administrator must manually select the rules from the command line

But how do we set those policies ?

Thanks

Matthieu

mrmarkuz (Markus Neuberger) 2017-11-01 11:08:49 UTC #2

Hi @pagaille,

there is a “Download rules” button at bottom of IPS settings. After downloading the rule categories are available. They replace the simple settings I think…

giacomo (Giacomo Sanchietti) 2017-11-01 20:22:50 UTC #3

That part of the manual should be deprecated. AFAIK it should already have been removed by @filippo_carletti.

filippo_carletti (Filippo Carletti) 2017-11-01 20:32:03 UTC #4

Only “latest” has the new text. v7 still has the old text.
http://docs.nethserver.org/en/latest/suricata.html

pagaille (Matthieu Gaillet) 2017-11-02 07:16:38 UTC #5

Thanks All,

I stumbled on that page via google and didnt noticed I wasn’t on the latest version.

Regarding the categories, since they are particularly technically complex, I wish that a button with conservative selection of settings would exist.

Or at least an explanation of possible side effects next to the most sensitive categories ?

Given the orientation of nethserver I guess that others will want to protect their network from intrusion but, like me, aren’t security specialist and don’t fully understand what each category does.

filippo_carletti (Filippo Carletti) 2017-11-02 08:03:23 UTC #6

We tried the “simple” approach (3 presets) until the previous version but we never succeeded in protecting the network. The IPS is complex and must be adapted manually and gradually in every environment.
We could share our experiences and try to write some guidelines.

giacomo (Giacomo Sanchietti) 2017-11-02 08:09:21 UTC #7

v7 branch is now up to date.