Name

ips — intrusion detection/prevention system and the related aspects

Description

suricata(1) IDS/IPS is integrated in Kernun UTM where it known as ids-agent.

Configuration

ids-agent is configured in the adaptive-firewall.ids-agent section on the system level of the Kernun UTM configuration. See system(5) and adaptive-firewall(5).

ids-agent can run in two modes, selected by the presence of item system.adaptive-firewall.ips:

IDS mode

The suspicious traffic is logged but no other action is taken.

IPS mode

The suspicious traffic is logged and reported to pf-control(8) which blocks it.

The traffic from the interfaces named by items iface are analyzed by the ids-agent.

Rule refreshments aspects can be configured using the rules-download section.

Providing the rules

Section rules can be used to define the rules directly in CML.

Use item include-rules to reference an external file with the rules in suricata syntax. The file will be copied, and the copy-filename will be referenced in ids-agent configuration.

Use item add-rule to define the rule directly in CML syntax. The rules will be flushed into a text file in suricata syntax, and referenced in ids-agent configuration.

Item change-rules-to-block can be used to change the action of rules specified by ID to block.

Item disable-rules disables rules that were published as enabled, effectively removing them from existence for ids-agent.

Item enable-rules enables rules that were published as enabled.

Items global-rate-filter and rule-rate-filter can be used to conditionally change the action of either all rules or only of given rules. It specifies how many times a given rule needs to be detected before its action is changed to a different given action. This is useful for example to make the rule alert 10 times within a minute before the communication is blocked.

Items global-suppress and rule-suppress are similar to *-rate-filter, the difference being that the condition is not number of occurences but rather the IP addresses. These items are useful for making certain rules not apply for a given IP address.

Items global-threshold and rule-threshold make given rules take action only when they are detected certain times within given time interval.

Items global-suppress and rule-suppress make given rules not apply for given IP address and direction. It is similar to adding IP address to a whitelist, only more specific, because it is possible to specify the rule and the direction of communication.

Item modify-rules changes given rules by replacing a regular expression matching with a given string. This is designed to be used only when none of the options above are applicable because there is no validation of the replacement. If ids-agent gets invalid rules, it ignores them, parsing only valid rules.

Downloading the rules from the Internet

The rules can be automatically, periodically downloaded from Kernun download server using program pulledpork. Section system.update.adaptive-firewall specifies the parameters for it.

Item source defines the source of the rules. There are predefined values for downloading the emerging-threats rules. The custom URL can be given — see pulledpork documentation on the format of the rule_url it expects.

Item schedule defines the rules update policy. The rules can be manually (re)downloaded by command kat ids-agent-update-rules. The corresponding command can also be performed from the GUI. When the rules are downloaded and processed, the signal is sent to ids-agent, so it reloads the new rules automatically.

The rules can be altered by pulledpork by items in section rules. The following types of modifications are possible:

  • A rule that is distributed as disabled can be enabled by item enable-rules. A disabled rule is commented out in the downloaded rule file so the IPS engine would otherwise ignore it.

  • When disabling a rule, the administrator has more options. A rule can be disabled unconditionally by item disable-rule or only for certain IP addresses by item rule-suppress. It is also possible to disable all rules for certain IP addresses by item global-suppress.

  • In IPS mode, it is sometimes desired to change the rule action from alert to drop or reject. This can be done by items change-rules-to-drop and change-rules-to-reject.

  • Items rule-rate-filter and global-rate-filter can be used to change the rule action after the rule matched a certain number of times within a specified time frame. Similarly, items rule-threshold and global-threshold alter the rule so it is applied only after it matches a certain number of times within a specified time frame.

  • When the above methods are not sufficient, it is also possible to modify a certain rule by providing a regular expression and a replacement string in item modify-rules.

The flags used as the command-line arguments when starting pulledpork can be redefined by item downloader-extra-flags.

The pulledpork configuration is generated in /usr/local/kernun/etc/pulledpork.conf. The rules are downloaded to /usr/local/share/suricata/rules/downloaded-pulledpork.rules. This file is automatically included in the ids-agent configuration.

Fine-tuning the ids-agent configuration

The configuration of ids-agent is stored in /usr/local/kernun/etc/suricata.yaml. Its contents is merged from two sources:

  • the configuration provided by the system administrator in item ADAPTIVE-FIREWALL.IDS.AGENT.ENGINE.CFG-FILE. It is a recommended practise to use a file based on /usr/local/kernun/conf/samples/shared/ids-agent.yaml which is the file that is used if the item is not specified. Be aware when using a custom CFG-FILE, the configuration can become obsolete and even unusable after a system upgrade, in which case it is necessary to consult /usr/local/kernun/conf/samples/shared/ids-agent.yaml for changes.

  • configuration generated by Kernun UTM (/usr/local/kernun/etc/kernun-suricata.yaml). Namely, this file specifies the rules (section ADAPTIVE-FIREWALL.IDS.AGENT.RULES) and the logging/output definition.

Network scanning of ids-agent

The traffic from the interface(s) selected by item(s) iface is scanned by ids-agent via PCAP.

See Also

Kernun: system(5), kat(8), pf-control(8)

FreeBSD: suricata(1), pulledpork (/usr/local/share/doc/pulledpork/README.*, /usr/local/etc/pulledpork/*)

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.