ips — intrusion detection/prevention system and the related aspects

The suricata(1) IDS/IPS is integrated in Kernun UTM, where it is known as ids-agent.
ids-agent is configured in the adaptive-firewall.ids-agent section on the system level of the Kernun UTM configuration. See system(5) and adaptive-firewall(5).
ids-agent can run in two modes, selected by the presence of item system.adaptive-firewall.ips:

  - The suspicious traffic is logged but no other action is taken.
  - The suspicious traffic is logged and reported to pf-control(8), which blocks it.
The traffic on the interfaces named by iface items is analyzed by ids-agent.

Rule refreshing can be configured in the rules-download section.
Section rules can be used to define the rules directly in CML.

Use item include-rules to reference an external file with the rules in suricata syntax. The file is copied, and the copy is referenced in the ids-agent configuration.

Use item add-rule to define a rule directly in CML syntax. Such rules are flushed into a text file in suricata syntax, which is referenced in the ids-agent configuration.

Item change-rules-to-block changes the action of the rules given by ID to block.

Item disable-rules disables rules that were published as enabled, effectively removing them from existence for ids-agent.

Item enable-rules enables rules that were published as disabled.
Items global-rate-filter and rule-rate-filter conditionally change the action of all rules or of the given rules only. They specify how many times a rule must be detected within a time interval before its action is changed to a different given action. This is useful, for example, to let a rule alert 10 times within a minute before the communication is blocked.

Items global-threshold and rule-threshold make the given rules take action only when they are detected a certain number of times within a given time interval.

Items global-suppress and rule-suppress are similar to *-rate-filter, the difference being that the condition is not a number of occurrences but the IP addresses: they make the given rules not apply to a given IP address and direction. This is similar to adding the IP address to a whitelist, only more specific, because the rule and the direction of communication can be specified.
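Added example, not part of the Kernun documentation or code: a simplified Python model of how rate-filter, threshold and suppress change a rule's behaviour, which the text above and the pulledpork modification list below describe. The engine's real bookkeeping (per-source tracking, threshold types, further options) is omitted; the timestamps and IP addresses used are constructed.

```python
from collections import deque

# Simplified model of the three per-rule controls (not Kernun or Suricata code):
#  - rate-filter: once `count` matches fall within `seconds`, the action switches
#    to `new_action` for `timeout` seconds, then returns to the normal action;
#  - threshold: the rule takes action only on every `count`-th match within
#    `seconds`; the other matches produce nothing;
#  - suppress: matches from the listed source IPs are ignored for the rule.

class RuleController:
    def __init__(self, action="alert", rate_filter=None, threshold=None, suppress=()):
        self.action = action
        self.rate_filter = rate_filter      # dict: count, seconds, new_action, timeout
        self.threshold = threshold          # dict: count, seconds
        self.suppress = set(suppress)       # source IPs the rule must not apply to
        self.hits = deque()                 # timestamps of recent matches
        self.escalated_until = None         # end of the rate-filter new_action period

    def _recent(self, now, seconds):
        # Drop matches older than the window and return how many remain.
        while self.hits and now - self.hits[0] >= seconds:
            self.hits.popleft()
        return len(self.hits)

    def match(self, now, src_ip):
        """Return the action taken for one match at time `now`, or None."""
        if src_ip in self.suppress:
            return None
        if self.rate_filter:
            rf = self.rate_filter
            if self.escalated_until is not None and now < self.escalated_until:
                return rf["new_action"]
            self.hits.append(now)
            if self._recent(now, rf["seconds"]) >= rf["count"]:
                self.escalated_until = now + rf["timeout"]
                self.hits.clear()
                return rf["new_action"]
            return self.action
        if self.threshold:
            th = self.threshold
            self.hits.append(now)
            if self._recent(now, th["seconds"]) >= th["count"]:
                self.hits.clear()
                return self.action
            return None
        return self.action
```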
Item modify-rules changes the given rules by replacing the matches of a regular expression with a given string. It is designed to be used only when none of the options above are applicable, because there is no validation of the replacement. If ids-agent gets invalid rules, it ignores them and parses only the valid ones.
The rules can be downloaded automatically and periodically from the Kernun download server using the program pulledpork. Section system.update.adaptive-firewall specifies the parameters for it.
Item source defines the source of the rules. There are predefined values for downloading the emerging-threats rules. A custom URL can also be given; see the pulledpork documentation for the format of the rule_url it expects.
Item schedule defines the rules update policy.
The rules can be (re)downloaded manually by the command kat ids-agent-update-rules. The same operation can also be performed from the GUI. When the rules are downloaded and processed, a signal is sent to ids-agent, so it reloads the new rules automatically.
The rules can be altered by pulledpork according to items in section rules. The following types of modifications are possible:
A rule that is distributed as disabled can be enabled by item enable-rules. A disabled rule is commented out in the downloaded rule file, so the IPS engine would otherwise ignore it.
When disabling a rule, the administrator has more options. A rule can be disabled unconditionally by item disable-rule, or only for certain IP addresses by item rule-suppress. It is also possible to disable all rules for certain IP addresses by item global-suppress.
In IPS mode, it is sometimes desired to change the rule action from alert to drop or reject. This can be done by items change-rules-to-drop and change-rules-to-reject.
Items rule-rate-filter and global-rate-filter can be used to change the rule action after the rule has matched a certain number of times within a specified time frame. Similarly, items rule-threshold and global-threshold alter the rule so that it is applied only after it matches a certain number of times within a specified time frame.
When the above methods are not sufficient, it is also possible to modify a rule by providing a regular expression and a replacement string in item modify-rules.
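Added example (not Kernun or pulledpork code): a Python model of the rule-file modifications described in the rules section above and in this list, applied to a constructed sample of a downloaded rule file. The function arguments stand in for the CML items; the real processing is done by pulledpork and is not reproduced here.

```python
import re

# Constructed sample of a downloaded rule file (not a real feed). A rule
# distributed as disabled is commented out, as the text above describes.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:1000001; rev:1;)
# alert http any any -> $HOME_NET any (msg:"EXAMPLE vendor-disabled"; sid:1000002; rev:1;)
alert dns any any -> any 53 (msg:"EXAMPLE dns lookup"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# Minimal shape check for a rule line: action, header with '->', options in (...).
RULE_RE = re.compile(r"^(alert|drop|reject|pass)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\(.*;\)\s*$")

def sid_of(line):
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None

def process_rules(text, enable=(), disable=(), to_drop=(), to_reject=(), modify=()):
    """Apply enable-rules, disable-rules, change-rules-to-drop/-reject and
    modify-rules (a list of (sids, regex, replacement)) to a rule file.
    A rule that no longer parses after modify-rules is left out, mirroring
    the text's note that ids-agent ignores invalid rules."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        sid = sid_of(stripped)
        if sid is None:                      # blank line or ordinary comment
            out.append(line)
            continue
        disabled = stripped.startswith("#")
        body = stripped.lstrip("# ") if disabled else stripped
        if sid in enable:
            disabled = False
        if sid in disable:
            disabled = True
        if sid in to_drop:
            body = re.sub(r"^alert\b", "drop", body)
        if sid in to_reject:
            body = re.sub(r"^alert\b", "reject", body)
        for sids, pattern, repl in modify:
            if sid in sids:
                body = re.sub(pattern, repl, body)
        if not RULE_RE.match(body):          # no validation of the replacement
            continue
        out.append("# " + body if disabled else body)
    return "\n".join(out)
```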
The flags used as command-line arguments when starting pulledpork can be redefined by item downloader-extra-flags.
The pulledpork configuration is generated in /usr/local/kernun/etc/pulledpork.conf. The rules are downloaded to /usr/local/share/suricata/rules/downloaded-pulledpork.rules. This file is automatically included in the ids-agent configuration.
The configuration of ids-agent is stored in /usr/local/kernun/etc/suricata.yaml. Its contents are merged from two sources:

  - the configuration provided by the system administrator in item ADAPTIVE-FIREWALL.IDS.AGENT.ENGINE.CFG-FILE. It is recommended practice to use a file based on /usr/local/kernun/conf/samples/shared/ids-agent.yaml, which is the file used if the item is not specified. Be aware that when using a custom CFG-FILE, the configuration can become obsolete and even unusable after a system upgrade, in which case it is necessary to consult /usr/local/kernun/conf/samples/shared/ids-agent.yaml for changes;
  - the configuration generated by Kernun UTM (/usr/local/kernun/etc/kernun-suricata.yaml). Namely, this file specifies the rules (section ADAPTIVE-FIREWALL.IDS.AGENT.RULES) and the logging/output definition.
Kernun: system(5), kat(8), pf-control(8)
FreeBSD: suricata(1), pulledpork (/usr/local/share/doc/pulledpork/README.*, /usr/local/etc/pulledpork/*)