Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules & Alerts on pfSense 2020

Captions
Tom here from Lawrence Systems. We're going to talk about running Suricata on pfSense. Now, Suricata is an intrusion detection and intrusion prevention system. It is not the end-all to all of your security woes. It is not a security blanket you should just wrap around you, because it's a little bit more complicated than that, and it's also not a set-it-and-forget-it. So I'm going to talk about what is effective about Suricata and what is ineffective about Suricata. I'm not going to have the debate on here, but I will leave you some forum links where you can go and debate Suricata versus Snort. I've preferred Suricata; I found it worked very well for all the use cases I have, and I'm very familiar with it. If you would prefer to run Snort, feel free to run Snort. This video doesn't completely apply to Snort; we're going to do everything in Suricata, and as I said, look in the description below for some links where you can carry on the debate of which one you think is better with several other people who want to debate that. For now I'm sticking with Suricata.

Before we dive into this tutorial, let's first... if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free (and thank you to everyone who already has), there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content, and we'll begin right here.
Suricata is a free and open source, mature, fast, robust network threat detection engine. That means it can look at the traffic coming in and detect threats, and a lot of people start assuming, "Oh, this is what I need to help secure my network." Well, it can only detect threats. IDS versus IPS is intrusion detection system versus intrusion prevention system, and really the difference is a checkbox: whether or not you want to block the threats it determines. And before you're wondering why you shouldn't just block everything that it detects: well, false positives. False positives are what we're going to talk about. We're going to talk about how to tune the rules on this and how to set it up, but beware that this is not a one-and-done type of process. Occasionally you have to go back and find the things that got blocked accidentally. This is just part of doing intrusion detection, and a lot of the reason for this is because the tools are becoming more and more blind to the traffic. As traffic becomes more encrypted, there's less information for it to use to figure out exactly what that traffic is, so this is where false positives come in quite a bit: an encrypted piece of traffic happens to match the pattern of something. They do their best not to have false positives, but we've run into this ourselves. We've had things that are custom, like some of the remote support tools we use that are running on a non-standard port, and Suricata will flag it and block it, going, "I think that is this attack," and right away I can rule those out, going, "Well, I'm not even running that software on here." We also figure out ways we can repeat it, by going, "Well, looks like every time we open up this remote support tool into a file transfer inside of it, Suricata flags it and says, hey, I think this is this type of attack," which then you have to tune the rules. That's what we're going to cover: how to set it up and how to get these rules tuned. But I just want to preface all this before you go any further: this is not a check-the-box and it just works and makes your network more secure.

Now, the other side of Suricata, where it's much more effective versus less effective, is going to be if you have services you're running and you have ports open. So I'm running a web server, for example, or I'm running a WordPress site, and I want to put my firewall with some Suricata rules in front of it. Suricata is quite good at detecting some of the inbound potential problems that are coming in and pattern matching those, because you have ports open. If you're just a home user, the limited amount of success you're going to have is because a lot of these devices on your network, like your IoT network, reach out through whichever protocols to get the data they need from whatever cloud servers they want to talk to. Unless it was not encrypted, it's not something Suricata is going to have an easy time deciphering what it is, and you'll probably just get a bunch of false positives and spend a lot of time doing it. Either way, I think it's fun, and it's a great learning process to do that, but like I said, I just want to preface this video with those caveats, because that's something I did not do very well in my last video, and it is probably the number one question that people contact us about: "Can I just set these and it fixes all these problems and makes my IoT safer?" No, not really. But I do have an active network, and we're going to show what false positives show up on a default install.

So let's get started on that. We're going to go over here to my lab and install the plugin first. So we go over here to Package Manager, Available Packages, Suricata, Install, Confirm. After this is installed, we're going to go through how to set up the rules. This is the important part for the rule setup: getting the downloads proper, because the defaults right now (and I don't know if this was true back when I did the other video, but right now) the default downloads don't work.
So we'll go in here, and we're going to go over to Updates. Right here we have nothing in here yet. What these are is the rules and signatures, and you can get a Snort key if you want; I'm not going to do that for this particular video. We're just going to use the ET Open rules. So we have the ET Open rules; the Snort free registered rules are there if you want those; we're going to do these ones here, and I guess we can hide the deprecated rules if we're not using any of those. But we do need a custom URL. Now, here is the Emerging Threats free rule set that you can get, and the good news is, as of right now here in August of 2020, this rule set works fine because it's the 5.0 rules; Suricata inside of pfSense is running version 5. So we're going to copy this link, go over to our lab, and paste in the custom download URL. Now, in the future, if you're using a different version, you want to match the version of Suricata with the version that you're doing here, so because we're using the 5 series I put the 5.0 in here. If you're running some old version, you kind of get the idea from here that you can switch versions. It's important that you put that in there, because the default one it tries to download doesn't work. So we'll throw in that custom URL, go down here and hit Save.

Now, down here at the bottom, I'll mention this is the blocking. It is up to you, when it blocks something (if you choose to turn on the blocking, not just monitoring), how long before those expire. One hour is not a bad idea. If you say Never, you'll end up with things in the block list, and you may have sites that get blocked; you may end up having them blocked permanently. We'll cover how things get blocked and how you can eliminate things in the block list, but at least let them expire. If you don't let them expire, sometimes I find, at least, trouble. So that's kind of just some housekeeping cleanup. If you wanted to say four days, that way if someone scans you and trips the trigger that would cause a block, that person then for some amount of time would not be able to do it again. It's usually a bot anyways, but you'll end up with a lot of these, and it'll fill that up pretty quickly with all the blocks it starts putting in there, just depending on how involved you get with the rule sets. So we're going to go ahead and just set it to one hour.

All right, now let's go over here to Update and let's update the rules. This is a pretty quick task; it goes down and grabs those rules that we put on there. If you had those Snort subscriber rules, which is something you can sign up for, you'll get those. So now we have the signature hash, and cool, here's the rules updated and in there. Now, when you're doing these rule updates as well, it's got a timer, so you can set how frequently you want these rules to update. I would say once a day is probably fine on here; that's under the rule settings. So we have the rules at one day, and maybe set this to one hour. So we'll just leave it like that.

All right, next we have to set up the interfaces. So we'll go over here to Interfaces, and we're going to add our first interface. It defaults to WAN. If you want to put this on the WAN, you're going to get a lot of noise, and by default pfSense out of the box is going to block all incoming ports. So if you put this on WAN, all the ports are blocked, but it's still going to sense all the noise of all the things that hit those blocked ports. So it's up to you if you want to put it on there. It's going to definitely take up some CPU cycles, and it's definitely going to create some false positives, because it's just, well, not really relevant: someone scanning a port that's not even open makes for a lot of logs but doesn't necessarily make for much actionable intelligence, other than some people panic and go, "Wow, there's this much going on on the internet?" Yes, there is. So we're going to put it on the LAN side.

Now, for each interface you want to create a different rule category, or maybe you don't; this is up to you. In my example here, LAN would be just normal LAN traffic, and maybe we want all the rules applied to that. But let's say our guest network: we don't necessarily need blocking turned on for our guest network, but we're maybe curious about what things are going on in that network, so for a guest network maybe turn all the rules on but don't turn on any blocking. Now, these are different things you may want to do on a per-interface basis, but once you configure an interface, you can also clone those rules on there; we're going to cover how both of those work. So it's kind of up to you how you want to do that: if you want to disable all the rules for every interface, or maybe have a less restrictive policy on your LAN and a more restrictive policy on maybe a specific secure network for your servers. Like I said, there's a couple of different options. For this demo we're just going to enable all the rules, to make it quick and easy.

So, LAN, LAN. Send alerts to system log: not necessary, but you can do that. Enable stats collection: you don't get any pretty graphs for the stats collection; it just logs some of the statistics and puts them into a log file, in case those are interesting to you. Enable TLS log: now, remember, intrusion detection systems like Suricata are blind to the majority of the traffic that's encrypted, but it can at least log that a TLS connection was made; maybe you need that, maybe you don't. It is also blind to files that were transported via encrypted TLS connections, but if they are not transported that way, you can enable file store. Make sure you have a pfSense system with enough space if this is something you decide to do, and the same thing with packet logging: you can do full pcaps on these, but you have to have somewhere to put them, so make sure there's plenty of space if you choose to do that. EVE JSON log: Suricata will output selected logs in JSON format, and actually this opens up quite a few options, including sending them to a syslog server or a Redis server. This is a methodology so you can export all the logs to something else for log parsing and further analysis, maybe a different SIEM stack that you have, like a security system that does some analysis on all the generated data; that's what that option's for. We're not going to be using that for this.

This next one I do not recommend checking when you are first setting this up, because when this box is checked it starts blocking the things it finds. When you first set this up, I recommend leaving this off and going back and turning it on after we show you how you tune the rules; you go through the tuning for at least maybe a week of usage and tune the rules. If not, you'll end up being blocked constantly and then forcing yourself to tune rules, a less pleasant experience. But it's up to you the method you want to follow; for me, leaving this off for the first week you set up Suricata, while you tune all the rules, probably makes the most sense. We'll leave all these at default. There's some edge cases, and I believe I've talked about them in my Suricata transparent firewall video; you can find it on here, Suricata transparent pfSense. It's really cool, it works, and there are some special tuning parameters for those, but for the rest of it, no, we're just going to leave everything else at default and hit Save.

So we create the interface on here. Categories: we're going to do Select All. Now, based on the global settings and what rules you pulled in there (which we did: the Emerging Threats rules and the Snort GPL rules; you can go further and get the paid Snort rules if you want, and it will make more rules that show up here), I checked the box on all of them. But warning: by doing this I now have the most potential for false positives. So what happens is, the more rules that you check, you have to think about the rules that really matter to you, and this is when you're thinking back, like I said, about which rules apply to which interfaces. Selecting all on all interfaces creates the most amount of work for you to do the rule tuning, but doing it on a per-interface basis, like I said, if you had a server network, you go, "This is one I want really watched, further and better," versus my guest network, which I don't need that many rules on. But like I said, these are some of the fine tunings you can get in there. So we're going to hit Save on this.

Then we have our LAN rules over here, and these are just the details of those rules. So let me find one that's got probably a lot: maybe the DNS rules, bot rules, ActiveX rules; there are quite a few ActiveX ones it tries to look for here. What these are is the individual rules. So you have the categories on the other page; these are a breakdown of all the details in those categories. So this is going to be what's enabled and what's disabled, and they have some notes inside of here: "possible BlackICE printer device resource toolkit." Some of the reasons these are disabled by default, even though we checked them (you see those red X's), is because of the number of false positives they have. So they know that rule exists, but they also don't enable it by default. It is up to you if you want to decide which rules to or not to tune on there. So that's pretty much it.

We go back over here to Interfaces, and if we wanted to duplicate this same rule set to another interface once you have it set up and ready to go, you can just go to this little Clone button here, or Add. So I can add another interface and go through the setup again, but once you have maybe spent some time tuning one of those interfaces, you can also just clone and choose LAN2, and it's selected for me with all the same rules. So that's the way you can easily, especially if you have like five different interfaces, spend time tuning one of them, get it all set up how you want, then go ahead and clone that once it's all tuned. Now, once that part's done (we're not going to save the second interface), you just click on the little Start and it starts Suricata on this interface.

Now we're going to get over to the fun part: the rule tuning. Now, one thing of note: I
just loaded Suricata. I don't usually run it at home, and I just loaded it up on my system this morning in lieu of this demo, so I turned it on at about, this looks like about 8:30 in the morning. These little marks right here are when it started; you can see how little firewall usage there was and how much more now. This is an SG-3100 Netgate device. This is kind of the minimum I'd recommend that you have in order to run Suricata. Now, it's working fine at my house, and it's able to handle this without much of a problem, but I just have a handful of devices, and the kids are probably watching Netflix right now and playing some video games. It's something that you have to think about when it comes to scaling in here: yes, it can handle it on an SG-3100 device, but if you really start turning a lot of rules on and use it over time and there's a lot of connections on your network, you may want to think of upping that a little bit. But you can see it does come at a cost of CPU cycles right away.

Now, I'm going to be redacting a lot of this because there's going to be so many IP addresses in here, so that's why those are blurred out. So what we have here is the WAN network, and this is why I said where you get a whole lot of things on here. Now, I happen to be doing some torrenting, you know, seeding some ISOs for open source downloads and things like that, so we definitely see a lot of that inside of here. So, you know, you get the STUN protocol; that is actually not for torrenting, that is from, let me look, the Syncthing server that I have running behind there. It actually uses NAT traversal with STUN to contact out. So once again we have an info session, and do I care about this? Do I know it's a false positive? Yeah, because I looked up what it was. So how do we get rid of that rule, and how do we get rid of the annoyance of it being on there?

Now, by the way, I'm going to switch over real quick to the LAN side. We're going to see those same ones coming up again. So, and I know I'm blurring the IP addresses so you can't see this: when you do it from the LAN side, I get the internal IP address; when I did it from the WAN side, all I get is the WAN IP address and its destination, the other public IP, making it a little bit less useful. When I look at this rule from the LAN side, though, it's easy for me to identify, because I know what that particular IP address internally runs, so I can go, "Oh, I know that's running Syncthing. I know that server it's reaching out to is the Syncthing STUN server for NAT traversal." So I know it's good, and I know internally. By having that on there on the LAN side, like I said, it's much more effective. If you have it on the WAN side, all I know is the public IP address, which I already knew (it's my WAN address), and the other public IP address where it's going to, but that's not telling me what server behind my firewall did it. That's one of the other reasons it's important to have this on the LAN.

But now we can talk about getting rid of this rule, and we've done no tuning in the rules; I just turned them all on, Select All, said yes. So we're going to go over here and we'll get rid of this rule right here. We just click it, it spins for a second. All right: "The state of rule has been modified. Suricata live reloading with new rules. Please wait 15 seconds for the process to complete before toggling additional rules." This is important, and how long it takes really depends on how fast the system is, but for each rule you disable you need to give the system time to reload the rule set before you start doing more of them, or you can have the system, well, I think I've seen Suricata crash if you try to do it real fast, or just get stuck and not properly reload rule sets. So give it a second for each one you disable, depending on the speed of the machine; not a big deal. So now you see all these are yellow. What that means is they're not going to show up again, but they're now in the log history that they were there.

So this is on the LAN side; let's switch over to WAN. They're not yellow, and the reason they're not yellow here is because all the rule tuning is on a per-interface basis. This is one of the advantages if you take the time to tune one interface and then clone it: all those rule changes you made and all those suppressions you did will follow that interface clone. If not, if I have the same problem repeating on multiple interfaces, well, I'm going to need to go through here and tune it on each interface, and keep going through and keep going through. Also, this is one of the reasons I mentioned blocking can be really bad, because if I had blocking turned on, these things have a method by which they want to say "block," and it's part of the rule set. So some rules are just notices, but some rules are like, "All right, this is something bad and we're going to block this IP address." Well, when you start blocking everything, now you have the problem of sorting out what broke and why certain things don't work, especially if they're in a shared hosting provider where something else may reside. That's where those false positives can really create a headache with blocking. So tune the rules first.

Now, other things that are maybe less obvious. Let's go back over to the LAN side again, and by the way, this auto-refreshes while you're watching this, so the default is auto-refresh on. I usually change it to like 500, to show me 500 of the logs here when it goes, so it's always got plenty of information in here. So let's see what else we have: GPL P2P BitTorrent transfer. Well, I know that is definitely what's going on there, so we're going to go ahead and clear that one. All right, now that rule's cleared, what other rules do we need to clear? So, Suricata STREAM invalid timestamp. Now, these can be tricky; it's more of an annoyance. Right-click, copy, paste into Google, or if you're using... so you can do it like this in Chrome: search Google for "suricata packet timestamp," and look, we land right here on the Netgate forum, where apparently (and I've already seen this one enough that I know what it is) there's a problem with certain stream errors based on certain interfaces having this issue.

Now, this is where you're going to spend a lot of time, and you're going to get an idea what they actually do with these network operations centers, and why, when you buy a commercial firewall, this is a paid service to have intrusion detection and intrusion prevention properly working and set up. There is a team of engineers that spend a lot of time looking at all these errors, figuring out whether or not they're false positives, and sending that data back and forth down the pipe. This is essentially what they do with a network engineering center or security operations center: you're going to find them going through, looking at all these, determining whether it's a real threat or just another piece of noise in the system, and deciding whether or not that needs to be stopped and, you know, flagged, or to get rid of that rule. This is why it's not a set-it-and-forget-it type system. It is very important to understand that's what these engineers do. That's what you're paying for when you buy a firewall with a subscription service to an intrusion prevention system on it: you're getting a more honed feed, where they're looking at these and going through it and going, "All right, we see this rule, we see this many people doing it"; they realize it and they will dive deeper, maybe doing a pcap on it, and go, "All right, that is definitely not bad traffic." So just some notes: when you're looking at these, you do have to spend some time going back and forth to do this, going through and figuring out which ones are real and which ones are not. So there's actually quite a few of them in here for this invalid ACK, so let's go ahead and suppress that one; I don't need it.

All right, so here we're going to jump over to another system I have running Suricata, which is our system here, and because we host some web servers, we get some interesting things, because, well, people like to bang away at them and try to figure out how they can get in, which does get a lot of these people blocked all the time. So this is specifically a network dedicated to where my servers are that run things like hosting my web services that we have public facing, and it's interesting to see just how many scans there are, and we do block the people who scan us. So you scan us a few times, you're done, you're blocked for a long period of time. Then we have the poor intelligence, poor IP reputations; those are in here as well. Specific attempts someone tried to attempt, and these are all essentially false positives in some way: they tried something that doesn't exist. So this is web-specific apps: "attempted Symantec Secure Web Gateway RCE." This, which gets really interesting, is a remote code execution against the Symantec Secure Web Gateway, and this is what you'll end up seeing a lot of if you have ports open: where Suricata has an incoming piece of noise that it detects, going, "All right, someone tried; we recognized this attack pattern. This is a Symantec gateway endpoint exploit, you know, remote code execution." They tried this against me but failed, because, one, I don't have one, but Suricata blocked them anyways, because if they're going to try that, they're going to try other things. So these are botnets just hammering away. So this is where Suricata, to me, is a little bit, well, I should say a lot more effective, because it's blocking these constantly and looking for these types of threats. Now, even though these don't apply to me, what if something did? What if there was some flaw in an Apache server and I'm running an Apache server, or an nginx server and I'm running an nginx server, and it detects that attack? This is where Suricata can be very effective, and to me much more valuable than trying to monitor IoT devices at my house, or, you know, dealing with false information that it gave about the syncing tool that I have running, going, "Oh look, we found this or found that." Because, so, one, eventually, there weren't too many in there since running it this morning at my house; there weren't too many false positives on there, but they do happen from time to time.

But when it comes to running it on my server-side network, that's where we have the most luck with it, I should say, or the most effective use of it, because it goes through, it sees things that are potential attacks, and if a bot or an IP address is attacking you once, then it's probably attacking you in other ways. If it finds it, even though there's no response (as in the RCE against the Symantec gateway, because I don't have one), it goes, "What else is on there? It answered, so let me try again." Well, by Suricata blocking it, it blocks any further answers, because that IP address just ends up in a block list on here and keeps them from scanning further. So this is where I think it's a lot better. But like I said, it's only limited because it still can't see into encrypted traffic; it just has to match these, and we're still dealing with false positives on tools we use, so it's something we have to kind of be, you know, actively monitoring.

Now, the last thing I'll show you is the block lists themselves. So that checkbox I mentioned where it turns on blocking: you can turn on blocking, and you can go through and get rid of blocks if you want, because if they're false, just get rid of them here; if not, maybe you want to leave them here. And then, as I stated earlier in the setup, the default amount of time you want to have those blocks on there, that's kind of up to you. So maybe you want those blocks to last essentially forever, not forever; that is an up-to-you tuning portion of this, to figure out how long you want to keep those things blocked for. But fair warning: sometimes, due to shared hosting services, you may find something that gets blocked, even if falsely, but then all of a sudden everything can't get to it. Now, the way it blocks inside of pfSense: if this IP address gets blocked, even though it was blocked on a separate network, such as my server network, it is blocked universally across all of them. So blocks will not just block the network that was attacked; it'll block all the networks on the WAN, because it adds a block rule in the system for that.

So hopefully this is helpful for getting this set up and configuring Suricata. I just wanted to be clear, as I was in the beginning: it's not a set-it-and-forget-it. It does offer quite a bit of benefit for things incoming, if you have ports open and services running, to examining those, and maybe not guaranteed anything is... well, especially in security, nothing is guaranteed at all... if there's a rule that does match a known attack. By the way, "known attack" is very important. These rule sets are always being updated depending on your update interval; you know, if you update it daily, I'm not sure just how often, but, you know, as these rules come out they're adding and adding, cumulatively adding more rules over time, and they're always reactive. They have to know: security researchers have to know about the threat, create a rule set for it that matches the pattern, push that rule out, and hopefully it doesn't match a bunch of false positives when it first comes out. So this is the tediousness of doing it, but this is also what network operations engineers and security operations centers do: they go through this, and this is what those subscriptions are for when you have a paid subscription on a firewall, which can be tedious, but hey, it's also a lot of fun, and it's a great way to dive into network security engineering and learn about tuning Suricata. All right, thanks.
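As an added example (not code from the video, from Lawrence Systems, or from the pfSense Suricata package), the following Python works through the tuning loop the transcript describes from the log side: it reads Suricata EVE JSON alert records (the "EVE JSON log" option covered above), summarises them per signature together with the internal hosts involved (the information you only get when the instance sits on the LAN rather than the WAN), and turns the operator's knowledge about a vetted host into host-scoped suppress entries. Those entries use the same `suppress gen_id …, sig_id …, track by_src, ip …` syntax that Suricata's threshold.config and the pfSense package's suppress lists use, which is narrower than disabling a rule for the whole interface. The eve.json lines, the SIDs (9000001 and up), the signature texts, the 192.168.1.0/24 LAN range and the vetted-host notes are all constructed for this example.

```python
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample eve.json lines, not captured from a real sensor. The field layout
# follows Suricata's EVE alert records; the SIDs (9000001..) and signature texts are
# made up for this example and are not real ET Open or Snort GPL rules.
SAMPLE_EVE = """
{"timestamp":"2020-08-02T08:31:05.112233-0400","flow_id":101,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.50","src_port":51234,"dest_ip":"203.0.113.10","dest_port":3478,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"SAMPLE INFO STUN Binding Request","category":"Misc activity","severity":3}}
{"timestamp":"2020-08-02T08:31:35.445566-0400","flow_id":102,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.50","src_port":51234,"dest_ip":"203.0.113.10","dest_port":3478,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"SAMPLE INFO STUN Binding Request","category":"Misc activity","severity":3}}
{"timestamp":"2020-08-02T08:32:05.778899-0400","flow_id":103,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.50","src_port":51234,"dest_ip":"203.0.113.10","dest_port":3478,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"SAMPLE INFO STUN Binding Request","category":"Misc activity","severity":3}}
{"timestamp":"2020-08-02T08:33:10.000001-0400","flow_id":104,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.50","src_port":6881,"dest_ip":"198.51.100.5","dest_port":51413,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"SAMPLE P2P BitTorrent transfer","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2020-08-02T08:33:12.000002-0400","flow_id":105,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.50","src_port":6881,"dest_ip":"198.51.100.6","dest_port":6881,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"SAMPLE P2P BitTorrent transfer","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2020-08-02T08:34:00.000003-0400","flow_id":106,"in_iface":"igb1","event_type":"alert","src_ip":"192.168.1.23","src_port":49152,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"SAMPLE STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-08-02T08:35:00.000004-0400","flow_id":107,"in_iface":"igb1","event_type":"alert","src_ip":"198.51.100.77","src_port":40001,"dest_ip":"192.168.1.80","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000004,"rev":1,"signature":"SAMPLE WEB_SPECIFIC_APPS Attempted Secure Web Gateway RCE","category":"Web Application Attack","severity":1}}
{"timestamp":"2020-08-02T08:35:01.000005-0400","flow_id":107,"in_iface":"igb1","event_type":"flow","src_ip":"198.51.100.77","src_port":40001,"dest_ip":"192.168.1.80","dest_port":443,"proto":"TCP"}
"""

# Assumed LAN range for this example; set it to the network of the interface Suricata is bound to.
INTERNAL_NETS = [ip_network("192.168.1.0/24")]


def is_internal(ip):
    """True when ip falls inside one of the LAN ranges Suricata is watching."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alerts(text):
    """Yield only event_type == "alert" records; flow, stats and tls records are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def summarize(text):
    """Per-signature hit counts plus the internal and external hosts involved.

    Knowing the internal host is the reason to run the instance on the LAN side:
    seen from the WAN, the source would just be the firewall's own public address.
    """
    stats = defaultdict(lambda: {"count": 0, "blocked": 0,
                                 "internal_hosts": set(), "external_hosts": set()})
    for event in parse_alerts(text):
        alert = event["alert"]
        entry = stats[(alert["gid"], alert["signature_id"], alert["signature"])]
        entry["count"] += 1
        if alert.get("action") == "blocked":
            entry["blocked"] += 1
        for ip in (event["src_ip"], event["dest_ip"]):
            bucket = "internal_hosts" if is_internal(ip) else "external_hosts"
            entry[bucket].add(ip)
    return dict(stats)


def suppress_line(gid, sid, track=None, ip=None):
    """Render a threshold.config-style suppress entry (the syntax the pfSense package's
    suppress lists hold). Without track/ip the entry silences the SID for every host."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track and ip:
        line += f", track {track}, ip {ip}"
    return line


def triage(text, vetted_hosts):
    """Split alerts into host-scoped suppress entries and alerts that still need a look.

    vetted_hosts maps an internal IP to what the operator knows runs there. An alert
    that involves a vetted host is suppressed only for that host (by_src when the host
    sent the traffic, by_dst when it received it); every other alert is counted by
    signature for investigation, so the same SID can be silenced for one host and
    still fire for an unexplained one.
    """
    suppress = set()
    investigate = Counter()
    for event in parse_alerts(text):
        alert = event["alert"]
        gid, sid = alert["gid"], alert["signature_id"]
        src, dst = event["src_ip"], event["dest_ip"]
        if is_internal(src) and src in vetted_hosts:
            suppress.add(suppress_line(gid, sid, "by_src", src))
        elif is_internal(dst) and dst in vetted_hosts:
            suppress.add(suppress_line(gid, sid, "by_dst", dst))
        else:
            investigate[alert["signature"]] += 1
    return sorted(suppress), investigate


if __name__ == "__main__":
    # Hypothetical operator notes: 192.168.1.50 is the box running Syncthing and seeding ISOs.
    vetted = {"192.168.1.50": "Syncthing (STUN for NAT traversal) and torrent seeding"}
    by_count = sorted(summarize(SAMPLE_EVE).items(), key=lambda kv: -kv[1]["count"])
    for (gid, sid, sig), s in by_count:
        print(f"{s['count']:>3} hits {s['blocked']:>2} blocked  {gid}:{sid}  {sig}  "
              f"internal={sorted(s['internal_hosts'])} external={sorted(s['external_hosts'])}")
    lines, todo = triage(SAMPLE_EVE, vetted)
    print("\nsuppress list entries:\n" + "\n".join(lines))
    print("\nstill to investigate:", dict(todo))
```

Run against a real eve.json (one JSON object per line, as the pfSense package writes it), replace `INTERNAL_NETS` with the interface's subnet and `vetted` with the hosts whose traffic you have actually identified. The per-host suppress entries keep the rule live for every other host on the interface, which matters on a server network where a by_dst entry for one web server should not hide the same signature hitting its neighbour; the signatures left in `investigate` are the ones that still need the "search the rule name, read the forum thread, pcap it" loop the video walks through.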
Info
Channel: Lawrence Systems
Views: 82,006
Keywords: lawrencesystems, suricata pfsense tutorial, pfsense, firewall, pfsense router, network, pfsense setup, suricata pfsense install, suricata pfsense, suricata pfsense configuration, suricata pfsense setup guide, snort vs suricata pfsense, suricata, intrusion detection system, router, ids, tutorial, intrusion detection, snort
Id: S0-vsjhPDN0
Length: 27min 29sec (1649 seconds)
Published: Sun Aug 02 2020