Suricata Intrusion Detection System: Part Three

Figure: Interface settings in Suricata.

In the previous article, we covered some additional Suricata configuration details, including downloading rules and setting up your first Suricata interface. In this article, we will continue to configure that interface.

Since we already covered the “WAN Settings” tab, we’ll move on to the “WAN Categories” tab. The first heading covers automatic flowbit resolution. Flowbits are a powerful tool that were first implemented in Snort. Many times, you need to look at more than just one packet to know whether an event is occurring. Flowbits give you the ability to do this. With flowbits, you can set a flag that another rule can check and take into consideration. In other words, if condition 1 is met, we can set a flag. If the flag is set and condition 2 is met, then we can take further action (for example, generate an alert).

The first option is the “Resolve Flowbits” check box. If this is checked, Suricata will examine the enabled rules in your chosen rule categories for checked flowbits. Any other rules that set these dependent flowbits will be automatically enabled (even if they were not otherwise enabled) and added to the list of the files in the interface rules directory. By pressing the “View” button, you can view the auto-enabled rules required to satisfy the flowbit dependencies.
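The dependency resolution described above can be reproduced outside the GUI. The following is an added example, not code from pfSense or the Suricata project: it parses a snippet of constructed rules in Suricata syntax (the rule text and SIDs are made up for this example), collects the flowbits that the enabled rules test with isset/isnotset, and enables every disabled rule that sets one of them, repeating until no new dependencies appear (a setter may itself test another flowbit). The rule format assumptions (a leading "#" marks a disabled rule, flowbits options are "flowbits:op,name;") are Suricata's, the helper names are this example's own.

```python
import re
from dataclasses import dataclass

# Suricata rule actions; a line whose first word (after any leading '#') is not one of
# these is an ordinary comment rather than a disabled rule.
ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class Rule:
    enabled: bool
    sid: int
    sets: frozenset     # flowbits this rule sets or toggles
    checks: frozenset   # flowbits this rule tests with isset / isnotset


def parse_rule(line: str):
    """Parse one line of a .rules file; return a Rule, or None for blank and comment lines."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("# \t")
    if not body or body.split(None, 1)[0].lower() not in ACTIONS:
        return None
    sid_match = SID_RE.search(body)
    if sid_match is None:
        return None
    sets, checks = set(), set()
    for op, arg in FLOWBITS_RE.findall(body):
        # isset/isnotset may name several bits joined with | (any) or & (all)
        names = {n.strip() for n in re.split(r"[|&]", arg) if n.strip()}
        if op.lower() in ("set", "toggle"):
            sets |= names
        elif op.lower() in ("isset", "isnotset"):
            checks |= names
    return Rule(enabled, int(sid_match.group(1)), frozenset(sets), frozenset(checks))


def load_rules(text: str):
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def resolve_flowbits(rules):
    """SIDs of disabled rules that must be auto-enabled so every flowbit tested by an
    enabled rule (or by a rule enabled here) has at least one rule that sets it."""
    by_sid = {r.sid: r for r in rules}
    active = {r.sid for r in rules if r.enabled}
    auto_enabled = set()
    while True:
        needed = set()
        for sid in active | auto_enabled:
            needed |= by_sid[sid].checks
        new = {r.sid for r in rules
               if not r.enabled and r.sid not in auto_enabled and r.sets & needed}
        if not new:
            return auto_enabled
        auto_enabled |= new


# Constructed sample rules for this example; not taken from any real ruleset.
SAMPLE_RULES = """\
# Constructed sample rules for this example; not taken from any real ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE beacon after login"; flow:established,to_server; flowbits:isset,example.login_seen; content:"/beacon"; http_uri; sid:1000002; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE login seen"; flow:established,to_server; content:"/login"; http_uri; flowbits:set,example.login_seen; flowbits:noalert; sid:1000001; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE alt login seen"; flowbits:isset,example.probe_seen; flowbits:set,example.login_seen; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE probe"; flowbits:set,example.probe_seen; flowbits:noalert; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE unrelated setter"; flowbits:set,example.other; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("auto-enabled SIDs:", sorted(resolve_flowbits(rules)))
```

Only SID 1000002 is enabled in the sample. It tests example.login_seen, so the two disabled setters (1000001 and 1000003) are enabled; 1000003 in turn tests example.probe_seen, which pulls in 1000004 on the second pass, while 1000005 sets a flowbit nobody tests and stays disabled. This is also why the GUI's "View" button matters: the auto-enabled setters mostly carry flowbits:noalert and never appear in your alert log, but they still consume inspection time.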

The next heading is “Selecting the rulesets Suricata will load at startup”. Here you can select individual rulesets from the rules you have already downloaded. For example, the ET Open Rules have individual rulesets for ActiveX, protecting against DNS hacks, protecting against denial of service (DoS) attacks, and other threats. There are check boxes next to each individual ruleset, and at the top there are buttons to “Select All”, “Unselect All” and “Save” (to save changes and auto-resolve flowbit rules). There is also a “Save” button at the bottom of the page.


Enabling and Disabling Rules

The next tab is “WAN Rules”. Here you can see things on a more granular level, as you can actually view, enable and disable individual rules, as well as enable and disable all rules in an individual category. At the top of the page, there is an “Available Rule Categories” dropdown box that allows you to select rule categories to view. Next to each individual rule, there is a red check mark on the left side of the row; you can click on this to enable/disable the rule. At the top of the list, there are buttons to disable and enable all rules in the current category, as well as buttons to remove all enable/disable changes in the current category or all categories. There is also an option to view the full file contents for the current category. Finally, above the list of rules is an “Apply” button to apply any changes made.

The next tab is “WAN Flow/Stream”. The first heading is “Host-Specific Defrag and Stream Settings”. Here, you can set different defrag and stream settings for different hosts. By pressing the “plus” button on the right side, you can add new settings; you can also press the “edit” button (the lowercase e) to edit existing settings. The “Policy Name” and “Bind-To IP Address” alias can be edited for everything except the default engine (the “Bind-To IP Address” defines the IP list for this configuration). The “Target Policy” dropdown box allows you to choose an OS target policy appropriate for the protected hosts. The default is BSD, but there are many choices, including IRIX, Linux, MacOS, and variants of Windows. The “Save” button at the bottom allows you to save a configuration, while the “Cancel” button discards the changes.

The next section deals with IP fragmentation. The Internet Protocol (IP) allows a datagram to be fragmented, that is, broken into smaller pieces, so that packets can be formed that will pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size. These settings allow you to control how Suricata reassembles such fragments, with settings such as the maximum memory to be used for defragmentation and the maximum number of fragments. Below this are the “Flow Manager” settings, which allow you to control parameters for the flow engine. “Flow Timeout Settings” covers timeouts for TCP, UDP, and ICMP connections. Finally, “Stream Engine Settings” covers parameters for the stream engine, such as the maximum memory to be used by the stream engine and the maximum number of concurrent stream engine sessions.

In the next article, we will continue our look at Suricata interface settings.


External Links:

The official Suricata web site

IPv6 Integration: A Look at pfSense 2.1

On September 15, 2013, pfSense 2.1 was released. This release brings many new features; the biggest change is IPv6 support in almost every portion of the system. There are also a number of bug fixes. Recently, I burned a live CD of 2.1 to see what interesting features the new version has.

Configuring an Interface for IPv6

Figure: Configuring an interface for IPv6 in pfSense 2.1.

The integration of IPv6 support is obvious to anyone who takes even a casual look at the pfSense web GUI. Under “Interfaces”, if you select an interface, under “General Configuration”, there is a new dropdown box called “IPv6 Configuration Type”. The options are: Static, DHCP, Stateless Address Auto Configuration (SLAAC), 6rd Tunnel, 6to4 Tunnel, and Track Interface. Stateless Address Auto Configuration is a mechanism that allows a host to generate its own IPv6 address even if no routable address has been assigned or pre-configured for it, and it is required on all IPv6 configurations. 6rd is an IPv6 transition mechanism that allows stateless tunneling of IPv6 over IPv4, and is intended as a way to tunnel across an ISP’s IPv4-only access network. 6to4 Tunnel is yet another transition mechanism for migrating from IPv4 to IPv6, and allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels. Choosing “None” disables IPv6 on this interface.

If you choose the Static IPv6 configuration type, the “Static IPv6 configuration” subsection appears. Here you must enter an IPv6 address and an optional gateway. Once you have entered this information, you can press the “Save” button and then the “Apply Changes” button on the next page.
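The three mechanisms named above (SLAAC, 6to4 and 6rd) all derive an address or prefix arithmetically, which is worth seeing once when checking what an interface will end up with. The following is an added example, not code from pfSense: it builds a SLAAC address from a /64 prefix and a MAC address using the modified EUI-64 rule of RFC 4291, the 6to4 /48 prefix of RFC 3056 from an IPv4 address, and the 6rd delegated prefix of RFC 5969 from the ISP's 6rd prefix, the customer IPv4 address and the IPv4 mask length. The MAC address, IPv4 addresses and 2001:db8::/32 prefix used at the bottom are constructed sample values (documentation ranges), and the function names are this example's own.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by SLAAC from an advertised /64 prefix and its own MAC.
    (Modern hosts often use random or stable-privacy identifiers instead; the EUI-64
    form is the classic one and the easiest to recognise in logs.)"""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with an EUI-64 identifier needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 site prefix 2002:V4ADDR::/48 (RFC 3056): the 32-bit IPv4 address follows
    the fixed 2002::/16. The IPv4 address must be publicly reachable for 6to4 to work."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def six_rd_prefix(rd_prefix: str, ipv4: str, ipv4_mask_len: int = 0) -> ipaddress.IPv6Network:
    """6rd delegated prefix (RFC 5969): the ISP's 6rd prefix followed by the customer's
    IPv4 address with its first ipv4_mask_len bits (common to the whole ISP) dropped."""
    net = ipaddress.IPv6Network(rd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be 0..32")
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << v4_bits) - 1)
    new_len = net.prefixlen + v4_bits
    if new_len > 64:
        raise ValueError(f"resulting prefix /{new_len} is longer than /64")
    addr = int(net.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


if __name__ == "__main__":
    # Constructed sample inputs (documentation address ranges).
    print("SLAAC :", slaac_address("2001:db8::/64", "00:11:22:33:44:55"))
    print("6to4  :", six_to_four_prefix("192.0.2.1"))
    print("6rd   :", six_rd_prefix("2001:db8::/32", "192.0.2.1"))
    print("6rd/8 :", six_rd_prefix("2001:db8::/32", "10.1.2.3", ipv4_mask_len=8))
```

The 6rd call with ipv4_mask_len=0 reproduces the worked example in RFC 5969 (2001:db8::/32 plus 192.0.2.1 gives 2001:db8:c000:201::/64); with a mask length of 8 the ISP keeps 24 address bits and the customer receives a /56 instead.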


DHCPv6 Relay and DHCPv6 Server

Once you have configured at least one IPv6 interface, it will be possible to configure other IPv6-related services. For example, by navigating to Services -> DHCPv6 Relay, you can add an IPv6 DHCP relay. This enables you to relay DHCPv6 requests to one server or several servers. In order to use this service, click on the “Enable” check box to enable the DHCP relay. In the “Interfaces” list box, select the interface(s) from which DHCP requests will be relayed (hold down the CTRL key while clicking to select more than one interface). Next is “Append circuit ID and agent ID to requests”. pfSense can append its interface number (circuit ID) and agent ID to DHCP requests, just as it can with IPv4 DHCP requests. Finally, in the “Destination server” edit box, type in the IPv6 address of the server to which DHCPv6 requests are relayed. You can enter multiple server IPv6 addresses, separated by commas. Then press the “Save” button to save the settings.

Figure: Configuring Router Advertisements in pfSense 2.1.

Another new option under “Services” is “DHCPv6 Server/RA”. If you select this option, there are two levels of tabs. On the top level, there is a tab for each IPv6 interface. You can enable a DHCPv6 server on each of these interfaces. The configuration options for the DHCPv6 server look identical to the configuration for the IPv4 DHCP server. There is a second tab, however, for “Router Advertisements”. There are five choices: “Disabled”, which disables router advertisements; “Router Only”, which causes pfSense to advertise only the current router; “Unmanaged”, which allows the radvd router advertisement daemon to handle advertising with stateless autoconfig; “Managed”, which causes assignment through the DHCP server; and “Assisted”, which combines the two. “Router Priority” allows you to select the priority for the Router Advertisement Daemon (low, normal, or high). You can add a Router Advertisement subnet on this page as well by clicking on the “plus” button and adding a subnet. You can also specify an alternate DNS server or domain search list, or use the same settings as the DHCPv6 server.


I have really only scratched the surface regarding IPv6 integration in pfSense 2.1, and there are many other features I have not touched upon here. As a result, it looks like there will be many more postings concerning the new features of the latest pfSense. Stay tuned.

External Links:

IPv6 at Wikipedia

Static DHCP Mapping in pfSense

In the previous posting, I covered how to configure basic settings for the DHCP server. In this part, I cover static DHCP mappings. A static DHCP mapping ensures a client is always given the same IP address.

Static DHCP Mapping: First Method

Figure: Edit static mapping page in the pfSense web GUI.

In order to add static DHCP mappings, browse to Status -> DHCP Leases to view the list of clients that have been issued DHCP leases. Click the “plus” button next to a lease to add a new static DHCP mapping for that client. The MAC address field will be pre-filled; enter an IP address, which must be outside of the range of dynamically assigned DHCP addresses. Finally, enter a “Hostname” and “Description” if desired. Now press “Save” to save the changes, and “Apply” to apply the changes if necessary.

Static DHCP Mapping: Second Method

If no DHCP leases have been issued yet, you may not be able to add static DHCP mappings from Status -> DHCP Leases. Fortunately, there is a second method for adding static DHCP mappings. Browse to Services -> DHCP Server -> Interface (if you followed along with my previous DHCP setup scenario, the interface will be “LAN”). Scroll to the bottom of the page, and you will find “DHCP Static Mappings for this interface.” Click on the Add button to the right. From the Services -> DHCP -> Edit static mapping page, you can type in “IP Address”, “Hostname” and “Description”, as described above.


Now, when a client connects to your DHCP server, the firewall will first check for a mapping in the “DHCP Static Mappings” table. If the client’s MAC address matches a mapping you specified, then the DHCP server uses the IP address specified in the mapping. If no mapping exists for your client’s MAC address, your DHCP server uses an IP address from its available range. Alternatively, you could have selected “Deny Unknown Clients” under Services -> DHCP Server -> Interface, in which case the client will not get a DHCP lease unless the client is defined in the static mappings table.

Static mappings can always be viewed at the bottom of the DHCP Server configuration page for each interface. All static mappings for a given interface can be managed here. Existing mappings can be modified or removed, and new static mappings can be created (but you will have to enter the MAC addresses manually).
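The decision the server makes for each client, as described in the two paragraphs above, can be written down as a small model. The following is an added example, not pfSense code, that implements that decision order for one interface scope: static mapping by MAC first, then the “Deny Unknown Clients” check, then a lease from the dynamic range; it also enforces the rule stated earlier that a static address must lie outside the dynamic range. The subnet, range, MAC addresses and hostnames are constructed sample values, and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-..' and 'aabb..' hit the same mapping."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class StaticMapping:
    ip: ipaddress.IPv4Address
    hostname: str = ""
    description: str = ""


@dataclass
class DhcpScope:
    subnet: ipaddress.IPv4Network
    range_start: ipaddress.IPv4Address
    range_end: ipaddress.IPv4Address
    deny_unknown_clients: bool = False
    static_mappings: Dict[str, StaticMapping] = field(default_factory=dict)
    dynamic_leases: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)

    def add_static_mapping(self, mac: str, ip: str,
                           hostname: str = "", description: str = "") -> None:
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.subnet:
            raise ValueError(f"{addr} is not inside {self.subnet}")
        # The GUI rejects static addresses inside the dynamic pool for the same reason:
        # the pool could otherwise hand the same address to a different client.
        if self.range_start <= addr <= self.range_end:
            raise ValueError(f"{addr} lies inside the dynamic range "
                             f"{self.range_start}-{self.range_end}")
        self.static_mappings[normalize_mac(mac)] = StaticMapping(addr, hostname, description)

    def offer(self, mac: str) -> Optional[ipaddress.IPv4Address]:
        """Which address (if any) a client with this MAC receives."""
        key = normalize_mac(mac)
        mapping = self.static_mappings.get(key)
        if mapping is not None:          # 1. static mapping wins
            return mapping.ip
        if self.deny_unknown_clients:    # 2. unknown clients get nothing
            return None
        if key in self.dynamic_leases:   # 3. existing dynamic lease is renewed
            return self.dynamic_leases[key]
        in_use = set(self.dynamic_leases.values())
        candidate = self.range_start     # 4. first free address in the pool
        while candidate <= self.range_end:
            if candidate not in in_use:
                self.dynamic_leases[key] = candidate
                return candidate
            candidate += 1
        return None                      # pool exhausted


def build_example_scope() -> DhcpScope:
    """Constructed LAN scope: 192.168.1.0/24 with a pool of .100-.199 and one mapping."""
    scope = DhcpScope(
        subnet=ipaddress.IPv4Network("192.168.1.0/24"),
        range_start=ipaddress.IPv4Address("192.168.1.100"),
        range_end=ipaddress.IPv4Address("192.168.1.199"),
    )
    scope.add_static_mapping("AA-BB-CC-DD-EE-01", "192.168.1.10", hostname="printer")
    return scope


if __name__ == "__main__":
    scope = build_example_scope()
    for client in ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"):
        print(client, "->", scope.offer(client))
    scope.deny_unknown_clients = True
    print("unknown client with deny enabled ->", scope.offer("aa:bb:cc:dd:ee:04"))
```

Run as-is, the mapped printer gets 192.168.1.10 regardless of how its MAC is written, the two unknown clients get .100 and .101 from the pool, and once “Deny Unknown Clients” is switched on a fourth, unmapped client gets no lease at all while the printer is still served.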


External Links:

Configuring DHCP Server and Dynamic DNS Services


© 2013 David Zientara. All rights reserved.