Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Snort3 basic setup #885

Merged
merged 23 commits into from
Dec 3, 2024
Merged

Snort3 basic setup #885

merged 23 commits into from
Dec 3, 2024

Conversation

gsanchietti
Copy link
Member

@gsanchietti gsanchietti commented Nov 4, 2024
edited
Loading

NethSecurity configuration for Snort3:

  • new rules download script
  • improved init

Features:

  • rules: Snort community and Snort subscriber
  • bypass: source and destination for IPv4 and IPv6
  • automatic configuration in NFQ mode
  • automatic configuration for HOME_NET variable including VPN networks
  • suppression rules by source and destination
  • log alert to syslog

Possible improvements:

  • add a description for IPS bypass rules
  • add a description for disabled rules
  • add an API to add/edit/delete the bypass rules
  • add an API to add/edit/delete the suppression rules

Documentation:

  • README for more info and how to use and configure
  • API README for more info on the API calls

Quick benchmarks on APU hardware in mbit/s:

  • no ips: ~ 750
  • ids (tap): ~ 410
  • ips (nfq): ~200
  • ips with 4000 rules: ~150

This PR replaces #870 with a rebase on latest commit on main branch.

References:

@gsanchietti gsanchietti force-pushed the snort3_giacomo branch 2 times, most recently from 21e0def to 3a52186 Compare November 4, 2024 15:42
@gsanchietti gsanchietti changed the base branch from snort3 to main November 4, 2024 15:43
@gsanchietti gsanchietti self-assigned this Nov 7, 2024
@gsanchietti gsanchietti marked this pull request as ready for review November 7, 2024 14:42
@gsanchietti gsanchietti mentioned this pull request Nov 7, 2024
Closed
@gsanchietti gsanchietti mentioned this pull request Nov 15, 2024
Merged
gsanchietti added a commit to NethServer/python3-nethsec that referenced this pull request Dec 2, 2024
@gsanchietti
Add snort parser library (#72)
3e6e958 
Imported from: https://github.com/jasonish/py-idstools/

Related PR: NethServer/nethsecurity#885
@gsanchietti gsanchietti force-pushed the snort3_giacomo branch 2 times, most recently from 33ee9b1 to 4bdce2f Compare December 3, 2024 16:24
filippocarletti and others added 15 commits December 3, 2024 17:27
@filippocarletti @gsanchietti
feat: add snort3
3675e04
@gsanchietti
feat(snort3): add ns-snort-rules
fbd9cbe
@gsanchietti
feat(snort3): Nethesis custom config
7533bfc 
Nethesis custom config is under /var/ns-snort.
The directory contains both temporary data and configuration.

- Make sure there is always at least one rule so snort can correctly
  start
- Setup all basic lua scripts
- Move configuration and download data to a custom directory
@gsanchietti
fix(snort3): add README
2fb5a56
@gsanchietti
fix(snort3): limit blocking ET rules
a076a66 
Exclude blocking rules without relevant metadata.
At time of writing, the number of blocked changes from 3075 to 2107.
@gsanchietti
fix(snort3): ns-snort-rules, add license header
0850c53
@gsanchietti
fix(snort3): init, remove default rule
942fa49 
The default rule is not required: snort can start without rules.
Also the default rule was marking all traffic as pass.
@gsanchietti
fix(snort3): improve README
2930ae0
@gsanchietti
feat(ns-api): add ns.snort
89e5732 
API to configure Snort 3
@gsanchietti
fix(snort3): document API usage
853980f
@gsanchietti
fix(snort3): document how to disable
7ee1936
@gsanchietti
feat(snort3): support source and destination bypass
c6fd4cc
@gsanchietti
fix(snort3): log start and stop to messages
b0617dc
@gsanchietti
fix(ns-api): improve snort setup
56b4b80 
Changes:
- always setup queue_count and thread_count
- add ns_policy option
- add ns_disabled_rules option

New options are directly used from ns-snort-rules
@gsanchietti
fix(snort3): ns-snort-rules, refactor
8272279 
Changes:
- remove ET rules: these rules do not work correctly on Snort 3
- read configuration from UCI
- add --download option to force rules download
@gsanchietti
feat(ns-api): snort, restart cron when needed
4c195dc
@gsanchietti
fix(snort3): download rules on startup
2a9426d 
When a machine is rebooted or updated using an image, Snort rules are
not present because stored in RAM.

During the service start, if rules are not present,
the init script now tries to load the rules multiple times.
Maximum wait time is 1 minute.

Snort will not fail the start: a nightly cron job
can update the rules and restart the service.
@gsanchietti
fix(snort): restart service after rules download
d959c6e 
The restart is required to load the new rules.
@gsanchietti
feat(snort3): add suppression rules
43ac1c7
@gsanchietti
fix(snort3): improve README
0894779
@gsanchietti
feat(snort3): add option to alert excluded rules
d2a1990 
Official rules with a policy are rarerly triggered.
Add the ns_alert_excluded option to alert all rules not
belonging to a policy: this will give the user some
insight about the network traffic without blocking
rules with low confidence.
@gsanchietti
feat(snort3): logs alerts to syslog
d79dbe4 
Make sure that all logs are stored to /var/log/messages to ease
debugging.
Also, such log can be sent remotely and stored safefly on the
controller.
@gsanchietti
fix(snort): improve readme
7f08002
@gsanchietti gsanchietti merged commit 623e529 into main Dec 3, 2024
1 check passed
@gsanchietti gsanchietti deleted the snort3_giacomo branch December 3, 2024 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@filippocarletti filippocarletti filippocarletti approved these changes

Assignees

@gsanchietti gsanchietti

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gsanchietti @filippocarletti