A question about host-os-policy and port-groups sections

Hello,
I have two questions:
1- Is the host-os-policy section mandatory and must be filled?

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

2- What is the port-groups?

port-groups:
  HTTP_PORTS: "80"
  SHELLCODE_PORTS: "!80"
  ORACLE_PORTS: 1521
  SSH_PORTS: 22

Are these the ports Suricata-IDS should watch out for?

Thank you.

  1. The defaults are fine for many, or if you do not know what they are for, stick to the defaults.

See: 12.1. Suricata.yaml — Suricata 7.0.2-dev documentation
and https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/032/original/target_based_frag.pdf for more background information.

  1. These are used by rules. A rule may look something like alert http any any -> any $HTTP_PORTS ... This is the basic starting point of tuning the rules to your environment. If you run HTTP servers on other ports, you should add them, likewise for other services.
1 Like

Hello,
Thank you so much for your reply.
1- I read it. If I like, I can enter the IP address of the operating system on which Suricata-IDS is installed in the appropriate place. For example, If Suricata-IDS is installed on a Linux host, then:

host-os-policy:
  linux: [My_Suricata-IDS_Host_IP]

Am I right?

2- Are things like HTTP_PORTS, SHELLCODE_PORTS and etc. the same as variable? I mean, I can rename HTTP_PORTS to APACHE_PORTS, then write the rule like this:

alert http any any -> any $APACHE_PORTS ...
  1. This is about hosts you are protecting. Not the host running Suricata. If you are monitoring Linux and Windows hosts, you could break them out here so different re-assembly policies are applied. AFAIK, most users do not change this from the defaults.

  2. You could change them, but rules from rule providers are going to depend on some of these variables to be set. If you change their names, you’re likely to break rules.

1 Like

Hello,
Thanks again.
1- So, If the host that Suricata-IDS is supposed to protect uses a Linux OS, then:

host-os-policy:
  linux: [My_Host_IP]

And if the host that Suricata-IDS is supposed to protect uses a Windows OS, then:

host-os-policy:
  windows: [My_Host_IP]

Am I right?

How to break them out? Can you show me an example?

2- Sure. I just wanted to know if they are like variable or not?