Hi, i am currently using suricata on FreeBSD 11.4 and trying to run suricata IPS mode but
in IPS mode suricata only uses FreeBSD’s IPFW which is i can’t use for performance concerns and action modes only drop and reject
I want to use IPS mode with alert action and FreeBSD’s Packet Filter (PF) both
for example:
İf an intrusion detected suricata will send src_ip, src_port, dst_ip dst_port to PF and i will decide pass or block is it possible .
i am beginner at suricata any help at this point would be appreciated…
This feature using pf is not available natively in Suricata. However, the FreeBSD netmap kernel device is enabled by default now in FreeBSD kernels, and Suricata does support IPS mode with netmap. So you can configure IPS mode using netmap in Suricata on FreeBSD.
What you want to do requires creating a custom output plugin in Suricata. That way you can intercept alerts and take action by making system calls to the pf (packet filter) firewall engine. But taking this route requires you to configure Suricata to run in PCAP mode. And in that mode, the initial burst of traffic will proceed on through the firewall while Suricata receives a copy of the initial packets via PCAP. Your custom plugin would be responsible for intercepting the Suricata alerts, pulling out the IP addresses, and then sending them to pf via a system ioctl() call. You would also need a pre-existing pf table to put the offending IP address into so they could be blocked. And you would also want to clear any existing firewall states created by that original initial traffic burst that made it through to the firewall while Suricata was analyzing the packet copies it received via PCAP.
There is already a Suricata package for the pfSense firewall distro that does pretty much what you want. It has the custom output plugin I describe (I wrote it), but in order to use that functionality, you would need to run the pfSense firewall system. It is free and open source, if you are interested.
A much better solution in my view is to implement true inline IPS mode using netmap with FreeBSD.