Suricata 7.0.8 drop.conf

Hi all!

I am fairly new to Suricata. I was using it on pfSense for a short while, but I've decided to challenge myself and build a firewall with AlmaLinux, nftables, unbound, kea-dhcp, openvpn, … and of course Suricata 7.0.8.

I must note that I first was using Suricata 7.0.7 provided by the system repository but changed this to the repository in the manual; the version upgraded without any problems. I mention this because there might be slight differences, but I'm not sure.

All goes well for now; the only question/problem that I am having is that I want to configure a drop.conf. I know for sure that single rules based on SID are working because I can see the drop in the fast.log.

However, I want to disable whole groups, but this does not seem to work.
My drop.conf list is as follows:

group:emerging-3coresec
group:emerging-ciarmy
group:emerging-compromised
group:emerging-current_events
group:emerging-drop
group:emerging-dshield
group:emerging-dns
group:emerging-botcc
group:emerging-malware
group:emerging-tor
group:emerging-trojan
group:emerging-scan
group:feodotracker
group:sslblacklist_tls_cert

# ET INFO Request to Hidden Environment File - Inbound
# 1:2031502

# ET WEB_SERVER WebShell Generic - wget http - POST
# 1:2016683

# ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2
# 1:2034125

# ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt
# 1:2011465

All the rules with “group:” as a prefix are not working or not “dropping/blocking”; the single ones with the SID are working, or at least that’s what I think when I look at the fast.log:

EDIT: while posting this I also noticed that rules with # in front are executed?

Example single SID from above:

Line 1217: 12/23/2024-01:26:09.845835 [wDrop] [] [1:2031502:3] ET INFO Request to Hidden Environment File - Inbound [] [Classification: Misc activity] [Priority: 3] {TCP} 69.16.200.181:65153 → 172.16.1.248:80

However, this one is part of the emerging-scan group and is dropped.

12/23/2024-20:22:42.071227 [wDrop] [] [1:2029054:3] ET SCAN Zmap User-Agent (Inbound) [] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 172.169.191.217:51478 → 172.16.1.248:443

This one is from the 3CORESec group and is not dropped?

12/23/2024-19:05:47.197592 [] [1:2525006:1153] ET 3CORESec Poor Reputation IP group 7 [] [Classification: Misc Attack] [Priority: 2] {TCP} 46.19.138.234:42745 → 172.16.1.248:80

I have already run suricata-update and restarted it a couple of times without any result. I do see that rules are being taken into account to be dropped.

Output of suricata-update:

23/12/2024 – 20:57:10 - – Loading /etc/suricata/update.yaml
23/12/2024 – 20:57:10 - – Using data-directory /var/lib/suricata.
23/12/2024 – 20:57:10 - – Using Suricata configuration /etc/suricata/suricata.yaml
23/12/2024 – 20:57:10 - – Using /usr/share/suricata/rules for Suricata provided rules.
23/12/2024 – 20:57:10 - – Found Suricata version 7.0.8 at /usr/sbin/suricata.
23/12/2024 – 20:57:10 - – Loading /etc/suricata/disable.conf.
23/12/2024 – 20:57:10 - – Loading /etc/suricata/drop.conf.
23/12/2024 – 20:57:10 - – Loading /etc/suricata/suricata.yaml
23/12/2024 – 20:57:10 - – Disabling rules for protocol pgsql
23/12/2024 – 20:57:10 - – Disabling rules for protocol modbus
23/12/2024 – 20:57:10 - – Disabling rules for protocol dnp3
23/12/2024 – 20:57:10 - – Disabling rules for protocol enip
23/12/2024 – 20:57:10 - – Fetching https://sslbl.abuse.ch/blacklist/ja3_fingerprints.tar.gz.
100% - 3508/3508
23/12/2024 – 20:57:10 - – Done.
23/12/2024 – 20:57:10 - – Fetching https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz.
100% - 1713078/1713078
23/12/2024 – 20:57:11 - – Done.
23/12/2024 – 20:57:11 - – Fetching https://github.com/travisbgreen/hunting-rules/raw/master/hunting.rules.tar.gz.
100% - 12007/12007
23/12/2024 – 20:57:11 - – Done.
23/12/2024 – 20:57:11 - – Fetching https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
100% - 9855/9855
23/12/2024 – 20:57:11 - – Done.
23/12/2024 – 20:57:11 - – Checking https://rules.emergingthreats.net/open/suricata-7.0.8/emerging.rules.tar.gz.md5.
23/12/2024 – 20:57:12 - – Remote checksum has not changed. Not fetching.
23/12/2024 – 20:57:12 - – Fetching https://sslbl.abuse.ch/blacklist/sslipblacklist.tar.gz.
100% - 1442/1442
23/12/2024 – 20:57:12 - – Done.
23/12/2024 – 20:57:12 - – Fetching https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz.
100% - 397155/397155
23/12/2024 – 20:57:12 - – Done.
23/12/2024 – 20:57:12 - – Fetching https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz.
100% - 305/305
23/12/2024 – 20:57:13 - – Done.
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/files.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/http-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
23/12/2024 – 20:57:13 - – Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
23/12/2024 – 20:57:13 - – Ignoring file 029f98278a177b2c54e8d37841dc5528/rules/emerging-deleted.rules
23/12/2024 – 20:57:20 - – Loaded 139946 rules.
23/12/2024 – 20:57:51 - – Disabled 378 rules.
23/12/2024 – 20:57:51 - – Enabled 0 rules.
23/12/2024 – 20:57:51 - – Modified 0 rules.
23/12/2024 – 20:57:51 - – Dropped 26983 rules.
23/12/2024 – 20:57:52 - – Enabled 136 rules for flowbit dependencies.
23/12/2024 – 20:57:52 - – Backing up current rules.
23/12/2024 – 20:58:01 - – Writing rules to /var/lib/suricata/rules/suricata.rules: total: 139946; enabled: 125631; added: 465; removed 291; modified: 0
23/12/2024 – 20:58:01 - – Writing /var/lib/suricata/rules/classification.config
23/12/2024 – 20:58:02 - – Testing with suricata -T.

I am a bit lost here searching for a solution; I hope someone could point me to my mistake.

Regards,
Steven

I think these are simply 3coresec and ciarmy.

You can verify that rules are being converted to drop with a grep like:

grep ^drop /var/lib/suricata/rules/suricata.rules
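To make the point of this reply concrete, here is an added example (not code from the thread and not suricata-update's own source) that reproduces the documented drop.conf matching: a `group:` entry is a shell-style pattern compared against the basename of the file the rule came from, with and without the `.rules` extension, a `gid:sid` entry matches one rule, and lines starting with `#` are comments. The rule bodies and the ciarmy SID are constructed placeholders; the other SIDs and file names are the ones quoted above. The rendered output is what suricata-update would write to suricata.rules, so counting lines that start with `drop` is the same check as the grep.

```python
"""Reproduce how suricata-update selects rules from drop.conf.

Added example for this thread; it is not code from the thread or from
suricata-update itself. It mirrors the documented matching semantics:

  - "group:<pattern>" is an fnmatch pattern compared against the basename
    of the rule file, with and without the ".rules" extension, so
    "emerging-3coresec" never matches "3coresec.rules".
  - "<gid>:<sid>" matches exactly one rule.
  - blank lines and lines starting with "#" are comments and are ignored.
"""
import fnmatch
import os
import re

# Constructed stand-in for the downloaded ruleset: (rule file name, rule).
# File names follow the layout from the thread: the 3CORESec and CIArmy
# files are not prefixed with "emerging-". The rule bodies are placeholders.
SAMPLE_RULES = [
    ("emerging-info.rules",
     'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Request to Hidden Environment File - Inbound"; sid:2031502; rev:3;)'),
    ("emerging-scan.rules",
     'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Zmap User-Agent (Inbound)"; sid:2029054; rev:3;)'),
    ("3coresec.rules",
     'alert ip any any -> $HOME_NET any (msg:"ET 3CORESec Poor Reputation IP group 7"; sid:2525006; rev:1153;)'),
    ("ciarmy.rules",  # placeholder SID, not a real ET rule
     'alert ip any any -> $HOME_NET any (msg:"constructed CIArmy placeholder"; sid:9000001; rev:1;)'),
]

RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s(?P<rest>.*sid:\s*(?P<sid>\d+)\s*;.*)$")


def parse_rule(text):
    """Return (action, sid, rest-of-rule) for a single-line rule."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    return m.group("action"), int(m.group("sid")), m.group("rest")


class GroupMatcher:
    def __init__(self, pattern):
        self.pattern = pattern

    def match(self, filename, sid):
        base = os.path.basename(filename)
        return (fnmatch.fnmatch(base, self.pattern)
                or fnmatch.fnmatch(os.path.splitext(base)[0], self.pattern))

    def __str__(self):
        return "group:" + self.pattern


class SidMatcher:
    def __init__(self, gid, sid):
        self.gid, self.sid = gid, sid

    def match(self, filename, sid):
        return self.gid == 1 and self.sid == sid  # all sample rules use gid 1

    def __str__(self):
        return "%d:%d" % (self.gid, self.sid)


def parse_drop_conf(text):
    """Turn drop.conf lines into matcher objects, skipping comments."""
    matchers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("group:"):
            matchers.append(GroupMatcher(line[len("group:"):]))
        elif re.fullmatch(r"\d+:\d+", line):
            gid, sid = line.split(":")
            matchers.append(SidMatcher(int(gid), int(sid)))
        else:
            raise ValueError("unsupported drop.conf line: %r" % raw)
    return matchers


def apply_drop_conf(drop_conf, rules=SAMPLE_RULES):
    """Return (rendered rules, dropped sids, drop.conf entries that matched nothing)."""
    matchers = parse_drop_conf(drop_conf)
    hits = {str(m): 0 for m in matchers}
    rendered, dropped = [], set()
    for filename, text in rules:
        action, sid, rest = parse_rule(text)
        for m in matchers:
            if m.match(filename, sid):
                hits[str(m)] += 1
                action = "drop"
                dropped.add(sid)
        rendered.append("%s %s" % (action, rest))
    unmatched = [k for k, v in hits.items() if v == 0]
    return rendered, dropped, unmatched


def count_drop_lines(rendered):
    """Equivalent of `grep -c ^drop /var/lib/suricata/rules/suricata.rules`."""
    return sum(1 for line in rendered if line.startswith("drop"))


# The two drop.conf variants from the thread, trimmed to the sample files.
ORIGINAL_DROP_CONF = """
group:emerging-3coresec
group:emerging-scan

# ET INFO Request to Hidden Environment File - Inbound
# 1:2031502
"""

FIXED_DROP_CONF = """
group:3coresec.rules
group:ciarmy.rules
group:emerging-scan.rules
1:2031502
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_DROP_CONF), ("fixed", FIXED_DROP_CONF)):
        rendered, dropped, unmatched = apply_drop_conf(conf)
        print("%s: %d drop lines, dropped sids %s, entries matching nothing: %s"
              % (name, count_drop_lines(rendered), sorted(dropped), unmatched))
```

Running it shows the original list converting only the emerging-scan rule, with `group:emerging-3coresec` matching nothing, which is exactly the fast.log picture above; the list without the `emerging-` prefix converts all of them. The unmatched list is the check worth keeping: suricata-update's "Dropped N rules" summary alone does not tell you which entries silently matched zero files.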

You are right, I have noticed this and adjusted it!
Thank you for your fast response!

My drop.conf file now looks like:

group:3coresec.rules
group:ciarmy.rules
group:compromised.rules
group:emerging-current_events.rules
group:drop.rules
group:dshield.rules
group:emerging-dns.rules
group:botcc.rules
group:emerging-malware.rules
group:tor.rules
group:emerging-scan.rules
group:feodotracker.rules
group:sslblacklist_tls_cert.rules
group:urlhaus_suricata.rules

However, I noticed wDrop in the fast.log, which suggests it would drop this rule, but it’s not doing anything, so I guess I am running in detection mode but I want IPS.

I was looking at AF_PACKET, but this requires 2 interfaces if I am correct, so I think I am going with the nfqueue configuration. Any suggestions on this one?

After a quick search, my only option here is to use nfqueue since I am running everything on one system with a WAN / LAN interface.

I would be able to use AF_PACKET only if I separated the configuration, meaning Suricata as a standalone system with 2 interfaces.

If you need to route/nat your packets then yes, NFQ is the way. AF_PACKET IPS is if you can do a bridge scenario where no routing or translation is required.

Personally I run Suricata on my Linux firewall (AlmaLinux as well) which does NAT. I just run it passively on my LAN network but I’m only a few iptables rules away from running it as an IPS… Guide: Getting Started on RHEL, CentOS and rebuild Linux Distributions
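As an added illustration of the NFQ setup this reply refers to (not part of the original thread, and written for nftables rather than the iptables mentioned above): a minimal nftables table that hands forwarded packets to queue 0, which Suricata started with `-q 0` then inspects. The table and chain names and the file path are arbitrary choices here.

```nft
# /etc/nftables.d/suricata.nft (path is an assumption; load with: nft -f <file>)
table inet suricata {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Hand every forwarded packet to NFQUEUE 0. The forward hook runs
        # after prerouting DNAT, so Suricata sees the translated LAN address
        # (as in the 172.16.1.248 alerts above), not the WAN one.
        # "bypass" makes the rule fail-open: if nothing is bound to the queue,
        # packets are accepted instead of dropped. Remove it for fail-closed
        # behaviour once Suricata is running reliably as a service.
        counter queue flags bypass to 0
    }
}
```

Load it with `nft -f /etc/nftables.d/suricata.nft` and start Suricata with `suricata -c /etc/suricata/suricata.yaml -q 0`. Traffic addressed to the firewall itself (OpenVPN, unbound) passes the input/output hooks rather than forward, so it needs the same `queue` rule in chains on those hooks if it should be inspected too. Two checks confirm packets are actually taking the queued path: the `counter` in `nft list ruleset` increments, and fast.log switches from `[wDrop]` (would drop, IDS mode) to `[Drop]` for matching drop rules.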

Will have a look into that, thank you!
I am running it now and it seems to work but I will verify for sure later.

I do understand the difference now :sweat_smile: