From 30f411694c8100086ff836a6d13140acdc68d9dd Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 19 Nov 2021 17:44:52 +0000
Subject: [PATCH] suricata: Include all default rules

These rules do not drop anything, but only alert when internal parts of the engine trigger an event. This will allow us more insight on what is happening.

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/suricata | 22 ++++++++++++++++++++++
 config/suricata/suricata.yaml | 24 ++++++++++++++++++++++--
 lfs/suricata | 3 ---
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 32358483a..21dbeae64 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -19,6 +19,28 @@ usr/bin/suricata
 #usr/share/man/man1/suricatactl-filestore.1
 #usr/share/man/man1/suricatactl.1
 #usr/share/man/man1/suricatasc.1
+usr/share/suricata/
+#usr/share/suricata/classification.config
+#usr/share/suricata/reference.config
+#usr/share/suricata/rules
+#usr/share/suricata/rules/app-layer-events.rules
+#usr/share/suricata/rules/decoder-events.rules
+#usr/share/suricata/rules/dhcp-events.rules
+#usr/share/suricata/rules/dnp3-events.rules
+#usr/share/suricata/rules/dns-events.rules
+#usr/share/suricata/rules/files.rules
+#usr/share/suricata/rules/http2-events.rules
+#usr/share/suricata/rules/http-events.rules
+#usr/share/suricata/rules/ipsec-events.rules
+#usr/share/suricata/rules/kerberos-events.rules
+#usr/share/suricata/rules/modbus-events.rules
+#usr/share/suricata/rules/mqtt-events.rules
+#usr/share/suricata/rules/nfs-events.rules
+#usr/share/suricata/rules/ntp-events.rules
+#usr/share/suricata/rules/smb-events.rules
+#usr/share/suricata/rules/smtp-events.rules
+#usr/share/suricata/rules/stream-events.rules
+#usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
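Review bot: Every entry added below `usr/share/suricata/` carries a leading `#`, which in this rootfile appears to mean "built but not shipped" (the `usr/share/man/man1/suricata*` lines just above are excluded the same way), so the nineteen `*.rules` files that the new suricata.yaml in this same patch lists by absolute path would be missing on an installed system. If that reading is right, `usr/share/suricata/rules` and the eighteen `usr/share/suricata/rules/*.rules` entries need to lose the `#`, while `classification.config` and `reference.config` can stay excluded because suricata.yaml points at the `/var/lib/suricata` copies. The new directory entry is also written as `usr/share/suricata/` with a trailing slash, unlike `var/lib/suricata` and every other directory line in view; `usr/share/suricata` matches the file's convention. The packaging script that consumes this list is not part of the diff, so please confirm the `#` semantics there before merging.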
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 6f37671c8..0ad36e705 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,8 +46,28 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
- # Include enabled ruleset files from external file.
- include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+ # Default rules
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http2-events.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/mqtt-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
+
+ # Include enabled ruleset files from external file
+ - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
diff --git a/lfs/suricata b/lfs/suricata
index 700556dd2..d06fef776 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Install IPFire related config file.
 install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
- # Remove shipped rules.
- rm -rvf /usr/share/suricata
-
 # Create emtpy rules directory.
 -mkdir -p /var/lib/suricata
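Review bot: The new `# Default rules` comment does not tell a reader of suricata.yaml what these eighteen files are or that they are alert-only, which is the point the commit message makes; suggest `# Engine/protocol-anomaly event rules shipped with Suricata. They only alert, never drop.` in its place. `stream-events.rules` and `decoder-events.rules` in particular tend to fire on asymmetric routing, retransmissions and malformed packets rather than on attacks, so one more sentence in that comment warning that these can dominate the IDS log on busy links will save the next person from chasing them as intrusions. Every file is listed by an absolute path outside `default-rule-path: /var/lib/suricata`, so an absent file is reported by Suricata at start-up (as far as I recall it is fatal only with `--init-errors-fatal`), which is worth a look on a freshly installed system. The include also changes shape, from a `rule-files` mapping key (`include:`) to the list item `- !include:`; I believe the Suricata loader honours the `!include` tag inside a sequence, but a `suricata -T -c /etc/suricata/suricata.yaml` against the shipped version is the cheap way to confirm it before this lands.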