suricata: Track whitelisted traffic and add it to the IPS graph

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2024-09-13 10:12:30 +02:00
parent 4721fac3c8
commit 5da15c5d3b
14 changed files with 46 additions and 5 deletions
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -1219,9 +1219,17 @@ sub updateipsthroughputgraph {
 		"VDEF:scanned_bytes_min=scanned_bytes,MINIMUM",
 		"VDEF:scanned_bytes_max=scanned_bytes,MAXIMUM",

+		# Read whitelisted packets
+		"DEF:whitelisted_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-WHITELISTED.rrd:value:AVERAGE",
+		#"DEF:whitelisted_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-WHITELISTED.rrd:value:AVERAGE",
+
+		"VDEF:whitelisted_bytes_avg=whitelisted_bytes,AVERAGE",
+		"VDEF:whitelisted_bytes_min=whitelisted_bytes,MINIMUM",
+		"VDEF:whitelisted_bytes_max=whitelisted_bytes,MAXIMUM",
+
 		# Total
-		"CDEF:total_bytes=bypassed_bytes,scanned_bytes,+",
-		#"CDEF:total_packets=bypassed_packets,scanned_packets,+",
+		"CDEF:total_bytes=bypassed_bytes,scanned_bytes,ADDNAN,whitelisted_bytes,ADDNAN",
+		#"CDEF:total_packets=bypassed_packets,scanned_packets,ADDNAN,whitelisted_packets,ADDNAN",

 		"VDEF:total_bytes_avg=total_bytes,AVERAGE",
 		"VDEF:total_bytes_min=total_bytes,MINIMUM",
@@ -1236,8 +1244,14 @@ sub updateipsthroughputgraph {
 		"COMMENT:" . sprintf("%16s", $Lang::tr{'minimum'}),
 		"COMMENT:" . sprintf("%16s", $Lang::tr{'maximum'}) . "\\j",

+		# Whitelisted Packets
+		"AREA:whitelisted_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'whitelisted'}),
+		"GPRINT:whitelisted_bytes_avg:%9.2lf %sbps",
+		"GPRINT:whitelisted_bytes_min:%9.2lf %sbps",
+		"GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j",
+
 		# Bypassed Packets
-		"AREA:bypassed_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
+		"STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
 		"GPRINT:bypassed_bytes_avg:%9.2lf %sbps",
 		"GPRINT:bypassed_bytes_min:%9.2lf %sbps",
 		"GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j",
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -56,6 +56,7 @@ include "/etc/collectd.precache"
 	# IPS
 	Chain mangle IPS BYPASSED
 	Chain mangle IPS SCANNED
+	Chain mangle IPS WHITELISTED
 </Plugin>

 #<Plugin logfile>
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -2161,6 +2161,7 @@ WARNING: untranslated string: webradio playlist = Webradio Playlist
 WARNING: untranslated string: website = Website
 WARNING: untranslated string: wednesday = Wednesday
 WARNING: untranslated string: weeks = Weeks
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1061,6 +1061,7 @@ WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -999,6 +999,7 @@ WARNING: untranslated string: system time = System Time (as of last page load)
 WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1347,6 +1347,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1370,6 +1370,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1611,6 +1611,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1604,6 +1604,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1231,6 +1231,7 @@ WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -164,6 +164,7 @@
 < transport mode does not support vti
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap
 < wlanap psk
@@ -200,6 +201,7 @@
 < upload fcdsl.o
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap psk
 < wlanap wireless mode
@@ -690,6 +692,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -1258,6 +1261,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -2241,6 +2245,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3261,6 +3266,7 @@
 < week-graph
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3658,6 +3664,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2942,6 +2942,7 @@
 'week-graph' => 'Woche',
 'weekly firewallhits' => 'wöchentliche Firewalltreffer',
 'weeks' => 'Wochen',
+'whitelisted' => 'Ausgenommen',
 'whois results from' => 'WHOIS-Ergebnisse von',
 'wildcards' => 'Wildcards',
 'wins server' => 'WINS-Server',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3027,6 +3027,7 @@
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
 'wg' => 'WireGuard',
+'whitelisted' => 'Whitelisted',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -40,6 +40,10 @@ IPS_BYPASS_MASK="0x20000000"
 IPS_SCAN_MARK="0x10000000"
 IPS_SCAN_MASK="0x10000000"

+# Set if a packet has been whitelisted
+IPS_WHITELISTED_MARK="0x08000000"
+IPS_WHITELISTED_MASK="0x08000000"
+
 # Supported network zones
 NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )

@@ -122,9 +126,14 @@ generate_fw_rules() {
 			# Skip disabled entries
 			[ "${enabled}" = "enabled" ] || continue

-			iptables -w -t mangle -A IPS -s "${network}" -j RETURN
-			iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+			iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
+			iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
 		done < "/var/ipfire/suricata/ignored"
+
+		# Count and skip the whitelisted packets
+		iptables -w -t mangle -A IPS \
+			-m comment --comment "WHITELISTED" \
+			-m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN
 	fi

 	# Send packets to suricata