├── .gitignore ├── README.md ├── conf ├── .gitignore └── default │ ├── suriGUI.rules │ ├── suriGUI.yaml │ ├── suricata.rules │ └── suricata.yaml ├── qubes-salt ├── config │ ├── sys-ips-config.sls │ ├── sys-ips-template-config.sls │ ├── sys-ips-template.sls │ └── sys-ips.sls └── sys-ips.top ├── res ├── history │ └── sys-ips.jpg ├── icons │ ├── active.png │ ├── alert.png │ ├── inactive.png │ └── menu │ │ ├── exit.png │ │ ├── settings.png │ │ ├── start.png │ │ ├── stop.png │ │ └── update.png ├── preview │ ├── settings-1.png │ ├── settings-2.png │ ├── settings-3.png │ ├── settings-4.png │ └── status.png └── suriGUI.png └── suriGUI /.gitignore: -------------------------------------------------------------------------------- 1 | test 2 | /.idea/ 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![](https://github.com/control-owl/suriGUI/blob/main/res/suriGUI.png) 2 | 3 | ### Still in development 4 | 5 | This is still a Beta. 
6 | 7 | ------------- 8 | 9 | ### Intro 10 | 11 | - The basic concept is to create a GUI interface for Suricata IPS 12 | - Made for Qubes 4.1 13 | - Show desktop notifications on every suspicious packet 14 | - TODO: option to edit Suricata rules via the GUI 15 | 16 | ------------- 17 | 18 | ### QUBES draw.io 19 | 20 | 21 | 22 | ------------- 23 | 24 | 25 | #### System tray statuses: Active and Inactive icons 26 | ![](https://github.com/control-owl/suriGUI/blob/main/res/preview/status.png) 27 | 28 | ------------- 29 | 30 | #### Settings 31 | 35 | 36 | ------------- 37 | 38 | ### Installation for Qubes 4.1 39 | 40 | ##### sys-firewall qube 41 | ```sh 42 | git clone https://github.com/control-owl/suriGUI/ 43 | ``` 44 | ##### dom0 45 | ```sh 46 | sudo mkdir /srv/salt/config 47 | 48 | sudo qvm-run --pass-io sys-firewall 'cat /home/user/suriGUI/qubes-salt/sys-ips.top' | sudo tee /srv/salt/sys-ips.top 49 | sudo qvm-run --pass-io sys-firewall 'cat /home/user/suriGUI/qubes-salt/config/sys-ips.sls' | sudo tee /srv/salt/config/sys-ips.sls 50 | sudo qvm-run --pass-io sys-firewall 'cat /home/user/suriGUI/qubes-salt/config/sys-ips-template.sls' | sudo tee /srv/salt/config/sys-ips-template.sls 51 | sudo qvm-run --pass-io sys-firewall 'cat /home/user/suriGUI/qubes-salt/config/sys-ips-template-config.sls' | sudo tee /srv/salt/config/sys-ips-template-config.sls 52 | sudo qvm-run --pass-io sys-firewall 'cat /home/user/suriGUI/qubes-salt/config/sys-ips-config.sls' | sudo tee /srv/salt/config/sys-ips-config.sls 53 | 54 | sudo qubesctl top.enable sys-ips 55 | sudo qubesctl --show-output --all state.highstate 56 | ``` 57 | Review the copied `.top` and `.sls` files in dom0 before running `qubesctl`: they come from sys-firewall and are applied as root in dom0. 58 | ------------- 59 | 60 | ### Process for Qubes 4 explained 61 | 62 | 1. dom0: Install debian-11-minimal 63 | 2. dom0: Clone debian-11-minimal as sys-ips-template 64 | 3. sys-ips-template: Install required apps 65 | 4. sys-ips-template: Install suriGUI in /usr/share/suriGUI 66 | 5. sys-ips-template: create autostart script for suriGUI 67 | 6. 
dom0: Create qube sys-ips based on sys-ips-template 68 | 7. sys-ips: bind-dir /usr/share/suriGUI 69 | 8. sys-ips: start suriGUI 70 | 9. (dom0: Make sys-ips the network provider) 71 | 72 | ------------- 73 | 74 | The project is free. 75 | 76 | Donations are welcome. 77 | 78 | Motivation even more. 79 | 80 | BTC 1JDYtxVvisQxFX1KrZ8yhYYQiqnfS4sFaa 81 | -------------------------------------------------------------------------------- /conf/.gitignore: -------------------------------------------------------------------------------- 1 | /suricata/* 2 | /suriGUI.rules 3 | /suriGUI.yaml 4 | /ignore.list 5 | -------------------------------------------------------------------------------- /conf/default/suriGUI.rules: -------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | 4 | # suriGUI custom rules 5 | # still not implemented 6 | # 2022-08-03 7 | 8 | # SID: 9 | # status: active|inactive 10 | # whitelist: "!x.x.x.x[,!x.x.x.x]" 11 | # notify: TRUE|FALSE 12 | -------------------------------------------------------------------------------- /conf/default/suriGUI.yaml: -------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | 4 | # suriGUI default config file 5 | # still not implemented 6 | # 2022-08-06 7 | 8 | global: 9 | home: "/opt/suriGUI" 10 | notifications: 11 | enable: TRUE 12 | duration: 30 13 | position: "Center" 14 | update: 15 | enable: FALSE 16 | interval: 7 17 | log: 18 | enable: TRUE 19 | verbosity: normal 20 | erroronly: FALSE 21 | file: TRUE 22 | 23 | suricata: 24 | mode: ips 25 | action: rejectboth 26 | config: "/opt/suriGUI/conf/suricata/suricata.yaml" 27 | rules: "/opt/suriGUI/conf/suricata/suricata.rules" 28 | update: 29 | enable: TRUE 30 | interval: 7 31 | log: 32 | enable: TRUE 33 | location: "/opt/suriGUI/log" 34 | keep: TRUE 35 | interval: 30 36 | 37 | -------------------------------------------------------------------------------- /conf/default/suricata.yaml: 
-------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | # 2022-08-04 4 | # Suricata configuration file. In addition to the comments describing all 5 | # options in this file, full documentation can be found at: 6 | # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html 7 | 8 | ## 9 | ## Step 1: Inform Suricata about your network 10 | ## 11 | 12 | vars: 13 | # more specific is better for alert accuracy and performance 14 | address-groups: 15 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" 16 | #HOME_NET: "[192.168.0.0/16]" 17 | #HOME_NET: "[10.0.0.0/8]" 18 | #HOME_NET: "[172.16.0.0/12]" 19 | #HOME_NET: "any" 20 | 21 | EXTERNAL_NET: "!$HOME_NET" 22 | #EXTERNAL_NET: "any" 23 | 24 | HTTP_SERVERS: "$HOME_NET" 25 | SMTP_SERVERS: "$HOME_NET" 26 | SQL_SERVERS: "$HOME_NET" 27 | DNS_SERVERS: "$HOME_NET" 28 | TELNET_SERVERS: "$HOME_NET" 29 | AIM_SERVERS: "$EXTERNAL_NET" 30 | DC_SERVERS: "$HOME_NET" 31 | DNP3_SERVER: "$HOME_NET" 32 | DNP3_CLIENT: "$HOME_NET" 33 | MODBUS_CLIENT: "$HOME_NET" 34 | MODBUS_SERVER: "$HOME_NET" 35 | ENIP_CLIENT: "$HOME_NET" 36 | ENIP_SERVER: "$HOME_NET" 37 | 38 | port-groups: 39 | HTTP_PORTS: "80" 40 | SHELLCODE_PORTS: "!80" 41 | ORACLE_PORTS: 1521 42 | SSH_PORTS: 22 43 | DNP3_PORTS: 20000 44 | MODBUS_PORTS: 502 45 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" 46 | FTP_PORTS: 21 47 | GENEVE_PORTS: 6081 48 | VXLAN_PORTS: 4789 49 | TEREDO_PORTS: 3544 50 | 51 | ## 52 | ## Step 2: Select outputs to enable 53 | ## 54 | 55 | # The default logging directory. Any log or output file will be 56 | # placed here if it's not specified with a full path name. This can be 57 | # overridden with the -l command line parameter. 58 | # default-log-dir: /var/log/suricata/ 59 | 60 | # Global stats configuration 61 | stats: 62 | enabled: yes 63 | # The interval field (in seconds) controls the interval at 64 | # which stats are updated in the log. 
65 | interval: 8 66 | # Add decode events to stats. 67 | #decoder-events: true 68 | # Decoder event prefix in stats. Has been 'decoder' before, but that leads 69 | # to missing events in the eve.stats records. See issue #2225. 70 | #decoder-events-prefix: "decoder.event" 71 | # Add stream events as stats. 72 | #stream-events: false 73 | 74 | # Configure the type of alert (and other) logging you would like. 75 | outputs: 76 | # a line based alerts log similar to Snort's fast.log 77 | - fast: 78 | enabled: yes 79 | filename: fast.log 80 | append: yes 81 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 82 | 83 | # Extensible Event Format (nicknamed EVE) event log in JSON format 84 | - eve-log: 85 | enabled: yes 86 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis 87 | filename: eve.json 88 | # Enable for multi-threaded eve.json output; output files are amended with 89 | # with an identifier, e.g., eve.9.json 90 | #threaded: false 91 | #prefix: "@cee: " # prefix to prepend to each log entry 92 | # the following are valid when type: syslog above 93 | #identity: "suricata" 94 | #facility: local5 95 | #level: Info ## possible levels: Emergency, Alert, Critical, 96 | ## Error, Warning, Notice, Info, Debug 97 | #ethernet: no # log ethernet header in events when available 98 | #redis: 99 | # server: 127.0.0.1 100 | # port: 6379 101 | # async: true ## if redis replies are read asynchronously 102 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish 103 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush 104 | # ## publish is using a Redis channel. "channel" is an alias for publish 105 | # key: suricata ## key or channel to use (default to suricata) 106 | # Redis pipelining set up. This will enable to only do a query every 107 | # 'batch-size' events. This should lower the latency induced by network 108 | # connection at the cost of some memory. 
There is no flushing implemented 109 | # so this setting should be reserved to high traffic Suricata deployments. 110 | # pipelining: 111 | # enabled: yes ## set enable to yes to enable query pipelining 112 | # batch-size: 10 ## number of entries to keep in buffer 113 | 114 | # Include top level metadata. Default yes. 115 | #metadata: no 116 | 117 | # include the name of the input pcap file in pcap file processing mode 118 | pcap-file: false 119 | 120 | # Community Flow ID 121 | # Adds a 'community_id' field to EVE records. These are meant to give 122 | # records a predictable flow ID that can be used to match records to 123 | # output of other tools such as Zeek (Bro). 124 | # 125 | # Takes a 'seed' that needs to be same across sensors and tools 126 | # to make the id less predictable. 127 | 128 | # enable/disable the community id feature. 129 | community-id: false 130 | # Seed value for the ID output. Valid values are 0-65535. 131 | community-id-seed: 0 132 | 133 | # HTTP X-Forwarded-For support by adding an extra field or overwriting 134 | # the source or destination IP address (depending on flow direction) 135 | # with the one reported in the X-Forwarded-For HTTP header. This is 136 | # helpful when reviewing alerts for traffic that is being reverse 137 | # or forward proxied. 138 | xff: 139 | enabled: no 140 | # Two operation modes are available: "extra-data" and "overwrite". 141 | mode: extra-data 142 | # Two proxy deployments are supported: "reverse" and "forward". In 143 | # a "reverse" deployment the IP address used is the last one, in a 144 | # "forward" deployment the first IP address is used. 145 | deployment: reverse 146 | # Header name where the actual IP address will be reported. If more 147 | # than one IP address is present, the last IP address will be the 148 | # one taken into consideration. 
149 | header: X-Forwarded-For 150 | 151 | types: 152 | - alert: 153 | # payload: yes # enable dumping payload in Base64 154 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log 155 | # payload-printable: yes # enable dumping payload in printable (lossy) format 156 | # packet: yes # enable dumping of packet (without stream segments) 157 | # metadata: no # enable inclusion of app layer metadata with alert. Default yes 158 | # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 159 | # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format 160 | 161 | # Enable the logging of tagged packets for rules using the 162 | # "tag" keyword. 163 | tagged-packets: yes 164 | - anomaly: 165 | # Anomaly log records describe unexpected conditions such 166 | # as truncated packets, packets with invalid IP/UDP/TCP 167 | # length values, and other events that render the packet 168 | # invalid for further processing or describe unexpected 169 | # behavior on an established stream. Networks which 170 | # experience high occurrences of anomalies may experience 171 | # packet processing degradation. 172 | # 173 | # Anomalies are reported for the following: 174 | # 1. Decode: Values and conditions that are detected while 175 | # decoding individual packets. This includes invalid or 176 | # unexpected values for low-level protocol lengths as well 177 | # as stream related events (TCP 3-way handshake issues, 178 | # unexpected sequence number, etc). 179 | # 2. Stream: This includes stream related events (TCP 180 | # 3-way handshake issues, unexpected sequence number, 181 | # etc). 182 | # 3. Application layer: These denote application layer 183 | # specific conditions that are unexpected, invalid or are 184 | # unexpected given the application monitoring state. 185 | # 186 | # By default, anomaly logging is enabled. When anomaly 187 | # logging is enabled, applayer anomaly reporting is 188 | # also enabled. 
189 | enabled: yes 190 | # 191 | # Choose one or more types of anomaly logging and whether to enable 192 | # logging of the packet header for packet anomalies. 193 | types: 194 | # decode: no 195 | # stream: no 196 | # applayer: yes 197 | #packethdr: no 198 | - http: 199 | extended: yes # enable this for extended logging information 200 | # custom allows additional HTTP fields to be included in eve-log. 201 | # the example below adds three additional fields when uncommented 202 | #custom: [Accept-Encoding, Accept-Language, Authorization] 203 | # set this value to one and only one from {both, request, response} 204 | # to dump all HTTP headers for every HTTP request and/or response 205 | # dump-all-headers: none 206 | - dns: 207 | # This configuration uses the new DNS logging format, 208 | # the old configuration is still available: 209 | # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format 210 | 211 | # As of Suricata 5.0, version 2 of the eve dns output 212 | # format is the default. 213 | #version: 2 214 | 215 | # Enable/disable this logger. Default: enabled. 216 | #enabled: yes 217 | 218 | # Control logging of requests and responses: 219 | # - requests: enable logging of DNS queries 220 | # - responses: enable logging of DNS answers 221 | # By default both requests and responses are logged. 222 | #requests: no 223 | #responses: no 224 | 225 | # Format of answer logging: 226 | # - detailed: array item per answer 227 | # - grouped: answers aggregated by type 228 | # Default: all 229 | #formats: [detailed, grouped] 230 | 231 | # DNS record types to log, based on the query type. 232 | # Default: all. 
233 | #types: [a, aaaa, cname, mx, ns, ptr, txt] 234 | - tls: 235 | extended: yes # enable this for extended logging information 236 | # output TLS transaction where the session is resumed using a 237 | # session id 238 | #session-resumption: no 239 | # custom controls which TLS fields that are included in eve-log 240 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] 241 | - files: 242 | force-magic: no # force logging magic on all logged files 243 | # force logging of checksums, available hash functions are md5, 244 | # sha1 and sha256 245 | #force-hash: [md5] 246 | #- drop: 247 | # alerts: yes # log alerts that caused drops 248 | # flows: all # start or all: 'start' logs only a single drop 249 | # # per flow direction. All logs each dropped pkt. 250 | - smtp: 251 | #extended: yes # enable this for extended logging information 252 | # this includes: bcc, message-id, subject, x_mailer, user-agent 253 | # custom fields logging from the list: 254 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, 255 | # x-originating-ip, in-reply-to, references, importance, priority, 256 | # sensitivity, organization, content-md5, date 257 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] 258 | # output md5 of fields: body, subject 259 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 260 | # to yes 261 | #md5: [body, subject] 262 | 263 | #- dnp3 264 | - ftp 265 | - rdp 266 | - nfs 267 | - smb 268 | - tftp 269 | - ikev2 270 | - dcerpc 271 | - krb5 272 | - snmp 273 | - rfb 274 | - sip 275 | - dhcp: 276 | enabled: yes 277 | # When extended mode is on, all DHCP messages are logged 278 | # with full detail. When extended mode is off (the 279 | # default), just enough information to map a MAC address 280 | # to an IP address is logged. 
281 | extended: no 282 | - ssh 283 | - mqtt: 284 | # passwords: yes # enable output of passwords 285 | # HTTP2 logging. HTTP2 support is currently experimental and 286 | # disabled by default. To enable, uncomment the following line 287 | # and be sure to enable http2 in the app-layer section. 288 | #- http2 289 | - stats: 290 | totals: yes # stats for all threads merged together 291 | threads: no # per thread stats 292 | deltas: no # include delta values 293 | # bi-directional flows 294 | - flow 295 | # uni-directional flows 296 | #- netflow 297 | 298 | # Metadata event type. Triggered whenever a pktvar is saved 299 | # and will include the pktvars, flowvars, flowbits and 300 | # flowints. 301 | #- metadata 302 | 303 | # a line based log of HTTP requests (no alerts) 304 | - http-log: 305 | enabled: no 306 | filename: http.log 307 | append: yes 308 | #extended: yes # enable this for extended logging information 309 | #custom: yes # enable the custom logging format (defined by customformat) 310 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" 311 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 312 | 313 | # a line based log of TLS handshake parameters (no alerts) 314 | - tls-log: 315 | enabled: no # Log TLS connections. 316 | filename: tls.log # File to store TLS logs. 317 | append: yes 318 | #extended: yes # Log extended information like fingerprint 319 | #custom: yes # enabled the custom logging format (defined by customformat) 320 | #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" 321 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 322 | # output TLS transaction where the session is resumed using a 323 | # session id 324 | #session-resumption: no 325 | 326 | # output module to store certificates chain to disk 327 | - tls-store: 328 | enabled: no 329 | #certs-log-dir: certs # directory to store the certificates files 330 | 331 | # Packet log... log packets in pcap format. 
3 modes of operation: "normal" 332 | # "multi" and "sguil". 333 | # 334 | # In normal mode a pcap file "filename" is created in the default-log-dir, 335 | # or as specified by "dir". 336 | # In multi mode, a file is created per thread. This will perform much 337 | # better, but will create multiple files where 'normal' would create one. 338 | # In multi mode the filename takes a few special variables: 339 | # - %n -- thread number 340 | # - %i -- thread id 341 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format' 342 | # E.g. filename: pcap.%n.%t 343 | # 344 | # Note that it's possible to use directories, but the directories are not 345 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the 346 | # per thread directory. 347 | # 348 | # Also note that the limit and max-files settings are enforced per thread. 349 | # So the size limit when using 8 threads with 1000mb files and 2000 files 350 | # is: 8*1000*2000 ~ 16TiB. 351 | # 352 | # In Sguil mode "dir" indicates the base directory. In this base dir the 353 | # pcaps are created in the directory structure Sguil expects: 354 | # 355 | # $sguil-base-dir/YYYY-MM-DD/$filename. 356 | # 357 | # By default all packets are logged except: 358 | # - TCP streams beyond stream.reassembly.depth 359 | # - encrypted streams after the key exchange 360 | # 361 | - pcap-log: 362 | enabled: no 363 | filename: log.pcap 364 | 365 | # File size limit. Can be specified in kb, mb, gb. Just a number 366 | # is parsed as bytes. 367 | limit: 1000mb 368 | 369 | # If set to a value, ring buffer mode is enabled. Will keep maximum of 370 | # "max-files" of size "limit" 371 | max-files: 2000 372 | 373 | # Compression algorithm for pcap files. Possible values: none, lz4. 374 | # Enabling compression is incompatible with the sguil mode. Note also 375 | # that on Windows, enabling compression will *increase* disk I/O. 376 | compression: none 377 | 378 | # Further options for lz4 compression. 
The compression level can be set 379 | # to a value between 0 and 16, where higher values result in higher 380 | # compression. 381 | #lz4-checksum: no 382 | #lz4-level: 0 383 | 384 | mode: normal # normal, multi or sguil. 385 | 386 | # Directory to place pcap files. If not provided the default log 387 | # directory will be used. Required for "sguil" mode. 388 | #dir: /nsm_data/ 389 | 390 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec 391 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets 392 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. 393 | 394 | # a full alert log containing much information for signature writers 395 | # or for investigating suspected false positives. 396 | - alert-debug: 397 | enabled: no 398 | filename: alert-debug.log 399 | append: yes 400 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 401 | 402 | # alert output to prelude (https://www.prelude-siem.org/) only 403 | # available if Suricata has been compiled with --enable-prelude 404 | - alert-prelude: 405 | enabled: no 406 | profile: suricata 407 | log-packet-content: no 408 | log-packet-header: yes 409 | 410 | # Stats.log contains data from various counters of the Suricata engine. 411 | - stats: 412 | enabled: yes 413 | filename: stats.log 414 | append: yes # append to file (yes) or overwrite it (no) 415 | totals: yes # stats for all threads merged together 416 | threads: no # per thread stats 417 | #null-values: yes # print counters that have value 0. Default: no 418 | 419 | # a line based alerts log similar to fast.log into syslog 420 | - syslog: 421 | enabled: no 422 | # reported identity to syslog. If omitted the program name (usually 423 | # suricata) will be used. 
424 | #identity: "suricata" 425 | facility: local5 426 | #level: Info ## possible levels: Emergency, Alert, Critical, 427 | ## Error, Warning, Notice, Info, Debug 428 | 429 | # Output module for storing files on disk. Files are stored in 430 | # directory names consisting of the first 2 characters of the 431 | # SHA256 of the file. Each file is given its SHA256 as a filename. 432 | # 433 | # When a duplicate file is found, the timestamps on the existing file 434 | # are updated. 435 | # 436 | # Unlike the older filestore, metadata is not written by default 437 | # as each file should already have a "fileinfo" record in the 438 | # eve-log. If write-fileinfo is set to yes, then each file will have 439 | # one more associated .json files that consist of the fileinfo 440 | # record. A fileinfo file will be written for each occurrence of the 441 | # file seen using a filename suffix to ensure uniqueness. 442 | # 443 | # To prune the filestore directory see the "suricatactl filestore 444 | # prune" command which can delete files over a certain age. 445 | - file-store: 446 | version: 2 447 | enabled: no 448 | 449 | # Set the directory for the filestore. Relative pathnames 450 | # are contained within the "default-log-dir". 451 | #dir: filestore 452 | 453 | # Write out a fileinfo record for each occurrence of a file. 454 | # Disabled by default as each occurrence is already logged 455 | # as a fileinfo record to the main eve-log. 456 | #write-fileinfo: yes 457 | 458 | # Force storing of all files. Default: no. 459 | #force-filestore: yes 460 | 461 | # Override the global stream-depth for sessions in which we want 462 | # to perform file extraction. Set to 0 for unlimited; otherwise, 463 | # must be greater than the global stream-depth value to be used. 464 | #stream-depth: 0 465 | 466 | # Uncomment the following variable to define how many files can 467 | # remain open for filestore by Suricata. 
Default value is 0 which 468 | # means files get closed after each write to the file. 469 | #max-open-files: 1000 470 | 471 | # Force logging of checksums: available hash functions are md5, 472 | # sha1 and sha256. Note that SHA256 is automatically forced by 473 | # the use of this output module as it uses the SHA256 as the 474 | # file naming scheme. 475 | #force-hash: [sha1, md5] 476 | # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled 477 | # HTTP X-Forwarded-For support by adding an extra field or overwriting 478 | # the source or destination IP address (depending on flow direction) 479 | # with the one reported in the X-Forwarded-For HTTP header. This is 480 | # helpful when reviewing alerts for traffic that is being reverse 481 | # or forward proxied. 482 | xff: 483 | enabled: no 484 | # Two operation modes are available, "extra-data" and "overwrite". 485 | mode: extra-data 486 | # Two proxy deployments are supported, "reverse" and "forward". In 487 | # a "reverse" deployment the IP address used is the last one, in a 488 | # "forward" deployment the first IP address is used. 489 | deployment: reverse 490 | # Header name where the actual IP address will be reported. If more 491 | # than one IP address is present, the last IP address will be the 492 | # one taken into consideration. 493 | header: X-Forwarded-For 494 | 495 | # Log TCP data after stream normalization 496 | # Two types: file or dir: 497 | # - file logs into a single logfile. 498 | # - dir creates 2 files per TCP session and stores the raw TCP 499 | # data into them. 500 | # Use 'both' to enable both file and dir modes. 501 | # 502 | # Note: limited by "stream.reassembly.depth" 503 | - tcp-data: 504 | enabled: no 505 | type: file 506 | filename: tcp-data.log 507 | 508 | # Log HTTP body data after normalization, de-chunking and unzipping. 509 | # Two types: file or dir. 510 | # - file logs into a single logfile. 
511 | # - dir creates 2 files per HTTP session and stores the 512 | # normalized data into them. 513 | # Use 'both' to enable both file and dir modes. 514 | # 515 | # Note: limited by the body limit settings 516 | - http-body-data: 517 | enabled: no 518 | type: file 519 | filename: http-data.log 520 | 521 | # Lua Output Support - execute lua script to generate alert and event 522 | # output. 523 | # Documented at: 524 | # https://suricata.readthedocs.io/en/latest/output/lua-output.html 525 | - lua: 526 | enabled: no 527 | #scripts-dir: /etc/suricata/lua-output/ 528 | scripts: 529 | # - script1.lua 530 | 531 | # Logging configuration. This is not about logging IDS alerts/events, but 532 | # output about what Suricata is doing, like startup messages, errors, etc. 533 | logging: 534 | # The default log level: can be overridden in an output section. 535 | # Note that debug level logging will only be emitted if Suricata was 536 | # compiled with the --enable-debug configure option. 537 | # 538 | # This value is overridden by the SC_LOG_LEVEL env var. 539 | default-log-level: notice 540 | 541 | # The default output format. Optional parameter, should default to 542 | # something reasonable if not provided. Can be overridden in an 543 | # output section. You can leave this out to get the default. 544 | # 545 | # This value is overridden by the SC_LOG_FORMAT env var. 546 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " 547 | 548 | # A regex to filter output. Can be overridden in an output section. 549 | # Defaults to empty (no filter). 550 | # 551 | # This value is overridden by the SC_LOG_OP_FILTER env var. 552 | default-output-filter: 553 | 554 | # Define your logging outputs. If none are defined, or they are all 555 | # disabled you will get the default: console output. 
556 | outputs: 557 | - console: 558 | enabled: yes 559 | # type: json 560 | - file: 561 | enabled: yes 562 | level: info 563 | filename: suricata.log 564 | # type: json 565 | - syslog: 566 | enabled: no 567 | facility: local5 568 | #format: "[%i] <%d> -- " 569 | # type: json 570 | 571 | 572 | ## 573 | ## Step 3: Configure common capture settings 574 | ## 575 | ## See "Advanced Capture Options" below for more options, including Netmap 576 | ## and PF_RING. 577 | ## 578 | 579 | # Linux high speed capture support 580 | af-packet: 581 | - interface: eth0 582 | # Number of receive threads. "auto" uses the number of cores 583 | #threads: auto 584 | # Default clusterid. AF_PACKET will load balance packets based on flow. 585 | cluster-id: 99 586 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. 587 | # This is only supported for Linux kernel > 3.1 588 | # possible value are: 589 | # * cluster_flow: all packets of a given flow are sent to the same socket 590 | # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket 591 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same 592 | # socket. Requires at least Linux 3.14. 593 | # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for 594 | # more info. 595 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system 596 | # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning) 597 | cluster-type: cluster_flow 598 | # In some fragmentation cases, the hash can not be computed. If "defrag" is set 599 | # to yes, the kernel will do the needed defragmentation before sending the packets. 600 | defrag: yes 601 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes 602 | #use-mmap: yes 603 | # Lock memory map to avoid it being swapped. 
Be careful that over 604 | # subscribing could lock your system 605 | #mmap-locked: yes 606 | # Use tpacket_v3 capture mode, only active if use-mmap is true 607 | # Don't use it in IPS or TAP mode as it causes severe latency 608 | #tpacket-v3: yes 609 | # Ring size will be computed with respect to "max-pending-packets" and number 610 | # of threads. You can set manually the ring size in number of packets by setting 611 | # the following value. If you are using flow "cluster-type" and have really network 612 | # intensive single-flow you may want to set the "ring-size" independently of the number 613 | # of threads: 614 | #ring-size: 2048 615 | # Block size is used by tpacket_v3 only. It should set to a value high enough to contain 616 | # a decent number of packets. Size is in bytes so please consider your MTU. It should be 617 | # a power of 2 and it must be multiple of page size (usually 4096). 618 | #block-size: 32768 619 | # tpacket_v3 block timeout: an open block is passed to userspace if it is not 620 | # filled after block-timeout milliseconds. 621 | #block-timeout: 10 622 | # On busy systems, set it to yes to help recover from a packet drop 623 | # phase. This will result in some packets (at max a ring flush) not being inspected. 624 | #use-emergency-flush: yes 625 | # recv buffer size, increased value could improve performance 626 | # buffer-size: 32768 627 | # Set to yes to disable promiscuous mode 628 | # disable-promisc: no 629 | # Choose checksum verification mode for the interface. At the moment 630 | # of the capture, some packets may have an invalid checksum due to 631 | # the checksum computation being offloaded to the network card. 632 | # Possible values are: 633 | # - kernel: use indication sent by kernel for each packet (default) 634 | # - yes: checksum validation is forced 635 | # - no: checksum validation is disabled 636 | # - auto: Suricata uses a statistical approach to detect when 637 | # checksum off-loading is used. 
638 | # Warning: 'capture.checksum-validation' must be set to yes to have any validation 639 | #checksum-checks: kernel 640 | # BPF filter to apply to this interface. The pcap filter syntax applies here. 641 | #bpf-filter: port 80 or udp 642 | # You can use the following variables to activate AF_PACKET tap or IPS mode. 643 | # If copy-mode is set to ips or tap, the traffic coming to the current 644 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 645 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 646 | # will not be copied. 647 | #copy-mode: ips 648 | #copy-iface: eth1 649 | # For eBPF and XDP setup including bypass, filter and load balancing, please 650 | # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. 651 | 652 | # Put default values here. These will be used for an interface that is not 653 | # in the list above. 654 | - interface: default 655 | #threads: auto 656 | #use-mmap: no 657 | #tpacket-v3: yes 658 | 659 | # Cross platform libpcap capture support 660 | pcap: 661 | - interface: eth0 662 | # On Linux, pcap will try to use mmap'ed capture and will use "buffer-size" 663 | # as total memory used by the ring. So set this to something bigger 664 | # than 1% of your bandwidth. 665 | #buffer-size: 16777216 666 | #bpf-filter: "tcp and port 25" 667 | # Choose checksum verification mode for the interface. At the moment 668 | # of the capture, some packets may have an invalid checksum due to 669 | # the checksum computation being offloaded to the network card. 670 | # Possible values are: 671 | # - yes: checksum validation is forced 672 | # - no: checksum validation is disabled 673 | # - auto: Suricata uses a statistical approach to detect when 674 | # checksum off-loading is used. 
(default) 675 | # Warning: 'capture.checksum-validation' must be set to yes to have any validation 676 | #checksum-checks: auto 677 | # With some accelerator cards using a modified libpcap (like Myricom), you 678 | # may want to have the same number of capture threads as the number of capture 679 | # rings. In this case, set up the threads variable to N to start N threads 680 | # listening on the same interface. 681 | #threads: 16 682 | # set to no to disable promiscuous mode: 683 | #promisc: no 684 | # set snaplen, if not set it defaults to MTU if MTU can be known 685 | # via ioctl call and to full capture if not. 686 | #snaplen: 1518 687 | # Put default values here 688 | - interface: default 689 | #checksum-checks: auto 690 | 691 | # Settings for reading pcap files 692 | pcap-file: 693 | # Possible values are: 694 | # - yes: checksum validation is forced 695 | # - no: checksum validation is disabled 696 | # - auto: Suricata uses a statistical approach to detect when 697 | # checksum off-loading is used. (default) 698 | # Warning: 'checksum-validation' must be set to yes to have checksum tested 699 | checksum-checks: auto 700 | 701 | # See "Advanced Capture Options" below for more options, including Netmap 702 | # and PF_RING. 703 | 704 | 705 | ## 706 | ## Step 4: App Layer Protocol configuration 707 | ## 708 | 709 | # Configure the app-layer parsers. The protocol's section details each 710 | # protocol. 711 | # 712 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". 713 | # "yes" enables both detection and the parser, "no" disables both, and 714 | # "detection-only" enables protocol detection only (parser disabled). 715 | app-layer: 716 | protocols: 717 | rfb: 718 | enabled: yes 719 | detection-ports: 720 | dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 721 | # MQTT, disabled by default. 
722 | mqtt: 723 | # enabled: no 724 | # max-msg-length: 1mb 725 | krb5: 726 | enabled: yes 727 | snmp: 728 | enabled: yes 729 | ikev2: 730 | enabled: yes 731 | tls: 732 | enabled: yes 733 | detection-ports: 734 | dp: 443 735 | 736 | # Generate JA3 fingerprint from client hello. If not specified it 737 | # will be disabled by default, but enabled if rules require it. 738 | #ja3-fingerprints: auto 739 | 740 | # What to do when the encrypted communications start: 741 | # - default: keep tracking TLS session, check for protocol anomalies, 742 | # inspect tls_* keywords. Disables inspection of unmodified 743 | # 'content' signatures. 744 | # - bypass: stop processing this flow as much as possible. No further 745 | # TLS parsing and inspection. Offload flow bypass to kernel 746 | # or hardware if possible. 747 | # - full: keep tracking and inspection as normal. Unmodified content 748 | # keyword signatures are inspected as well. 749 | # 750 | # For best performance, select 'bypass'. 751 | # 752 | #encryption-handling: default 753 | 754 | dcerpc: 755 | enabled: yes 756 | ftp: 757 | enabled: yes 758 | # memcap: 64mb 759 | rdp: 760 | #enabled: yes 761 | ssh: 762 | enabled: yes 763 | #hassh: yes 764 | # HTTP2: Experimental HTTP 2 support. Disabled by default. 765 | http2: 766 | enabled: no 767 | smtp: 768 | enabled: yes 769 | raw-extraction: no 770 | # Configure SMTP-MIME Decoder 771 | mime: 772 | # Decode MIME messages from SMTP transactions 773 | # (may be resource intensive) 774 | # This field supersedes all others because it turns the entire 775 | # process on or off 776 | decode-mime: yes 777 | 778 | # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) 
779 | decode-base64: yes 780 | decode-quoted-printable: yes 781 | 782 | # Maximum bytes per header data value stored in the data structure 783 | # (default is 2000) 784 | header-value-depth: 2000 785 | 786 | # Extract URLs and save in state data structure 787 | extract-urls: yes 788 | # Set to yes to compute the md5 of the mail body. You will then 789 | # be able to journalize it. 790 | body-md5: no 791 | # Configure inspected-tracker for file_data keyword 792 | inspected-tracker: 793 | content-limit: 100000 794 | content-inspect-min-size: 32768 795 | content-inspect-window: 4096 796 | imap: 797 | enabled: detection-only 798 | smb: 799 | enabled: yes 800 | detection-ports: 801 | dp: 139, 445 802 | 803 | # Stream reassembly size for SMB streams. By default track it completely. 804 | #stream-depth: 0 805 | 806 | nfs: 807 | enabled: yes 808 | tftp: 809 | enabled: yes 810 | dns: 811 | tcp: 812 | enabled: yes 813 | detection-ports: 814 | dp: 53 815 | udp: 816 | enabled: yes 817 | detection-ports: 818 | dp: 53 819 | http: 820 | enabled: yes 821 | # memcap: Maximum memory capacity for HTTP 822 | # Default is unlimited, values can be 64mb, e.g. 823 | 824 | # default-config: Used when no server-config matches 825 | # personality: List of personalities used by default 826 | # request-body-limit: Limit reassembly of request body for inspection 827 | # by http_client_body & pcre /P option. 828 | # response-body-limit: Limit reassembly of response body for inspection 829 | # by file_data, http_server_body & pcre /Q option. 
#
# For advanced options, see the user guide


# server-config:            List of server configurations to use if address matches
#   address:                List of IP addresses or networks for this block
#   personality:            List of personalities used by this block
#
#   Then, all the fields from default-config can be overloaded
#
# Currently Available Personalities:
#   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
#   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          personality: IDS

          # Can be specified in kb, mb, gb.  Just a number indicates
          # it's in bytes.
          # Body data beyond these limits is not reassembled for inspection,
          # so -- like stream.reassembly.depth -- they are evasion boundaries,
          # not just memory knobs: whatever follows the first 100kb of a body
          # is invisible to body-matching rules.
          request-body-limit: 100kb
          response-body-limit: 100kb

          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          # response body decompression (0 disables)
          response-body-decompress-layer-limit: 2

          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto

          # Decompress SWF files.
          # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
          # compress-depth:
          # Specifies the maximum amount of data to decompress,
          # set 0 for unlimited.
          # decompress-depth:
          # Specifies the maximum amount of decompressed data to obtain,
          # set 0 for unlimited.
          #
          # Security note: both depths are 0 here, i.e. unbounded. A crafted
          # SWF in an HTTP response can then make the worker handling that
          # flow inflate without limit (decompression-bomb style resource
          # exhaustion of an inline IPS). The related lzma-memlimit /
          # compression-bomb-limit knobs further down are commented at 1mb;
          # consider giving these two a finite cap of the same order, sized to
          # the memory this qube actually has.
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0

          # Use a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead
          # to detection change between runs. It is set to 'yes' by default.
881 | #randomize-inspection-sizes: yes 882 | # If "randomize-inspection-sizes" is active, the value of various 883 | # inspection size will be chosen from the [1 - range%, 1 + range%] 884 | # range 885 | # Default value of "randomize-inspection-range" is 10. 886 | #randomize-inspection-range: 10 887 | 888 | # decoding 889 | double-decode-path: no 890 | double-decode-query: no 891 | 892 | # Can enable LZMA decompression 893 | #lzma-enabled: false 894 | # Memory limit usage for LZMA decompression dictionary 895 | # Data is decompressed until dictionary reaches this size 896 | #lzma-memlimit: 1mb 897 | # Maximum decompressed size with a compression ratio 898 | # above 2048 (only LZMA can reach this ratio, deflate cannot) 899 | #compression-bomb-limit: 1mb 900 | 901 | server-config: 902 | 903 | #- apache: 904 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] 905 | # personality: Apache_2 906 | # # Can be specified in kb, mb, gb. Just a number indicates 907 | # # it's in bytes. 908 | # request-body-limit: 4096 909 | # response-body-limit: 4096 910 | # double-decode-path: no 911 | # double-decode-query: no 912 | 913 | #- iis7: 914 | # address: 915 | # - 192.168.0.0/24 916 | # - 192.168.10.0/24 917 | # personality: IIS_7_0 918 | # # Can be specified in kb, mb, gb. Just a number indicates 919 | # # it's in bytes. 920 | # request-body-limit: 4096 921 | # response-body-limit: 4096 922 | # double-decode-path: no 923 | # double-decode-query: no 924 | 925 | # Note: Modbus probe parser is minimalist due to the limited usage in the field. 926 | # Only Modbus message length (greater than Modbus header length) 927 | # and protocol ID (equal to 0) are checked in probing parser 928 | # It is important to enable detection port and define Modbus port 929 | # to avoid false positives 930 | modbus: 931 | # How many unanswered Modbus requests are considered a flood. 932 | # If the limit is reached, the app-layer-event:modbus.flooded; will match. 
#request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

    sip:
      #enabled: no

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

# Datasets default settings
# datasets:
#   # Default fallback memcap and hashsize values for datasets in case these
#   # were not explicitly defined.
#   defaults:
#     memcap: 100mb
#     hashsize: 2048

##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

# Run Suricata with a specific user-id and group-id:
# Suricata drops to this uid/gid once the capture sockets are set up, so these
# ids bound what a compromise of the inspection engine (a parser bug hit by
# hostile traffic) can reach. NOTE(review): 1000 is presumably the qube's
# interactive user account (confirm against the template). If so, the IPS runs
# with the same identity as the desktop session and the GUI: any process under
# that uid can read the engine's files and drive it through the unix-command
# socket configured below (reload, shutdown, ...). A dedicated suricata
# user/group, with the GUI reaching the socket via group membership, would keep
# the engine isolated from the desktop.
run-as:
  user: 1000
  group: 1000

# Some logging modules will use that name in event as identifier. The default
# value is the hostname
#sensor-name: suricata

# Default location of the pid file. The pid file is only used in
# daemon mode (start Suricata with -D). If not running in daemon mode
# the --pidfile command line option must be used to create a pid file.
#pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Umask.
# Suricata will use this umask if it is provided. By default it will use the
# umask passed on by the shell.
# NOTE(review): while this is unset, files Suricata creates (logs, and
# presumably the command socket) get whatever umask the starting process
# had. Set it explicitly (e.g. 027) if those files must not be readable by
# other accounts in the qube.
#umask: 022

# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
#
# A core of an inline IPS contains reassembled traffic from every flow it was
# tracking, so 0 (no core dumps) is the right value here; only raise it for
# debugging on a machine where writing captured traffic to disk is acceptable.

coredump:
  max-dump: 0

# If the Suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode: auto

# Number of packets preallocated per thread. The default is 1024. A higher number
# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
#max-pending-packets: 1024

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Default depends on selected capture
# method. 'workers' generally gives best performance.
#runmode: autofp

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# Supported schedulers are:
#
# hash     - Flow assigned to threads using the 5-7 tuple hash.
# ippair   - Flow assigned to threads using addresses only.
#
#autofp-scheduler: hash

# Preallocated size for each packet. Default is 1514 which is the classical
# size for pcap on Ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
#
# Security note: this socket is the engine's control plane. Any process that
# can connect to it can query state, reload the ruleset and shut the engine
# down -- i.e. switch inspection off for the whole qube -- with no further
# authentication. Who can connect is decided solely by the socket file's
# owner and mode (the run-as identity and umask above), so keep it in a
# directory other accounts cannot write to, and do not loosen its mode just
# so a GUI can reach it: give the GUI the socket's group instead.
unix-command:
  enabled: yes
  # /var/run (presumably a tmpfs re-created at boot on this system) is the
  # conventional place for a runtime socket.
  filename: /var/run/suricata-command.socket
  # NOTE(review): the alternative below would put a runtime socket inside the
  # application's install tree under /usr/share; who can connect would then
  # depend on that directory's ownership. Prefer the /var/run path.
  #filename: /usr/share/suriGUI/tmp/suricata-command.socket

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
#magic-file:

# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb

legacy:
  uricontent: enabled

##
## Detection settings
##

# Set the order of alerts based on actions
# The default order is pass, drop, reject, alert
# A 'pass' rule therefore wins over a 'drop' rule matching the same packet.
# On an inline IPS every pass rule in the loaded rulesets is a deliberate
# exemption from blocking -- review them as such.
# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit.  The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with engine reporting
# subsection below printing reports in its own report file.
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes

#recursion and match limits for PCRE where supported
# These cap the backtracking a single pcre evaluation may do; they are what
# keeps a pathological pattern/payload pair from stalling a worker thread
# (and, in inline mode, the traffic behind it). Do not raise them casually
# because a rule "stopped matching" -- fix the pattern instead.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

##
## Advanced Traffic Tracking and Reconstruction Settings
##

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
# The policy decides how overlapping IP fragments and TCP segments are
# resolved. A mismatch between the IPS's interpretation and the real
# receiver's is the classic reassembly-evasion vector, so the entry should
# name the OS of the hosts this IPS protects, not the IPS itself.
host-os-policy:
  # Make the default policy windows.
  # NOTE(review): this is the upstream default. The qubes behind sys-ips are
  # most likely Linux (TODO confirm); if so, moving 0.0.0.0/0 to the 'linux'
  # entry matches the real receivers' reassembly behaviour.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At startup, the engine can preallocate a number of flows, to get better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before clearing the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing new flows to be created, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
1175 | # If that doesn't work, then it will try to kill the oldest flows using 1176 | # last time seen flows. 1177 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's 1178 | # in bytes. 1179 | 1180 | flow: 1181 | memcap: 128mb 1182 | hash-size: 65536 1183 | prealloc: 10000 1184 | emergency-recovery: 30 1185 | #managers: 1 # default to one flow manager 1186 | #recyclers: 1 # default to one flow recycler thread 1187 | 1188 | # This option controls the use of VLAN ids in the flow (and defrag) 1189 | # hashing. Normally this should be enabled, but in some (broken) 1190 | # setups where both sides of a flow are not tagged with the same VLAN 1191 | # tag, we can ignore the VLAN id's in the flow hashing. 1192 | vlan: 1193 | use-for-tracking: true 1194 | 1195 | # Specific timeouts for flows. Here you can specify the timeouts that the 1196 | # active flows will wait to transit from the current state to another, on each 1197 | # protocol. The value of "new" determines the seconds to wait after a handshake or 1198 | # stream startup before the engine frees the data of that flow it doesn't 1199 | # change the state to established (usually if we don't receive more packets 1200 | # of that flow). The value of "established" is the amount of 1201 | # seconds that the engine will wait to free the flow if that time elapses 1202 | # without receiving new packets or closing the connection. "closed" is the 1203 | # amount of time to wait after a flow is closed (usually zero). "bypassed" 1204 | # timeout controls locally bypassed flows. For these flows we don't do any other 1205 | # tracking. If no packets have been seen after this timeout, the flow is discarded. 1206 | # 1207 | # There's an emergency mode that will become active under attack circumstances, 1208 | # making the engine to check flow status faster. This configuration variables 1209 | # use the prefix "emergency-" and work similar as the normal ones. 
1210 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and 1211 | # icmp. 1212 | 1213 | flow-timeouts: 1214 | 1215 | default: 1216 | new: 30 1217 | established: 300 1218 | closed: 0 1219 | bypassed: 100 1220 | emergency-new: 10 1221 | emergency-established: 100 1222 | emergency-closed: 0 1223 | emergency-bypassed: 50 1224 | tcp: 1225 | new: 60 1226 | established: 600 1227 | closed: 60 1228 | bypassed: 100 1229 | emergency-new: 5 1230 | emergency-established: 100 1231 | emergency-closed: 10 1232 | emergency-bypassed: 50 1233 | udp: 1234 | new: 30 1235 | established: 300 1236 | bypassed: 100 1237 | emergency-new: 10 1238 | emergency-established: 100 1239 | emergency-bypassed: 50 1240 | icmp: 1241 | new: 30 1242 | established: 300 1243 | bypassed: 100 1244 | emergency-new: 10 1245 | emergency-established: 100 1246 | emergency-bypassed: 50 1247 | 1248 | # Stream engine settings. Here the TCP stream tracking and reassembly 1249 | # engine is configured. 1250 | # 1251 | # stream: 1252 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a 1253 | # # number indicates it's in bytes. 1254 | # checksum-validation: yes # To validate the checksum of received 1255 | # # packet. If csum validation is specified as 1256 | # # "yes", then packets with invalid csum values will not 1257 | # # be processed by the engine stream/app layer. 1258 | # # Warning: locally generated traffic can be 1259 | # # generated without checksum due to hardware offload 1260 | # # of checksum. 
You can control the handling of checksum 1261 | # # on a per-interface basis via the 'checksum-checks' 1262 | # # option 1263 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread 1264 | # midstream: false # don't allow midstream session pickups 1265 | # async-oneside: false # don't enable async stream handling 1266 | # inline: no # stream inline mode 1267 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine 1268 | # max-synack-queued: 5 # Max different SYN/ACKs to queue 1269 | # bypass: no # Bypass packets when stream.reassembly.depth is reached. 1270 | # # Warning: first side to reach this triggers 1271 | # # the bypass. 1272 | # 1273 | # reassembly: 1274 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number 1275 | # # indicates it's in bytes. 1276 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number 1277 | # # indicates it's in bytes. 1278 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least 1279 | # # this size. Can be specified in kb, mb, 1280 | # # gb. Just a number indicates it's in bytes. 1281 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least 1282 | # # this size. Can be specified in kb, mb, 1283 | # # gb. Just a number indicates it's in bytes. 1284 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. 1285 | # # This lowers the risk of some evasion techniques but could lead 1286 | # # to detection change between runs. It is set to 'yes' by default. 1287 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is 1288 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size 1289 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same 1290 | # # calculation for toclient-chunk-size. 1291 | # # Default value of randomize-chunk-range is 10. 1292 | # 1293 | # raw: yes # 'Raw' reassembly enabled or disabled. 
#                                 # raw is for content inspection by detection
#                                 # engine.
#
#   segment-prealloc: 2048        # number of segments preallocated per thread
#
#   check-overlap-different-data: true|false
#                                 # check if a segment contains different data
#                                 # than what we've already seen for that
#                                 # position in the stream.
#                                 # This is enabled automatically if inline mode
#                                 # is used or when stream-event:reassembly_overlap_different_data;
#                                 # is used in a rule.
#
stream:
  memcap: 64mb
  # Packets failing checksum validation are not handed to the stream/app
  # layer, and in inline mode they are dropped (drop-invalid defaults to yes,
  # see the reference above). As the reference also warns, checksum offload
  # can make locally generated packets arrive without a valid checksum, so if
  # legitimate traffic from this qube disappears, check the per-interface
  # 'checksum-checks' / capture settings before relaxing this.
  checksum-validation: yes      # reject incorrect csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    # Once a direction of a flow has carried 1mb, reassembly -- and with it
    # stream-level rule inspection -- of that direction stops. Treat this as an
    # evasion boundary rather than a tuning knob: a peer can push 1mb of benign
    # data before the payload it wants to hide. The 'bypass' option in the
    # reference above decides whether such flows are then bypassed entirely.
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true

# Host table:
#
# Host table is used by the tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# IP Pair table:
#
# Used by xbits 'ippair' tracking.
#
#ippair:
#  hash-size: 4096
#  prealloc: 1000
#  memcap: 32mb

# Decoder settings

decoder:
  # Teredo decoder is known to not be completely accurate
  # as it will sometimes detect non-teredo as teredo.
  # Teredo is IPv6-in-UDP; decoding it means encapsulated IPv6 traffic is
  # inspected instead of passing as opaque UDP. Keep the port list explicit:
  # 'any' would run the (imprecise) heuristic on every UDP packet.
  teredo:
    enabled: true
    # ports to look for Teredo. Max 4 ports. If no ports are given, or
    # the value is set to 'any', Teredo detection runs on _all_ UDP packets.
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.

  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the
  # IANA assigned port 4789 is enabled.
1353 | vxlan: 1354 | enabled: true 1355 | ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. 1356 | 1357 | # Geneve decoder is assigned to up to 4 UDP ports. By default only the 1358 | # IANA assigned port 6081 is enabled. 1359 | geneve: 1360 | enabled: true 1361 | ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'. 1362 | 1363 | ## 1364 | ## Performance tuning and profiling 1365 | ## 1366 | 1367 | # The detection engine builds internal groups of signatures. The engine 1368 | # allows us to specify the profile to use for them, to manage memory in an 1369 | # efficient way keeping good performance. For the profile keyword you 1370 | # can use the words "low", "medium", "high" or "custom". If you use custom, 1371 | # make sure to define the values in the "custom-values" section. 1372 | # Usually you would prefer medium/high/low. 1373 | # 1374 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for 1375 | # the signature groups. "single" indicates the use of a single context for 1376 | # all the signature group heads. "full" indicates a mpm-context for each 1377 | # group head. "auto" lets the engine decide the distribution of contexts 1378 | # based on the information the engine gathers on the patterns from each 1379 | # group head. 1380 | # 1381 | # The option inspection-recursion-limit is used to limit the recursive calls 1382 | # in the content inspection code. For certain payload-sig combinations, we 1383 | # might end up taking too much time in the content inspection code. 1384 | # If the argument specified is 0, the engine uses an internally defined 1385 | # default limit. When a value is not specified, there are no limits on the recursion. 1386 | detect: 1387 | profile: medium 1388 | custom-values: 1389 | toclient-groups: 3 1390 | toserver-groups: 25 1391 | sgh-mpm-context: auto 1392 | inspection-recursion-limit: 3000 1393 | # If set to yes, the loading of signatures will be made after the capture 1394 | # is started. 
This will limit the downtime in IPS mode. 1395 | #delayed-detect: yes 1396 | 1397 | prefilter: 1398 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern 1399 | # engines. "auto" also sets up prefilter engines for other keywords. 1400 | # Use --list-keywords=all to see which keywords support prefiltering. 1401 | default: mpm 1402 | 1403 | # the grouping values above control how many groups are created per 1404 | # direction. Port whitelisting forces that port to get its own group. 1405 | # Very common ports will benefit, as well as ports with many expensive 1406 | # rules. 1407 | grouping: 1408 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 1409 | #udp-whitelist: 53, 135, 5060 1410 | 1411 | profiling: 1412 | # Log the rules that made it past the prefilter stage, per packet 1413 | # default is off. The threshold setting determines how many rules 1414 | # must have made it past pre-filter for that rule to trigger the 1415 | # logging. 1416 | #inspect-logging-threshold: 200 1417 | grouping: 1418 | dump-to-disk: false 1419 | include-rules: false # very verbose 1420 | include-mpm-stats: false 1421 | 1422 | # Select the multi pattern algorithm you want to run for scan/search the 1423 | # in the engine. 1424 | # 1425 | # The supported algorithms are: 1426 | # "ac" - Aho-Corasick, default implementation 1427 | # "ac-bs" - Aho-Corasick, reduced memory implementation 1428 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant 1429 | # "hs" - Hyperscan, available when built with Hyperscan support 1430 | # 1431 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is 1432 | # available, "ac" otherwise. 1433 | # 1434 | # The mpm you choose also decides the distribution of mpm contexts for 1435 | # signature groups, specified by the conf - "detect.sgh-mpm-context". 
1436 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" 1437 | # to be set to "single", because of ac's memory requirements, unless the 1438 | # ruleset is small enough to fit in memory, in which case one can 1439 | # use "full" with "ac". The rest of the mpms can be run in "full" mode. 1440 | 1441 | mpm-algo: auto 1442 | 1443 | # Select the matching algorithm you want to use for single-pattern searches. 1444 | # 1445 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only 1446 | # available if Suricata has been built with Hyperscan support). 1447 | # 1448 | # The default of "auto" will use "hs" if available, otherwise "bm". 1449 | 1450 | spm-algo: auto 1451 | 1452 | # Suricata is multi-threaded. Here the threading can be influenced. 1453 | threading: 1454 | set-cpu-affinity: no 1455 | # Tune cpu affinity of threads. Each family of threads can be bound 1456 | # to specific CPUs. 1457 | # 1458 | # These 2 apply to the all runmodes: 1459 | # management-cpu-set is used for flow timeout handling, counters 1460 | # worker-cpu-set is used for 'worker' threads 1461 | # 1462 | # Additionally, for autofp these apply: 1463 | # receive-cpu-set is used for capture threads 1464 | # verdict-cpu-set is used for IPS verdict threads 1465 | # 1466 | cpu-affinity: 1467 | - management-cpu-set: 1468 | cpu: [ 0 ] # include only these CPUs in affinity settings 1469 | - receive-cpu-set: 1470 | cpu: [ 0 ] # include only these CPUs in affinity settings 1471 | - worker-cpu-set: 1472 | cpu: [ "all" ] 1473 | mode: "exclusive" 1474 | # Use explicitly 3 threads and don't compute number by using 1475 | # detect-thread-ratio variable: 1476 | # threads: 3 1477 | prio: 1478 | low: [ 0 ] 1479 | medium: [ "1-2" ] 1480 | high: [ 3 ] 1481 | default: "medium" 1482 | #- verdict-cpu-set: 1483 | # cpu: [ 0 ] 1484 | # prio: 1485 | # default: "high" 1486 | # 1487 | # By default Suricata creates one "detect" thread per available CPU/CPU core. 
1488 | # This setting allows controlling this behaviour. A ratio setting of 2 will 1489 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this 1490 | # will result in 4 detect threads. If values below 1 are used, less threads 1491 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect 1492 | # thread being created. Regardless of the setting at a minimum 1 detect 1493 | # thread will always be created. 1494 | # 1495 | detect-thread-ratio: 1.0 1496 | 1497 | # Luajit has a strange memory requirement, its 'states' need to be in the 1498 | # first 2G of the process' memory. 1499 | # 1500 | # 'luajit.states' is used to control how many states are preallocated. 1501 | # State use: per detect script: 1 per detect thread. Per output script: 1 per 1502 | # script. 1503 | luajit: 1504 | states: 128 1505 | 1506 | # Profiling settings. Only effective if Suricata has been built with 1507 | # the --enable-profiling configure flag. 1508 | # 1509 | profiling: 1510 | # Run profiling for every X-th packet. The default is 1, which means we 1511 | # profile every packet. If set to 1000, one packet is profiled for every 1512 | # 1000 received. 1513 | #sample-rate: 1000 1514 | 1515 | # rule profiling 1516 | rules: 1517 | 1518 | # Profiling can be disabled here, but it will still have a 1519 | # performance impact if compiled in. 1520 | enabled: yes 1521 | filename: rule_perf.log 1522 | append: yes 1523 | 1524 | # Sort options: ticks, avgticks, checks, matches, maxticks 1525 | # If commented out all the sort options will be used. 1526 | #sort: avgticks 1527 | 1528 | # Limit the number of sids for which stats are shown at exit (per sort). 
1529 | limit: 10 1530 | 1531 | # output to json 1532 | json: yes 1533 | 1534 | # per keyword profiling 1535 | keywords: 1536 | enabled: yes 1537 | filename: keyword_perf.log 1538 | append: yes 1539 | 1540 | prefilter: 1541 | enabled: yes 1542 | filename: prefilter_perf.log 1543 | append: yes 1544 | 1545 | # per rulegroup profiling 1546 | rulegroups: 1547 | enabled: yes 1548 | filename: rule_group_perf.log 1549 | append: yes 1550 | 1551 | # packet profiling 1552 | packets: 1553 | 1554 | # Profiling can be disabled here, but it will still have a 1555 | # performance impact if compiled in. 1556 | enabled: yes 1557 | filename: packet_stats.log 1558 | append: yes 1559 | 1560 | # per packet csv output 1561 | csv: 1562 | 1563 | # Output can be disabled here, but it will still have a 1564 | # performance impact if compiled in. 1565 | enabled: no 1566 | filename: packet_stats.csv 1567 | 1568 | # profiling of locking. Only available when Suricata was built with 1569 | # --enable-profiling-locks. 1570 | locks: 1571 | enabled: no 1572 | filename: lock_stats.log 1573 | append: yes 1574 | 1575 | pcap-log: 1576 | enabled: no 1577 | filename: pcaplog_stats.log 1578 | append: yes 1579 | 1580 | ## 1581 | ## Netfilter integration 1582 | ## 1583 | 1584 | # When running in NFQ inline mode, it is possible to use a simulated 1585 | # non-terminal NFQUEUE verdict. 1586 | # This permits sending all needed packet to Suricata via this rule: 1587 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE 1588 | # And below, you can have your standard filtering ruleset. To activate 1589 | # this mode, you need to set mode to 'repeat' 1590 | # If you want a packet to be sent to another queue after an ACCEPT decision 1591 | # set the mode to 'route' and set next-queue value. 1592 | # On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance 1593 | # by processing several packets before sending a verdict (worker runmode only). 
1594 | # On Linux >= 3.6, you can set the fail-open option to yes to have the kernel 1595 | # accept the packet if Suricata is not able to keep pace. 1596 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is 1597 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask 1598 | # on packet of a flow that need to be bypassed. The Nefilter ruleset has to 1599 | # directly accept all packets of a flow once a packet has been marked. 1600 | nfq: 1601 | mode: repeat 1602 | repeat-mark: 1 1603 | repeat-mask: 1 1604 | # bypass-mark: 1 1605 | # bypass-mask: 1 1606 | # route-queue: 2 1607 | # batchcount: 20 1608 | # fail-open: yes 1609 | 1610 | #nflog support 1611 | nflog: 1612 | # netlink multicast group 1613 | # (the same as the iptables --nflog-group param) 1614 | # Group 0 is used by the kernel, so you can't use it 1615 | - group: 2 1616 | # netlink buffer size 1617 | buffer-size: 18432 1618 | # put default value here 1619 | - group: default 1620 | # set number of packets to queue inside kernel 1621 | qthreshold: 1 1622 | # set the delay before flushing packet in the kernel's queue 1623 | qtimeout: 100 1624 | # netlink max buffer size 1625 | max-size: 20000 1626 | 1627 | ## 1628 | ## Advanced Capture Options 1629 | ## 1630 | 1631 | # General settings affecting packet capture 1632 | capture: 1633 | # disable NIC offloading. It's restored when Suricata exits. 1634 | # Enabled by default. 1635 | #disable-offloading: false 1636 | # 1637 | # disable checksum validation. Same as setting '-k none' on the 1638 | # commandline. 1639 | #checksum-validation: none 1640 | 1641 | # Netmap support 1642 | # 1643 | # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has 1644 | # built-in Netmap support or compile and install the Netmap module and appropriate 1645 | # NIC driver for your Linux system. 
1646 | # To reach maximum throughput disable all receive-, segmentation-, 1647 | # checksum- offloading on your NIC (using ethtool or similar). 1648 | # Disabling TX checksum offloading is *required* for connecting OS endpoint 1649 | # with NIC endpoint. 1650 | # You can find more information at https://github.com/luigirizzo/netmap 1651 | # 1652 | netmap: 1653 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+") 1654 | - interface: eth2 1655 | # Number of capture threads. "auto" uses number of RSS queues on interface. 1656 | # Warning: unless the RSS hashing is symmetrical, this will lead to 1657 | # accuracy issues. 1658 | #threads: auto 1659 | # You can use the following variables to activate netmap tap or IPS mode. 1660 | # If copy-mode is set to ips or tap, the traffic coming to the current 1661 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 1662 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 1663 | # will not be copied. 1664 | # To specify the OS as the copy-iface (so the OS can route packets, or forward 1665 | # to a service running on the same machine) add a plus sign at the end 1666 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 1667 | # for return packets. Hardware checksumming must be *off* on the interface if 1668 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD 1669 | # or 'ethtool -K eth0 tx off rx off' for Linux). 1670 | #copy-mode: tap 1671 | #copy-iface: eth3 1672 | # Set to yes to disable promiscuous mode 1673 | # disable-promisc: no 1674 | # Choose checksum verification mode for the interface. At the moment 1675 | # of the capture, some packets may have an invalid checksum due to 1676 | # the checksum computation being offloaded to the network card. 
1677 | # Possible values are: 1678 | # - yes: checksum validation is forced 1679 | # - no: checksum validation is disabled 1680 | # - auto: Suricata uses a statistical approach to detect when 1681 | # checksum off-loading is used. 1682 | # Warning: 'checksum-validation' must be set to yes to have any validation 1683 | #checksum-checks: auto 1684 | # BPF filter to apply to this interface. The pcap filter syntax apply here. 1685 | #bpf-filter: port 80 or udp 1686 | #- interface: eth3 1687 | #threads: auto 1688 | #copy-mode: tap 1689 | #copy-iface: eth2 1690 | # Put default values here 1691 | - interface: default 1692 | 1693 | # PF_RING configuration: for use with native PF_RING support 1694 | # for more info see http://www.ntop.org/products/pf_ring/ 1695 | pfring: 1696 | - interface: eth0 1697 | # Number of receive threads. If set to 'auto' Suricata will first try 1698 | # to use CPU (core) count and otherwise RSS queue count. 1699 | threads: auto 1700 | 1701 | # Default clusterid. PF_RING will load balance packets based on flow. 1702 | # All threads/processes that will participate need to have the same 1703 | # clusterid. 1704 | cluster-id: 99 1705 | 1706 | # Default PF_RING cluster type. PF_RING can load balance per flow. 1707 | # Possible values are cluster_flow or cluster_round_robin. 1708 | cluster-type: cluster_flow 1709 | 1710 | # bpf filter for this interface 1711 | #bpf-filter: tcp 1712 | 1713 | # If bypass is set then the PF_RING hw bypass is activated, when supported 1714 | # by the network interface. Suricata will instruct the interface to bypass 1715 | # all future packets for a flow that need to be bypassed. 1716 | #bypass: yes 1717 | 1718 | # Choose checksum verification mode for the interface. At the moment 1719 | # of the capture, some packets may have an invalid checksum due to 1720 | # the checksum computation being offloaded to the network card. 
1721 | # Possible values are: 1722 | # - rxonly: only compute checksum for packets received by network card. 1723 | # - yes: checksum validation is forced 1724 | # - no: checksum validation is disabled 1725 | # - auto: Suricata uses a statistical approach to detect when 1726 | # checksum off-loading is used. (default) 1727 | # Warning: 'checksum-validation' must be set to yes to have any validation 1728 | #checksum-checks: auto 1729 | # Second interface 1730 | #- interface: eth1 1731 | # threads: 3 1732 | # cluster-id: 93 1733 | # cluster-type: cluster_flow 1734 | # Put default values here 1735 | - interface: default 1736 | #threads: 2 1737 | 1738 | # For FreeBSD ipfw(8) divert(4) support. 1739 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" 1740 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. 1741 | # Additionally, you need to have an ipfw rule for the engine to see 1742 | # the packets from ipfw. For Example: 1743 | # 1744 | # ipfw add 100 divert 8000 ip from any to any 1745 | # 1746 | # N.B. This example uses "8000" -- this number must mach the values 1747 | # you passed on the command line, i.e., -d 8000 1748 | # 1749 | ipfw: 1750 | 1751 | # Reinject packets at the specified ipfw rule number. This config 1752 | # option is the ipfw rule number AT WHICH rule processing continues 1753 | # in the ipfw processing system after the engine has finished 1754 | # inspecting the packet for acceptance. If no rule number is specified, 1755 | # accepted packets are reinjected at the divert rule which they entered 1756 | # and IPFW rule processing continues. No check is done to verify 1757 | # this will rule makes sense so care must be taken to avoid loops in ipfw. 
1758 | # 1759 | ## The following example tells the engine to reinject packets 1760 | # back into the ipfw firewall AT rule number 5500: 1761 | # 1762 | # ipfw-reinjection-rule-number: 5500 1763 | 1764 | 1765 | napatech: 1766 | # When use_all_streams is set to "yes" the initialization code will query 1767 | # the Napatech service for all configured streams and listen on all of them. 1768 | # When set to "no" the streams config array will be used. 1769 | # 1770 | # This option necessitates running the appropriate NTPL commands to create 1771 | # the desired streams prior to running Suricata. 1772 | #use-all-streams: no 1773 | 1774 | # The streams to listen on when auto-config is disabled or when and threading 1775 | # cpu-affinity is disabled. This can be either: 1776 | # an individual stream (e.g. streams: [0]) 1777 | # or 1778 | # a range of streams (e.g. streams: ["0-3"]) 1779 | # 1780 | streams: ["0-3"] 1781 | 1782 | # Stream stats can be enabled to provide fine grain packet and byte counters 1783 | # for each thread/stream that is configured. 1784 | # 1785 | enable-stream-stats: no 1786 | 1787 | # When auto-config is enabled the streams will be created and assigned 1788 | # automatically to the NUMA node where the thread resides. If cpu-affinity 1789 | # is enabled in the threading section. Then the streams will be created 1790 | # according to the number of worker threads specified in the worker-cpu-set. 1791 | # Otherwise, the streams array is used to define the streams. 1792 | # 1793 | # This option is intended primarily to support legacy configurations. 1794 | # 1795 | # This option cannot be used simultaneously with either "use-all-streams" 1796 | # or "hardware-bypass". 1797 | # 1798 | auto-config: yes 1799 | 1800 | # Enable hardware level flow bypass. 1801 | # 1802 | hardware-bypass: yes 1803 | 1804 | # Enable inline operation. When enabled traffic arriving on a given port is 1805 | # automatically forwarded out its peer port after analysis by Suricata. 
1806 | # 1807 | inline: no 1808 | 1809 | # Ports indicates which Napatech ports are to be used in auto-config mode. 1810 | # these are the port IDs of the ports that will be merged prior to the 1811 | # traffic being distributed to the streams. 1812 | # 1813 | # When hardware-bypass is enabled the ports must be configured as a segment. 1814 | # specify the port(s) on which upstream and downstream traffic will arrive. 1815 | # This information is necessary for the hardware to properly process flows. 1816 | # 1817 | # When using a tap configuration one of the ports will receive inbound traffic 1818 | # for the network and the other will receive outbound traffic. The two ports on a 1819 | # given segment must reside on the same network adapter. 1820 | # 1821 | # When using a SPAN-port configuration the upstream and downstream traffic 1822 | # arrives on a single port. This is configured by setting the two sides of the 1823 | # segment to reference the same port. (e.g. 0-0 to configure a SPAN port on 1824 | # port 0). 1825 | # 1826 | # port segments are specified in the form: 1827 | # ports: [0-1,2-3,4-5,6-6,7-7] 1828 | # 1829 | # For legacy systems when hardware-bypass is disabled this can be specified in any 1830 | # of the following ways: 1831 | # 1832 | # a list of individual ports (e.g. ports: [0,1,2,3]) 1833 | # 1834 | # a range of ports (e.g. ports: [0-3]) 1835 | # 1836 | # "all" to indicate that all ports are to be merged together 1837 | # (e.g. ports: [all]) 1838 | # 1839 | # This parameter has no effect if auto-config is disabled. 1840 | # 1841 | ports: [0-1,2-3] 1842 | 1843 | # When auto-config is enabled the hashmode specifies the algorithm for 1844 | # determining to which stream a given packet is to be delivered. 1845 | # This can be any valid Napatech NTPL hashmode command. 1846 | # 1847 | # The most common hashmode commands are: hash2tuple, hash2tuplesorted, 1848 | # hash5tuple, hash5tuplesorted and roundrobin. 
    #
    # See the Napatech NTPL documentation for other hashmodes and details on
    # their use.
    #
    # This parameter has no effect if auto-config is disabled.
    #
    hashmode: hash5tuplesorted

##
## Configure Suricata to load Suricata-Update managed rules.
##
# suriGUI: rule reloading does not work when Suricata is started with
# "-S /path/to/file", which is presumably why the rule path is set here
# instead of on the command line.
#
# NOTE(review): this directory tree is chown'd to the unprivileged "user" by
# the Salt state (chown user:user /opt -R) and again by the suriGUI script on
# every start, while suricata.service starts Suricata as root ("+" prefix)
# with this config and rule path. The rule set that is enforced is therefore
# whatever "user" can write here.
# Also note that conf/suriGUI.rules (the GUI's custom-rules file) is not
# listed under rule-files below; unless something merges it into
# suricata.rules those rules are never loaded — verify.
default-rule-path: /opt/suriGUI/conf/suricata

rule-files:
  - suricata.rules

##
## Auxiliary configuration files.
##

# classification-file: /etc/suricata/classification.config
# reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config

##
## Include other configs
##

# Includes: Files included here will be handled as if they were in-lined
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
# You can specify more than 2 configuration files, if needed.
#include: include1.yaml
#include: include2.yaml

--------------------------------------------------------------------------------
/qubes-salt/config/sys-ips-config.sls:
--------------------------------------------------------------------------------
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# coder: ro0t
# stamp: 2022-08-03
#
# Applied inside the sys-ips AppVM (see sys-ips.top).
# Registers /opt/suriGUI with Qubes bind-dirs so the directory lives on the
# AppVM's private volume and survives reboots; the template's copy only seeds
# it on first use. NOTE(review): from then on, updating suriGUI or its
# suricata.yaml in sys-ips-template no longer changes what sys-ips runs — the
# persisted copy wins until it is removed. Verify this is intended.

/rw/config/qubes-bind-dirs.d/50_user.conf:
  file.managed:
    - makedirs: True
    - contents: |
        binds+=( '/opt/suriGUI' )
--------------------------------------------------------------------------------
/qubes-salt/config/sys-ips-template-config.sls:
--------------------------------------------------------------------------------
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# coder: ro0t
# stamp: 2022-08-22
#
# Applied inside sys-ips-template (see sys-ips.top): installs packages, clones
# suriGUI into /opt and installs three systemd units (nfqueue -> suricata ->
# suriGUI). Everything below except pkg.installed is a cmd.run, i.e. not
# idempotent: a second highstate fails on the existing clone and symlink.


#
# IPS Dependencies
#
# qubes-core-agent-passwordless-root: "user" can sudo without a password in
# this qube, so the User=user/Group=user lines in the units below are a
# tidiness measure, not a privilege boundary.
IPS-install-dependencies:
  pkg.installed:
    - pkgs:
      - qubes-core-agent-networking
      - qubes-core-agent-passwordless-root
      - git
      - yad
      - jq
      - libnetfilter-queue-dev
      - suricata

#
# suriGUI
#
# NOTE(review): supply chain — this clones whatever the repository's default
# branch points at when the state runs, through the Qubes updates proxy on
# 127.0.0.1:8082, with no pinned tag/commit and no signature check. Whatever
# lands here becomes /usr/bin/suriGUI and the configuration that root-run
# Suricata loads. Pin a release (`--branch <tag>` or a `git checkout <commit>`
# afterwards) and verify it before trusting it. Adding `- creates: /opt/suriGUI`
# would also make this state re-runnable.
suriGUI-install:
  cmd.run:
    - name: "export https_proxy=127.0.0.1:8082 && git clone https://github.com/control-owl/suriGUI.git /opt/suriGUI"

# Fails with "File exists" on a second run (ln -s without -f; file.symlink
# would be the idiomatic Salt state).
suriGUI-link:
  cmd.run:
    - name: "chmod +x /opt/suriGUI/suriGUI && ln -s /opt/suriGUI/suriGUI /usr/bin/suriGUI"

# NOTE(review): hands ALL of /opt (not only /opt/suriGUI) to the unprivileged
# user, including the script behind /usr/bin/suriGUI and the suricata.yaml
# that suricata.service below loads as root. The suriGUI script repeats this
# chown on every start as well.
suriGUI-chown-opt-dir:
  cmd.run:
    - name: "chown user:user /opt -R"


#
# NFQUEUE service
#
# Inserts the rule that hands forwarded packets to Suricata. Queue 0 matches
# the "-q 0" in suricata.service; "! --mark 1/1" pairs with nfq.mode: repeat
# and repeat-mark/repeat-mask 1 in suricata.yaml, so re-injected packets are
# not queued a second time.
# NOTE(review):
#  - the rule has no --queue-bypass and fail-open is left commented out in
#    suricata.yaml, so while Suricata is not running the kernel drops every
#    packet hitting this rule: the qube fails CLOSED. That is the right
#    default for an IPS, but document it — "sys-ips has no network" is the
#    symptom of a crashed Suricata.
#  - "sudo" is redundant: the unit already runs as root.
#  - Type=oneshot with no ExecStop means every (re)start inserts one more copy
#    of the rule and nothing removes it; an "ExecStop=iptables -D FORWARD ..."
#    would keep the chain clean.
#  - /lib/systemd/system is the package-owned unit directory; local units
#    belong in /etc/systemd/system.
/lib/systemd/system/nfqueue.service:
  file.managed:
    - makedirs: True
    - contents: |
        [Unit]
        Description=NFQUEUE service
        After=network.target
        Before=suricata.service
        [Service]
        Type=oneshot
        ExecStart=sudo iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
        RemainAfterExit=true
        [Install]
        WantedBy=multi-user.target


#
# SURICATA
#
# Stopped first because the next state overwrites the unit the suricata
# package ships at this same path; a package upgrade may overwrite it back.
stop-suricata-service:
  cmd.run:
    - name: "systemctl stop suricata"

# NOTE(review): the "+" prefix on the ExecStartPre/ExecStart lines runs those
# commands with full privileges — User=, Group=, ProtectSystem= and
# ProtectHome= below do NOT apply to them (systemd.service(5)). Suricata
# itself therefore runs as root and unsandboxed, reading a config tree owned
# by "user", while only ExecReload/ExecStop run as "user". Two things to
# verify:
#  - ExecReload's "kill -HUP $MAINPID" is sent by "user" to a root-owned
#    process, which the kernel refuses without CAP_KILL, so "systemctl reload
#    suricata" is likely to fail;
#  - suricatasc running as "user" must be able to reach the command socket
#    that root-run Suricata creates.
# Also: "--no-test" makes suricata-update install the downloaded rule set
# without test-loading it in Suricata first, and Requires=network-online.target
# without a matching After= does not delay the start until the network is up.
/lib/systemd/system/suricata.service:
  file.managed:
    - makedirs: True
    - contents: |
        [Unit]
        Description=Suricata IPS daemon
        After=nfqueue.service
        Requires=network-online.target
        [Service]
        Type=simple
        User=user
        Group=user
        ExecStartPre=+/bin/bash -c "if [[ ! -e /opt/suriGUI/conf/suricata/suricata.rules ]]; then /bin/suricata-update --output /opt/suriGUI/conf/suricata --data-dir /opt/suriGUI/tmp --no-test ; fi"
        ExecStartPre=+/bin/bash -c "if [[ ! -d /opt/suriGUI/log/$$(date +%%Y-%%m-%%d) ]]; then /bin/mkdir -p /opt/suriGUI/log/$$(date +%%Y-%%m-%%d) && /bin/chown user:user /opt/suriGUI/log/$$(date +%%Y-%%m-%%d) -R ; fi"
        ExecStart=+/bin/bash -c '/usr/bin/suricata -l /opt/suriGUI/log/$$(date +%%Y-%%m-%%d) -c /opt/suriGUI/conf/suricata/suricata.yaml -q 0'
        ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
        ExecStop=/usr/bin/suricatasc -c shutdown
        ProtectSystem=full
        ProtectHome=true
        [Install]
        WantedBy=multi-user.target



#
# suriGUI service
#
# Runs the tray GUI as a *system* service on DISPLAY=:0. NOTE(review): it is
# ordered only after systemd-user-sessions.service, not after an X session
# exists, and has no Restart=; whether it can reach the display depends on
# the qube's GUI setup — verify. The script's EXIT trap always exits 0, so a
# crash does not show up as a failed unit either.
/lib/systemd/system/suriGUI.service:
  file.managed:
    - makedirs: True
    - contents: |
        [Unit]
        Description=suriGUI service
        After=systemd-user-sessions.service
        [Service]
        Environment=DISPLAY=:0
        User=user
        Group=user
        ExecStart=/usr/bin/suriGUI
        ExecReload=/bin/kill -HUP $MAINPID
        [Install]
        WantedBy=multi-user.target


# Services
#
# Enabled only; nothing starts them in the template (the AppVM boots them).
enable-nfqueue-service:
  cmd.run:
    - name: "systemctl enable nfqueue"

enable-suricata-service:
  cmd.run:
    - name: "systemctl enable suricata"

enable-suriGUI-service:
  cmd.run:
    - name: "systemctl enable suriGUI"
--------------------------------------------------------------------------------
/qubes-salt/config/sys-ips-template.sls:
--------------------------------------------------------------------------------
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# coder: ro0t
# stamp: 2022-01-11
#
# Applied in dom0: makes sure the base template exists and clones it.
# NOTE(review): fromrepo points at the *testing* template repository rather
# than the stable qubes-templates-itl one — confirm that is deliberate for a
# qube that sits in the network path.

qvm-template-installed:
  qvm.template_installed:
    - name: debian-11-minimal
    - fromrepo: qubes-templates-itl-testing

create-sys-ips-template:
  qvm.clone:
    - name: sys-ips-template
    - source: debian-11-minimal
    - label: black
--------------------------------------------------------------------------------
/qubes-salt/config/sys-ips.sls:
--------------------------------------------------------------------------------
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# coder: ro0t
# stamp: 2022-01-11
#
# Applied in dom0: creates the sys-ips AppVM as a network-providing qube
# behind sys-net. NOTE(review): no state here points any other qube (e.g.
# sys-firewall) at sys-ips as its netvm, so until that is done by hand no
# traffic actually passes through the IPS.

include:
  - config.sys-ips-template

create-sys-ips:
  qvm.vm:
    - name: sys-ips
    - present:
      - template: sys-ips-template
      - label: red
    - prefs:
      - include-in-backup: False
      - autostart: true
      - netvm: sys-net
      - provides-network: True
      - memory: 2048
      - vcpus: 2
    - require:
      - sls: config.sys-ips-template
--------------------------------------------------------------------------------
/qubes-salt/sys-ips.top:
--------------------------------------------------------------------------------
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# coder: ro0t
# stamp: 0.211222
#
# Which state runs where: dom0 creates the qubes, the template gets the
# package/unit setup, the AppVM gets the bind-dirs entry.

base:
  'dom0':
    - config.sys-ips
  'sys-ips-template':
    - config.sys-ips-template-config
  'sys-ips':
    - config.sys-ips-config
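--------------------------------------------------------------------------------
/suriGUI:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# coder: ro0t
#
# suriGUI: tray GUI around a Suricata IPS inside a Qubes net qube.
# Started by suriGUI.service as "user". This top part sets the shell safety
# options and traps and every global path the functions rely on, then defines
# the housekeeping helpers (exit trap, logger, log cleanup).

set -o nounset   # Exit on undefined variable
set -o errexit   # Exit on non-zero status
set -o pipefail  # Pipe return exit status

trap 'echo [FATAL] "$BASH_COMMAND" failed with error code $?' ERR
# exitSuriGUI is defined further down; bash resolves the handler when the
# trap fires, so the forward reference is fine.
trap exitSuriGUI EXIT SIGUSR1 SIGUSR2


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# GLOBAL VARIABLES
# INFO
export _PROJECT_NAME="suriGUI"
export _PROJECT_DESCRIPTION="GUI for Suricata"
export _PROJECT_VER="0.2.220822"

echo -e \
"####################
# $_PROJECT_NAME #
# $_PROJECT_DESCRIPTION #
# build $_PROJECT_VER #
####################"


#
# DIRs
# todo: check if chown is not more needed since there is chown in suricata service (log directory was problem)
# NOTE(review): this recursively hands the whole install tree to the
# unprivileged user on every start — including the script behind
# /usr/bin/suriGUI and conf/suricata/suricata.yaml, which suricata.service
# loads as root ("+" prefix). With passwordless root in the qube the gain for
# an attacker is small, but it is still the wrong direction; the todo above
# suggests only the log directory ever needed to be writable.
export _PROJECT_DIR_MAIN="/opt/suriGUI" && sudo chown user:user "$_PROJECT_DIR_MAIN" -R
export _PROJECT_DIR_BACKUP="$_PROJECT_DIR_MAIN/backup"
export _PROJECT_DIR_CONF="$_PROJECT_DIR_MAIN/conf"
# Evaluated once at start-up: a process that lives past midnight keeps
# logging into yesterday's directory.
export _PROJECT_DIR_LOG="$_PROJECT_DIR_MAIN/log/$(date +'%Y-%m-%d')"
export _PROJECT_DIR_RES="$_PROJECT_DIR_MAIN/res"
export _PROJECT_DIR_TMP="$_PROJECT_DIR_MAIN/tmp"
export _PROJECT_DIR_SURICATA="$_PROJECT_DIR_CONF/suricata"

# Directories the GUI expects to exist (arrays cannot be exported).
_PROJECT_DB_DIRS=( "$_PROJECT_DIR_MAIN"
                   "$_PROJECT_DIR_CONF"
                   "$_PROJECT_DIR_RES"
                   "$_PROJECT_DIR_LOG"
                   "$_PROJECT_DIR_TMP"
                   "$_PROJECT_DIR_SURICATA" )


#
# FILEs
export _PROJECT_FILE_CONFIG_NEW="$_PROJECT_DIR_CONF/suriGUI.yaml"                           # suriGUI config file
export _PROJECT_FILE_CUSTOM_RULES="$_PROJECT_DIR_CONF/suriGUI.rules"                        # Custom suricata rules
export _PROJECT_FILE_IGNORED_SIDS="$_PROJECT_DIR_CONF/ignore.list"                          # Ignored SID list
export _PROJECT_FILE_SPAM="$_PROJECT_DIR_TMP/spam.tmp"                                      # suriGUI-notify spam list
export _PROJECT_FILE_SURICATA_CONFIG="$_PROJECT_DIR_SURICATA/suricata.yaml"                 # Suricata config file
export _PROJECT_FILE_SURICATA_RULES="$_PROJECT_DIR_SURICATA/suricata.rules"                 # Default suricata rules
export _PROJECT_FILE_SURICATA_RULES_TIMESTAMP="$_PROJECT_DIR_SURICATA/suricata.rules.timestamp" # Update timestamp
export _PROJECT_FILE_LOG="$_PROJECT_DIR_LOG/suriGUI.log"                                    # suriGUI log file
export _SURICATA_FILE_LOG="$_PROJECT_DIR_LOG/eve.json"                                      # Suricata log file

_PROJECT_DB_FILES=( "$_PROJECT_FILE_CONFIG_NEW"
                    "$_PROJECT_FILE_CUSTOM_RULES"
                    "$_PROJECT_FILE_LOG"
                    "$_SURICATA_FILE_LOG"
                    "$_PROJECT_FILE_SURICATA_RULES"
                    "$_PROJECT_FILE_IGNORED_SIDS"
                    "$_PROJECT_FILE_SPAM"
                    "$_PROJECT_FILE_SURICATA_CONFIG" )


#
# PIPEs (named pipes used to talk to the yad dialogs; removed by exitSuriGUI)
export _PROJECT_PIPE_MAIN="$_PROJECT_DIR_TMP/suriGUI.pipe"
export _PROJECT_PIPE_SID_IGNORE="$_PROJECT_DIR_TMP/settings-ignore-sid.pipe"
export _PROJECT_PIPE_SID_CUSTOM="$_PROJECT_DIR_TMP/settings-custom-sid.pipe"

_PROJECT_DB_PIPES=( "$_PROJECT_PIPE_MAIN"
                    "$_PROJECT_PIPE_SID_IGNORE"
                    "$_PROJECT_PIPE_SID_CUSTOM" )


#
# ICONs
export _PROJECT_ICON_MAIN="$_PROJECT_DIR_RES/suriGUI.png"
export _PROJECT_ICON_INACTIVE="$_PROJECT_DIR_RES/icons/inactive.png"
export _PROJECT_ICON_ACTIVE="$_PROJECT_DIR_RES/icons/active.png"
export _PROJECT_ICON_ALERT="$_PROJECT_DIR_RES/icons/alert.png"

_PROJECT_DB_ICONS=( "$_PROJECT_ICON_MAIN"
                    "$_PROJECT_ICON_INACTIVE"
                    "$_PROJECT_ICON_ALERT"
                    "$_PROJECT_ICON_ACTIVE" )


#
# PIDs
export _PROJECT_PID_MAIN="$_PROJECT_DIR_TMP/suriGUI.pid"
# Name lacks the leading underscore the other globals use; kept as-is because
# the notify daemon presumably reads it by this name — verify before renaming.
export PROJECT_PID_NOTIFY="$_PROJECT_DIR_TMP/suriGUI-notify.pid"

# Debian packages the GUI depends on (checked by code outside this excerpt).
_PROJECT_DB_REQS=( "libnetfilter-queue-dev"
                   "suricata"
                   "jq"
                   "yad" )


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# todo: bug found: menu is displayed on every second start ???
#       maybe not closing pipes causes this
#       try to investigate
function exitSuriGUI()
# Trap handler for EXIT, SIGUSR1 and SIGUSR2: stop the notify daemon, remove
# the temporary files and run the log housekeeping, then exit.
# NOTE(review): the unconditional "exit 0" at the end also runs when we got
# here through errexit or an explicit "exit 1", so systemd never sees a
# non-zero status from suriGUI. It is needed for the USR1/USR2 case (the
# script must not resume after the handler), so it is kept; capture "$?" on
# entry if failures are supposed to become visible.
{
  echo "exiting ..."
  stopNotifyDaemon

  # Cleaning temp files: pipes, the spam list and tab files under tmp/
  local pattern
  for pattern in "*.pipe" "*.tmp" "*.tab"
  do
    find "$_PROJECT_DIR_TMP" -type f -name "$pattern" -delete &>/dev/null
  done

  # close pipes just to be sure (nothing to do yet — the pipes are unlinked above)

  case "${CONF_suricata_log_enable:-}" in
    "TRUE")  cleanLog old ;;
    "FALSE") cleanLog all ;;
    *)       echo "[ERROR] Log not touched.." ;;
  esac

  echo "Exit 0"
  exit 0
}


function d3bug()
# Print a timestamped message to stdout and append it to the suriGUI log.
# Usage: d3bug ok|error|info "Lorem ipsum dolor sit amet"
#   $1  level: ok -> [NOTICE], error -> [ERROR], anything else (also empty) -> [INFO]
#   $2  message; the calling function's name is prepended automatically
# Exits 1 when the log file cannot be created.
# TODO: honour CONF_global_log_verbosity (quiet / error-only modes)
# TODO: do better log output
{
  local type="${1:-}"
  local msg="${2:-}"
  local timeStamp
  timeStamp="$(date +'%Y-%m-%d %H:%M:%S')"

  # Create the day's log directory and file on first use.
  # The braces matter: the old "! mkdir ... && touch ..." parsed as
  # "(! mkdir) && touch", so touch only ran after mkdir FAILED and a failing
  # touch on the normal path was never noticed.
  if [[ ! -e "$_PROJECT_FILE_LOG" ]]
  then
    if ! { mkdir -p "${_PROJECT_FILE_LOG%/*}" && touch "$_PROJECT_FILE_LOG"; }
    then
      echo "[FATAL] Can not write to log file. Exit 1"
      exit 1
    fi
  fi

  # FUNCNAME[1] is unset when called from the top level; with nounset that
  # would abort the script, so fall back to "main".
  local message="function: ${FUNCNAME[1]:-main} $msg"
  local level

  # Levels in use: NOTICE for notable non-error events, ERROR for error
  # conditions, INFO for everything else.
  case "$type" in
    ok)    level="[NOTICE]" ;;
    error) level="[ERROR]" ;;
    *)     level="[INFO]" ;;
  esac

  echo "$timeStamp $level $message" | tee -a "$_PROJECT_FILE_LOG"
}


function cleanLog()
# Clean old log files — currently a STUB: nothing is deleted yet.
# Usage: cleanLog all|old
#   all -> only announces the removal; the "rm -R" is deliberately left
#          commented out because $_PROJECT_DIR_LOG is the whole day's log
#          directory (it also holds Suricata's eve.json).
#   old -> no-op; the intent is to prune directories older than
#          CONF_suricata_log_old_interval.
#   anything else (or no argument) -> "Log not touched"
# TODO: detect old directory based on variable, remove old directories
{
  local reason=${1:-*}
  local interval="${CONF_suricata_log_old_interval:-}"   # unused until "old" is implemented

  case "$reason" in
    "all")
      echo "Log is disabled. Removing all files..."
      # sudo rm "$_PROJECT_DIR_LOG" -R
      ;;
    "old")
      # for dir in $_PROJECT_DIR_LOG/
      # do
      #   if ! find . -type d -mtime +"$interval"
      #   then
      #     echo "old dir: $dir"
      #   fi
      # done
      :
      ;;
    *) echo "Log not touched" ;;
  esac
}


# Superseded helpers, kept commented out by the author (to be replaced by the
# suriGUI.yaml based configuration).
#function readConfigFile()
## Read suriGUI.conf and export all variables to yad
## Yad is not working if export is not done
## TODO: remove and replace with suriGUI.yaml
#{
#  d3bug
#  local config="${1:-*}"
#
#  source "$_PROJECT_CONFIG_FILE"
#
#  case "$config" in
##    "actionMenu")
##      actionMode="alert\!pass\!drop\!reject\!rejectsrc\!rejectdst\!rejectboth"
##      makeDefault="^"
##      export setAction=$(echo "$actionMode" | sed "s/$action/$makeDefault$action/g")
##      ;;
#    "update")
#      export configUpdate="$update"
#      ;;
##    "timeout")
##      export configTimeout="$timeout"
##      ;;
##    "duration")
##      export configDuration="$duration"
##      ;;
##    "notifications")
##      export configNotifications="$notifications"
##      ;;
##    "keep")
##      export configKeep="$keep"
##      ;;
##    "action")
##      export configAction="$action"
##      ;;
##    "notificationPositionMenu")
##      defaultPositions="Top_left\!Top_right\!Bottom_left\!Bottom_right"
##      makeDefault="^"
##      export configNotificationPositionMenu=$(echo "$defaultPositions" | sed "s/$position/$makeDefault$position/g")
##      ;;
##    "notificationPosition")
##      export configNotificationPosition="$position"
##      ;;
#    *)
#      d3bug error "wrong config lookup"
#      ;;
#  esac
#
#  d3bug info "Get config: $config"
#}

#function updateConfigFile()
## Write to suriGUI.conf and reload suricata if rule settings were changed
## NEED TO REWRITE
## will be removed and replaced with new function
#{
#  d3bug
#
#  #updateConfigFile rules "$new" "$old"
#  local component="$1"
#  local newStatus="$2"
#  local oldStatus="${3:-}"
#
#  case "$component" in
#    "rules")
#      d3bug info "Updating $component: $oldStatus -> $newStatus"
#
#      sed -i "s/\<$oldStatus\>/$newStatus/" "$_PROJECT_FILE_SURICATA_RULES"
#      # checkSuricataStatus &>/dev/null
#      #
#      # if [[ "$suricataStatus" == "active" ]]
#      # then
#      #   d3bug info "Starting Suricata reload..."
#      #   if sudo suricatasc -c reload-rules
#      #   then
#      #     #sudo systemctl reload suricata #&>/dev/null
#      #     d3bug info "Rules updated & reloaded"
#      #   else
#      #     d3bug error "Can't reload rules??"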
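# #                 fi
# #             else
# #                 d3bug info "Rules updated"
# #             fi
#             ;;
#         "action")
#             sed -i "s/^\(action\s*=\s*\).*\$/\1$newStatus/" "$_PROJECT_CONFIG_FILE"
#             d3bug info "Rule action: $newStatus"
#             ;;
#     esac
# }


function restartSuriGUI()
# Restart suriGUI itself; the Suricata service is left untouched.
# Terminates every other process whose command line contains
# $_PROJECT_NAME, then replaces this shell with a fresh "$_PROJECT_NAME".
{
    d3bug

    d3bug info "Restarting $_PROJECT_NAME"

    # pkill -f also matches this shell's own command line (it contains the
    # project name), so the old "pkill && exec" killed us before exec ran.
    # Skip our own PID explicitly and always exec afterwards.
    local pid
    for pid in $(pgrep -f -- "$_PROJECT_NAME")
    do
        [[ "$pid" == "$$" ]] || kill "$pid" 2>/dev/null || true
    done
    exec "$_PROJECT_NAME"
}


# NOT FINISHED
function changeSID()
# Edit one rule, addressed by SID, inside $_PROJECT_FILE_SURICATA_RULES.
#   changeSID SID add|remove source|destination IP
#   changeSID SID enable|disable
# Only "add" is implemented: it appends "!IP" (a negation) to the chosen
# address field. "remove", "enable" and "disable" are still stubs.
# Exits the calling shell with status 1 on a bad SID, a missing rule, a
# non-standard rule layout or an unknown action (callers that run this in
# the main process should wrap it in a subshell).
{
    local SID="$1"
    local action="$2"
    local location="$3"
    local IP="$4"
    local rulesFile="$_PROJECT_FILE_SURICATA_RULES"

    # SIDs are plain integers; refuse anything else before it becomes a
    # grep pattern.
    if [[ ! "$SID" =~ ^[0-9]+$ ]]
    then
        echo "Invalid SID: $SID"
        echo "Exit 1"
        exit 1
    fi

    # Anchor the match on the "sid:NNNN;" option so that SID 1234 cannot hit
    # sid:12345, a rev:, a port or a reference in another rule. Only the first
    # matching line is edited (suricata-update may leave a commented copy).
    local sidPattern="sid: *${SID} *;"
    oldRule=$(grep -E -- "$sidPattern" "$rulesFile" | head -n 1)
    if [[ -z "$oldRule" ]]
    then
        echo "Rule with SID: $SID is NOT found in file: $rulesFile"
        echo "Exit 1"
        exit 1
    fi

    ruleLineNum="$(grep -n -E -- "$sidPattern" "$rulesFile" | head -n 1 | cut -d: -f1)"

    # A leading '#' means the rule is disabled.
    if [[ "$oldRule" =~ ^[[:space:]]*#.* ]]
    then
        ruleStatus="inactive"
    else
        ruleStatus="active"
    fi

    # Locate the address fields from the position of the "->" token:
    # field 5 for "action proto src port -> dst port", field 6 when the rule
    # starts with a separate "#" token. Anything else is not editable here.
    if [[ $(cut -d " " -f 5 <<< "$oldRule") == "->" ]]
    then
        sourcePos=3
        destinationPos=6
    elif [[ $(cut -d " " -f 6 <<< "$oldRule") == "->" ]]
    then
        sourcePos=4
        destinationPos=7
    else
        echo "Rule does NOT have standard formatting."
        echo "There is either double spaces in rule or broken comment."
        echo "Exit 1"
        exit 1
    fi

    oldSource=$(cut -d " " -f "$sourcePos" <<< "$oldRule")
    oldDestination=$(cut -d " " -f "$destinationPos" <<< "$oldRule")

    local oldLocation newLocation
    if [[ $location == "source" ]]
    then
        oldLocation="$oldSource"
        newLocation="$sourcePos"
    else
        oldLocation="$oldDestination"
        newLocation="$destinationPos"
    fi

    echo "----------------------"
    echo "- Line: $ruleLineNum"
    echo "- SID: $SID"
    echo "- Action: $action"
    echo "- Location: $location"
    echo "- IP: $IP"
    echo "- Rule: $oldRule" #| head -c 100
    echo "- Status: $ruleStatus"
    echo "- Source: $oldSource"
    echo "- Destination: $oldDestination"
    echo "----------------------"

    case "$action" in
        "add")
            # Nothing to do when the address is already part of the field.
            if grep -F -q -- "$IP" <<< "$oldLocation"
            then
                echo "SID $SID already contains IP: $IP in $location"
            else
                echo "SID $SID does not contain IP: $IP in $location"

                # "[a,b,c]" already holds a list: keep its inner content.
                if [[ "$oldLocation" =~ \[.*\] ]]
                then
                    echo "multiple addresses found"
                    oldLocation=$(awk -F'[][]' '{print $2}' <<< "$oldLocation")
                else
                    echo "only one address in $location"
                fi

                newAddress="[$oldLocation,!$IP]"
                echo "newAddress: $newAddress"
                echo "new location: $newLocation"

                newRule="$(awk -v r="${newAddress}" -v pos="${newLocation}" '{$pos=r}1' <<< "$oldRule")"

                echo "new location: $newRule"

                # Replace the line by number. The rule text is passed through
                # the environment: both a sed "c\" script and an awk -v
                # assignment process backslash escapes, which corrupts rules
                # that contain pcre:/content: escapes. The file is rewritten
                # in place (cat >) so owner and mode stay as they were.
                local tmpRules
                tmpRules="$(mktemp "${rulesFile}.XXXXXX")"
                if NEW_RULE="$newRule" awk -v n="$ruleLineNum" \
                    'NR == n { print ENVIRON["NEW_RULE"]; next } { print }' \
                    "$rulesFile" > "$tmpRules"
                then
                    cat "$tmpRules" > "$rulesFile"
                fi
                rm -f "$tmpRules"
            fi
            ;;
        "remove")
            : # TODO: remove an address from the source/destination field
            ;;
        "enable")
            : # TODO: uncomment the rule (drop the leading '#')
            ;;
        "disable")
            : # TODO: comment the rule out (prepend '#')
            ;;
        *) exit 1 ;;
    esac
}


# NOT FINISHED
function editSID()
# Dialog for editing one alerting rule.
#   editSID SID CATEGORY SRC DEST ACTION
# The two buttons call "allowSource" / "allowDestination", which are not
# defined in the reviewed part of this file -- pressing them currently
# fails inside the spawned bash -c.
{
    d3bug
    local sid="${1:-}"
    local cat="${2:-}"
    local src="${3:-}"
    local dest="${4:-}"
    local action="${5:-}"

    local TXT="SID: $sid Category: $cat Action: $action \\n"
    TXT+="Suricata has prevented $src to communicate with $dest \\n"
    TXT+="\\n"

    yad \
        --form \
        --columns=2 \
        --image="utilities-terminal" \
        --image-on-top \
        --width="600" \
        --title="Edit SID: $sid" \
        --text="$TXT" \
        \
        --field="SRC":RO "$src" \
        --field="Allow SRC to DEST":FBTN "bash -c allowSource" \
        \
        --field="DEST":RO "$dest" \
        --field="Allow DEST to SRC":FBTN "bash -c allowDestination"

}


function preventSuricataSpam()
# Rate-limit notifications: one per minute per (SID, SRC, DST) triple.
#   preventSuricataSpam SID SRC DST
# Sets the global stopSpam to "TRUE" when an identical entry for the
# current minute already exists in $_PROJECT_FILE_SPAM, otherwise records
# the entry and sets stopSpam="FALSE". The spam file only ever grows.
{
    d3bug

    local SID="$1"
    local SRC="$2"
    local DST="$3"

    local timeStamp="$(date +'%Y-%m-%d-%H:%M')"
    local currentLog="$timeStamp|$SID|$SRC|$DST"

    # Exact whole-line match (-x -F): the entry contains dots and pipes that
    # would otherwise be regex metacharacters, and a plain substring match
    # could be satisfied by a longer, unrelated entry.
    if grep -q -x -F -- "$currentLog" "$_PROJECT_FILE_SPAM"
    then
        d3bug error "Spam message"
        stopSpam="TRUE"
    else
        d3bug info "Not found in log"
        echo "$currentLog" >> "$_PROJECT_FILE_SPAM"
        d3bug info "Output written"
        stopSpam="FALSE"
    fi
}


function checkIgnoreSidList()
# Look a SID up in $_PROJECT_FILE_IGNORED_SIDS (one SID per line).
#   checkIgnoreSidList SID
# Sets the global ignoreSID to "TRUE" / "FALSE".
{
    d3bug

    local sid="$1"

    # Whole-line match only. The previous substring match meant that ignoring
    # SID 2010 also silently suppressed every alert for 2010xxx.
    if grep -q -x -F -- "$sid" "$_PROJECT_FILE_IGNORED_SIDS"
    then
        d3bug error "SID: $sid is on ignore list"
        ignoreSID="TRUE"
    else
        d3bug info "SID: $sid is not on ignore list"
        ignoreSID="FALSE"
    fi
}


function send_notify()
# Show a suriGUI notification.
#   send_notify info  TEXT
#   send_notify alert CATEGORY SIGNATURE SID SRC DEST ACTION
# Alerts are dropped when the SID is on the ignore list or when the same
# alert was already shown this minute (preventSuricataSpam). The dialog
# offers "Continue blocking", "Don't show again" (appends the SID to the
# ignore list) and "Allow" (not implemented). All alert fields originate
# from Suricata's eve.json, i.e. from rule files and observed traffic.
{
    d3bug

    local type=${1:-Info}
    local cat=${2:-Category}
    local sig=${3:-Signature}
    local sid=${4:-SID}
    local src=${5:-SRC}
    local dest=${6:-DEST}
    local action=${7:-Action}

    case "$type" in
        "info")
            yad \
                --title="$_PROJECT_NAME v.$_PROJECT_VER" \
                --image="$_PROJECT_ICON_MAIN" \
                --form \
                --image-on-top \
                --button="OK" \
                --text="$cat" &
            ;;
        "alert")
            checkIgnoreSidList "$sid"
            [[ "${ignoreSID:-}" == "FALSE" ]] || return 0

            preventSuricataSpam "$sid" "$src" "$dest"
            [[ "${stopSpam:-}" == "FALSE" ]] || return 0

            # Window placement. Built as an array so that the two-word
            # variants reach yad as two arguments (the old single quoted
            # string handed yad one bogus argument, or an empty one).
            local -a posArgs=()
            case "${CONF_global_notifications_position:-}" in
                "Top left" )     posArgs=(--posx=1 --posy=1) ;;
                "Top right" )    posArgs=(--posx=-1 --posy=1) ;;
                "Bottom left" )  posArgs=(--posx=1 --posy=-1) ;;
                "Bottom right" ) posArgs=(--posx=-1 --posy=-1) ;;
                "Center" )       posArgs=(--center) ;;
                "Under mouse" )  posArgs=(--mouse) ;;
                * )              posArgs=() ;;
            esac

            local TXT="${cat:-Potentially Bad traffic}\n"
            TXT+="$(date +'%Y-%m-%d') at $(date +'%H:%M:%S') \n"
            TXT+="$sig"

            local actionControl="Continue blocking (default)!Don't show again (ignore)!Allow (not working yet)"

            # yad exits non-zero on timeout / escape; errexit must not take
            # the notification daemon down with it.
            set +o errexit
            # --no-markup: the signature text comes from third-party rule
            # files and must not be parsed as Pango markup.
            local yadOutput
            yadOutput="$( yad \
                --title="suriGUI-notify" "${posArgs[@]}" \
                --form \
                --on-top \
                --no-markup \
                --width=500 \
                --timeout="${CONF_global_notifications_duration:-30}" \
                --timeout-indicator="top" \
                --window-icon="$_PROJECT_ICON_ALERT" \
                --image="$_PROJECT_ICON_ALERT" \
                --image-on-top \
                --text="$TXT" \
                --field="SID:RO" "$sid" \
                --field="Source IP:RO" "$src" \
                --field="Destination IP:RO" "$dest" \
                --field="Action:CB" "$actionControl" \
                --button="OK":10)"
            local ret=$?
            set -o errexit
            d3bug info "Return: $ret"

            case "$ret" in
                10 )
                    # Form output is "SID|SRC|DEST|ACTION|"; index 3 is the combo box.
                    local -a array
                    readarray -d '|' -t array <<< "$yadOutput"
                    local choice="${array[3]:-}"
                    d3bug info "Selected action: $choice"

                    # The combo entries carry a suffix -- "(default)",
                    # "(ignore)", "(not working yet)" -- so match on the prefix;
                    # an exact match never fired and every choice was logged
                    # as "Can't read action".
                    case "$choice" in
                        "Continue blocking"*)
                            : # Nothing to do; the rule keeps blocking.
                            #write to overview and ignore for today
                            ;;

                        "Don't show again"*)
                            # Only a plain numeric SID may enter the ignore list:
                            # the settings dialog later substitutes its entries
                            # into a shell command line.
                            if [[ ! "$sid" =~ ^[0-9]+$ ]]
                            then
                                d3bug error "Refusing to ignore non-numeric SID: $sid"
                            elif ! grep -q -x -F -- "$sid" "$_PROJECT_FILE_IGNORED_SIDS"
                            then
                                d3bug info "Writing SID: $sid to ignore list"
                                echo "$sid" >> "$_PROJECT_FILE_IGNORED_SIDS"
                            else
                                d3bug info "SID: $sid is already in ignore list"
                            fi
                            ;;

                        "Allow"*)
                            #editSID "$sid" "$cat" "$src" "$dest" #"$action"
                            : # not implemented yet
                            ;;
                        *) d3bug error "Can't read action" ;;
                    esac
                    ;;
                # 20 ) editSID "$sid" "$cat" "$src" "$dest" "$action" ;;
                70 ) d3bug info "Timeout for notification: $sid" ;;
                252 ) d3bug info "Escape key pressed" ;;
                * ) echo "error" ;;
            esac
            ;;
    esac
}


# NOT FINISHED
function updateSuriGUI()
# Self-update stub: fetch the git remote of $_PROJECT_DIR_MAIN, then restart.
# Not working yet -- "git fetch" never touches the working tree, so nothing
# is updated before the restart, and nothing verifies what was fetched (no
# signed tag / commit check). Do not expose this in the tray menu until
# both are addressed: the process drives Suricata through sudo.
{
    d3bug

    d3bug info "Starting update"
    # The old test quoted the variable NAME ("_PROJECT_DIR_MAIN"), so this
    # branch could never run.
    if [[ -d "$_PROJECT_DIR_MAIN" ]]
    then
        cd "$_PROJECT_DIR_MAIN" || return 1
        if git fetch
        then
            d3bug info "Update done"
            send_notify "info" "Update done. Restarting..."
            restartSuriGUI
        else
            d3bug info "No update found"
            send_notify "info" "No update found"
        fi
    fi
}


# NOT FINISHED
function deleteCustomRule()
# Remove a custom suriGUI rule and undo any modification made to its SID.
# Stub: nothing is removed yet.
{
    d3bug

}


function deleteIgnoredSID()
# Remove one SID from the ignore list after a yes/no confirmation and push
# the refreshed list to the settings dialog through pipe 4.
#   deleteIgnoredSID SID
# Invoked by yad's double-click action on the "Ignored SIDs" tab.
{
    d3bug

    local sid="$1"

    # The value arrives via yad's %s substitution from the list column. Accept
    # a plain number only, so it can never act as a regex or a shell word.
    if [[ ! "$sid" =~ ^[0-9]+$ ]]
    then
        d3bug error "Invalid SID: $sid"
        return 1
    fi

    yad --image="$_PROJECT_ICON_MAIN" --image-on-top \
        --title="$_PROJECT_NAME" \
        --button="Yes" --button="No" \
        --text="Delete SID: $sid from Ignore list?" &>/dev/null

    ret=$?
    if [[ $ret -eq 0 ]]
    then
        # Delete the exact line only; the old "/$sid/d" also dropped every SID
        # that merely contained this one as a substring.
        sed -i "/^${sid}\$/d" "$_PROJECT_FILE_IGNORED_SIDS"
        d3bug info "SID: $sid removed"
        # "\f" clears the list, the second write repopulates it (yad --listen).
        exec 4<>"$_PROJECT_PIPE_SID_IGNORE" echo -e "\f" >&4 &
        exec 4<>"$_PROJECT_PIPE_SID_IGNORE" echo -e "$(cat "$_PROJECT_FILE_IGNORED_SIDS")" >&4 &
    else
        d3bug info "Nothing done"
    fi
}


function saveSettings()
# Save suriGUI settings to the config file.
# Currently a no-op: the sed-based writer below is commented out and is to
# be replaced by a YAML writer (see TODO). The "Save" button of the settings
# window does not call it either.
# TODO: replace with new yaml writer
{
    d3bug

    # readarray -d '|' -t tab1 <<< "$(cat $_PROJECT_DIR_TMP/suriGUI.tab)"
    # sed -i "s/^\(notifications\s*=\s*\).*\$/\1${tab1[0]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(timeout\s*=\s*\).*\$/\1${tab1[3]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(position\s*=\s*\).*\$/\1${tab1[6]}/" "$_PROJECT_CONFIG_FILE"
    #
    # readarray -d '|' -t tab2 <<< "$(cat $_PROJECT_DIR_TMP/suricata.tab)"
    # sed -i "s/^\(IPS\s*=\s*\).*\$/\1${tab2[2]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(rules\s*=\s*\).*\$/\1${tab2[3]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(keep\s*=\s*\).*\$/\1${tab2[6]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(log\s*=\s*\).*\$/\1${tab2[7]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(duration\s*=\s*\).*\$/\1${tab2[8]}/" "$_PROJECT_CONFIG_FILE"
    #
    # readarray -d '|' -t tab3 <<< "$(cat $_PROJECT_DIR_TMP/rules.tab)"
    # sed -i "s/^\(action\s*=\s*\).*\$/\1${tab3[0]}/" "$_PROJECT_CONFIG_FILE"
    # sed -i "s/^\(update\s*=\s*\).*\$/\1${tab3[10]}/" "$_PROJECT_CONFIG_FILE"
}


function suriGUISettings()
# suriGUI settings window (yad notebook with plugged tabs).
#   tab 1  suriGUI settings     -> $_PROJECT_DIR_TMP/suriGUI.tab
#   tab 2  Suricata settings    -> $_PROJECT_DIR_TMP/suricata.tab
#   tab 3  Ignored SID list     (pipe 4, refreshed by deleteIgnoredSID)
#   tab 4  Custom rules         (pipe 5, disabled)
#   tab 5  Backup/Restore       (not done yet)
# Runs inside "bash -c suriGUISettings" spawned by the tray icon, so only
# exported functions are available here.
# TODO: preview log in tab, create new tab: log
# TODO: keep log forever
{
    d3bug

    # The YAML config is converted to shell assignments and eval'd: whoever
    # can write suriGUI.yaml runs code in this process. Keep the config
    # directory writable by this user only.
    createProjectSettings
    eval export $(createProjectSettings)
    local KEY="$RANDOM"

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#

    local descriptionSettings
    descriptionSettings=" $_PROJECT_NAME Version: $_PROJECT_VER\\n\\n"
    descriptionSettings+=" OS: $(lsb_release -ds) on $(hostname)\\n"
    descriptionSettings+=" Kernel: $(uname -sr)\\n\\n"
    descriptionSettings+=" $(uptime)"

    local descriptionIgnoreList
    descriptionIgnoreList="List of SIDs not shown with suriGUI-notify\\n"
    descriptionIgnoreList+="Double-click on SID to remove it."

    local positionMode="Top left\!Top right\!Bottom left\!Bottom right\!Center\!Under mouse"
    local verbosityMode="debug\!normal\!silent"
    local actionMode="alert\!pass\!drop\!reject\!rejectsrc\!rejectdst\!rejectboth"
    local makeDefault="^"

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # Prefix the configured value with "^" so yad preselects it in the combo.

    local setPosition
    setPosition=$(echo "$positionMode" \
        | sed "s/${CONF_global_notifications_position:-}/$makeDefault${CONF_global_notifications_position:-}/g")

    local setVerbosity
    setVerbosity=$(echo "$verbosityMode" \
        | sed "s/${CONF_global_log_verbosity:-}/$makeDefault${CONF_global_log_verbosity:-}/g")

    local setAction
    setAction=$(echo "$actionMode" \
        | sed "s/${CONF_suricata_action:-}/$makeDefault${CONF_suricata_action:-}/g")

    case "${CONF_suricata_action:-unknown}" in
        rejectboth) export setMode="IPS" ;;
        *) export setMode="IDS" ;;
    esac

    # One list row per non-empty line of the ignore file.
    local -a ignoredSIDS=()
    local entry
    if [[ -f "$_PROJECT_FILE_IGNORED_SIDS" ]]
    then
        while read -r entry
        do
            [[ -n "$entry" ]] && ignoredSIDS+=("$entry")
        done < "$_PROJECT_FILE_IGNORED_SIDS"
    fi

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # SURIGUI SETTINGS - TAB 1
    # TODO: auto update suriGUI

    yad \
        --plug="$KEY" \
        --form \
        --scroll \
        --tabnum=1 \
        --columns=2 \
        --field=" ":NUM "${CONF_global_notifications_duration:-30}\!1..60\!1\!0" \
        --field=" ":CB "${setPosition:-Center}" \
        --field="":LBL "" \
        --field=" ":NUM "${CONF_global_update_interval:-7}\!1..120\!1\!0" \
        --field="":LBL "" \
        --field=" ":CB "${setVerbosity:-normal}" \
        --field="Reduce output to error only":chk "${CONF_global_log_erroronly:-FALSE}" \
        \
        --field="Show notifications (seconds)":chk "${CONF_global_notifications_enable:-TRUE}" \
        --field="Notification position on screen":LBL "" \
        --field="":LBL "" \
        --field="Auto update suriGUI (days)":chk "${CONF_global_update_enable:-FALSE}" \
        --field="":LBL "" \
        --field="Enable log":chk "${CONF_global_log_enable:-FALSE}" \
        --field="Write standard output to file":chk "${CONF_global_file_file:-TRUE}" \
        > "$_PROJECT_DIR_TMP/suriGUI.tab" &

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # SURICATA SETTINGS - TAB 2
    # TODO: make help file
    # TODO: manual in terminal

    yad \
        --plug="$KEY" \
        --form \
        --scroll \
        --tabnum=2 \
        --columns=2 \
        --field=" ":RO "$setMode" \
        --field=" ":CB "$setAction" \
        --field="":LBL "" \
        --field=" ":FL "${CONF_suricata_config:-}" \
        --field=" ":FL "${CONF_suricata_rules:-}" \
        --field="":LBL "" \
        --field=" ":NUM "${CONF_suricata_update_interval:-7}\!1..365\!1\!0" \
        --field=" ":dir "${CONF_suricata_log_location:-}" \
        --field=" ":NUM "${CONF_suricata_log_interval:-30}\!1..60\!1\!0" \
        --field="":LBL "" \
        --field="Update":fbtn "bash -c updateSuricataRules" \
        \
        --field="Suricata active mode":LBL "" \
        --field="Active rule action":LBL "" \
        --field="":LBL "" \
        --field="Suricata configuration file":LBL "" \
        --field="Suricata rule file":LBL "" \
        --field="":LBL "" \
        --field="Auto update suricata rules (days)":chk "${CONF_suricata_update_enable:-TRUE}" \
        --field="Enable Suricata log":chk "${CONF_suricata_log_enable:-TRUE}" \
        --field="Remove old log (days)":chk "${CONF_suricata_log_keep:-TRUE}" \
        --field="":LBL "" \
        --field="Download latest suricata rules":LBL "" \
        --file-filter="Yaml files (*.yaml)| *.yaml" \
        --file-filter="Config Files (*.cfg *.conf)| *.cfg *.conf" \
        --file-filter="All Files | *.*" \
        > "$_PROJECT_DIR_TMP/suricata.tab" &

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # IGNORED SIDS SETTINGS - TAB 3
    # The double-click value is passed to bash as a positional parameter
    # instead of being spliced into the command string, so a crafted entry in
    # the ignore file cannot become shell syntax.

    exec 4<> "$_PROJECT_PIPE_SID_IGNORE"
    yad \
        --plug="$KEY" \
        --tabnum=3 \
        --list \
        --listen \
        --cycle-read \
        --text="$descriptionIgnoreList" \
        --dclick-action="bash -c 'deleteIgnoredSID \"\$1\"' _ %s" \
        --column="SID" "${ignoredSIDS[@]}" \
        <&4 &

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # CUSTOM RULES - TAB 4 (disabled)
    # local customRules="$(cat $_SURICATA_CUSTOM_RULES)"
    # descCustom="List of custom Rules"
    # readarray arrayaa <<< "$(cat "$_SURICATA_CUSTOM_RULES")"
    #
    # exec 5<> "$_PROJECT_PIPE_SID_CUSTOM"
    #
    # yad \
    #     --plug="$KEY" \
    #     --tabnum=4 \
    #     --list \
    #     --listen \
    #     --cycle-read \
    #     --separator="|" \
    #     --text="$descCustom" \
    #     --dclick-action="bash -c 'deleteCustomRule %s'" \
    #     --column="SID" --column="Status" --column="IPs" "${arrayaa[@]}" \
    #     <&5 &
    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # BACKUP/RESTORE - TAB 5 (not done yet)
    # yad \
    #     --plug="$KEY" \
    #     --tabnum=5 \
    #     --form \
    #     --field="":LBL "" \
    #     --field="Backup":fbtn "bash -c backupSuriGUI" \
    #     &

    #--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#--#
    # MAIN WINDOW - suriGUI

    yad \
        --notebook \
        --key="$KEY" \
        --center \
        --title="suriGUI Settings" \
        --text="$descriptionSettings" \
        --auto-kill \
        --auto-close \
        --window-icon="$_PROJECT_ICON_MAIN" \
        --image="$_PROJECT_ICON_MAIN" \
        --image-on-top \
        --tab="suriGUI" --tab="Suricata" --tab="Ignored SIDs" \
        --button="Close":1 --button="Save":0

    # "Save" (0) does nothing yet -- saveSettings is a stub.
    ret=$?
    case "$ret" in
        0 ) :
            #saveSettings
            ;;
        1 ) : ;;
        * ) exit 0 ;;
    esac

    # for tab in "$_PROJECT_DIR_TMP"/*.tab
    # do
    #     rm "$tab"
    # done
}


function stopNotifyDaemon()
# Stop the notification daemon started by startNotifyDaemon.
# The PID is read from $PROJECT_PID_NOTIFY (note: no leading underscore,
# unlike the other _PROJECT_* names) and validated before use.
{
    d3bug

    if [[ -f "$PROJECT_PID_NOTIFY" ]]
    then
        local pid
        pid="$(cat "$PROJECT_PID_NOTIFY")"
        if [[ "$pid" =~ ^[0-9]+$ ]] && ps -p "$pid" >/dev/null
        then
            d3bug info "Notifications are active. PID: $pid"
            # The daemon is our own child, running as this user: no sudo
            # needed, and a tampered PID file must not be able to kill an
            # arbitrary process as root. SIGTERM is enough for tail.
            if kill "$pid"
            then
                d3bug info "suriGUI-notify stopped"
                if ! rm "$PROJECT_PID_NOTIFY"
                then
                    d3bug error "Can not remove PROJECT_PID_NOTIFY: $PROJECT_PID_NOTIFY"
                fi
            else
                d3bug error "Can not stop Notifications "
            fi
        else
            d3bug info "suriGUI-notify file found, but process with PID $pid was not"
        fi
    else
        d3bug info "suriGUI-notify PID file not found! Nothing to kill."
    fi
}

# todo: bug found: parsing is not working if file is empty
# make delay until new line is detected
function startNotifyDaemon()
# Start the notification daemon: follow Suricata's eve.json and call
# send_notify for every "alert" event. The PID of the tail process is
# written to $PROJECT_PID_NOTIFY for stopNotifyDaemon.
{
    d3bug

    # Every interpolated field is quoted by jq's @sh (single-quoted shell
    # words); that is what makes the eval below safe against signature and
    # category strings containing shell metacharacters -- keep @sh if the
    # format line is ever changed.
    # -n 0: do not replay the last lines of an existing log as new alerts.
    # -F:   re-open the file after Suricata/logrotate rotates it, otherwise
    #       notifications silently stop at the first rotation.
    tail -n 0 -F "$_PROJECT_DIR_LOG/eve.json" > >( \
        jq --unbuffered -r -c 'select(.event_type=="alert")' \
        | jq --unbuffered -r '@sh "sid=\(.alert.signature_id) category=\(.alert.category) signature=\(.alert.signature) SRC=\(.src_ip) DEST=\(.dest_ip) action=\(.alert.action)"' \
        | while read -r line; do \
            eval "$line" ; \
            send_notify "alert" "${category:-}" "${signature:-}" "$sid" "$SRC" "$DEST" "$action" ; \
        done ) &

    echo "$!" > "$PROJECT_PID_NOTIFY"

    d3bug info "Notifications started with PID: $(cat "$PROJECT_PID_NOTIFY")"
}


function controlSuricataService()
# Control the Suricata systemd unit (through sudo).
#   controlSuricataService start|stop|restart|status   (default: status)
# Only those four verbs are accepted; the tray menu is the only caller.
{
    d3bug

    local action="${1:-status}"

    # Whitelist the verb before it reaches "sudo systemctl".
    case "$action" in
        start|stop|restart|status) ;;
        *)
            d3bug error "Unsupported action: $action"
            return 1
            ;;
    esac

    if sudo systemctl "$action" suricata &>/dev/null
    then
        d3bug info "$action Suricata service"
    else
        d3bug error "Can not control Suricata service. \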
$action is not working" 956 | fi 957 | } 958 | 959 | 960 | function updateTrayMenu() 961 | # Create suriGUI tray menu and tray icon 962 | # usage: updateTrayMenu active|inactive 963 | { 964 | d3bug 965 | 966 | local status="$1" 967 | 968 | case "$status" in 969 | "active") menu="Stop Suricata service!bash -c 'controlSuricataService stop'" ;; 970 | "inactive") menu="Start Suricata service!bash -c 'controlSuricataService start'" ;; 971 | *) menu="" ;; 972 | esac 973 | 974 | menu+="|Restart Suricata service!bash -c 'controlSuricataService restart'" 975 | menu+="||Settings!bash -c 'suriGUISettings'" 976 | menu+="||Exit!quit" 977 | 978 | [[ -p $_PROJECT_PIPE_MAIN ]] && exec 3<>$_PROJECT_PIPE_MAIN echo "menu:$menu" >&3 & 979 | 980 | d3bug info "Menu updated: $status" 981 | d3bug info "Menu: $menu" 982 | 983 | [[ -p $_PROJECT_PIPE_MAIN ]] && exec 3<>$_PROJECT_PIPE_MAIN echo "icon:$suricataStatus" >&3 & 984 | 985 | d3bug info "Icon updated: $status" 986 | } 987 | 988 | 989 | # TODO: Parser must me own file and service, second time rewriting 990 | #idiot 991 | 992 | 993 | 994 | function startSuriGUI() 995 | # Start suriGUI 996 | # PIPE 3 997 | # Create yad tray icon 998 | { 999 | d3bug 1000 | 1001 | d3bug info "Starting $_PROJECT_NAME $_PROJECT_VER" 1002 | 1003 | yad \ 1004 | --notification \ 1005 | --no-middle \ 1006 | --listen \ 1007 | --text="$_PROJECT_NAME v$_PROJECT_VER" \ 1008 | --image="$suricataStatus" \ 1009 | --separator="|" \ 1010 | --menu="Exit!quit" \ 1011 | --command="bash -c suriGUISettings" \ 1012 | <&3 &>/dev/null 1013 | 1014 | [[ -f "$_PROJECT_PID_MAIN" ]] && rm "$_PROJECT_PID_MAIN" 1015 | } 1016 | 1017 | 1018 | function createProjectIcons() 1019 | # Register suriGUI icon files 1020 | { 1021 | d3bug 1022 | 1023 | for icon in "${_PROJECT_DB_ICONS[@]}" 1024 | do 1025 | local iconName=$(basename "$icon" | sed "s/\..*//") 1026 | 1027 | if xdg-icon-resource install --context mimetypes --size 48 "$icon" "$iconName" 1028 | then 1029 | d3bug info "registered 
$iconName" 1030 | else 1031 | d3bug error "Can not register icon: $iconName" 1032 | fi 1033 | done 1034 | } 1035 | 1036 | 1037 | function checkSuricataStatus() 1038 | # Check Suricata's service status 1039 | { 1040 | d3bug 1041 | 1042 | if systemctl is-active --quiet suricata 1043 | then 1044 | export suricataStatus="active" 1045 | else 1046 | export suricataStatus="inactive" 1047 | fi 1048 | 1049 | d3bug info "Suricata is $suricataStatus" 1050 | updateTrayMenu "$suricataStatus" 1051 | } 1052 | 1053 | 1054 | # NOT FINISHED 1055 | function readCustomRules() 1056 | # Read suriGUI.rules and convert it to associative array 1057 | # Print: readCustomRules 1058 | # Set array: eval declare -A $(readCustomRules) 1059 | # Get value: echo ${RULE_1234567[status]} 1060 | { 1061 | local file="$_PROJECT_FILE_CONFIG_NEW" 1062 | local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs=$(echo @|tr @ '\034') 1063 | sed -ne "s|^\($s\):|\1|" \ 1064 | -e "s|^\($s\)\($w\)$s:$s[\"']\(.*\)[\"']$s\$|\1$fs\2$fs\3|p" \ 1065 | -e "s|^\($s\)\($w\)$s:$s\(.*\)$s\$|\1$fs\2$fs\3|p" $file | 1066 | awk -F$fs '{ 1067 | indent = length($1)/2; 1068 | vname[indent] = $2; 1069 | for (i in vname) {if (i > indent) {delete vname[i]}} 1070 | if (length($3) > 0) { 1071 | vn=""; for (i=0; i/dev/null 1125 | then 1126 | d3bug info "Rules reloaded @ $(date +'%Y-%m-%d') $(date +'%H:%M:%S')" 1127 | else 1128 | d3bug error "Can't reload rules!" 1129 | fi 1130 | } 1131 | 1132 | 1133 | function updateSuricataRules() 1134 | # Download latest Suricata rules 1135 | # Reload Suricata if needed 1136 | { 1137 | d3bug 1138 | 1139 | if command -v suricata-update #&>/dev/null 1140 | then 1141 | d3bug info "Starting update ..." 

        # Runs as root but uses $_PROJECT_DIR_TMP, a directory owned by the
        # GUI user, as its working data dir -- a root process writing into a
        # user-controlled directory is worth a second look. NOTE(review):
        # --no-test skips suricata-update's own validation of the downloaded
        # ruleset, so a broken download is only noticed at reload time.
        if sudo suricata-update --output "$_PROJECT_DIR_SURICATA" \
            --data-dir "$_PROJECT_DIR_TMP" \
            --no-test #&>/dev/null
        then
            # Hard-coded account name. This also hands the rule files that
            # Suricata (root) loads to the unprivileged GUI user: anything
            # running as "user" can then inject rules into the IPS.
            sudo chown user:user "$_PROJECT_DIR_SURICATA" -R
            # Date-only timestamp; checkSuricataRules validates its format.
            date +'%Y-%m-%d' > "$_PROJECT_FILE_SURICATA_RULES_TIMESTAMP"
            d3bug info "Update done @ $(date +'%Y-%m-%d %H:%M:%S')"

            reloadSuricataRules
        else
            # exit, not return: when this runs in the main process (via
            # checkSuricataRules at start-up) it terminates suriGUI.
            d3bug error "Error updating Suricata rules. Exit 1"
            exit 1
        fi
    else
        d3bug error "suricata-update not installed. Exit 1"
        # TODO: maybe not exit if default file is there
        exit 1
    fi
}


function checkSuricataRules()
# Decide whether the Suricata rule file needs (re)downloading and call
# updateSuricataRules when it does:
#   - rule file missing, or
#   - auto-update enabled and the timestamp file is missing, malformed
#     (not YYYY-MM-DD) or older than CONF_suricata_update_interval days.
# Exports lastUpdate (age of the rules in days) as a side effect.
# Reads CONF_suricata_update_enable and CONF_suricata_update_interval
# without a default; with nounset enabled an unset config value aborts here.
{
    d3bug

    if [[ -f "$_PROJECT_FILE_SURICATA_RULES" ]]
    then
        d3bug info "$_PROJECT_FILE_SURICATA_RULES"

        if [[ "$CONF_suricata_update_enable" == "TRUE" ]]
        then
            d3bug info "Auto-Update enabled"

            if [[ ! -f "$_PROJECT_FILE_SURICATA_RULES_TIMESTAMP" ]]
            then
                d3bug error "Timestamp not found. Updating..."
                updateSuricataRules
            else
                # Accept only a plain YYYY-MM-DD before handing it to date(1).
                if [[ $(cat "$_PROJECT_FILE_SURICATA_RULES_TIMESTAMP") =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]
                then
                    # Age in whole days: (now - timestamp) / 86400.
                    export lastUpdate="$((($(date +%s)-$(date +%s --date "$(cat $_PROJECT_FILE_SURICATA_RULES_TIMESTAMP)"))/(3600*24)))"
                    if [[ "$lastUpdate" -gt "$CONF_suricata_update_interval" ]]
                    then
                        d3bug error "Rules to old. Updating..."
                        updateSuricataRules
                    else
                        d3bug info "Rules old $lastUpdate days. No need to update. ($CONF_suricata_update_interval day interval)"
                    fi
                else
                    d3bug error "Rules never updated. Updating..."
                    updateSuricataRules
                fi
            fi
        else
            d3bug info "Auto-Update disabled"
        fi
    else
        d3bug error "Suricata rules not found. Updating..."
1203 | updateSuricataRules 1204 | fi 1205 | } 1206 | 1207 | 1208 | function createProjectPipes() 1209 | # Create suriGUI pipes 1210 | # Pipes 3,4,5 1211 | { 1212 | d3bug 1213 | 1214 | for pipe in "${_PROJECT_DB_PIPES[@]}" 1215 | do 1216 | if [[ -e $pipe ]] 1217 | then 1218 | if ! rm "$pipe" 1219 | then 1220 | d3bug error "Can't remove old pipe" 1221 | exit 1 1222 | fi 1223 | else 1224 | if ! mkfifo "$pipe" 1225 | then 1226 | d3bug error "Can't create pipe: $pipe" 1227 | exit 1 1228 | else 1229 | d3bug info "$pipe" 1230 | fi 1231 | fi 1232 | 1233 | done 1234 | 1235 | if exec 3<> "$_PROJECT_PIPE_MAIN" 1236 | then 1237 | d3bug info "Project pipe started" 1238 | else 1239 | d3bug error "Can not start Project pipe. Exit 1" 1240 | exit 1 1241 | fi 1242 | 1243 | } 1244 | 1245 | 1246 | function createProjectSettings() 1247 | # Read suriGui.yaml and convert it to variables 1248 | # Print: createProjectSettings "$_PROJECT_DIR_CONF/settings.yaml" 1249 | # Set variables: eval $(createProjectSettings "$_PROJECT_DIR_CONF/settings.yaml") 1250 | { 1251 | local file="$_PROJECT_FILE_CONFIG_NEW" 1252 | local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs=$(echo @|tr @ '\034') 1253 | sed -ne "s|^\($s\):|\1|" \ 1254 | -e "s|^\($s\)\($w\)$s:$s[\"']\(.*\)[\"']$s\$|\1$fs\2$fs\3|p" \ 1255 | -e "s|^\($s\)\($w\)$s:$s\(.*\)$s\$|\1$fs\2$fs\3|p" $file | 1256 | awk -F$fs '{ 1257 | indent = length($1)/2; 1258 | vname[indent] = $2; 1259 | for (i in vname) {if (i > indent) {delete vname[i]}} 1260 | if (length($3) > 0) { 1261 | vn=""; for (i=0; i/dev/null 1397 | 1398 | ret=$? 1399 | if [[ $ret = 0 ]] 1400 | then 1401 | d3bug info "Installing $app ..." 1402 | if sudo apt-get install "$app" -y &>/dev/null 1403 | then 1404 | d3bug info "$app was successfully installed" 1405 | else 1406 | d3bug error "Can't install: $app" 1407 | exit 1 1408 | fi 1409 | else 1410 | d3bug error "If you do not want to install $app \n then you can not use Suricata nor suriGUI." 
                # Refusing the install aborts start-up: the dependency is mandatory.
                exit 1
            fi
        fi
    done
}



# Export functions for yad.
# yad runs buttons and menu entries as "bash -c NAME", so only the functions
# listed here exist in those child shells. NOTE(review): suriGUISettings
# calls createProjectSettings and updateSuriGUI calls restartSuriGUI, neither
# of which is exported in this list -- confirm they are exported elsewhere.
export -f d3bug
export -f exitSuriGUI
#export -f readConfigFile
export -f saveSettings
export -f suriGUISettings
export -f deleteIgnoredSID
export -f controlSuricataService
export -f updateSuricataRules
export -f updateSuriGUI
export -f send_notify


# Command line: -v VERBOSITY (silent file normal high debug), -b and -c are
# parsed but not used in the reviewed part of this file.
# TODO: make help function (helpFunction is not defined in the reviewed code)
while getopts "v:b:c:" opt
do
    case "$opt" in
        v )
            export CONF_global_log_verbosity="$OPTARG" ;;
        b ) parameterB="$OPTARG" ;;
        c ) parameterC="$OPTARG" ;;
        ? ) helpFunction ;; # Print helpFunction in case parameter is non-existent
    esac
done



# S T A R T   S U R I G U I
# Start-up sequence: dependencies, directories, files, connectivity, then the
# configuration, pipes and icons, then rules and service state.
checkProjectDependencies
checkProjectDirectories
checkProjectFiles
checkInternetConnection

# The YAML config is turned into shell assignments and eval'd in this
# process: the config file must only be writable by this user. The first
# call's output is discarded; the second one is the effective load.
createProjectSettings
eval export $(createProjectSettings)
createProjectPipes
createProjectIcons

checkSuricataRules
checkCustomRules
checkSuricataStatus

# Tray icon (yad --notification) runs in the background until "Exit".
startSuriGUI &



# Block until the Suricata unit reports active (the inner check is
# redundant with the loop condition).
while ( ! systemctl is-active --quiet suricata )
do
    ( systemctl is-active --quiet suricata ) && break
    d3bug info "Waiting for Suricata service to start"
    sleep 5
done #&>/dev/null
d3bug info "Suricata is active"

# Blink the tray icon (pipe 3) while waiting for the first eve.json write.
exec 3<>$_PROJECT_PIPE_MAIN echo "visible:blink" >&3 &
while [[ ! -f "$_PROJECT_DIR_LOG/eve.json" ]]
do
    [[ -f "$_PROJECT_DIR_LOG/eve.json" ]] && break
    d3bug info "Suricata service is active but no output is generated."
    sleep 5
done #&>/dev/null
d3bug info "Log output found"


# Notifications are opt-in via CONF_global_notifications_enable.
[[ "${CONF_global_notifications_enable:-}" == "TRUE" ]] && startNotifyDaemon


# Main loop: refresh the tray status every 5 s until the PID file is gone
# (startSuriGUI removes it once the tray icon exits).
echo "$$" > "$_PROJECT_PID_MAIN"

while :
do
    [[ ! -f "$_PROJECT_PID_MAIN" ]] && break
    ( checkSuricataStatus ) #&>/dev/null
    sleep 5
done &>/dev/null


# The GUI is gone; the Suricata service itself keeps running.
echo "End of script, but not IPS !!!"