diff options
Diffstat (limited to 'config/suricata')
-rw-r--r-- | config/suricata/dns-events.rules | 15 | ||||
-rw-r--r-- | config/suricata/suricata.xml | 5 | ||||
-rw-r--r-- | config/suricata/suricata_check_for_rule_updates.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_interfaces_edit.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 8 | ||||
-rw-r--r-- | config/suricata/suricata_post_install.php | 5 | ||||
-rw-r--r-- | config/suricata/suricata_rulesets.php | 2 |
7 files changed, 36 insertions, 3 deletions
diff --git a/config/suricata/dns-events.rules b/config/suricata/dns-events.rules new file mode 100644 index 00000000..693f2f1b --- /dev/null +++ b/config/suricata/dns-events.rules @@ -0,0 +1,15 @@ +# Response (answer) we didn't see a Request for. Could be packet loss. +alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;) +# Malformed data in request. Malformed means length fields are wrong, etc. +alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;) +alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;) +# Response flag set on to_server packet +alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;) +# Response flag not set on to_client packet +alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;) +# Z flag (reserved) not 0 +alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;) +# Request Flood Detected +alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;) +# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting. +alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;) diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index d5ea59ad..f9bbd379 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -108,6 +108,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/suricata/dns-events.rules</item> + <prefix>/usr/local/pkg/suricata/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item> <prefix>/usr/local/www/suricata/</prefix> <chmod>0755</chmod> diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 5e977f36..6a3e51f7 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -486,7 +486,7 @@ if ($emergingthreats == 'on') { // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files // that are also bundled in the ET rules. - $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); + $default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); $files = glob("{$tmpfname}/emerging/rules/*.rules"); // Determine the correct prefix to use based on which // Emerging Threats rules package is enabled. diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 55c97efc..a3b2e78a 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -399,7 +399,7 @@ if ($_POST["save"] && !$input_errors) { $natent['libhtp_policy']['item'][] = $default; // Enable the basic default rules for the interface - $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; + $natent['rulesets'] = "decoder-events.rules||dns-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; // Adding a new interface, so set flag to build new rules $rebuild_rules = true; diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 97e3cde6..abbdcf64 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -116,6 +116,14 @@ foreach ($rule as &$r) { } /***********************************************************/ + /* Add the new 'dns-events.rules' file to the rulesets. */ + /***********************************************************/ + if (strpos("dns-events.rules", $pconfig['rulesets']) === FALSE) { + $pconfig['rulesets'] = rtrim($pconfig['rulesets'], "||") . "||dns-events.rules"; + $updated_cfg = true; + } + + /***********************************************************/ /* Add new HTTP Log Extended Info setting if not present */ /***********************************************************/ if (!isset($pconfig['http_log_extended'])) { diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 955751ad..47dd3ad7 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -112,6 +112,11 @@ safe_mkdir(SURICATALOGDIR); safe_mkdir(SID_MODS_PATH); safe_mkdir(IPREP_PATH); +// Copy the new dns-events.rules file to the +// Suricata directory if not already present. +if (!file_exists(SURICATADIR . "rules/dns-events.rules")) + @copy("/usr/local/pkg/suricata/dns-events.rules", SURICATADIR . "rules/dns-events.rules"); + // remake saved settings if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index 14da068e..ce32af20 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -47,7 +47,7 @@ $suricatadir = SURICATADIR; $flowbit_rules_file = FLOWBITS_FILENAME; // Array of default events rules for Suricata -$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", +$default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); if (!is_array($config['installedpackages']['suricata']['rule'])) { |