These rules do not drop anything, but only alert when internal parts of the engine trigger an event. This will give us more insight into what is happening.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/suricata | 22 ++++++++++++++++++++++ config/suricata/suricata.yaml | 24 ++++++++++++++++++++++-- lfs/suricata | 3 --- 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 32358483a..21dbeae64 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -19,6 +19,28 @@ usr/bin/suricata
 #usr/share/man/man1/suricatactl-filestore.1
 #usr/share/man/man1/suricatactl.1
 #usr/share/man/man1/suricatasc.1
+usr/share/suricata/
+#usr/share/suricata/classification.config
+#usr/share/suricata/reference.config
+#usr/share/suricata/rules
+#usr/share/suricata/rules/app-layer-events.rules
+#usr/share/suricata/rules/decoder-events.rules
+#usr/share/suricata/rules/dhcp-events.rules
+#usr/share/suricata/rules/dnp3-events.rules
+#usr/share/suricata/rules/dns-events.rules
+#usr/share/suricata/rules/files.rules
+#usr/share/suricata/rules/http2-events.rules
+#usr/share/suricata/rules/http-events.rules
+#usr/share/suricata/rules/ipsec-events.rules
+#usr/share/suricata/rules/kerberos-events.rules
+#usr/share/suricata/rules/modbus-events.rules
+#usr/share/suricata/rules/mqtt-events.rules
+#usr/share/suricata/rules/nfs-events.rules
+#usr/share/suricata/rules/ntp-events.rules
+#usr/share/suricata/rules/smb-events.rules
+#usr/share/suricata/rules/smtp-events.rules
+#usr/share/suricata/rules/stream-events.rules
+#usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 6f37671c8..0ad36e705 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
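Review bot: Every entry under usr/share/suricata/rules/ is added with a leading `#`, and only the bare directory entry `usr/share/suricata/` is active; if, as the commented man-page entries in the surrounding context suggest, `#`-prefixed lines are left out of the shipped package, none of the event rule files that the suricata.yaml hunk in this same commit lists under rule-files will exist on an installed system. If the files are meant to ship, `usr/share/suricata/rules` and the 18 `*.rules` entries should be listed without the `#`; if leaving them out is intentional, the yaml should not reference them, since each missing rule file is at best a warning at every engine start. Either way a one-line note in the commit description saying which is intended would avoid the next reader asking the same question.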
@@ -46,8 +46,28 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
- # Include enabled ruleset files from external file.
- include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+ # Default rules
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http2-events.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/mqtt-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
+
+ # Include enabled ruleset files from external file
+ - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
diff --git a/lfs/suricata b/lfs/suricata
index c7f189bf4..bd57b829e 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Install IPFire related config file.
 install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
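Review bot: The include of the locally enabled rulesets changes form from a mapping key (`include:`) to a tagged sequence item, `- !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml`, and whether a `!include` tag inside a list is honoured depends on the Suricata version being built; confirm the version pinned in lfs/suricata accepts this form, because if the tag is not understood the engine may still start with only the event rules while every user-enabled ruleset quietly stops loading. A comment on that line naming the requirement would make the dependency visible, e.g. `# !include inside a sequence needs Suricata <MIN-VERSION-PLACEHOLDER> or newer`. The 18 absolute paths under /usr/share/suricata/rules bypass default-rule-path and are loaded unconditionally, independent of what suricata-used-rulefiles.yaml enables, which matches the description's intent that these are alert-only engine-event rules but is worth stating in the `# Default rules` comment.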
- # Remove shipped rules. - rm -rvf /usr/share/suricata - # Create emtpy rules directory. -mkdir -p /var/lib/suricata