{"id":94,"date":"2024-10-11T11:54:42","date_gmt":"2024-10-11T16:54:42","guid":{"rendered":"https:\/\/danielbondurantcybersecurityportfolio.online\/?p=94"},"modified":"2024-11-07T10:00:16","modified_gmt":"2024-11-07T16:00:16","slug":"custom-firewall-with-suricata-part-1-suricata-alert","status":"publish","type":"post","link":"https:\/\/danielbondurantcybersecurityportfolio.online\/?p=94","title":{"rendered":"Custom Firewall with Suricata     Part 1: Suricata Alert"},"content":{"rendered":"\n<p>This post will demonstrate creating a custom rule in Suricata to generate an alert.<\/p>\n\n\n\n<p>In the <code>\/etc\/suricata\/rules<\/code> directory I made a new rules file called <code>custom.rules<\/code>:<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdJcyiALvOL3L_Hh34zcAmpBp1R-oCpi39ZEQYdyvcojZbvo4UZwMerT0ShcCNjS4Zau1f2YsF2PhtGrq_TXtV30qiDjLQ-2Zwty_nYjidHXoSxVyv6nIgtsLxJuiypdPvIFkj9pri5R59CGudRynp8bsbm?key=3JVRg5fHbIDDB8n3n0xfFw\" width=\"537\" height=\"167\"><\/p>\n\n\n\n<p>For Suricata to load this rule, the new rule file needs to be added to the <code>rule-files<\/code> list in <code>suricata.yaml<\/code>:<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdmZqur5RZUCSh5m68bDumS339dKFjzDq0_Pwssh9A_f8XB-Ih4jZ04U6HWC8E8C3R9ai1TsZkRMdXg3V8l0OMxQN2OM-FSRXi0b3XFMj9tx2RfkTlFeun8Z7AL7mFEkixcHV_B3A5a6A5CxwawBIAJJ7k?key=3JVRg5fHbIDDB8n3n0xfFw\" width=\"499\" height=\"121\"><\/p>\n\n\n\n<p>Now for the actual rule in the custom file:<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcdRmLF5ZOlMOX32oktgbkHTe0V_u3UfpKLMdjs02O9gjELOLqSN9QJz_VmeGonlU82c1NShxVwWd-sI1-Fkae0IkcDNRGdf4Fni90vcDOS2k4fu1e5X6F25FoAcBpH1MgBj_vFEtf7pTOhNOJD0UXrJOek?key=3JVRg5fHbIDDB8n3n0xfFw\" width=\"624\" height=\"116\"><\/p>\n\n\n\n<p>All this rule does is alert us when TCP traffic is seen going from our internal network to 1.1.1.1 over either HTTP or HTTPS.<\/p>\n\n\n\n<p>To start Suricata in AF_PACKET capture mode, we run it with the <code>--af-packet<\/code> option:<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd5EmEobB1qcyI59aLd1MTwfoDjOFQcAYTXfmarP6ecxmkhhq1kVHDhwZxx0ld9sMEMPqvh-a5j5VOSXh77X8Lsw_1HcppExEo6rv2pCU8UysT6Ps3RKhmzASA4-VNRH3WaqX8pUBS9opgErWuBgwBWHgY?key=3JVRg5fHbIDDB8n3n0xfFw\" width=\"618\" height=\"144\"><\/p>\n\n\n\n<p>Note: my capture interface is br0; the stock <code>suricata.yaml<\/code> defaults to eth0.<\/p>\n\n\n\n<p>When I open a browser and go to 1.1.1.1, the alert should trigger and be written to the <code>fast.log<\/code> file in Suricata's log directory (<code>\/var\/log\/suricata<\/code> by default).<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcT6Z0KVaKzDBOxkHmQlE4-OPL1WmmUdIzhp2vhpV5oRNiTfBIyq-APgB3JNEWqhT0gHJQivwbZyesgfPXs6OHqf9TdxUNL_0yby9ql90C_tHJrG5WUXEXhDEckq6VIRw0kBLt95dRe_as6llJHt_Vei2fI?key=3JVRg5fHbIDDB8n3n0xfFw\" width=\"624\" height=\"520\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Sure enough, the alert message appears in <code>fast.log<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"661\" height=\"99\" src=\"https:\/\/danielbondurantcybersecurityportfolio.online\/wp-content\/uploads\/2024\/10\/image.png\" alt=\"\" class=\"wp-image-99\" srcset=\"https:\/\/danielbondurantcybersecurityportfolio.online\/wp-content\/uploads\/2024\/10\/image.png 661w, https:\/\/danielbondurantcybersecurityportfolio.online\/wp-content\/uploads\/2024\/10\/image-300x45.png 300w\" sizes=\"auto, (max-width: 661px) 100vw, 661px\" \/><\/figure>\n\n\n\n<p>This simple rule example does not do much for us by itself. 
However, combining it with some Python scripting and a few more functions within Linux, this becomes the first part of creating a custom firewall.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post will demonstrate creating a custom rule in Suricata to generate an alert. In the \/etc\/suricata\/rules directory I made a new rules file called custom.rules: For Suricata to run this rule, the new rule file needs to be added to the suricata.yaml file: Now for the actual rule in the custom file: All this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[6,9],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","hentry","category-linux","category-suricata"],"blocksy_meta":{"has_hero_section":"enabled","hero_elements":[{"id":"custom_title","enabled":true,"heading_tag":"h1","title":"Home","__id":"BBYoXEmuq6jlq_QpUrRvp"},{"id":"custom_description","enabled":true,"description_visibility":{"desktop":true,"tablet":true,"mobile":false},"__id":"qXr8xzKb0V8P3DLB4L0XW","hero_item_max_width":{"desktop":"100","tablet":"100","mobile":"100"}},{"id":"custom_meta","enabled":true,"meta_elements":[{"id":"author","enabled":true,"label":"By","has_author_avatar":"yes","avatar_size":25},{"id":"post_date","enabled":true,"label":"On","date_format_source":"default","date_format":"M j, Y"},{"id":"updated_date","enabled":false,"label":"On","date_format_source":"default","date_format":"M j, 
Y"},{"id":"categories","enabled":true,"label":"In","style":"simple"},{"id":"comments","enabled":true}],"page_meta_elements":{"joined":true,"articles_count":true,"comments":true},"__id":"P5GShbmNyfokas-5FfLqP"},{"id":"breadcrumbs","enabled":false,"__id":"NWpm0rjfjpp-fJVxWRt38"}],"hero_alignment1":{"desktop":"left","tablet":"left","mobile":"left","__changed":["tablet"]},"styles_descriptor":{"styles":{"desktop":"[data-prefix=\"single_blog_post\"] .entry-header .page-title {--theme-font-size:30px;} [data-prefix=\"single_blog_post\"] .entry-header .entry-meta {--theme-font-weight:600;--theme-text-transform:uppercase;--theme-font-size:12px;--theme-line-height:1.3;} [data-prefix=\"single_blog_post\"] .hero-section[data-type=\"type-1\"] {--alignment:left;} [data-prefix=\"single_blog_post\"] .hero-section .page-description {--description-max-width:100%;}","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":7,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":138,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions\/138"}],"wp:attachment":[{"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest
_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/danielbondurantcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
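The post closes by saying the next step is to combine the alert with Python scripting. The block below is an added example of that first step and is not code from the post or from the Suricata project: a parser for Suricata's fast.log line format that picks out the alerts raised by one rule, keyed on the rule's sid. The post shows its real rule only as a screenshot, so `EXAMPLE_RULE` here is an assumption reconstructed from the post's description (internal network to 1.1.1.1 on HTTP or HTTPS); the sid 1000001, the message text, the IP addresses and the log lines in `SAMPLE_FAST_LOG` are all constructed sample data, not output from the author's sensor.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Assumed rule written to match the post's description. The sid is a constructed
# value in the local (1000000+) range, not the sid from the author's screenshot.
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> 1.1.1.1 [80,443] '
    '(msg:"Outbound traffic to 1.1.1.1"; sid:1000001; rev:1;)'
)

# fast.log writes one alert per line in this layout:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def rule_sid(rule: str) -> int:
    """Extract the sid option from a rule so the log reader keys on the same number."""
    m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    if m is None:
        raise ValueError("rule has no sid option")
    return int(m.group(1))


def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for lines that are not alert records."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    return Alert(
        timestamp=m.group("ts"),
        sid=int(m.group("sid")),
        msg=m.group("msg"),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
    )


def alerts_for_rule(lines: Iterable[str], rule: str) -> Iterator[Alert]:
    """Yield only the alerts raised by the given rule, matched on sid."""
    sid = rule_sid(rule)
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is not None and alert.sid == sid:
            yield alert


def sources_talking_to(lines: Iterable[str], rule: str) -> dict:
    """Summarize, per internal source IP, which destination ports the rule saw hit."""
    summary: dict = {}
    for a in alerts_for_rule(lines, rule):
        summary.setdefault(a.src, set()).add(a.dport)
    return summary


# Constructed sample in fast.log layout: two hits from the example rule, one hit from
# an unrelated rule, and one junk line. Not real output from the author's system.
SAMPLE_FAST_LOG = """\
10/11/2024-11:54:42.000001  [**] [1:1000001:1] Outbound traffic to 1.1.1.1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.25:51234 -> 1.1.1.1:443
10/11/2024-11:54:42.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.25:40000
this line is not an alert
10/11/2024-11:54:43.000003  [**] [1:1000001:1] Outbound traffic to 1.1.1.1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.25:51235 -> 1.1.1.1:80
"""

if __name__ == "__main__":
    for alert in alerts_for_rule(SAMPLE_FAST_LOG.splitlines(), EXAMPLE_RULE):
        print(f"{alert.timestamp} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} ({alert.msg})")
```

Keying on the sid rather than on the message text is deliberate: the message can be edited freely, but the sid is what must stay stable between the rule file and whatever acts on the alert. Before relying on a rule live, it is also worth confirming that Suricata actually loads it; `suricata -T -c /etc/suricata/suricata.yaml` runs a configuration and rule-parsing test without capturing traffic, and a typo in `custom.rules` shows up there rather than as a silently missing alert.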