installing_and_configuring_suricata_on_centos7_en [2019/08/08 15:24] (current)
 +====== Installing and Configuring Suricata on CentOS 7 ======
 +
 +
 +===== Configuring the new Kernel =====
 +
 +We need to disable the firewalld service on <nowiki>CentOS</nowiki> 7.
 +<sxh bash>
 +systemctl stop firewalld.service 
 +systemctl disable firewalld.service
 +</sxh>
 +
 +We need to install a kernel with support for high network throughput.
 +
 +Let's add the ELRepo repository
 +<sxh bash>
 +rpm -ivh http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
 +</sxh>
 +
 +Now we need to install the new kernel 
 +<sxh bash>
 +yum --enablerepo=elrepo-kernel install kernel-ml -y
 +</sxh>
 +
 +It is best to remove the other kernels from /boot and then regenerate the GRUB configuration with the following command.
 +<sxh bash>
 +grub2-mkconfig -o /boot/grub2/grub.cfg
 +</sxh>
 +
 +Now we need to reboot the server
 +<sxh bash>
 +reboot
 +</sxh>
 +
 +===== Installing Suricata =====
 +
 +  * Prerequisites:
 +    * <nowiki>CentOS</nowiki> 7 running Suricata
 +      * IP: 192.168.1.252
 +    * Debian Wheezy running Snorby
 +      * IP: 192.168.1.251
 +    * Debian Wheezy running Apache
 +      * IP: 192.168.1.250
 +
 +
 +Now we need to install the dependencies for Suricata. First, let's refresh the repository metadata
 +<sxh bash>
 +yum check-update
 +</sxh>
 +
 +Now we need to install the dependencies like this
 +<sxh bash>
 +yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel mariadb-devel GeoIP-devel \
 +zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel libnetfilter_queue-devel ethtool
 +</sxh>
 +
 +Now we need to fetch the Suricata tarball and extract it.
 +<sxh bash>
 +cd /usr/src
 +wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
 +tar -xvzf suricata-2.0.7.tar.gz
 +cd suricata-2.0.7
 +</sxh>
 +
 +Now we need to configure the sources to build Suricata with NFQUEUE support, so that it can run as an IPS
 +<sxh bash>
 +./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip
 +</sxh>
 +
 +Now let's compile and install Suricata like this
 +<sxh bash>
 +make && make install-full
 +</sxh>
 +
 +Now let's refresh the shared library cache.
 +<sxh bash>
 +ldconfig
 +</sxh>
 +
 +If you have problems with the rules, you can fetch the Emerging Threats rule set with the following command
 +<sxh bash>
 +wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
 +</sxh>
 +
 +Now we need to configure Suricata's main configuration file like this
 +<sxh yaml>
 +vim /etc/suricata/suricata.yaml
 +[...]
 +  - drop:
 +      enabled: yes
 +[...]
 +  - dns-log:
 +      enabled: yes
 +[...]
 +#line 784
 +  outputs:
 +  - console:
 +      enabled: yes
 +  - file:
 +      enabled: yes
 +      filename: /var/log/suricata/suricata.log
 +[...]
 +classification-file: /etc/suricata/rules/classification.config
 +reference-config-file: /etc/suricata/rules/reference.config
 +[...]
 +    # Here we need to set up the networks in our company like below.
 +    HOME_NET: "[192.168.1.0/24]"
 +[...]
 +host-os-policy:
 +  # Make the default policy windows.
 +  windows: [0.0.0.0/0]
 +  bsd: []
 +  bsd-right: []
 +  old-linux: []
 +  linux: [192.168.1.0/24, 192.168.1.252]
 +  old-solaris: []
 +  solaris: ["::1"]
 +  hpux10: []
 +  hpux11: []
 +  irix: []
 +  macos: []
 +  vista: []
 +  windows2k3: []
 +</sxh>
 +
 +Now we need to tune some kernel parameters so that the system can handle a large number of packets per second.
 +<sxh bash>
 +modprobe ip_conntrack
 +modprobe ip_conntrack_ftp
 +modprobe ip_nat_ftp
 +echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
 +echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 +echo 1 > /proc/sys/net/ipv4/tcp_timestamps
 +echo 1 > /proc/sys/net/ipv4/ip_forward
 +echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
 +echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
 +PSNI=/proc/sys/net/ipv4
 +for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
 +echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +PSNI=/proc/sys/net/ipv6
 +for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
 +echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
 +</sxh>
 +
 +Since we are running an IDS/IPS, we need to disable the offloading features on the interface, so that the NIC does not process or coalesce packets itself and all of them reach the IDS/IPS unchanged.
 +<sxh bash>
 +ethtool -K enp0s3 tx off
 +ethtool -K enp0s3 tso off
 +ethtool -K enp0s3 gro off
 +ethtool -K enp0s3 rxvlan off
 +ethtool -K enp0s3 txvlan off
 +</sxh>
 +
 +Now we can start Suricata
 +<sxh bash>
 +suricata -c /etc/suricata/suricata.yaml -i enp0s3 -D
 +</sxh>
 +
 +Now we need to redirect connections to port 80 to the other server, on which I use Apache
 +<sxh bash>
 +iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
 +iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
 +</sxh>
 +
 +Here we redirect the incoming connections that arrive at the Suricata host to the Apache server, and after that we masquerade the network.
 +
 +Now, on the Apache server, we need to configure it to use the Suricata host as its gateway.
 +<sxh bash>
 +route del default 
 +route add default gw 192.168.1.252
 +</sxh>
 +
 +Now we need to test the Internet connection like this
 +<sxh bash>
 +ping 8.8.8.8
 +</sxh>
 +
 +Now on the Suricata host let's follow the HTTP log file like this
 +<sxh bash>
 +tail -f /var/log/suricata/http.log
 +</sxh>
 +
 +Now from another computer we run a test scan against the Suricata host like this
 +<sxh bash>
 +nikto -h 192.168.1.252 -C all
 +</sxh>
 +
 +In the log file we'll see something like this
 +<sxh bash>
 +04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.041728 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.041742 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.043356 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.043366 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.046864 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.046878 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.051718 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.051819 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.054704 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.054727 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.056559 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.056605 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
 +04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
 +</sxh>
 +
 +Now on the Suricata host let's open another log file.
 +<sxh bash>
 +tail -f /var/log/suricata/eve.json
 +</sxh>
 +
 +Now from another machine let's run a scanner against the Suricata host like this
 +<sxh bash>
 +nmap -sS -v -n -A 192.168.1.252 -T4
 +</sxh>
 +
 +In the logs we'll see something like this
 +<sxh bash>
 +{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
 +{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
 +{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
 +{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
 +{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:34.955370","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:34.955402","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:35.081111","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:35.081145","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:35.231245","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:35.231273","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:37.107218","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:37.107283","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:41.356211","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:41.356276","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:41.856659","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:41.856711","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
 +{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
 +{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
 +{"timestamp":"2015-04-13T17:11:45.792766","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
 +{"timestamp":"2015-04-13T17:11:45.792771","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
 +</sxh>
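The http.log and eve.json output above shows every forwarded request twice: once as it arrives from the scanner (192.168.1.254 -> 192.168.1.252) and once after the DNAT (192.168.1.252 -> 192.168.1.250), so a naive count attributes half of the scanner traffic to the gateway itself. The following parser is an added example, not code from the original page: it reads eve.json lines, keeps only the pre-NAT view by discarding events that involve the backend (192.168.1.250), and then summarises alerts by signature and scanner user agents by source IP. It assumes Suricata is capturing on the interface as in the IDS step above (not the NFQUEUE step), and the sample lines are constructed to mirror the page's log format.

```python
"""Summarise Suricata eve.json events from the DNAT gateway setup on this page.

Added example, not from the original page.  Suricata on the gateway sees
every forwarded flow twice (pre-DNAT and post-DNAT), so events touching the
backend web server are dropped before counting.
"""
import json
from collections import Counter

SENSOR_IP = "192.168.1.252"   # Suricata host, from the page
BACKEND_IP = "192.168.1.250"  # Apache server behind the DNAT, from the page

# User-agent fragments that identify the scanners seen in the page's logs.
SCANNER_UA = ("Nikto", "Nmap Scripting Engine")

# Constructed sample shaped like the eve.json lines on the page; the last
# line imitates a torn record that `tail -f` can hand you mid-write.
SAMPLE_EVE = """\
{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"/","http_user_agent":"Mozilla/4.75 (Nikto/2.1.4)","http_method":"GET","status":"200"}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"/","http_user_agent":"Mozilla/4.75 (Nikto/2.1.4)","http_method":"GET","status":"200"}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","alert":{"action":"allowed","signature_id":2200025,"signature":"SURICATA ICMPv4 unknown code","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","alert":{"action":"allowed","signature_id":2200025,"signature":"SURICATA ICMPv4 unknown code","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"/","http_user_agent":"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)","http_method":"GET","status":"200"}}
{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"/","http_user_agent":"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)","http_method":"GET","status":"200"}}
{"timestamp":"2015-04-13T17:11:46.0
"""


def parse_eve(text):
    """Parse eve.json lines, skipping blank lines and records that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # torn or truncated record: ignore rather than crash the pipeline
        if isinstance(ev, dict) and "event_type" in ev:
            events.append(ev)
    return events


def pre_nat_only(events, backend_ip=BACKEND_IP):
    """Keep the pre-NAT copy of each forwarded flow by dropping events that touch the backend."""
    return [ev for ev in events if backend_ip not in (ev.get("src_ip"), ev.get("dest_ip"))]


def summarise(events):
    """Return alert counts per (sid, signature, action) and scanner hits per source IP."""
    alerts = Counter()
    scanners = Counter()
    for ev in events:
        if ev["event_type"] == "alert":
            a = ev["alert"]
            alerts[(a["signature_id"], a["signature"], a["action"])] += 1
        elif ev["event_type"] == "http":
            ua = ev.get("http", {}).get("http_user_agent", "")
            if any(tag in ua for tag in SCANNER_UA):
                scanners[ev["src_ip"]] += 1
    return {"alerts": dict(alerts), "scanners": dict(scanners)}


if __name__ == "__main__":
    raw = parse_eve(SAMPLE_EVE)
    print("raw view:    ", summarise(raw)["scanners"])          # gateway wrongly appears as a scanner
    print("pre-NAT view:", summarise(pre_nat_only(raw))["scanners"])
```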
 +
 +We can also check on the Apache server that it received all of those requests, like this.
 +<sxh bash>
 +tail -f /var/log/apache2/access.log
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-915/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /mpcgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ows-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-sys/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-local/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 545 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /htbin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 542 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgis/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 540 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scripts/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-win/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /fcgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-exe/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-home/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-perl/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /sitemap.gz HTTP/1.1" 404 526 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003582)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /content/sitemap.gz HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003583)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /icons/README HTTP/1.1" 200 5375 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003584)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /localstart.asp HTTP/1.1" 404 530 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003585)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/update.php HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003586)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/login.php HTTP/1.1" 404 533 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003587)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/docs/README HTTP/1.1" 404 535 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003588)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/webcgi/about HTTP/1.1" 404 536 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003589)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003590)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003591)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003592)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404 521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/jspx/textRotate.jspx?name=<script>alert(111)</script> HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003595)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112)</script> HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003596)"
 +192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/functions.jsp?foo=<script>alert(113)</script> HTTP/1.1" 404 549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"
 +</sxh>
 +
 +Now let's put Suricata to work as an IPS. Let's change some settings in the Suricata main file, only for testing here.
 +<sxh bash>
 +vim /etc/suricata/suricata.yaml
 +[...]
 +    HOME_NET: "any"
 +    #HOME_NET: "[192.168.1.0/24]"
 +    
 +    EXTERNAL_NET: "any"
 +    #EXTERNAL_NET: "!$HOME_NET"
 +</sxh>
 +
 +Now we need to make a backup of the rule files
 +<sxh bash>
 +cp -Rfa /etc/suricata/rules ~/rules
 +</sxh>
 +
 +Now we need to change the rules for some kinds of attacks from alert to drop like this
 +<sxh bash>
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-scan.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_server.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_specific_apps.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_client.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/drop.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/stream-events.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-policy.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-shellcode.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/decoder-events.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-exploit.rules
 +</sxh>
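A small helper script, added here as an example rather than taken from the page or from Suricata itself, that does the same alert-to-drop conversion as the sed one-liners above but reports how many active rules were changed and leaves disabled (commented-out) rules alone. The rule file it works on is a constructed sample, not real ET signatures, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original page or Suricata): convert active
# "alert" rules to "drop" the way the sed one-liners do, but report the number
# of rules changed and leave disabled rules (leading '#') untouched.

# Count active rules whose action is <action> ("alert" or "drop").
count_action() {              # usage: count_action <action> <rulefile>
    grep -c "^$1 " "$2" || true   # grep exits 1 when the count is 0
}

# Rewrite active alert rules as drop rules; prints how many were converted.
# Uses a temp copy instead of sed -i so it behaves the same on every sed.
alert_to_drop() {             # usage: alert_to_drop <rulefile>
    local file=$1 before remaining
    before=$(count_action alert "$file")
    sed 's/^alert /drop /' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    remaining=$(count_action alert "$file")
    echo $((before - remaining))
}

# Write a constructed sample rule file (not real ET signatures) and print its path.
make_sample_rules() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample rules for this example
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"SAMPLE scan one"; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE scan two"; sid:9000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled rule"; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE already drop"; sid:9000004; rev:1;)
EOF
    echo "$f"
}

# Convert every rule file given on the command line, e.g.
#   ./alert-to-drop.sh /etc/suricata/rules/emerging-scan.rules
for rulefile in "$@"; do
    echo "$rulefile: $(alert_to_drop "$rulefile") rule(s) converted"
done
```

Run it against the backup copy first (`~/rules` from the step above) to see how many rules each category would flip before touching `/etc/suricata/rules`.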
 +
 +Now we need to kill the Suricata process like this
 +<sxh bash>
 +PSU=$(pidof suricata);  kill -9 $PSU
 +</sxh>
 +
 +Now we need to start Suricata in inline mode (IPS), reading packets from NFQUEUE 0, like this
 +<sxh bash>
 +suricata -c /etc/suricata/suricata.yaml -q 0 -D
 +</sxh>
 +
 +Now we need to redirect every connection on port 80 to the queue; Suricata will then process all of those packets and decide what happens to each one.
 +<sxh bash>
 +iptables -P FORWARD DROP
 +iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
 +iptables -A FORWARD -p tcp --sport 80 -j NFQUEUE
 +</sxh>
 +
 +Now we can follow the Suricata logs like this
 +<sxh bash>
 +tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
 +</sxh>
 +
 +Now we need to run a test scan from another machine against the Suricata host, like this.
 +<sxh bash>
 +nikto -h 192.168.1.252 -C all
 +</sxh>
 +
 +Now we can check the Suricata log files like this
 +<sxh bash>
 +tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
 +==> /var/log/suricata/fast.log <==
 +04/13/2015-17:21:44.772236  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
 +
 +==> /var/log/suricata/drop.log <==
 +04/13/2015-17:21:44.772236: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632 ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:21:47.918031: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981 ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:21:54.774944: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=23285 PROTO=TCP SPT=34845 DPT=80 SEQ=1536905794 ACK=3348384629 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:21:55.772148: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628 ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:22:04.779775: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=49545 PROTO=TCP SPT=34858 DPT=80 SEQ=1308021760 ACK=1100202517 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:05.972261: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34858 SEQ=1100202516 ACK=1308021760 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:22:14.790753: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=3168 PROTO=TCP SPT=34866 DPT=80 SEQ=3727036513 ACK=3268194257 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:16.171470: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34866 SEQ=3268194256 ACK=3727036513 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:22:24.795966: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=50075 PROTO=TCP SPT=34878 DPT=80 SEQ=3459769758 ACK=1952858872 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:25.971993: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34878 SEQ=1952858871 ACK=3459769758 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:22:34.808455: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=57943 PROTO=TCP SPT=34885 DPT=80 SEQ=2584071583 ACK=1252079019 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:36.172188: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34885 SEQ=1252079018 ACK=2584071583 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +
 +==> /var/log/suricata/fast.log <==
 +04/13/2015-17:22:44.827179  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
 +
 +==> /var/log/suricata/drop.log <==
 +04/13/2015-17:22:44.827179: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=51878 PROTO=TCP SPT=34894 DPT=80 SEQ=675935592 ACK=4002722971 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:47.995799: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=5199 PROTO=TCP SPT=80 DPT=34894 SEQ=4002722443 ACK=675935592 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:54.829643: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=26662 PROTO=TCP SPT=34897 DPT=80 SEQ=3048942461 ACK=420962227 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:22:56.372487: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34897 SEQ=420962226 ACK=3048942461 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:23:04.838129: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=13814 PROTO=TCP SPT=34900 DPT=80 SEQ=292845803 ACK=2369351393 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:06.172247: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34900 SEQ=2369351392 ACK=292845803 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:23:14.849031: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=10016 PROTO=TCP SPT=34909 DPT=80 SEQ=2092855804 ACK=2654305631 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:15.972834: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34909 SEQ=2654305630 ACK=2092855804 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:23:24.859782: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=37382 PROTO=TCP SPT=34912 DPT=80 SEQ=4239520425 ACK=1204384680 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:26.372347: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34912 SEQ=1204384679 ACK=4239520425 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:23:34.867725: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=20552 PROTO=TCP SPT=34917 DPT=80 SEQ=821639733 ACK=3031914370 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:36.172463: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34917 SEQ=3031914369 ACK=821639733 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +
 +==> /var/log/suricata/fast.log <==
 +04/13/2015-17:23:44.916071  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80
 +
 +==> /var/log/suricata/drop.log <==
 +04/13/2015-17:23:44.916071: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=37617 PROTO=TCP SPT=34927 DPT=80 SEQ=2943871269 ACK=1547692160 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:48.076577: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=4861 PROTO=TCP SPT=80 DPT=34927 SEQ=1547691632 ACK=2943871269 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:54.927989: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=4771 PROTO=TCP SPT=34930 DPT=80 SEQ=1683975337 ACK=473377258 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:23:56.172266: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34930 SEQ=473377257 ACK=1683975337 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/13/2015-17:24:04.939915: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=27939 PROTO=TCP SPT=34933 DPT=80 SEQ=539880178 ACK=2700461480 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/13/2015-17:24:06.372664: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34933 SEQ=2700461479 ACK=539880178 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +</sxh>
 +
 +As we can see, in fast.log the [Drop] tag indicates that the packet was dropped and was not sent to the Apache server, and in drop.log we have the connections that were dropped.
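To see at a glance which signatures are actually dropping traffic and which are only alerting, the following awk-based helper summarises a fast.log. It is an added example, not part of the original page; the log lines it runs over are constructed in the same format as the output above, with one extra source IP (192.0.2.10) and two signature ids (9000010, 9000011) made up for the sample.

```shell
#!/bin/bash
# Added example (not from the original page or Suricata): summarise a fast.log
# so you can see which signatures are really dropping traffic and from where.

# Print "drops alerts": how many lines carry the [Drop] tag versus plain alerts.
drop_vs_alert() {             # usage: drop_vs_alert <fast.log>
    awk '/\[Drop\]/ { d++; next } { a++ } END { print d + 0, a + 0 }' "$1"
}

# One line per source IP and signature id among dropped packets,
# "<count> <src> <gid:sid:rev>", most frequent first.
drop_summary() {              # usage: drop_summary <fast.log>
    awk '
        /\[Drop\]/ {
            # the signature id is the bracketed gid:sid:rev, e.g. [1:2002677:13]
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            # the line ends with: {PROTO} SRC:SPORT -> DST:DPORT
            split($(NF - 2), src, ":")
            count[src[1] " " sid]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample log in the fast.log format shown above (192.0.2.10 and
# sids 9000010/9000011 are made up for the example); prints the file path.
make_sample_fastlog() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
04/13/2015-17:21:44.772236  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
04/13/2015-17:22:44.827179  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
04/13/2015-17:23:44.916071  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80
04/13/2015-17:24:10.000001  [Drop] [**] [1:9000010:1] SAMPLE WEB_SERVER constructed signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40000 -> 192.168.1.250:80
04/13/2015-17:24:12.000002  [**] [1:9000011:1] SAMPLE POLICY alert-only signature [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 192.0.2.10:40001 -> 192.168.1.250:80
EOF
    echo "$f"
}

# On a live sensor: drop_summary /var/log/suricata/fast.log
```

A rule category you converted with sed but that still shows up only in the "alerts" count of `drop_vs_alert` is a sign that the file was not reloaded, or that the matching rule lives in a file you did not convert.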
 +
 +
 +If we check the Apache log files now we will see only a few requests, unlike before without the IPS.
 +<sxh bash>
 +tail -f /var/log/apache2/access.log 
 +192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.el HTTP/1.1" 404 527 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.axd HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.jse HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.tmp HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.dpgs HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.mdb HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.shtml HTTP/1.1" 404 531 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.cfg HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.bas:ShowVolume HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.chl+ HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
 +</sxh>
 +
 +Testing DDoS.
 +
 +**Note:** Be aware that this can take down the switch or router.
 +
 +We can test a SYN flood with the following command
 +<sxh bash>
 +t50 192.168.1.252 --flood -S --turbo --dport 80
 +</sxh>
 +
 +or we can use the following command
 +<sxh bash>
 +hping3 -S 192.168.1.252 -p 80 --flood
 +</sxh>
 +
 +===== Installing and Configuring the Barnyard2 =====
 +
 +Barnyard2 will feed the Snorby database with the logs, so let's install it; it needs to be installed on the Suricata server.
 +
 +We need to fetch the tarball and decompress it.
 +
 +<sxh bash>
 +cd /usr/src
 +wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
 +tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
 +</sxh>
 +
 +Now we need to configure the package to work with <nowiki>MySQL</nowiki>
 +
 +<sxh bash>
 +./configure --with-mysql --with-mysql-libraries=/usr/lib64 --sysconfdir=/etc/suricata --prefix=/usr --localstatedir=/var
 +</sxh>
 +
 +Now let's compile it.
 +
 +<sxh bash>
 +make && make install clean
 +</sxh>
 +
 +Now we need to create the barnyard log directory like this
 +<sxh bash>
 +mkdir /var/log/barnyard2
 +</sxh>
 +
 +Now let's make some changes in the barnyard2 configuration file
 +<sxh bash>
 +vim /etc/suricata/barnyard2.conf
 +[...]
 +config reference_file:      /etc/suricata/rules/reference.config
 +config classification_file: /etc/suricata/rules/classification.config
 +config gen_file:            /etc/suricata/rules/gen-msg.map
 +config sid_file:            /etc/suricata/rules/sid-msg.map
 +[...]
 +config hostname:        ips01
 +config interface:       enp0s3
 +[...]
 +output alert_fast
 +# Add the line below at the end of the file and change the values as needed.
 +output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251
 +</sxh>
 +
 +Now we need to kill Suricata
 +<sxh bash>
 +PSU=$(pidof suricata);  kill -9 $PSU
 +</sxh>
 +
 +Now let's start the barnyard2 and Suricata daemons.
 +<sxh bash>
 +suricata -c /etc/suricata/suricata.yaml -q 0 -D
 +barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
 +</sxh>
 +
 +====== Configuring the SystemD ======
 +
 +Now we need to kill the suricata and barnyard2 processes like this
 +<sxh bash>
 +PSU=$(pidof suricata);  kill -9 $PSU
 +PSU=$(pidof barnyard2);  kill -9 $PSU
 +</sxh>
 +
 +Now we need to create the unit files to work with <nowiki>SystemD</nowiki> and enable suricata and barnyard2 to launch at boot time.
 +<sxh bash>
 +vim /usr/lib/systemd/system/suricata.service
 +[Unit]
 +Description=Suricata Intrusion Detection Service
 +After=syslog.target network.target auditd.service
 +
 +[Service]
 +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
 +EnvironmentFile=-/etc/sysconfig/suricata
 +
 +[Install]
 +WantedBy=multi-user.target
 +</sxh>
 +
 +Now let's create the sysconfig file for suricata like this
 +<sxh bash>
 +vim /etc/sysconfig/suricata 
 +# The following parameters are the most commonly needed to configure
 +# suricata. A full list can be seen by running /sbin/suricata --help
 +# -i <network interface device>
 +# --user <acct name>
 +# --group <group name>
 +#
 +# Add options to be passed to the daemon
 +OPTIONS="-q 0 "
 +</sxh>
 +
 +Now we need to enable the service like this
 +<sxh bash>
 +systemctl enable suricata.service
 +</sxh>
 +
 +We can start the service like this
 +<sxh bash>
 +systemctl start suricata.service
 +</sxh>
 +
 +We can display the status like this
 +<sxh bash>
 +systemctl status suricata.service
 +</sxh>
 +
 +We can display the services that are currently running with the following command
 +<sxh bash>
 +systemd-cgls -l
 +</sxh>
 +
 +We can display the services available with the following command
 +<sxh bash>
 +systemctl list-units --type service
 +</sxh>
 +
 +Now we need to create the service for barnyard2 like this
 +<sxh bash>
 +vim /usr/lib/systemd/system/barnyard2.service
 +[Unit]
 +Description=Barnyard2 Spooler Service
 +After=syslog.target suricata.service
 +
 +[Service]
 +ExecStart=/usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
 +-f  unified2.alert -w /var/log/suricata/suricata.waldo $OPTIONS
 +EnvironmentFile=-/etc/sysconfig/barnyard2
 +
 +[Install]
 +WantedBy=multi-user.target
 +</sxh>
 +
 +
 +Now let's create the sysconfig for barnyard2 like this
 +<sxh bash>
 +vim /etc/sysconfig/barnyard2
 +# The following parameters are the most commonly needed to configure
 +# barnyard2. A full list can be seen by running /usr/bin/barnyard2 --help
 +
 +# Add options to be passed to the daemon
 +OPTIONS=" "
 +</sxh>
 +
 +Now we need to enable the barnyard2 service like this
 +<sxh bash>
 +systemctl enable barnyard2.service
 +</sxh>
 +
 +Let's start the barnyard2 service like this
 +<sxh bash>
 +systemctl start barnyard2.service
 +</sxh>
 +
 +Let's display its status like this
 +<sxh bash>
 +systemctl status barnyard2.service
 +</sxh>
 +
 +Now we need to create the firewall service script like this
 +<sxh bash>
 +vim /usr/lib/systemd/system/firewall.service
 +[Unit]
 +Description=Firewall ConfiServ
 +After=barnyard2.service
 +
 +[Service]
 +Type=oneshot
 +RemainAfterExit=yes
 +ExecStart=/etc/firewall/firewall-start
 +ExecStop=/etc/firewall/firewall-stop
 +
 +[Install]
 +WantedBy=multi-user.target
 +</sxh>
 +
 +Now we need to create the directory that will store all the scripts files like this
 +<sxh bash>
 +mkdir /etc/firewall
 +</sxh>
 +
 +Now let's create the firewall-start script file
 +<sxh bash>
 +vim /etc/firewall/firewall-start
 +#!/bin/bash
 +
 +### Loading some modules
 +modprobe ip_conntrack
 +modprobe ip_conntrack_ftp
 +modprobe ip_nat_ftp
 +
 +### Adjusting some variables
 +echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
 +echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 +echo 1 > /proc/sys/net/ipv4/tcp_timestamps
 +echo 1 > /proc/sys/net/ipv4/ip_forward
 +echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
 +echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
 +PSNI=/proc/sys/net/ipv4
 +for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
 +echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 +PSNI=/proc/sys/net/ipv6
 +for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
 +echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
 +
 +### Cleaning up the interface
 +ethtool -K enp0s3 tx off
 +ethtool -K enp0s3 tso off
 +ethtool -K enp0s3 gro off
 +ethtool -K enp0s3 rxvlan off
 +ethtool -K enp0s3 txvlan off
 +
 +### Cleaning up
 +iptables -t filter -F
 +iptables -t filter -X
 +iptables -t nat -F
 +iptables -t nat -X
 +iptables -t raw -F
 +iptables -t raw -X
 +
 +### INPUT
 +iptables -P INPUT DROP
 +iptables -t filter -A INPUT -m state --state INVALID -j DROP
 +iptables -A INPUT -f -j DROP
 +iptables -t filter -A INPUT -p tcp --dport 22022 -j NFQUEUE --queue-num 0
 +iptables -t filter -A INPUT -p tcp --sport 22022 -j NFQUEUE --queue-num 0
 +iptables -t filter -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT
 +
 +### NAT
 +iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
 +iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
 +
 +
 +### FORWARD
 +iptables -P FORWARD DROP
 +iptables -t filter -A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
 +iptables -t filter -A FORWARD -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0
 +</sxh>
 +
 +Now we need to create the firewall-stop script like this
 +<sxh bash>
 +vim /etc/firewall/firewall-stop 
 +#!/bin/bash
 +
 +iptables -t filter -F
 +iptables -t filter -X
 +iptables -t raw -F
 +iptables -t raw -X
 +iptables -P INPUT ACCEPT
 +iptables -P FORWARD ACCEPT
 +</sxh>
 +
 +Now we need to set up the execution permission to our script like this
 +<sxh bash>
 +chmod +x /etc/firewall/firewall*
 +</sxh>
 +
 +Now we need to enable our new service like this
 +<sxh bash>
 +systemctl enable firewall.service
 +</sxh>
 +
 +**Note:** Be aware that when you start the service your current sshd connection will be dropped, because we need to make sure that every connection on this port passes through Suricata.
 +
 +Now we need to start the service like this
 +<sxh bash>
 +systemctl start firewall.service
 +</sxh>
 +
 +To check the status of the script we can use the following command
 +<sxh bash>
 +systemctl status firewall.service
 +</sxh>
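Because starting firewall.service cuts the current SSH session, a safe way to apply it over SSH is to schedule an automatic rollback first and cancel it once a fresh login succeeds. This is an added example, not part of the original page; it assumes the firewall.service unit and firewall-stop script defined above, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the original page): apply a firewall change over SSH
# with a dead-man switch. A rollback command is scheduled first; if the new
# rules lock you out it runs on its own, otherwise you cancel it after a fresh
# login succeeds. Assumes the firewall.service unit and firewall-stop from above.

# Run <command...> after <seconds> unless cancelled; prints the timer's PID.
schedule_rollback() {         # usage: schedule_rollback <seconds> <command...>
    local secs=$1
    shift
    (
        # on cancel, stop the sleeping child too so nothing lingers
        trap 'kill "$sp" 2>/dev/null; exit 1' TERM
        sleep "$secs" & sp=$!
        wait "$sp" && "$@"
    ) >/dev/null 2>&1 &
    echo $!
}

# Cancel a scheduled rollback; succeeds if the timer was still pending.
cancel_rollback() {           # usage: cancel_rollback <pid>
    kill "$1" 2>/dev/null
}

# True while the rollback timer is still pending.
rollback_pending() {          # usage: rollback_pending <pid>
    kill -0 "$1" 2>/dev/null
}

# Typical session on the sensor (needs root; the test below does not run this):
#   pid=$(schedule_rollback 120 systemctl stop firewall.service)
#   systemctl start firewall.service
#   # open a NEW ssh session to port 22022; once it works:
#   cancel_rollback "$pid"
```

Pick a timeout long enough to open the second session but short enough that a lockout costs only a couple of minutes; `firewall-stop` resets the INPUT and FORWARD policies to ACCEPT, which is what gets you back in.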
 +
 +====== Sample FW ======
 +
 +Here let's look at a sample from production
 +
 +Let's take a look at variables
 +
 +<sxh bash>
 +vim /etc/firewall/variables
 +### VARIABLES
 +
 +### PATH
 +PSNI="/proc/sys/net/ipv4"
 +PSNN="/proc/sys/net/netfilter"
 +
 +### COMMANDS
 +MODPROBE="/sbin/modprobe"
 +ETHTOOL="/sbin/ethtool"
 +IPTABLES="/sbin/iptables"
 +
 +### NETWORKS
 +LAN_NETWORK="10.23.0.0/24"
 +
 +### SERVERS
 +ZABBIX="10.23.0.117"
 +BACULA="10.23.0.198"
 +WAPP01="10.23.0.247"
 +KACE_INT="172.33.0.194"
 +KACE_EXT="200.200.200.34"
 +EXT_FTP01="200.200.200.46"
 +DMZ_FTP01="10.23.0.147"
 +DMZ_FTP02="10.23.0.246"
 +DMZ_HTTP02="10.23.0.143"
 +DMZ_HTTP01="10.23.0.247"
 +
 +## EXTERNAL IP
 +EXT_F10="177.177.177.10"
 +EXT_F14="177.177.177.14"
 +
 +### PORTS
 +BACULA_PORT="9102"
 +ZABBIX_PORT="10050"
 +DEV_PORT="2000"
 +WTS_PORT="3389"
 +SSH_PORT="22022"
 +VOIP_TCP_PORTS="5060:5061"
 +VOIP_UDP_PORTS="5040:5081,10000:20000"
 +KACE_PORTS="80,139,443,445,52230"
 +FTP_PORTS="20,21,12000:12100"
 +HTTP_PORT="80"
 +HTTP_PORTS="80,443"
 +HTTPS_PORT="443"
 +WEB_PORTS="80,443,3306"
 +DNS_PORT="53"
 +
 +### ALIAS
 +PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i eno2 "
 +POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o eno2 "
 +COM="-m comment --comment"
 +TCP="-p tcp -m tcp"
 +UDP="-p udp -m udp"
 +ICMP="-p icmp --icmp-type"
 +LIMIT="-m limit --limit"
 +DMULTIPORT="-m multiport --dports"
 +SMULTIPORT="-m multiport --sports"
 +LOG="LOG --log-prefix"
 +LOG_LEV="--log-level info"
 +SURICATA="--queue-num 0"
 +</sxh>
 +
 +Let's take a look at firewall-start
 +
 +<sxh bash>
 +vim /etc/firewall/firewall-start
 +#!/bin/bash
 +### Loading variables
 +. /etc/firewall/variables
 +
 +### Loading some modules
 +${MODPROBE} ip_conntrack
 +${MODPROBE} ip_conntrack_ftp
 +${MODPROBE} ip_nat_ftp
 +
 +### Adjusting some variables
 +echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
 +echo 1 > ${PSNI}/tcp_syncookies
 +echo 1 > ${PSNI}/tcp_timestamps
 +echo 1 > ${PSNI}/ip_forward
 +echo 0 > ${PSNN}/nf_conntrack_tcp_loose
 +echo 2000000 > ${PSNN}/nf_conntrack_max
 +for END in ${PSNI}/conf/*/rp_filter ; do echo 1 > ${END} ; done
 +echo 0 > ${PSNI}/icmp_echo_ignore_all
 +echo 1 > ${PSNI}/icmp_echo_ignore_broadcasts
 +PSNI=/proc/sys/net/ipv6
 +for END in ${PSNI}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
 +## IF THE LINE BELOW IS ENABLED, NAT DOES NOT WORK PROPERLY AND FTP DOES NOT WORK IN EXPLORER OR NAUTILUS
 +#echo 0 > ${PSNN}/nf_conntrack_helper
 +
 +### Cleaning up the interface
 +${ETHTOOL} -K eno1 tx off
 +${ETHTOOL} -K eno1 tso off
 +${ETHTOOL} -K eno1 gro off
 +${ETHTOOL} -K eno1 rxvlan off
 +${ETHTOOL} -K eno1 txvlan off
 +
 +${ETHTOOL} -K eno2 tx off
 +${ETHTOOL} -K eno2 tso off
 +${ETHTOOL} -K eno2 gro off
 +${ETHTOOL} -K eno2 rxvlan off
 +${ETHTOOL} -K eno2 txvlan off
 +
 +### Cleaning up
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t nat -F
 +${IPTABLES} -t nat -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +
 +### ALLOWING LOOPBACK
 +${IPTABLES} -A INPUT -s 127.0.0.1/32 -j ACCEPT
 +
 +## Given more priority to VOIP
 +${IPTABLES} -t mangle -A OUTPUT -p udp -j DSCP --set-dscp-class EF
 +${IPTABLES} -t mangle -A FORWARD -p udp -j DSCP --set-dscp-class EF
 +
 +### INPUT
 +${IPTABLES} -P INPUT DROP
 +${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
 +${IPTABLES} -A INPUT -f -j DROP
 +${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}
 +
 +### FORWARD
 +${IPTABLES} -P FORWARD DROP
 +${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
 +${IPTABLES} -A FORWARD -f -j DROP
 +${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}
 +
 +### Allowing access to SSH
 +${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +
 +### DEV ACCESS TO WTS
 +${PRE_EXT} -d ${EXT_F10} -p tcp --dport ${DEV_PORT} -j DNAT --to ${WAPP01}:${WTS_PORT} ${COM} "DEV access to WTS"
 +${POS_EXT} -d ${WAPP01} ${TCP} --dport ${WTS_PORT} -j SNAT --to ${EXT_F10}:${DEV_PORT} ${COM} "DEV access to WTS"
 +${IPTABLES} -t filter -A FORWARD ${TCP} ${SMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -t filter -A FORWARD ${TCP} ${DMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING VOIP
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} ${DMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} ${SMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING KACE
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ZABBIX
 +${IPTABLES} -A INPUT  ${TCP} --dport ${ZABBIX_PORT} -s ${ZABBIX} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A OUTPUT  ${TCP} --sport ${ZABBIX_PORT} -d ${ZABBIX} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING BACULA
 +${IPTABLES} -A INPUT ${TCP} --dport ${BACULA_PORT} -s ${BACULA} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A OUTPUT ${TCP} --sport ${BACULA_PORT} -d ${BACULA} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING FTP 
 +${IPTABLES} -A FORWARD -d ${EXT_FTP01} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${EXT_FTP01} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING FTP 01
 +${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP01} ${COM} "FTP 01"
 +${IPTABLES} -A FORWARD -s ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
 +${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"
 +${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"
 +
 +### ALLOWING FTP 02
 +${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP02} ${COM} "FTP 02"
 +${IPTABLES} -A FORWARD -s ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
 +${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"
 +${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"
 +
 +### ALLOWING HTTP
 +${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP01} ${COM} "HTTP SERVER 01"
 +${POS_EXT} -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "HTTP SERVER 01"
 +${IPTABLES} -A FORWARD -s ${DMZ_HTTP01}  ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_HTTP01}  ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING HTTP2
 +${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP02} ${COM} "HTTP SERVER 02"
 +${POS_EXT} -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "HTTP SERVER 02"
 +${IPTABLES} -A FORWARD -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_HTTP02} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ACCESS FROM LAN
 +${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +
 +### ALLOWING DNS QUERY
 +${IPTABLES} -A INPUT ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING HTTP AND FTP ACCESS
 +${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ICMP
 +${IPTABLES} -A INPUT ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +
 +### MASQUERADE
 +${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE
 +</sxh>
 +
 +Let's take a look at firewall-stop
 +
 +<sxh bash>
 +cat /etc/firewall/firewall-stop
 +#!/bin/bash
 +### Loading variables
 +. /etc/firewall/variables
 +
 +### Cleaning up the rules
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +${IPTABLES} -P INPUT ACCEPT
 +${IPTABLES} -P FORWARD ACCEPT
 +</sxh>
 +
 +Here we have the rules with some fixes: [[http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz|http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz]]
 +
 +====== References ======
 +  - http://techminded.net/blog/using-snort-as-service-ips.html
 +  - http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
 +  - http://repo.hackerzvoice.net/depot_madchat/reseau/ids|nids/snort_rules.html
 +  - http://books.gigatux.nl/mirror/snortids/0596006616/snortids-CHP-7-SECT-3.html
 +  - http://manual.snort.org/node27.html
 +  - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
 +  - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Tuning_and_Optimizing_Red_Hat_Enterprise_Linux_for_Oracle_9i_and_10g_Databases/sect-Oracle_9i_and_10g_Tuning_Guide-Adjusting_Network_Settings-Flow_Control_for_e1000_Network_Interface_Cards.html
 +  - http://docs.oracle.com/cd/E24290_01/coh.371/e22838/tune_perftune.htm#COHAG5263
 +  - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_7_Installation
 +  - http://www.darknet.org.uk/
 +  - http://www.spamhaus.org/drop/
 +  - http://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time
 +  - http://myip.ms/files/blacklist/csf/latest_blacklist.txt
 +  - http://www10.org/cdrom/papers/409/
 +  - https://r00t-services.net/knowledgebase/14/Homemade-DDoS-Protection-Using-IPTables-SYNPROXY.html
 +  - http://hackerzelite.blogspot.com.br/2014/01/top-10-ddos-and-dos-attacking-tools.html
 +  - http://ddoshackingarticles.blogspot.com.br/2014/07/how-to-use-metagoofil-on-kali-linux.html
 +  - http://www.kalitutorials.net/2014/03/denial-of-service-attacks-explained-for.html
 +  - http://www.darkmoreops.com/2014/08/21/dos-using-hping3-spoofed-ip-kali-linux/
 +  - http://null-byte.wonderhowto.com/how-to/become-elite-hacker-part-3-easy-ddos-0147212/
 +  - http://ha.ckers.org/slowloris/
 +  - http://www.r00tsec.com/2012/02/ddos-tool-list-from-anonymous.html
 +  - https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
 +  - https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NETFILTERHACKINGHOWTO
 +  - http://www.ibm.com/developerworks/library/se-intrusion/index.html
 +  - http://rules.emergingthreats.net/open/