enabling suricata in ipfire 2.23


Post by username_is_how » June 5th, 2019, 7:04 am

I have installed IPFire 2.23 on my Raspberry Pi. However, on booting and connecting to the ethernet port via the web UI, I found that the intrusion prevention system was off. There was no option to turn it on.

I also tried to find the `snort` installation, but found that `snort` is no longer installed by default in IPFire 2.23: https://wiki.ipfire.org/configuration/f ... /ips/start

Secondly, I don't have any rules for suricata on my system.

How do I obtain the rules?

Because I couldn't find the intrusion prevention system in the web interface, I essentially ran it from the command line:

`suricata -c /etc/suricata/suricata.yaml -i green0 -i red0 -D`.

This led to `/etc/init.d/suricata status` reporting that `suricata` is running.

However, I got a bunch of errors in `/var/log/messages`:
`[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid rule-files configuration section: expected a list of filenames.`
`[ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument`
`[ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error`

Wonder how I can solve these?


Re: enabling suricata in ipfire 2.23

Post by JonM » June 5th, 2019, 7:42 pm

This might help turn on IPS.
viewtopic.php?f=27&t=22752&p=124595#p124595

Once you click Save then things will look similar to the image on the Wiki:
https://wiki.ipfire.org/configuration/f ... /ips/start

Hope this helps!


Re: enabling suricata in ipfire 2.23

Post by username_is_how » June 6th, 2019, 6:25 am

Thanks. After doing what you said, it seems that `suricata` has started.

However I still get this error: `[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid rule-files configuration section: expected a list of filenames.`

Any idea what this might be for?


Re: enabling suricata in ipfire 2.23

Post by username_is_how » June 6th, 2019, 6:33 am

Also when I do `suricata --dump-config | grep rules`, it shows that `rule-files = (null)`. Is there a reason for that?


Re: enabling suricata in ipfire 2.23

Post by JonM » June 6th, 2019, 5:01 pm

Those errors I do not know. Hopefully one of the IPS suricata experts will answer!


Re: enabling suricata in ipfire 2.23

Post by username_is_how » June 8th, 2019, 6:41 am

Actually, what I realized is that I hadn't added any rules to the suricata profile. Even if you select a ruleset, you still have to select a set of rules for that ruleset.

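A check for the `rule-files = (null)` state this thread ends on, added here as an example; it is not code from the thread, from IPFire or from the Suricata project. It reads the `key = value` lines that `suricata --dump-config` prints and reports whether `rule-files` is empty, not a list, or lists files that are not present under `default-rule-path`. The dump files and the one rule file it creates are constructed samples in a temporary directory, and the function name `check_rule_files` is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, IPFire or Suricata): diagnose the
# "Invalid rule-files configuration section: expected a list of filenames"
# state from the key = value output of `suricata --dump-config`.
# All dump files below are constructed samples, not captured output.

# check_rule_files DUMPFILE
# Returns 0 when the dump lists at least one rule file and every listed file
# is readable under default-rule-path; prints a diagnosis either way.
check_rule_files() {
    dump="$1"

    # `rule-files = (null)` is the value the thread saw when no rule files
    # were enabled for the ruleset: the key is there, but it has no list.
    if grep -q '^rule-files = (null)$' "$dump"; then
        echo "rule-files is (null): no rule files enabled for the ruleset"
        return 1
    fi

    # A YAML list is dumped as indexed keys: rule-files.0 = ..., rule-files.1 = ...
    files=$(sed -n 's/^rule-files\.[0-9][0-9]* = //p' "$dump")
    if [ -z "$files" ]; then
        echo "rule-files is present but is not a list of filenames"
        return 1
    fi

    # Relative entries are resolved against default-rule-path from the same dump.
    ruledir=$(sed -n 's/^default-rule-path = //p' "$dump")

    missing=0
    count=0
    for f in $files; do
        count=$((count + 1))
        case "$f" in
            /*) path="$f" ;;
            *)  path="$ruledir/$f" ;;
        esac
        if [ ! -r "$path" ]; then
            echo "listed but unreadable: $path"
            missing=$((missing + 1))
        fi
    done

    if [ "$missing" -ne 0 ]; then
        echo "$missing of $count rule file(s) missing"
        return 1
    fi
    echo "rule-files OK: $count file(s) under $ruledir"
    return 0
}

# --- constructed demo data (temporary directory, removed by the OS later) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rules"
# One constructed rule so the "ok" case has a real file to point at.
printf 'alert tcp any any -> any any (msg:"constructed demo rule"; sid:1000001; rev:1;)\n' \
    > "$demo_dir/rules/local.rules"

# State from the thread: key dumped as (null).
printf 'default-rule-path = %s/rules\nrule-files = (null)\n' "$demo_dir" > "$demo_dir/null.txt"

# Key set to a single scalar instead of a list.
printf 'default-rule-path = %s/rules\nrule-files = local.rules\n' "$demo_dir" > "$demo_dir/scalar.txt"

# Proper list, file present.
printf 'default-rule-path = %s/rules\nrule-files.0 = local.rules\n' "$demo_dir" > "$demo_dir/ok.txt"

# Proper list, but the second entry names a file that does not exist.
printf 'default-rule-path = %s/rules\nrule-files.0 = local.rules\nrule-files.1 = emerging-malware.rules\n' \
    "$demo_dir" > "$demo_dir/missing.txt"

# Expected: null, scalar and missing report a problem; ok passes.
check_rule_files "$demo_dir/null.txt"    || :
check_rule_files "$demo_dir/scalar.txt"  || :
check_rule_files "$demo_dir/ok.txt"      || :
check_rule_files "$demo_dir/missing.txt" || :
```

Against a live box, produce the dump with `suricata --dump-config -c /etc/suricata/suricata.yaml > /tmp/dump.txt` and pass that path to the function. Suricata's own configuration test, `suricata -T -c /etc/suricata/suricata.yaml`, raises the same rule-files complaint without starting the engine, which is a quicker way to confirm the fix than restarting and re-reading `/var/log/messages`.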