Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend Suricata support #8372

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Extend Suricata support #8372

wants to merge 1 commit into from
+566 −258

Conversation

0xThiebaut
Copy link

@0xThiebaut 0xThiebaut commented Feb 22, 2025
edited
Loading

Extend Suricata support in OPNsense to increase the monitoring capabilities (e.g., integrate with Malcolm)

Features:

  • Extend support for EVE log, supporting all available protocols (RDP, DNS, ...).
  • Add support for PCAP logs.

Subsequent changes:

  • Update configuration template to align with Suricata 7.0.8 (e.g., add new fields such as ja4).
  • Disable stats.log (stats can be enabled in EVE).
  • Add migration logic.

0xThiebaut
0xThiebaut commented Feb 22, 2025
View reviewed changes
src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
payload-printable: yes
{% if not helpers.empty('OPNsense.IDS.general.eveLog.alert.payload') %}
payload: yes # enable dumping payload in Base64
payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should consider whether this default should be override-able.

src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
- quic:
# ja4 hashes in quic records will never be logged unless
# the following is set to on. (Default off)
ja4: {{ 'on' if helpers.empty('OPNsense.IDS.general.eveLog.tls.custom') or 'ja4' in OPNsense.IDS.general.eveLog.tls.custom else 'off' }}
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QUIC's JA4 support is enabled if JA4 is enabled for TLS. We should consider whether a standalone setting for QUIC is preferred.

@0xThiebaut 0xThiebaut marked this pull request as ready for review February 23, 2025 11:30
Monviech
Monviech reviewed Feb 23, 2025
View reviewed changes
src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml Outdated
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.files.forceMagic</id>
Copy link
Member

@Monviech Monviech Feb 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There seem to be a lot of checkboxes. Maybe it would make more sense for one multi select option dropdown to save lots of code:
https://github.com/opnsense/plugins/blob/58c646121f2babb6f66ac47e2fb63c869af9924f/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml#L113-L122

https://github.com/opnsense/plugins/blob/58c646121f2babb6f66ac47e2fb63c869af9924f/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml#L35-L40

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pushed a new variant using multi-selects; it indeed looks a lot more user-friendly. Would this work for you? If so, I'll update the migration logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Monviech Monviech Monviech left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@0xThiebaut @Monviech