From: Stefan Schantl
Date: Sun, 24 Jul 2022 12:24:05 +0000 (+0200)
Subject: tor: Add service related IDS rules file.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ef2c29c3fcacd1f2074df381bff0f547d3537f7b;p=people%2Fstevee%2Fipfire-2.x.git

tor: Add service related IDS rules file.

This rules should prevent flooding the IDS log when using Tor as relay or proxy.

May some of those rules has to be adjusted a bit at a later time or more rules are required.

Signed-off-by: Stefan Schantl
---

diff --git a/config/tor/ipfire-tor.rules b/config/tor/ipfire-tor.rules
index cd19a81f3f..82d065b6d9 100644
--- a/config/tor/ipfire-tor.rules
+++ b/config/tor/ipfire-tor.rules
@@ -1,4 +1,4 @@
-pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip decompression failed"; flowbits:noalert; flow:established; app-layer-event:http.gzip_decompression_failed; sid:998877010; rev:1;)
-pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877011; rev:1;)
-pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877012; rev:1;)
-pass ip $EXTERNAL_NET any -> $HOME_NET $TOR_SOCKS_PORT (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:998877013; rev:1;)
+pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip decompression failed"; flowbits:noalert; flow:established; app-layer-event:http.gzip_decompression_failed; sid:1200000; rev:1;)
+pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200001; rev:1;)
+pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200002; rev:1;)
+pass ip $EXTERNAL_NET any -> $HOME_NET $TOR_SOCKS_PORT (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:1000003; rev:1;)
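Review bot: The last rule on the new side carries `sid:1000003` while the three rules above it are renumbered contiguously to 1200000–1200002, so this looks like a typo that also risks colliding with another local rule in the 1000000+ range; it should read `sid:1200003`. The two `pass tls` rules (1200001/1200002) have no `app-layer-event` restriction, so unlike the HTTP and SOCKS rules they suppress every TLS signature on `$TOR_RELAY_PORT` in both directions rather than only the noisy events, which silently disables detection for that port — if that is intended, a leading comment such as `# NOTE: blanket pass on the relay port; no TLS signatures fire here` would make the trade-off visible, otherwise narrow them to the specific `app-layer-event:tls.*` events that flood the log. With `pass` as the action, `flowbits:noalert` appears redundant (presumably a leftover from earlier alert-style rules). `$TOR_RELAY_PORT` and `$TOR_SOCKS_PORT` must be defined in the engine's port-groups configuration or rule loading will fail; that definition is outside this hunk and cannot be confirmed here.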