From 5da15c5d3b1772f133d10a309d99b3588b98be0f Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 13 Sep 2024 10:12:30 +0200
Subject: [PATCH] suricata: Track whitelisted traffic and add it to the IPS graph

Signed-off-by: Michael Tremer
---
 config/cfgroot/graphs.pl | 20 +++++++++++++++++---
 config/collectd/collectd.conf | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings | 7 +++++++
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 src/initscripts/system/suricata | 13 +++++++++++--
 14 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index ba7887840..cdfc1a180 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -1219,9 +1219,17 @@ sub updateipsthroughputgraph {
  "VDEF:scanned_bytes_min=scanned_bytes,MINIMUM",
  "VDEF:scanned_bytes_max=scanned_bytes,MAXIMUM",
+ # Read whitelisted packets
+ "DEF:whitelisted_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-WHITELISTED.rrd:value:AVERAGE",
+ #"DEF:whitelisted_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-WHITELISTED.rrd:value:AVERAGE",
+
+ "VDEF:whitelisted_bytes_avg=whitelisted_bytes,AVERAGE",
+ "VDEF:whitelisted_bytes_min=whitelisted_bytes,MINIMUM",
+ "VDEF:whitelisted_bytes_max=whitelisted_bytes,MAXIMUM",
+
  # Total
- "CDEF:total_bytes=bypassed_bytes,scanned_bytes,+",
- #"CDEF:total_packets=bypassed_packets,scanned_packets,+",
+ "CDEF:total_bytes=bypassed_bytes,scanned_bytes,ADDNAN,whitelisted_bytes,ADDNAN",
+ #"CDEF:total_packets=bypassed_packets,scanned_packets,ADDNAN,whitelisted_packets,ADDNAN",
  "VDEF:total_bytes_avg=total_bytes,AVERAGE",
  "VDEF:total_bytes_min=total_bytes,MINIMUM",
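Review bot: The new `DEF:whitelisted_bytes=…/ipt_bytes-WHITELISTED.rrd` entry makes the whole graph depend on a file that collectd only creates after the new `Chain mangle IPS WHITELISTED` line is deployed and at least one sample has been written; rrdtool refuses to render when a DEF's file is missing, so on a freshly upgraded system the IPS throughput graph would disappear rather than degrade. Switching the total to `ADDNAN` only tolerates NaN samples inside an existing file, not an absent file. If graphs.pl does not already guard RRD paths with `-e` elsewhere, consider only pushing the whitelisted DEF/VDEF/AREA entries when the file exists, and in any case document that dependency next to the DEF. The comment `# Read whitelisted packets` sits above a bytes DEF while the packets DEF is commented out; `# Read whitelisted bytes (packet counter kept for later)` matches the lines beneath it. updateipsthroughputgraph starts before and ends after this hunk.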
@@ -1236,8 +1244,14 @@ sub updateipsthroughputgraph {
  "COMMENT:" . sprintf("%16s", $Lang::tr{'minimum'}),
  "COMMENT:" . sprintf("%16s", $Lang::tr{'maximum'}) . "\\j",
+ # Whitelisted Packets
+ "AREA:whitelisted_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'whitelisted'}),
+ "GPRINT:whitelisted_bytes_avg:%9.2lf %sbps",
+ "GPRINT:whitelisted_bytes_min:%9.2lf %sbps",
+ "GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j",
+
  # Bypassed Packets
- "AREA:bypassed_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
+ "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
  "GPRINT:bypassed_bytes_avg:%9.2lf %sbps",
  "GPRINT:bypassed_bytes_min:%9.2lf %sbps",
  "GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j",
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index fd548b6cf..a90331f21 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -56,6 +56,7 @@ include "/etc/collectd.precache"
  # IPS
  Chain mangle IPS BYPASSED
  Chain mangle IPS SCANNED
+ Chain mangle IPS WHITELISTED
  #
diff --git a/doc/language_issues.en b/doc/language_issues.en
index e32edc44c..c762cc6f7 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -2161,6 +2161,7 @@ WARNING: untranslated string: webradio playlist = Webradio Playlist
 WARNING: untranslated string: website = Website
 WARNING: untranslated string: wednesday = Wednesday
 WARNING: untranslated string: weeks = Weeks
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.es b/doc/language_issues.es
index e4aa7c3fc..67f82a450 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1061,6 +1061,7 @@ WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 245f3cc31..db8b6071e 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -999,6 +999,7 @@ WARNING: untranslated string: system time = System Time (as of last page load)
 WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 41049ff99..553417e59 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1347,6 +1347,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 8c3828a00..0b16d098d 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1370,6 +1370,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index eccba9d7e..a3acd734f 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1611,6 +1611,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 3d514aa7b..66b6cae13 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1604,6 +1604,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 516a009ec..ec657539f 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1231,6 +1231,7 @@ WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_missings b/doc/language_missings
index 63e137971..6a44630bd 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -164,6 +164,7 @@
 < transport mode does not support vti
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap
 < wlanap psk
@@ -200,6 +201,7 @@
 < upload fcdsl.o
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap psk
 < wlanap wireless mode
@@ -690,6 +692,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -1258,6 +1261,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -2241,6 +2245,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3261,6 +3266,7 @@
 < week-graph
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3658,6 +3664,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index d40ffa661..0598952ca 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2942,6 +2942,7 @@
 'week-graph' => 'Woche',
 'weekly firewallhits' => 'wöchentliche Firewalltreffer',
 'weeks' => 'Wochen',
+'whitelisted' => 'Ausgenommen',
 'whois results from' => 'WHOIS-Ergebnisse von',
 'wildcards' => 'Wildcards',
 'wins server' => 'WINS-Server',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 998ead065..91ea2e64a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3027,6 +3027,7 @@
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
 'wg' => 'WireGuard',
+'whitelisted' => 'Whitelisted',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 150984d93..a80a32f78 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -40,6 +40,10 @@ IPS_BYPASS_MASK="0x20000000"
 IPS_SCAN_MARK="0x10000000"
 IPS_SCAN_MASK="0x10000000"
+# Set if a packet has been whitelisted
+IPS_WHITELISTED_MARK="0x08000000"
+IPS_WHITELISTED_MASK="0x08000000"
+
 # Supported network zones
 NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
@@ -122,9 +126,14 @@ generate_fw_rules() {
  # Skip disabled entries
  [ "${enabled}" = "enabled" ] || continue
- iptables -w -t mangle -A IPS -s "${network}" -j RETURN
- iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+ iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
+ iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
  done < "/var/ipfire/suricata/ignored"
+
+ # Count and skip the whitelisted packets
+ iptables -w -t mangle -A IPS \ -m comment --comment "WHITELISTED" \ -m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN
  fi
  # Send packets to suricata
--
2.39.5
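Review bot: Replacing the terminating `-j RETURN` inside the loop with a non-terminating `MARK --set-mark` leaves bit 0x08000000 set on the packet after it leaves the IPS chain, whereas before this change whitelisted traffic carried no mark at all; any later unmasked `-m mark --mark` test or `ip rule … fwmark` lookup elsewhere in the firewall would now see a different value for these packets, and I cannot verify from this hunk that the bit is unused. The constants introduced in the first suricata hunk deserve a comment that pins this down, e.g. `# Bits 0x08000000, 0x10000000 and 0x20000000 are reserved for the IPS; do not reuse them in other mark users`. The counting rule's `--comment "WHITELISTED"` is what the new `Chain mangle IPS WHITELISTED` line in collectd.conf selects, so a note such as `# The comment is matched by collectd's iptables plugin (see collectd.conf)` would keep the two from drifting apart. Since the rule is only appended when the enclosing `if` holds (its condition is outside the hunk), in the other branch collectd finds no WHITELISTED rule and never creates the RRD that graphs.pl now reads unconditionally. generate_fw_rules starts before and ends after this hunk.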