From 7e685543ec66eef9bdf1f7fff2d20284cda131c2 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 13 Sep 2024 10:12:30 +0200 Subject: [PATCH] suricata: Track whitelisted traffic and add it to the IPS graph Signed-off-by: Michael Tremer --- config/cfgroot/graphs.pl | 20 +++++++++++++++++--- config/collectd/collectd.conf | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 7 +++++++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + src/initscripts/system/suricata | 13 +++++++++++-- 14 files changed, 46 insertions(+), 5 deletions(-) diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index ba7887840..cdfc1a180 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -1219,9 +1219,17 @@ sub updateipsthroughputgraph { "VDEF:scanned_bytes_min=scanned_bytes,MINIMUM", "VDEF:scanned_bytes_max=scanned_bytes,MAXIMUM", + # Read whitelisted packets + "DEF:whitelisted_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-WHITELISTED.rrd:value:AVERAGE", + #"DEF:whitelisted_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-WHITELISTED.rrd:value:AVERAGE", + + "VDEF:whitelisted_bytes_avg=whitelisted_bytes,AVERAGE", + "VDEF:whitelisted_bytes_min=whitelisted_bytes,MINIMUM", + "VDEF:whitelisted_bytes_max=whitelisted_bytes,MAXIMUM", + # Total - "CDEF:total_bytes=bypassed_bytes,scanned_bytes,+", - #"CDEF:total_packets=bypassed_packets,scanned_packets,+", + "CDEF:total_bytes=bypassed_bytes,scanned_bytes,ADDNAN,whitelisted_bytes,ADDNAN", + #"CDEF:total_packets=bypassed_packets,scanned_packets,ADDNAN,whitelisted_packets,ADDNAN", "VDEF:total_bytes_avg=total_bytes,AVERAGE", "VDEF:total_bytes_min=total_bytes,MINIMUM", 
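Review bot: The new `DEF:whitelisted_bytes` line makes the whole IPS graph depend on `ipt_bytes-WHITELISTED.rrd`, a file collectd only creates once the new `Chain mangle IPS WHITELISTED` entry is active and the counter rule has been seen; on an upgraded system that file is absent for a while and, as far as I can tell, rrdtool aborts the graph when a DEF's file is missing, so the switch to `ADDNAN` in the total does not cover that case (the existing bypassed/scanned DEFs presumably share the same assumption, so an existence check or a comment stating it would help). A one-line comment on why the operator changed would help the next reader: `# ADDNAN: a gap in one series must not turn the whole total into NaN`. The comment `# Read whitelisted packets` heads a bytes DEF while the packets line is commented out, so `# Read whitelisted bytes` would be accurate. updateipsthroughputgraph starts and continues outside the hunk.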
@@ -1236,8 +1244,14 @@ sub updateipsthroughputgraph { "COMMENT:" . sprintf("%16s", $Lang::tr{'minimum'}), "COMMENT:" . sprintf("%16s", $Lang::tr{'maximum'}) . "\\j", + # Whitelisted Packets + "AREA:whitelisted_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'whitelisted'}), + "GPRINT:whitelisted_bytes_avg:%9.2lf %sbps", + "GPRINT:whitelisted_bytes_min:%9.2lf %sbps", + "GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j", + # Bypassed Packets - "AREA:bypassed_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}), + "STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}), "GPRINT:bypassed_bytes_avg:%9.2lf %sbps", "GPRINT:bypassed_bytes_min:%9.2lf %sbps", "GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j", diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index fd548b6cf..a90331f21 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -56,6 +56,7 @@ include "/etc/collectd.precache" # IPS Chain mangle IPS BYPASSED Chain mangle IPS SCANNED + Chain mangle IPS WHITELISTED # diff --git a/doc/language_issues.en b/doc/language_issues.en index 7daeb078c..0e3a3eb74 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -2161,6 +2161,7 @@ WARNING: untranslated string: webradio playlist = Webradio Playlist WARNING: untranslated string: website = Website WARNING: untranslated string: wednesday = Wednesday WARNING: untranslated string: weeks = Weeks +WARNING: untranslated string: whitelisted = Whitelisted WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wio = unknown string diff --git a/doc/language_issues.es b/doc/language_issues.es index e71e77480..b33ffa2dc 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
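Review bot: Whitelisted now becomes the base `AREA` of the stack and bypassed is drawn as `STACK` on top of it, so any step where `whitelisted_bytes` is unknown (the new RRD will have such steps right after an upgrade) is stacked onto an unknown base rather than onto zero, which is the same gap the earlier hunk handles for the total with `ADDNAN`. Consider plotting a NaN-free copy, e.g. `"CDEF:whitelisted_bytes_plot=whitelisted_bytes,UN,0,whitelisted_bytes,IF"` and using it in the AREA line, so the stacked series stay visible during the gap; I have not confirmed how the installed rrdtool treats a NaN base, so treat this as something to check. Bypassed also silently moves from `color12` to `color11` while whitelisted takes `color12`, which changes the meaning of the colours for users who know the old graph; a comment on the colour assignment, or keeping bypassed on its old colour, would avoid the surprise. updateipsthroughputgraph continues outside the hunk.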
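Review bot: The new `Chain mangle IPS WHITELISTED` entry is only meaningful if a rule carrying the comment `WHITELISTED` exists in the mangle IPS chain, and the RRD path used in graphs.pl (`ipt_bytes-WHITELISTED.rrd`) is derived from that same name, so the three places have to agree; a comment recording the coupling would help, e.g. `# Names must match the -m comment of the rules created by src/initscripts/system/suricata`. Whether the running collectd is restarted after this file changes is not visible in the patch; until it is, the whitelisted series is never created and the graph's new DEF has nothing to read.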
@@ -1062,6 +1062,7 @@ WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index a5f566822..93466bd9e 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1000,6 +1000,7 @@ WARNING: untranslated string: system time = System Time (as of last page load)
 WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
 WARNING: untranslated string: total = Total
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index d72b90335..426df7759 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1347,6 +1347,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 3b926a64c..046e5943b 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1370,6 +1370,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 8461f9a27..f0a60ab30 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1611,6 +1611,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 6fe35a0ed..a8f2c1549 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1604,6 +1604,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index cb7b50a52..93619c0a4 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1231,6 +1231,7 @@ WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
diff --git a/doc/language_missings b/doc/language_missings
index 603530c74..2a2333d94 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -164,6 +164,7 @@
 < transport mode does not support vti
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap
 < wlanap hide ssid
@@ -201,6 +202,7 @@
 < upload fcdsl.o
 < warning
 < wg
+< whitelisted
 < wireguard
 < wlanap hide ssid
 < wlanap psk
@@ -692,6 +694,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -1260,6 +1263,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -2243,6 +2247,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3263,6 +3268,7 @@
 < week-graph
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3660,6 +3666,7 @@
 < warning
 < Weekly
 < wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 99349758c..61288dddf 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2942,6 +2942,7 @@
 'week-graph' => 'Woche',
 'weekly firewallhits' => 'wöchentliche Firewalltreffer',
 'weeks' => 'Wochen',
+'whitelisted' => 'Ausgenommen',
 'whois results from' => 'WHOIS-Ergebnisse von',
 'wildcards' => 'Wildcards',
 'wins server' => 'WINS-Server',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 2038f2e76..d73655560 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3027,6 +3027,7 @@ 'weekly firewallhits' => 'weekly firewallhits', 'weeks' => 'Weeks', 'wg' => 'WireGuard', +'whitelisted' => 'Whitelisted', 'whois results from' => 'WHOIS results from', 'wildcards' => 'Wildcards', 'winbind daemon' => 'Winbind Daemon', diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 150984d93..a80a32f78 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -40,6 +40,10 @@ IPS_BYPASS_MASK="0x20000000" IPS_SCAN_MARK="0x10000000" IPS_SCAN_MASK="0x10000000" +# Set if a packet has been whitelisted +IPS_WHITELISTED_MARK="0x08000000" +IPS_WHITELISTED_MASK="0x08000000" + # Supported network zones NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" ) @@ -122,9 +126,14 @@ generate_fw_rules() { # Skip disabled entries [ "${enabled}" = "enabled" ] || continue - iptables -w -t mangle -A IPS -s "${network}" -j RETURN - iptables -w -t mangle -A IPS -d "${network}" -j RETURN + iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" + iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" done < "/var/ipfire/suricata/ignored" + + # Count and skip the whitelisted packets + iptables -w -t mangle -A IPS \ + -m comment --comment "WHITELISTED" \ + -m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN fi # Send packets to suricata -- 2.39.5
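Review bot: `IPS_WHITELISTED_MARK`/`IPS_WHITELISTED_MASK` reserve bit `0x08000000` of the fwmark next to the bypass (`0x20000000`) and scan (`0x10000000`) bits, and nothing in the patch records that reservation for the other consumers of the mark in the system; since the RETURN rule in the next hunk trusts this bit rather than the address match, any rule or connmark restore elsewhere that sets or leaves the bit would let a packet skip the IPS unnoticed. Suggested comment above the two assignments: `# Reserved in the fwmark; must not overlap any other mark bit set before the IPS chain`. Whether any such overlap exists cannot be determined from this hunk.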
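Review bot: The `WHITELISTED` counter rule is added inside the same `if` block as the per-network MARK rules (the `if` line is outside the hunk, the `fi` inside), so when that branch is not taken the rule that collectd's `Chain mangle IPS WHITELISTED` entry looks for does not exist, `ipt_bytes-WHITELISTED.rrd` is never created, and the graph's new DEF has nothing to read; if that reading is right, emitting the counter rule unconditionally (it then simply matches nothing) closes the gap. The MARK rules also leave the whitelist bit on the packet for the rest of the netfilter traversal, which is a behavioural change from the previous RETURN, and the `-m mark ... -j RETURN` rule honours the bit wherever it was set; a short comment on that rule, `# Matches the bit set by the rules above; anything else setting it also skips the IPS`, keeps that visible. generate_fw_rules starts and ends outside the hunk.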