After the initial scans are done, a while loop starts. First, the number of current number of alerts is recorded again by calling the alert_count function. If the current number of alerts (currentAlertCount) is not higher than the inital alert count, the loop sleeps for 5 seconds. If the current number if alerts is higher, the loop continues.<\/p>\n\n\n\n
First, it creates an empty list called reduced log. Then, the log formatter function is called on the current eve.json file and stored in the variable updatedLog. A for loop is then performed on updatedLog which appends only the newest eve.json alerts to reducedLog. The loop is able to know the number of alerts to add by using the difference the initial alert count and the current alert count as ranges.<\/p>\n\n\n\n
Then, the log_parser function is called using the reducedLog as an argument. If any of the alerts contain the relevant keywords, their IP will be added to the ipset list.<\/p>\n\n\n\n
Finally, initialAlertCount is set equal currentAlertCount to reset their difference and the loop sleeps for 5 seconds. <\/p>\n\n\n\n
The two exception clauses are included for manually stopping the program with a keyboard interrupt or some other unexpected reason. In both cases, the reason and time of the error are logged to an error file.<\/p>\n\n\n\n<\/span>Daemon Setup<\/span><\/h3>\n\n\n\nWhile this program can run in the background by default, we can use supervisor to automatically run it at startup. Start by moving the program to the \/opt folder.<\/p>\n\n\n\n
Next, we need to create the configuration file in supervisor to manage the firewall program as a daemon. Navigate to the supervisor directory and create the configuration file with the following commands:<\/p>\n\n\n\n
cd \/etc\/supervisor\/conf.d\nsudo vim suricata-firewall.conf<\/code><\/pre>\n\n\n\nCopy the following into the configuration file:<\/p>\n\n\n\n
\n[program:suricata_firewall]\nprocess_name=suricata_firewall\ncommand=python3 \/opt\/suricata_firewall.py \/var\/log\/suricata\/eve.json blocklist\nautostart=true\nautorestart=unexpected\nnumprocs=1\nstartsecs=1\nstartretries=30\nstopsignal=QUIT\nstopwaitsecs=30<\/code><\/pre>\n\n\n\nOn the command line, we’re running this script with the default path of the Suricata eve.json file and the name of the ipset blocklist used earlier. You can change these based on your system’s setup.<\/p>\n\n\n\n
Now, restart supervisor with:<\/p>\n\n\n\n
sudo service restart supervisor<\/code><\/pre>\n\n\n\nThen, run supervisor to make sure the firewall program is running:<\/p>\n\n\n\n
sudo supervisorctl<\/code><\/pre>\n\n\n\n<\/span>Add Program to Cron<\/span><\/h4>\n\n\n\nThe final step in setting up the daemon is using another daemon manager called cron. Cron allows us to run commands at certain intervals for us. In this case, we’re going to have cron restart supervisor every 24 hours or in other words, reset all of our daemons every day.<\/p>\n\n\n\n
Run the command:<\/p>\n\n\n\n
crontab -e<\/code><\/pre>\n\n\n\nAt the end of the file add:<\/p>\n\n\n\n
@daily supervisorctl restart all<\/code><\/pre>\n\n\n\n
<\/span>Firewall Demonstration<\/span><\/h2>\n\n\n\nNow that the firewall is up and running, we’re going to test it by:<\/p>\n\n\n\n
\nTrying to SSH into this machine from an unauthorized machine<\/li>\n\n\n\n Running a pcap that will trigger alerts related to malware<\/li>\n<\/ul>\n\n\n\nMake sure Suricata is running. You can run it with:<\/p>\n\n\n\n
sudo systemctl start suricata.service<\/code><\/pre>\n\n\n\n<\/span>Block IPs from SSH Brute Force<\/span><\/h3>\n\n\n\nIn this scenario, our machine is only allows SSH access from certain machines. In Suricata, we’ll make a custom rule in the local.rules file.<\/p>\n\n\n\n
sudo vim \/etc\/suricata\/rules\/local.rules<\/code><\/pre>\n\n\n\nThe rule says to alert if any machine that is not 10.80.80.2 that tries to connect to this device over port 22.<\/p>\n\n\n
\n
From our program, recall that we made one of the keywords ‘SSH”.<\/p>\n\n\n
\n
To test this alert and the firewall, we need to attempt to SSH into this machine from another one on the same isolated network. On the other machine, I make an SSH attempt.<\/p>\n\n\n
\n
SSH is blocked on the target machine by default but we should still see an alert from Suricata and the IP added to the ipset list.<\/p>\n\n\n\n
Checking the fast.log on our target machine, we see the alert.<\/p>\n\n\n
\n
Now, if the firewall is working properly, the IP of the machine that tried to SSH should be added to the ipset blocklist. We can check the list with:<\/p>\n\n\n\n
sudo ipset list<\/code><\/pre>\n\n\n\n
This is exactly what we needed to see. Now this IP is blocked. We can confirm this by enabling the SSH service on the target machine and trying to SSH into again. We’ll see the connection refuse again. Re-enable the SSH service with:<\/p>\n\n\n\n
sudo systemctl start ssh.service<\/code><\/pre>\n\n\n\nWhen trying to SSH into the target machine, the connection times out.<\/p>\n\n\n
\n