Added suricata config

2025-02-01 13:24:08 -08:00 · 2025-02-01 13:24:08 -08:00 · 7ebbd4044e
commit 7ebbd4044e
parent 01e58f22c2
2 changed files with 142 additions and 7 deletions
--- a/config/logging.nix
+++ b/config/logging.nix
@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }: {
+{ lib, config, pkgs, inputs, ... }: {

  imports = [
    ../hardware/logging.nix
@ -12,19 +12,148 @@
  ];

  users.users.logging = import ./user.nix;
-
  environment.systemPackages = with pkgs; [
    suricata
  ];

  systemd.services.suricata = {
-    enable = true;
    description = "Suricata IDS/IPS";
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      type = "simple";
-      ExecStart = "${pkgs.suricata}/bin/suricata -c '/home/logging/suricata.yaml' -i ens18";
+      User = "logging";
+      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s18";
      Restart = "on-failure";
+      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
+      AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
    };
  };
+
+  environment.etc."suricata.yaml".source = pkgs.writeTextFile {
+    name = "suricata.yaml";
+    text = ''
+    %YAML 1.1
+    ---
+
+    vars:
+      address-groups:
+        HOME_NET: "[192.168.100.0/24]"
+        EXTERNAL_NET: "!$HOME_NET"
+        HTTP_SERVERS: "$HOME_NET"
+        SMTP_SERVERS: "$HOME_NET"
+        SQL_SERVERS: "$HOME_NET"
+        DNS_SERVERS: "$HOME_NET"
+        TELNET_SERVERS: "$HOME_NET"
+        AIM_SERVERS: "$EXTERNAL_NET"
+        DC_SERVERS: "$HOME_NET"
+        DNP3_SERVER: "$HOME_NET"
+        DNP3_CLIENT: "$HOME_NET"
+        MODBUS_CLIENT: "$HOME_NET"
+        MODBUS_SERVER: "$HOME_NET"
+        ENIP_CLIENT: "$HOME_NET"
+        ENIP_SERVER: "$HOME_NET"
+      port-groups:
+        HTTP_PORTS: "80"
+        SHELLCODE_PORTS: "!80"
+        ORACLE_PORTS: 1521
+        SSH_PORTS: 22
+        DNP3_PORTS: 20000
+        MODBUS_PORTS: 502
+        FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+        FTP_PORTS: 21
+        GENEVE_PORTS: 6081
+        VXLAN_PORTS: 4789
+        TEREDO_PORTS: 3544
+        SIP_PORTS: "[5060, 5061]"
+
+    default-log-dir: /home/logging/logs
+    classification-file: /etc/suricata/classification.config
+    reference-config-file: /etc/suricata/reference.config
+    default-rule-path: /etc/suricata/rules
+    rule-files:
+      - suricata.rules
+
+    stats:
+      enabled: yes
+
+    af-packet:
+      - interface: enp6s18
+        use-mmap: yes
+        tpacket-v3: yes
+        cluster-id: 99
+        cluster-type: cluster_flow
+        defrag: yes
+
+    outputs:
+      - fast:
+          enabled: yes
+          filename: fast.log
+          append: yes
+
+      - eve-log:
+          enabled: yes
+          filetype: regular
+          filename: eve.json
+          types:
+            - alert:
+                tagged-packets: yes
+            - http:
+                extended: yes
+            - http2
+            - dns:
+                enabled: yes
+            - tls:
+                extended: yes
+            - flow
+            - mqtt
+            - ssh
+            - dhcp:
+                enabled: yes
+            - arp:
+                enabled: yes
+            - ldap
+            - quic
+            - sip
+            - rfb
+            - snmp
+            - bittorrent-dht
+            - krb5
+            - dcerpc
+            - ike
+            - tftp
+            - smb
+            - nfs
+            - rdp
+            - ftp
+            - websocket
+            - smtp
+
+      - pcap-log:
+          enabled: yes
+          filename: log.pcap
+          limit: 1gb
+          max-files: 20
+
+      - stats:
+          enabled: yes
+          filename: stats.log
+          append: yes
+          totals: yes
+          threads: no
+            
+    '';
+  };
+
+  environment.etc."suricata/classification.config".text = ''
+  '';
+
+  environment.etc."suricata/reference.config".text = ''
+  '';
+
+  environment.etc."suricata/threshold.config".text = ''
+  '';
+
+  environment.etc."suricata/rules/suricata.rules".text = ''
+    alert tcp any any -> any any (msg:"TCP traffic detected"; sid:1000001; rev:1;)
+  '';
 }
--- a/hardware/logging.nix
+++ b/hardware/logging.nix
@ -8,16 +8,22 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4b91f41b-e619-41e1-a602-c60862cd6fb9";
+    { device = "/dev/disk/by-uuid/d8ec7c7e-ce95-432c-932d-663dc261c623";
      fsType = "ext4";
    };

+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1842-1672";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -25,7 +31,7 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }