installing_and_configuring_suricata_on_centos7_en [2017/09/05 12:18] (current)
====== Installing and Configuring Suricata on CentOS 7 ======


===== Configuring the new Kernel =====

We need to disable some services on <nowiki>CentOS</nowiki> 7.
<sxh bash>
systemctl stop firewalld.service
systemctl disable firewalld.service
</sxh>

We need to install a kernel that supports working with very high network throughput.

Let's add the new repository
<sxh bash>
rpm -ivh http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
</sxh>

Now we need to install the new kernel
<sxh bash>
yum --enablerepo=elrepo-kernel install kernel-ml -y
</sxh>

Now it is better to clean up /boot, removing the other kernels, and regenerate the GRUB configuration with the following command.
<sxh bash>
grub2-mkconfig -o /boot/grub2/grub.cfg
</sxh>

Now we need to reboot the server
<sxh bash>
reboot
</sxh>

===== Installing the Suricata =====

  * Prerequisites:
    * <nowiki>CentOS</nowiki> 7 working as Suricata
      * IP: 192.168.1.252
    * Debian Wheezy working as Snorby
      * IP: 192.168.1.251
    * Debian Wheezy working as Apache
      * IP: 192.168.1.250


Now we need to install the dependencies for Suricata; let's update the repositories first
<sxh bash>
yum check-update
</sxh>

Now we need to install the dependencies like this
<sxh bash>
yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel mariadb-devel GeoIP-devel \
zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel libnetfilter_queue-devel ethtool
</sxh>

Now we need to fetch the Suricata tarball and decompress it.
<sxh bash>
cd /usr/src
wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
tar -xvzf suricata-2.0.7.tar.gz
cd suricata-2.0.7
</sxh>

Now we need to configure the sources to compile Suricata with NFQUEUE support, so that it can run as an IPS
<sxh bash>
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip
</sxh>

Now let's compile and install Suricata like this
<sxh bash>
make && make install-full
</sxh>

Now let's update the shared library cache.
<sxh bash>
ldconfig
</sxh>

If you have problems with the rules, you can fetch them with the following command
<sxh bash>
wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
</sxh>

Now we need to configure the Suricata main file like this
<sxh yaml>
vim /etc/suricata/suricata.yaml
[...]
  - drop:
      enabled: yes
[...]
  - dns-log:
      enabled: yes
[...]
#line 784
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
[...]
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
[...]
    # Here we need to set up the networks in our company like below.
    HOME_NET: "[192.168.1.0/24]"
[...]
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [192.168.1.0/24, 192.168.1.252]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
</sxh>

Now we need to adjust some kernel variables so that it can handle a huge amount of packets per second.
<sxh bash>
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
</sxh>

As we are enabling the IPS/IDS, we need to disable the offloading features on the interface so that all packets are delivered to the IPS/IDS as they arrive on the wire.
<sxh bash>
ethtool -K enp0s3 tx off
ethtool -K enp0s3 tso off
ethtool -K enp0s3 gro off
ethtool -K enp0s3 rxvlan off
ethtool -K enp0s3 txvlan off
</sxh>

Now we can start Suricata
<sxh bash>
suricata -c /etc/suricata/suricata.yaml -i enp0s3 -D
</sxh>

Now we need to redirect the connections to port 80 to another server, the one I shall use as Apache
<sxh bash>
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
</sxh>

Here we redirect the incoming connections that arrive at Suricata to the Apache server, and after that we need to masquerade the network.

Now on the Apache server we need to configure it to use Suricata as its gateway.
<sxh bash>
route del default
route add default gw 192.168.1.252
</sxh>

Now we need to test the connection to the internet like this
<sxh bash>
ping 8.8.8.8
</sxh>

Now on Suricata let's open the HTTP log file like this
<sxh bash>
tail -f /var/log/suricata/http.log
</sxh>

Now from another computer let's run a test attack against it like this
<sxh bash>
nikto -h 192.168.1.252 -C all
</sxh>

In the log file we'll get something like this
<sxh bash>
04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.041728 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.041742 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.043356 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.043366 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.046864 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.046878 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.051718 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.051819 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.054704 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.054727 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.056559 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.056605 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
</sxh>

Now on Suricata let's open another log file.
<sxh bash>
tail -f /var/log/suricata/eve.json
</sxh>

Now from another machine let's run a scanner against Suricata like this
<sxh bash>
nmap -sS -v -n -A 192.168.1.252 -T4
</sxh>

In the logs we'll get something like this
<sxh bash>
{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955370","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955402","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081111","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081145","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231245","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231273","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107218","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107283","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356211","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356276","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856659","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856711","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792766","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:45.792771","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
</sxh>
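As an added example (not part of the original page), here is a small Python script that parses the two log formats shown above, http.log and eve.json, drops the duplicate record that the DNAT produces for every port-80 request (logged once as client -> Suricata and again as Suricata -> Apache, since both legs cross enp0s3) and summarises alerts per signature. The addresses are the lab ones from this page and the sample lines are constructed, modelled on the output shown above.

```python
import json
from collections import Counter, defaultdict

# Lab addresses from this page, used to tell the two legs of a DNATed flow apart.
GATEWAY_IP = "192.168.1.252"   # the Suricata host that performs the DNAT
BACKEND_IP = "192.168.1.250"   # the Apache server behind it

# Constructed sample input, modelled on the http.log lines shown above.
HTTP_LOG_SAMPLE = """\
04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
"""

# Constructed sample input, modelled on the eve.json lines shown above
# (a raw string, so the "\/" escapes reach json.loads exactly as in the file).
EVE_SAMPLE = r"""
{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
"""


def parse_http_log_line(line):
    """Parse one http.log line into a dict using the same field names as eve.json."""
    ts_host, url, user_agent, flow = line.rstrip("\n").split(" [**] ")
    timestamp, _host = ts_host.split(" ", 1)
    src, dst = flow.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dest_ip, dest_port = dst.rsplit(":", 1)
    return {
        "timestamp": timestamp, "event_type": "http",
        "src_ip": src_ip, "src_port": int(src_port),
        "dest_ip": dest_ip, "dest_port": int(dest_port),
        "http": {"url": url, "http_user_agent": user_agent},
    }


def is_backend_leg(record):
    """True for the second copy of a DNATed flow, the leg between Suricata and Apache.

    Only port 80 is DNATed, and the gateway has a single interface, so every
    port-80 packet is seen twice: client -> gateway before the DNAT and
    gateway -> Apache after it (and the reverse for replies). Only the leg that
    still carries the client address is useful for attribution."""
    return BACKEND_IP in (record.get("src_ip"), record.get("dest_ip"))


def client_http_requests(records):
    """HTTP request records that still show the real client, DNAT copies removed."""
    return [r for r in records
            if r.get("event_type") == "http" and not is_backend_leg(r)]


def summarize(records):
    """Count alerts per signature (with their sources) and requests per client/UA."""
    alerts, requests = Counter(), Counter()
    alert_sources = defaultdict(set)
    for r in records:
        if r.get("event_type") == "alert":
            key = (r["alert"]["signature_id"], r["alert"]["signature"])
            alerts[key] += 1
            alert_sources[key].add(r["src_ip"])
        elif r.get("event_type") == "http" and not is_backend_leg(r):
            requests[(r["src_ip"], r["http"].get("http_user_agent", "-"))] += 1
    return {"alerts": alerts, "alert_sources": dict(alert_sources),
            "requests": requests}


def load_http_log(text):
    return [parse_http_log_line(l) for l in text.splitlines() if l.strip()]


def load_eve(text):
    return [json.loads(l) for l in text.splitlines() if l.strip()]


def main():
    for r in client_http_requests(load_http_log(HTTP_LOG_SAMPLE)):
        print(f"{r['timestamp']} {r['src_ip']}:{r['src_port']} {r['http']['url']}")
    report = summarize(load_eve(EVE_SAMPLE))
    for (sid, name), n in report["alerts"].items():
        print(f"sid {sid} {name!r}: {n} alerts from "
              f"{sorted(report['alert_sources'][(sid, name)])}")
    for (client, ua), n in report["requests"].items():
        print(f"{n} request(s) from {client} with user-agent {ua!r}")


if __name__ == "__main__":
    main()
```

Note that the echo replies from 192.168.1.252 also match sid 2200025, so the alert sources include the Suricata host itself.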
 +
 +We can check in the Apache server too that we have a lot of connections like this.
 +<sxh bash>
 +tail -f /​var/​log/​apache2/​access.log
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi-915/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​bin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 539 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 539 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​mpcgi/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 541 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi-bin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​ows-bin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi-sys/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi-local/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 545 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​htbin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 541 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgibin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 542 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgis/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 540 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​scripts/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​cgi-win/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 543 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​08:​44 -0300] "GET /​fcgi-bin/​c32web.exe/​GetImage?​ImageName=CustomerEmail.txt%00.pdf ​ HTTP/​1.1"​ 404 544 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​003581)"​
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-exe/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-home/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-perl/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /sitemap.gz HTTP/1.1" 404 526 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003582)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /content/sitemap.gz HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003583)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /icons/README HTTP/1.1" 200 5375 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003584)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /localstart.asp HTTP/1.1" 404 530 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003585)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/update.php HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003586)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/login.php HTTP/1.1" 404 533 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003587)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/docs/README HTTP/1.1" 404 535 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003588)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/webcgi/about HTTP/1.1" 404 536 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003589)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003590)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003591)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003592)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404 521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/jspx/textRotate.jspx?name=<script>alert(111)</script> HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003595)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112)</script> HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003596)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/functions.jsp?foo=<script>alert(113)</script> HTTP/1.1" 404 549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"

</sxh>

Now let's put Suricata to work as an IPS. For this test only, we loosen the address variables in the main Suricata configuration file (the commented lines show the usual values):
<sxh bash>
vim /etc/suricata/suricata.yaml
[...]
    HOME_NET: "any"
    #HOME_NET: "[192.168.1.0/24]"

    EXTERNAL_NET: "any"
    #EXTERNAL_NET: "!$HOME_NET"
</sxh>

Now we make a backup of the rule files:
<sxh bash>
cp -Rfa /etc/suricata/rules ~/rules
</sxh>

Now we change the action of the rules in the following files from alert to drop, so that matching packets are discarded instead of only logged:
<sxh bash>
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-scan.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_server.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_specific_apps.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_client.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/drop.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/stream-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-policy.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-shellcode.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/decoder-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-exploit.rules
</sxh>
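As an added example (not part of the original wiki page), the following script performs the same alert-to-drop conversion in a reviewable way: it backs each file up, converts only lines whose action is alert, reports how many rules changed, and can restore a file from the backup. The rules file and directories in the demo are constructed; point the functions at /etc/suricata/rules and ~/rules to match the steps above.

```bash
#!/bin/bash
# Added example, not part of the original page: convert "alert" rules to "drop"
# with a backup and a count of converted rules, plus a revert helper.
# The rules file and directories used in the demo below are constructed.

# Number of rules in file $2 whose action is $1 (alert, drop, pass ...).
# Commented-out rules ("# alert ...") are not counted.
count_action() {  # $1 = action, $2 = rules file
  grep -c "^$1 " "$2" || true   # grep -c exits 1 when the count is 0
}

# Back up one rules file and turn its alert rules into drop rules.
# Prints the number of rules converted.
convert_to_drop() {  # $1 = rules file, $2 = backup directory
  local file=$1 backup_dir=$2 before
  mkdir -p "$backup_dir"
  cp -a "$file" "$backup_dir/$(basename "$file")"
  before=$(count_action alert "$file")
  # Anchor on "alert " so only the rule action is touched, never text
  # inside a rule (for example an msg that happens to contain "alert").
  sed -i 's/^alert /drop /' "$file"
  echo "$before"
}

# Restore a rules file from the backup taken by convert_to_drop.
revert_from_backup() {  # $1 = rules file, $2 = backup directory
  cp -a "$2/$(basename "$1")" "$1"
}

# Convert a list of files and print a per-file report (the page converts
# emerging-scan.rules, emerging-web_server.rules, ...; the demo uses one file).
convert_many() {  # $1 = backup directory, $2.. = rules files
  local backup_dir=$1 f n
  shift
  for f in "$@"; do
    n=$(convert_to_drop "$f" "$backup_dir")
    printf '%s: %s alert rule(s) converted to drop\n' "$f" "$n"
  done
}

# Demo on a constructed rules file (not a real Emerging Threats file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/demo.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"commented out, stays as is"; sid:1000001;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED scan signature"; sid:1000002;)
alert http any any -> any any (msg:"CONSTRUCTED web signature"; sid:1000003;)
pass tcp any any -> any 22022 (msg:"CONSTRUCTED pass rule"; sid:1000004;)
EOF
convert_many "$demo_dir/backup" "$demo_dir/demo.rules"
echo "drop rules now: $(count_action drop "$demo_dir/demo.rules")"
```

Run `suricata -T -c /etc/suricata/suricata.yaml` after converting real rule files so that a syntax problem is caught before the daemon is restarted.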

Now we stop the running Suricata process:
<sxh bash>
PSU=$(pidof suricata); kill -9 $PSU
</sxh>

Now we start Suricata in inline (IPS) mode, reading packets from NFQUEUE queue 0 and running as a daemon:
<sxh bash>
suricata -c /etc/suricata/suricata.yaml -q 0 -D
</sxh>

Now we send all forwarded traffic to and from port 80 into the NFQUEUE. Suricata processes every queued packet and decides whether it is accepted or dropped; with the FORWARD policy set to DROP, forwarded traffic that is not queued is discarded.
<sxh bash>
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
iptables -A FORWARD -p tcp --sport 80 -j NFQUEUE
</sxh>

Now we can follow the Suricata logs:
<sxh bash>
tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
</sxh>

Now we run the Nikto test scan from another machine against the Suricata host, this time with the IPS in place:
<sxh bash>
nikto -h 192.168.1.252 -C all
</sxh>

Now we can see the result in the Suricata log files:
<sxh bash>
tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
==> /var/log/suricata/fast.log <==
04/13/2015-17:21:44.772236  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:21:44.772236: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632 ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:47.918031: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981 ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:54.774944: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=23285 PROTO=TCP SPT=34845 DPT=80 SEQ=1536905794 ACK=3348384629 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:55.772148: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628 ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:04.779775: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=49545 PROTO=TCP SPT=34858 DPT=80 SEQ=1308021760 ACK=1100202517 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:05.972261: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34858 SEQ=1100202516 ACK=1308021760 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:14.790753: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=3168 PROTO=TCP SPT=34866 DPT=80 SEQ=3727036513 ACK=3268194257 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:16.171470: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34866 SEQ=3268194256 ACK=3727036513 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:24.795966: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=50075 PROTO=TCP SPT=34878 DPT=80 SEQ=3459769758 ACK=1952858872 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:25.971993: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34878 SEQ=1952858871 ACK=3459769758 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:34.808455: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=57943 PROTO=TCP SPT=34885 DPT=80 SEQ=2584071583 ACK=1252079019 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:36.172188: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34885 SEQ=1252079018 ACK=2584071583 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==
04/13/2015-17:22:44.827179  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:22:44.827179: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=51878 PROTO=TCP SPT=34894 DPT=80 SEQ=675935592 ACK=4002722971 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:47.995799: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=5199 PROTO=TCP SPT=80 DPT=34894 SEQ=4002722443 ACK=675935592 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:54.829643: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=26662 PROTO=TCP SPT=34897 DPT=80 SEQ=3048942461 ACK=420962227 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:56.372487: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34897 SEQ=420962226 ACK=3048942461 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:04.838129: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=13814 PROTO=TCP SPT=34900 DPT=80 SEQ=292845803 ACK=2369351393 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:06.172247: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34900 SEQ=2369351392 ACK=292845803 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:14.849031: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=10016 PROTO=TCP SPT=34909 DPT=80 SEQ=2092855804 ACK=2654305631 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:15.972834: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34909 SEQ=2654305630 ACK=2092855804 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:24.859782: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=37382 PROTO=TCP SPT=34912 DPT=80 SEQ=4239520425 ACK=1204384680 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:26.372347: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34912 SEQ=1204384679 ACK=4239520425 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:34.867725: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=20552 PROTO=TCP SPT=34917 DPT=80 SEQ=821639733 ACK=3031914370 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:36.172463: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34917 SEQ=3031914369 ACK=821639733 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==
04/13/2015-17:23:44.916071  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:23:44.916071: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=37617 PROTO=TCP SPT=34927 DPT=80 SEQ=2943871269 ACK=1547692160 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:48.076577: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=4861 PROTO=TCP SPT=80 DPT=34927 SEQ=1547691632 ACK=2943871269 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:54.927989: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=4771 PROTO=TCP SPT=34930 DPT=80 SEQ=1683975337 ACK=473377258 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:56.172266: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34930 SEQ=473377257 ACK=1683975337 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:24:04.939915: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=27939 PROTO=TCP SPT=34933 DPT=80 SEQ=539880178 ACK=2700461480 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:24:06.372664: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34933 SEQ=2700461479 ACK=539880178 WINDOW=14480 SYN ACK RES=0x00 URGP=0
</sxh>

In fast.log the [Drop] tag shows that the packet matched a drop rule and was discarded instead of being forwarded to the Apache server; drop.log lists each dropped packet with its addresses, ports and TCP flags.
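As an added example (not part of the original page), here is a small shell/awk summariser for fast.log in the format shown above: it counts events per signature, source host and destination, separated into dropped and alert-only events, and lists the source hosts whose dropped events reach a threshold. The log lines embedded in the demo are constructed to match the format above; the alert-only signature 1:9000001:1 is made up.

```bash
#!/bin/bash
# Added example, not part of the original page: summarise Suricata fast.log.
# Line layout (see the page): "<timestamp>  [Drop] [**] [gid:sid:rev] <msg> [**]
# [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port". The
# "[Drop]" token is present only when the packet was dropped in IPS mode.

# Print "count<TAB>action<TAB>gid:sid:rev<TAB>src_ip<TAB>dst:port", busiest first.
fast_log_summary() {  # $1 = path to fast.log
  awk '
    NF == 0 { next }                               # skip blank lines
    {
      if ($2 == "[Drop]") { action = "drop"; s = 4 } else { action = "alert"; s = 3 }
      sig = $s                                     # e.g. [1:2002677:13]
      sub(/^\[/, "", sig); sub(/\]$/, "", sig)     # -> 1:2002677:13
      for (i = s; i <= NF && $i != "->"; i++) ;    # find the "->" separator
      if (i > NF) next                             # malformed line, skip it
      src = $(i - 1); dst = $(i + 1)
      sub(/:[0-9]+$/, "", src)                     # ephemeral source port is noise
      count[action "\t" sig "\t" src "\t" dst]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Print source hosts with at least $2 dropped events in the log $1.
dropped_sources_over() {  # $1 = path to fast.log, $2 = threshold
  fast_log_summary "$1" | awk -F '\t' -v min="$2" '
    $2 == "drop" { n[$4] += $1 }
    END { for (h in n) if (n[h] >= min) print h }
  ' | sort
}

# Demo input, constructed to match the fast.log format on this page.
demo=$(mktemp)
cat > "$demo" <<'EOF'
04/13/2015-17:21:44.772236  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
04/13/2015-17:22:44.827179  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
04/13/2015-17:23:44.916071  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80
04/13/2015-17:25:01.000000  [**] [1:9000001:1] CONSTRUCTED alert-only event [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.253:40000 -> 192.168.1.250:80
EOF
fast_log_summary "$demo"
echo "sources with >= 2 drops: $(dropped_sources_over "$demo" 2)"
```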

If we check the Apache log files now, only a handful of requests got through, unlike before without the IPS.
<sxh bash>
tail -f /var/log/apache2/access.log
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.el HTTP/1.1" 404 527 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.axd HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.jse HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.tmp HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.dpgs HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.mdb HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.shtml HTTP/1.1" 404 531 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.cfg HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.bas:ShowVolume HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.chl+ HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
</sxh>

Testing a denial-of-service flood.

**Note:** Be aware that it can bring down the switch or router.

We can generate a SYN flood with the following command:
<sxh bash>
t50 192.168.1.252 --flood -S --turbo --dport 80
</sxh>

or, alternatively, with hping3:
<sxh bash>
hping3 -S 192.168.1.252 -p 80 --flood
</sxh>

===== Installing and Configuring Barnyard2 =====

Barnyard2 reads Suricata's unified2 output and feeds the alerts into the Snorby database. It must be installed on the Suricata server.

We need to fetch the tarball and decompress it.

<sxh bash>
cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
</sxh>

Now we configure the source tree with <nowiki>MySQL</nowiki> support:

<sxh bash>
./configure --with-mysql --with-mysql-libraries=/usr/lib64 --sysconfdir=/etc/suricata --prefix=/usr --localstatedir=/var
</sxh>

Now let's compile and install it.

<sxh bash>
make && make install clean
</sxh>

Now we create the Barnyard2 log directory:
<sxh bash>
mkdir /var/log/barnyard2
</sxh>

Now we make the following changes in the Barnyard2 configuration file:
<sxh bash>
vim /etc/suricata/barnyard2.conf
[...]
config reference_file:      /etc/suricata/rules/reference.config
config classification_file: /etc/suricata/rules/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map
[...]
config hostname:        ips01
config interface:       enp0s3
[...]
output alert_fast
# Add the line below at the end of the file; change the values as needed.
output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251
</sxh>

Now we stop Suricata again:
<sxh bash>
PSU=$(pidof suricata); kill -9 $PSU
</sxh>

Now let's start the Suricata and Barnyard2 daemons:
<sxh bash>
suricata -c /etc/suricata/suricata.yaml -q 0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
</sxh>

====== Configuring systemd ======

Now we stop the Suricata and Barnyard2 processes:
<sxh bash>
PSU=$(pidof suricata); kill -9 $PSU
PSU=$(pidof barnyard2); kill -9 $PSU
</sxh>

Now we create systemd unit files so that Suricata and Barnyard2 start at boot.
<sxh bash>
vim /usr/lib/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network.target auditd.service

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata

[Install]
WantedBy=multi-user.target
</sxh>

Now let's create the sysconfig file for Suricata:
<sxh bash>
vim /etc/sysconfig/suricata
# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i <network interface device>
# --user <acct name>
# --group <group name>
#
# Add options to be passed to the daemon
OPTIONS="-q 0 "
</sxh>

Now we enable the service:
<sxh bash>
systemctl enable suricata.service
</sxh>

We start the service:
<sxh bash>
systemctl start suricata.service
</sxh>

We can display its status:
<sxh bash>
systemctl status suricata.service
</sxh>

We can display the services that are currently running with the following command:
<sxh bash>
systemd-cgls -l
</sxh>

We can list the available services with the following command:
<sxh bash>
systemctl list-units --type service
</sxh>

Now we create the unit file for Barnyard2:
<sxh bash>
vim /usr/lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Spooler Service
After=syslog.target suricata.service

[Service]
ExecStart=/usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
-f unified2.alert -w /var/log/suricata/suricata.waldo $OPTIONS
EnvironmentFile=-/etc/sysconfig/barnyard2

[Install]
WantedBy=multi-user.target
</sxh>

Now let's create the sysconfig file for Barnyard2:
<sxh bash>
vim /etc/sysconfig/barnyard2
# The following parameters are the most commonly needed to configure
# barnyard2. A full list can be seen by running /usr/bin/barnyard2 --help

# Add options to be passed to the daemon
OPTIONS=" "
</sxh>

Now we enable the Barnyard2 service:
<sxh bash>
systemctl enable barnyard2.service
</sxh>

Let's start the Barnyard2 service:
<sxh bash>
systemctl start barnyard2.service
</sxh>

Let's display its status:
<sxh bash>
systemctl status barnyard2.service
</sxh>

Now we create a systemd unit for the firewall script:
<sxh bash>
vim /usr/lib/systemd/system/firewall.service
[Unit]
Description=Firewall ConfiServ
After=barnyard2.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/firewall/firewall-start
ExecStop=/etc/firewall/firewall-stop

[Install]
WantedBy=multi-user.target
</sxh>

Now we create the directory that will hold the firewall scripts:
<sxh bash>
mkdir /etc/firewall
</sxh>

Now let's create the firewall-start script:
<sxh bash>
vim /etc/firewall/firewall-start
#!/bin/bash

### Loading some modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

### Adjusting some variables
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

### Cleaning up the interface
ethtool -K enp0s3 tx off
ethtool -K enp0s3 tso off
ethtool -K enp0s3 gro off
ethtool -K enp0s3 rxvlan off
ethtool -K enp0s3 txvlan off

### Cleaning up
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t raw -F
iptables -t raw -X

### INPUT
iptables -P INPUT DROP
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -f -j DROP
iptables -t filter -A INPUT -p tcp --dport 22022 -j NFQUEUE --queue-num 0
iptables -t filter -A INPUT -p tcp --sport 22022 -j NFQUEUE --queue-num 0
iptables -t filter -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT

### NAT
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

### FORWARD
iptables -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -t filter -A FORWARD -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0
</sxh>

Now we create the firewall-stop script:
<sxh bash>
vim /etc/firewall/firewall-stop
#!/bin/bash

iptables -t filter -F
iptables -t filter -X
iptables -t raw -F
iptables -t raw -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
</sxh>

Now we make the scripts executable:
<sxh bash>
chmod +x /etc/firewall/firewall*
</sxh>

Now we enable the new service:
<sxh bash>
systemctl enable firewall.service
</sxh>

**Note:** Be aware that when you start the service your current SSH connection will be cut, because all connections on the SSH port are now forced through Suricata.

Now we start the service:
<sxh bash>
systemctl start firewall.service
</sxh>

To check the status of the service we can use the following command:
<sxh bash>
systemctl status firewall.service
</sxh>

====== Sample FW ======

Here is a sample from a production deployment.

Let's take a look at the variables file:

<sxh bash>
vim /etc/firewall/variables
### VARIABLES

### PATH
PSNI="/proc/sys/net/ipv4"
PSNN="/proc/sys/net/netfilter"

### COMMANDS
MODPROBE="/sbin/modprobe"
ETHTOOL="/sbin/ethtool"
IPTABLES="/sbin/iptables"

### NETWORKS
LAN_NETWORK="10.23.0.0/24"

### SERVERS
ZABBIX="10.23.0.117"
BACULA="10.23.0.198"
WAPP01="10.23.0.247"
KACE_INT="172.33.0.194"
KACE_EXT="200.200.200.34"
EXT_FTP01="200.200.200.46"
DMZ_FTP01="10.23.0.147"
DMZ_FTP02="10.23.0.246"
DMZ_HTTP02="10.23.0.143"
DMZ_HTTP01="10.23.0.247"

## EXTERNAL IP
EXT_F10="177.177.177.10"
EXT_F14="177.177.177.14"

### PORTS
BACULA_PORT="9102"
ZABBIX_PORT="10050"
DEV_PORT="2000"
WTS_PORT="3389"
SSH_PORT="22022"
VOIP_TCP_PORTS="5060:5061"
VOIP_UDP_PORTS="5040:5081,10000:20000"
KACE_PORTS="80,139,443,445,52230"
FTP_PORTS="20,21,12000:12100"
HTTP_PORT="80"
HTTP_PORTS="80,443"
HTTPS_PORT="443"
WEB_PORTS="80,443,3306"
DNS_PORT="53"

### ALIAS
PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i eno2 "
POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o eno2 "
COM="-m comment --comment"
TCP="-p tcp -m tcp"
UDP="-p udp -m udp"
ICMP="-p icmp --icmp-type"
LIMIT="-m limit --limit"
DMULTIPORT="-m multiport --dports"
SMULTIPORT="-m multiport --sports"
LOG="LOG --log-prefix"
LOG_LEV="--log-level info"
SURICATA="--queue-num 0"
</sxh>

Let's take a look at firewall-start:

<sxh bash>
vim /etc/firewall/firewall-start
#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Loading some modules
${MODPROBE} ip_conntrack
${MODPROBE} ip_conntrack_ftp
${MODPROBE} ip_nat_ftp

### Adjusting some variables
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > ${PSNI}/tcp_syncookies
echo 1 > ${PSNI}/tcp_timestamps
echo 1 > ${PSNI}/ip_forward
echo 0 > ${PSNN}/nf_conntrack_tcp_loose
echo 2000000 > ${PSNN}/nf_conntrack_max
for END in ${PSNI}/conf/*/rp_filter ; do echo 1 > ${END} ; done
echo 0 > ${PSNI}/icmp_echo_ignore_all
echo 1 > ${PSNI}/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in ${PSNI}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
## If the setting below is enabled, NAT does not work properly and FTP does not work in Explorer or Nautilus
#echo 0 > ${PSNN}/nf_conntrack_helper

### Cleaning up the interface
${ETHTOOL} -K eno1 tx off
${ETHTOOL} -K eno1 tso off
${ETHTOOL} -K eno1 gro off
${ETHTOOL} -K eno1 rxvlan off
${ETHTOOL} -K eno1 txvlan off

${ETHTOOL} -K eno2 tx off
${ETHTOOL} -K eno2 tso off
${ETHTOOL} -K eno2 gro off
${ETHTOOL} -K eno2 rxvlan off
${ETHTOOL} -K eno2 txvlan off

### Cleaning up
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X

### ALLOWING LOOPBACK
${IPTABLES} -A INPUT -s 127.0.0.1/32 -j ACCEPT

## Giving higher priority to VoIP
${IPTABLES} -t mangle -A OUTPUT -p udp -j DSCP --set-dscp-class EF
${IPTABLES} -t mangle -A FORWARD -p udp -j DSCP --set-dscp-class EF

### INPUT
${IPTABLES} -P INPUT DROP
${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -f -j DROP
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### FORWARD
${IPTABLES} -P FORWARD DROP
${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -f -j DROP
${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### Allowing access to SSH
${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}

### DEV ACCESS TO WTS
${PRE_EXT} -d ${EXT_F10} -p tcp --dport ${DEV_PORT} -j DNAT --to ${WAPP01}:${WTS_PORT} ${COM} "DEV access to WTS"
${POS_EXT} -d ${WAPP01} ${TCP} --dport ${WTS_PORT} -j SNAT --to ${EXT_F10}:${DEV_PORT} ${COM} "DEV access to WTS"
${IPTABLES} -t filter -A FORWARD ${TCP} ${SMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A FORWARD ${TCP} ${DMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING VOIP
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${DMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${SMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING KACE
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ZABBIX
${IPTABLES} -A INPUT ${TCP} --dport ${ZABBIX_PORT} -s ${ZABBIX} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${ZABBIX_PORT} -d ${ZABBIX} -j NFQUEUE ${SURICATA}

### ALLOWING BACULA
${IPTABLES} -A INPUT ${TCP} --dport ${BACULA_PORT} -s ${BACULA} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${BACULA_PORT} -d ${BACULA} -j NFQUEUE ${SURICATA}

### ALLOWING FTP
${IPTABLES} -A FORWARD -d ${EXT_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${EXT_FTP01} -j NFQUEUE ${SURICATA}

### ALLOWING FTP 01
${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP01} ${COM} "FTP 01"
${IPTABLES} -A FORWARD -s ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"

### ALLOWING FTP 02
${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP02} ${COM} "FTP 02"
${IPTABLES} -A FORWARD -s ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
# Return direction for FTP 02 (the original had "-s" twice, so replies never reached the queue)
${IPTABLES} -A FORWARD -d ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"

### ALLOWING HTTP 01
${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP01} ${COM} "HTTP SERVER 01"
${POS_EXT} -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "HTTP SERVER 01"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP01} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP 02
${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP02} ${COM} "HTTP SERVER 02"
${POS_EXT} -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "HTTP SERVER 02"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP02} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ACCESS FROM LAN
${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"

### ALLOWING DNS QUERY
${IPTABLES} -A INPUT ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP AND FTP ACCESS
${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ICMP
${IPTABLES} -A INPUT ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}

### MASQUERADE
${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE
</sxh>

Let's take a look at firewall-stop:

<sxh bash>
cat /etc/firewall/firewall-stop
#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Cleaning up the rules
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
</sxh>

Here is the rule set with some fixes applied: [[http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz|http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz]]

 +  - https://​www.frozentux.net/​iptables-tutorial/​iptables-tutorial.html#​NETFILTERHACKINGHOWTO
 +  - http://​www.ibm.com/​developerworks/​library/​se-intrusion/​index.html
 +  - http://​rules.emergingthreats.net/​open/​