UniFi IDS/IPS
UniFi Gateway uses the Suricata rules engine
IDS does not use iptables, uses live pcap on a Unix socket
IPS adds chains to the forward chain
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TOR all -- anywhere anywhere
ALIEN all -- anywhere anywhere
IPS all -- anywhere anywhere
IPS Rule
Chain IPS (1 references)
target prot opt source destination
IPSLOGNDROP all -- anywhere anywhere match-set ips dst,dst (Port),src
IPSLOGNDROP all -- anywhere anywhere match-set ips src,src (Port),dst
Rules are stored in *.rules files in the directory /usr/share/ubios-udapi-server/ips/rules/
category_list.json In the config folder, there is an array called open that lists the free rules, and there is also an array called pro that contains the rules that require a CyberSecure subscription
Rules come from EmergingThreats, maintained by Proofpoint.
IP Reputation
- Malicious Hosts adds the ALIEN chains to iptables
- Dark Web Block List adds the TOR chains to iptables
Notify Only (IDS) will also drop if these detections are enabled
Chain ALIEN (2 references)
target prot opt source destination
ALIENLOGNDROP all -- anywhere anywhere match-set ALIEN src
Chain ALIENLOGNDROP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere match-set ALIEN_WHITELIST_SRC src
RETURN all -- anywhere anywhere match-set ALIEN_WHITELIST_DST dst
NFLOG all -- anywhere anywhere limit: avg 1/min burst 5 nflog-prefix "[IGNORE LOGGING]" nflog-group 3 nflog-threshold 16
DROP all -- anywhere anywhere
alien.list and tor.list containing the IP address to drop are in the /usr/share/ubios-udapi-server/ips/rules/ directory
Logs of dropped connections containing interfaces, MAC Addresses, and IP Addresses are stored in /var/log/ulog/alien_block.log and /var/log/ulog/tor_block.log
