feat(suricata): v1.92 — enforcement hardening + scope removal + policy layer + CI gates#440
Closed
Conversation
…ion structure

v1.92 Wave 1: Safety foundation before any code removal.

New files:
- invariants.go: INV-S-001..013 constants + authority labels
- verify.go: `nftban suricata verify` — IDS deployment checks (suricata installed, active, EVE valid, IDS-only mode)
- inline.go: Inline Exception Mode config structure + validation (allowlist, double-gate, SID cap, kill switch, dry-run)
- inline_exceptions.conf: Default config (disabled, empty allowlist)

Architecture: V192_FINAL_ARCHITECTURE_DECISION.md
- Default: Suricata IDS → NFTBan decides → kernel enforces
- Exception: approved SIDs may inline-drop → NFTBan audits → kernel bans

All invariants machine-verifiable via CI gates GS-001..GS-014.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
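As an added illustration of the controls the commit lists for inline.go (double gate, SID cap, kill switch, dry-run) and the disabled default from inline_exceptions.conf: example code, not the project's own; the Config field names, the Action values and the SID numbers are assumptions.

```go
package main

import "fmt"

// Action is NFTBan's decision for one alert under Inline Exception Mode.
type Action int

const (
	ActionObserve    Action = iota // normal path: Suricata IDS -> NFTBan decides -> kernel enforces
	ActionWouldDrop                // dry-run: record what an inline drop would have done
	ActionInlineDrop               // approved SID: inline drop, NFTBan audits, kernel bans
)

// Config holds the controls listed for inline_exceptions.conf; field names
// are assumptions, not the project's real schema.
type Config struct {
	Enabled     bool         // gate 1: whole mode off unless set
	KillSwitch  bool         // operator override: no inline drops at all
	DryRun      bool         // decide and log, never drop
	MaxSIDs     int          // cap on allowlist size
	AllowedSIDs map[int]bool // gate 2: only these SIDs may drop inline
}

// DefaultConfig mirrors the shipped default: disabled, empty allowlist.
func DefaultConfig() Config {
	return Config{Enabled: false, MaxSIDs: 8, AllowedSIDs: map[int]bool{}}
}

// Validate rejects configs that would widen enforcement past the SID cap.
func (c Config) Validate() error {
	if c.MaxSIDs <= 0 {
		return fmt.Errorf("sid cap must be positive, got %d", c.MaxSIDs)
	}
	if len(c.AllowedSIDs) > c.MaxSIDs {
		return fmt.Errorf("allowlist has %d SIDs, cap is %d", len(c.AllowedSIDs), c.MaxSIDs)
	}
	return nil
}

// Decide applies the double gate: an inline drop needs Enabled AND the SID on
// the allowlist; the kill switch overrides both and dry-run never drops.
func (c Config) Decide(sid int) Action {
	if c.KillSwitch || !c.Enabled || !c.AllowedSIDs[sid] {
		return ActionObserve
	}
	if c.DryRun {
		return ActionWouldDrop
	}
	return ActionInlineDrop
}
```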
Contributor
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Delete Suricata ecosystem tooling that is not needed for NFTBan to produce a correct ban. NFTBan manages deployment correctness; it does not become a Suricata rule management platform.

Deleted Go packages (4 directories):
- customrules/ (manager + validator, 1,160 LOC) — rule authoring
- recommendations/ (analyzer, 481 LOC) — "which rules to enable"
- scanner/ (detector + probes, 967 LOC) — overlaps native portscan
- rules/ (generator, 279 LOC) — SID management

Deleted CLI commands (6 files):
- cmd_suricata_custom.go (353 LOC) — custom rules CLI
- cmd_suricata_sid.go (305 LOC) — SID management CLI
- cmd_suricata_recommend.go (210 LOC) — recommendations CLI
- cmd_suricata_profile.go (190 LOC) — complex profile CLI
- cmd_suricata_rules.go (127 LOC) — rules CLI
- cmd_suricata_scan.go (103 LOC) — scanner CLI

Deleted shell scripts (6 files):
- cmd_suricata_rules.sh (733 LOC) — rules shell CLI
- cmd_suricata_tools.sh (789 LOC) — benchmarking tools
- cmd_suricata_advanced.sh (565 LOC) — advanced config
- cmd_suricata_iface.sh (1,052 LOC) — interface management
- helpers/suricata_rules.sh (962 LOC) — rules helpers
- setup_suricata_rules.sh (165 LOC) — rules setup

Fixed: removed GenerateAutoConf() from config/generator.go (depended on deleted scanner package) and scanner import.

Rule: "Does NFTBan need this to produce a correct ban?" → NO → deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The dispatcher still referenced functions from deleted CLI files (profile-*, scan*, rules-*, sid-*, custom-*, recommend*). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
….conf)

User-facing policy controls for Suricata alert processing (INV-S-006).

New files:
- detection.conf: category toggles (which alerts NFTBan processes)
- actions.conf: response mapping per category (observe/ban_short/ban_long/ban_permanent)
- policy.go: Go loader with .local override support + defaults

These control NFTBan's response, NOT Suricata's detection behavior. Suricata always runs its full ruleset. NFTBan filters based on policy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
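As an added example of the policy layer this commit describes (detection.conf toggles, actions.conf responses, .local override precedence): example code, not the project's policy.go; the key=value file layout, the category names and the on/off values are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Responses actions.conf may assign to a category, as listed in the commit.
var validActions = map[string]bool{"observe": true, "ban_short": true, "ban_long": true, "ban_permanent": true}

// parseConf reads "key = value" lines into dst (later files override earlier
// ones), skipping blanks and '#' comments. The layout is an assumption.
func parseConf(dst map[string]string, text string) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			dst[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
}

// Policy is the merged view of detection.conf and actions.conf with their .local overrides.
type Policy struct{ Detect, Act map[string]string }

// LoadPolicy layers each shipped file with its .local override and rejects
// unknown actions so a typo cannot silently become a no-op or a permanent ban.
func LoadPolicy(detection, detectionLocal, actions, actionsLocal string) (Policy, error) {
	p := Policy{Detect: map[string]string{}, Act: map[string]string{}}
	parseConf(p.Detect, detection)
	parseConf(p.Detect, detectionLocal)
	parseConf(p.Act, actions)
	parseConf(p.Act, actionsLocal)
	for cat, a := range p.Act {
		if !validActions[a] {
			return Policy{}, fmt.Errorf("category %q: unknown action %q", cat, a)
		}
	}
	return p, nil
}

// Respond maps an alert category to NFTBan's response. A category toggled off
// or absent from the policy is observed only: policy narrows enforcement,
// it never adds a ban for a category nobody listed.
func (p Policy) Respond(category string) string {
	if a, ok := p.Act[category]; ok && p.Detect[category] == "on" {
		return a
	}
	return "observe"
}
```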
Replace source-build installer with package-manager-only deployment. NFTBan manages Suricata via apt/dnf — no more ./configure && make.

Changes:
- install_suricata.sh: 636 LOC → 190 LOC (package install + IDS config + service)
- suricata_managed_install(): single entry point for `nftban suricata enable`
- suricata_managed_disable(): stop service, keep package
- suricata_managed_status(): deployment status report
- SURICATA_UNMANAGED=true: skip managed install, read EVE only

Removed: source download, build deps, compile, custom prefix, Rust/cargo deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI enforcement for v1.92 Suricata architecture invariants:
- GS-003: ban_handler.go uses IPC only (no direct nft calls)
- GS-004: deleted scope-creep packages don't reappear
- GS-008: inline exception disabled in default config
- GS-014: rule engine/policy cannot trigger inline enforcement

Source: V192_FINAL_ARCHITECTURE_DECISION.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
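As an added sketch of how gates GS-003 and GS-004 from this commit can be made machine-checkable: example code, not the project's CI; the regular expression for a "direct nft call" and the tree layout under `root` are assumptions, while the package directory names come from the Wave 2 commit.

```go
package main

import (
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// GS-003: ban_handler.go must reach nftables only through NFTBan's IPC, never
// by running nft itself. The patterns are assumed shapes of a direct call.
var directNft = regexp.MustCompile(`exec\.Command\(\s*"(/usr/sbin/)?nft"|\bnft\s+(add|delete|flush)\b`)

// CheckIPCOnly returns 1-based line numbers of direct nft invocations in src.
// Full-line comments are ignored so an explanatory remark is not a violation.
func CheckIPCOnly(src string) []int {
	var bad []int
	for i, line := range strings.Split(src, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "//") {
			continue
		}
		if directNft.MatchString(line) {
			bad = append(bad, i+1)
		}
	}
	return bad
}

// GS-004: the scope-creep packages deleted in Wave 2 must not reappear under
// the suricata tree. Names come from the commit; root is whatever CI passes.
var removedPackages = []string{"customrules", "recommendations", "scanner", "rules"}

// CheckRemovedPackages returns the deleted package directories that exist again.
func CheckRemovedPackages(root string) []string {
	var back []string
	for _, pkg := range removedPackages {
		if st, err := os.Stat(filepath.Join(root, pkg)); err == nil && st.IsDir() {
			back = append(back, pkg)
		}
	}
	return back
}
```

A CI job would fail the build when either function returns a non-empty result.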
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Owner
Author
Recreating to clear stale gosec code scanning comments
Summary — v1.92 Suricata Integration
Net change: -8,133 LOC (1,015 added, 9,148 deleted across 32 files)
Wave 1: Safety Foundation (+524 LOC)
- invariants.go — INV-S-001..013 constants + authority labels
- verify.go — `nftban suricata verify` deployment checks
- inline.go — Inline Exception Mode config + validation + SID cap
- inline_exceptions.conf — default config (disabled, empty allowlist)

Wave 2: Scope Creep Removal (-8,589 LOC)
Wave 3: Simplified Deployment (-446 LOC)
- install_suricata.sh: 636→190 LOC (package-only, no source build)
- suricata_managed_install()/disable()/status() entry points
- SURICATA_UNMANAGED=true escape hatch

Wave 4: User Policy Layer (+297 LOC)
- detection.conf — category toggles
- actions.conf — response mapping per category
- policy.go — Go loader with .local override support

Wave 5: CI Gates (+45 LOC)
Lab verification
- go build (nftband + nftban-core + nftban-validate) + go vet — ALL PASS

🤖 Generated with Claude Code