• Great Site for Helping Write Custom Suricata Rules

    Pinned
    1
    3 Votes
    1 Posts
    635 Views
    No one has replied
  • This topic is deleted!

    Pinned
    1
    6 Votes
    1 Posts
    2k Views
    No one has replied
  • 8 Votes
    74 Posts
    47k Views
    bmeeksB

    @Snailkhan:
    It is not possible in pfSense to tie IDS/IPS rules or policies to the pf firewall engine. Thus it is impossible to tie IDS/IPS rules to IP source or destination pairs as evaluated by the firewall engine. That's just not how pfSense is designed. If you need this level of granularity, then pfSense is not the product for you. The best you could do is write your own custom IDS/IPS rules where you customize the Source/Destination fields of each IDS/IPS rule. I seriously doubt you want to get into that level of maintainence.

    Snort is an add-on volunteer-maintained package for pfSense. It is not baked into the operating system nor into the design of the firewall. Therefore its capabilities will be nowhere near as flexible as say a customized Cisco hardware/software solution might be.

    Later Edit: but compare the price you pay for pfSense and its Snort package to what the Cisco solution costs you 😁. Many times compromises are necessary when taking advantage of the "free" option.

  • 7 Votes
    4 Posts
    16k Views
    bmeeksB

    @gwaitsi said in Configuring pfSense/netmap for Suricata Inline IPS mode on em/igb interfaces:

    is it necessary to have on all interfaces, or just the ones assigned to suricata?

    Just the ones assigned to Suricata. But the general consensus these days with the super fast multicore CPUs most users have is that you should just disable all hardware offloading on all interfaces. It was helpful back in the days of Pentiums struggling to achieve line rate packet processing, but today's multicore CPUs generally don't break a sweat until you get to the 10 Gig area. There are several things (including some third-party packages) that can be negatively impacted by hardware offloading.

  • Quick Snort Setup Instructions for New Users

    Pinned
    147
    5 Votes
    147 Posts
    268k Views
    bmeeksB

    @qinn, it depends totally on which precise rules are enabled and what the traffic on your network actually consists of. The goal in IDS/IPS is to get no or very few alerts and blocks. That means your network is relatively secure and clients are following the rules ... ☺ .

    I don't mean that to say you should never get alerts, though. Just that you don't want to be receiving hundreds per hour. Once blocking is enabled that might drive you crazy as an admin. Within the IPS Polices, the Snort team has selected rules that provide security without a ton of false positive alerts.

  • 8 Votes
    4 Posts
    15k Views
    bmeeksB

    @cyberzeus said in How Automatic SID Management and User Rule Overrides Work in Snort and Suricata:

    bmeeks - I found the following link that describes what is included in each of the 3 IPS policies.Ā  Note there is a 4th policy - MaxDetect.Ā  Do you know if there are any plans to implement this in the Snort package for pfSense?

    https://www.snort.org/documents/215

    Replying to an old thread, but the answer is "yes". The new MaxDetect policy is now present and selectable in the Snort and Suricata packages. Just remember that the Snort folks recommend enabling that only for testing purposes! It is most definitely not recommended for a production network. It will generate a lot of false positives!

  • Important Info About Passlists with Suricata Inline IPS Mode

    Pinned
    2
    1 Votes
    2 Posts
    6k Views
    S

    For those looking to create their own rules, the "sid:1000006;" part of the example is NOT a reference to an existing SID. It needs to be a unique number otherwise Suricata won't load the rule.

    To whitelist for a rule for an IP, search for the SID in /usr/local/etc/suricata/suricata_(interface)/rules/suricata.rules. Duplicate the conditions like "flow:from_server,established; content:"403"; http_stat_code;" into the custom rule so it matches, like

    pass ip 192.168.1.22/32 80 <- any any (msg: "Pass List Entry - allow all traffic to/from 192.168.1.22/32"; flow:from_server,established; content:"403"; http_stat_code;sid:1000006;)

    Otherwise with only the IP address, port, and unique SID it will allow all traffic for that IP.

    Also note the directional (<-) only allows for two directions..."both" or "left."

  • About the New Block-on-Drops Only Option in Suricata 4.0.0

    Pinned
    12
    3 Votes
    12 Posts
    10k Views
    bmeeksB

    @JasonAU:

    You put a lot of effort into this forum & Pfsense thank you! Seriously a lot of people would be lost without somebody doing the answering on the forum

    I’m having a lot of fun toying with this after work in my lab the only thing that I don’t currently understand is can I make some rules drop rather than block when I’m configured with:

    *Legacy mode not inline

    *Block on DROP only enabled

    *IPS Policy Security with ā€˜policy’ mode

    Snort Subscriber + ET

    Let’s say I like one of the rules FILE tracking GIF (1x1 pixel) from the files.rules category sounds like a good thing to help with privacy but the blocking action causes problems as often the IP that gets blocked is hosting other legitimate images in the page, Can I use SID Management to modify this rule to drop even when I have block on drop enabled?

    Your question leads me to believe you are misunderstanding a key piece of the puzzle.Ā  There is no difference between DROP and BLOCK in Legacy Mode.Ā  They are the same thing.Ā  Both lead to the exact same result:Ā  traffic from the offending IP address (the one that triggered the rule) is blocked by placing the SRC, DST or BOTH IP addresses from the offending packet into the snort2c pf firewall table.Ā  After that, all further traffic from those IP addresses is blocked until the IP addresses are removed from the snort2c table.Ā  Legacy Mode can't do what you want.

    The whole reason I created the new "Block-on-drops-only" option was so you can tailor rules actions to get the results you desire.Ā  See, all rules by default from the rule set vendors come with the action set to ALERT.Ā  With Legacy Mode Blocking, and before the new "Block-on-drops-only" option was added, any alert also generated a corresponding block.Ā  It was an all or nothing arrangement.Ā  When you enabled blocking, any rule that generated an alert would also cause a block.Ā  With the new "Block-on-drops-only" option, I added some extra intelligence within the custom blocking module so that it could look at the rule action (ALERT or DROP) of the triggered rule and take the action specified.Ā  So if the rule says ALERT, then only an alert is generated but no block is created.Ā  If the rule says DROP, then both an alert and a block are generated.

    SID MGMT has options that allow you to alter rule actions from the default value of ALERT.Ā  So now you can pick and choose which rules you want to just alert and which you want to drop (or block traffic).Ā  This new "Block-on-drops-only" option was born out of the way the Inline IPS mode operates.Ā  With Inline IPS Mode, you must specifically change rule actions to DROP in order to drop or block traffic.Ā  You could also leave some rules with the default ALERT action and those rules would generate alerts but would not block or drop traffic.Ā  That's the way most commercial proprietary Intrusion Prevention Systems operate.Ā  So I thought it would be useful to port that same functionality (the choice of ALERT or DROP) over to Legacy Mode operation.Ā  Hence the new "Block-on-drops-only" option.

    I still don't want folks to confuse Legacy Mode's use of DROP with the way IPS Mode works, though.Ā  In Legacy Mode, even though I'm using the term "drop", the actual blocking of traffic is done the old way using libpcap to get copies of every packet traversing the interface, and when a rule fires to create a block, the IP addresses from the offending packet are copied to the snort2c table in pf to implement a firewall block.Ā  So when I say "drop" in the context of Legacy Mode and the new "Block-on-drops-only" option, I really mean that only rules with DROP as the action will add the offender's IP address to the snort2c table.Ā  The "drop" is really still the old fashioned block.Ā  With Inline IPS Mode, the snort2c table is not used at all.Ā  There is another Sticky Post here on the forum that describes the difference between Legacy Mode and Inline IPS Mode.

    Read both of the Sticky Posts in this forum about Passlists and Suricata.Ā  Each of them also contains some key points about blocks, drops and Legacy vs Inline IPS modes.

    Bill

  • Using Snort VRT Rules With Suricata and Keeping Them Updated

    Pinned
    11
    3 Votes
    11 Posts
    27k Views
    M

    @bmeeks said in Using Snort VRT Rules With Suricata and Keeping Them Updated:

    @MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:

    @bmeeks So is this the best release to reference for now?

    snortrules-snapshot-29160.tar.gz

    Yes. You want to use the most current version of the Snort 2.9.x rules with Suricata. Since Snort 2.9.16 is the current release, then the snortrules-snapshot-29160.tar.gz rules archive contains the latest ones.

    Very helpful, Thank you!

  • Snort and GIF0 for HE tunnel broker

    9
    0 Votes
    9 Posts
    98 Views
    JonathanLeeJ

    @SteveITS It looks like it is detecting ipv6 better

    already is showing alerts

    Screenshot 2025-07-12 at 10.39.56.png

    It sees some ipv6 going to my interface. Again snort also would spot stuff every once a a while. My son got a bad bug on his tablet and it had a Russian email server running I checked it on virus total and it was spot on as malware known abuses so I reported it

  • Cant remove SNORT Suppression List

    2
    0 Votes
    2 Posts
    30 Views
    S

    @1-21Gigawatts Should be similar to Suricata, at the bottom of the Suricata > (interface) settings page. By default it has/creates a name though, so that seems odd.

    If nothing else you can edit the list and make it blank.

  • Security Onion

    1
    0 Votes
    1 Posts
    74 Views
    No one has replied
  • Suricata Inline on various hardware?

    16
    0 Votes
    16 Posts
    5k Views
    ETechBuyE

    @certifiable Thanks for gathering and sharing all this detail—super helpful.

    Yeah, I’m inclined to agree about the 8111. It probably is supported via the re(4) driver, and like you said, the ā€œEā€ just denotes PCIe. Unless there were big changes to the Realtek driver between 2011 and 2015, it should still work with Netmap. Of course, without a definitive confirmation, there’s always some uncertainty, but it seems like a solid bet.

    On the Intel side, it’s interesting (and a bit frustrating) that inline Suricata doesn’t work even though the i211 is listed as supported in both the FreeBSD hardware notes and the Netmap man page. I did check the ifconfig output—my i211 shows up as igb0, not igp. From what I understand, igb is the correct driver family for the i210/i211 series. igp might be a typo or confusion with something else (maybe the older PRO/1000 series?).

    I’ve been using the i211 exclusively for testing because I’ve read in several threads (and you confirmed) that the i219LM can be more problematic, especially with netmap/pf_ring compatibility. If you haven’t already, I’d definitely try binding Suricata only to the i211 to rule out issues from the onboard i219.

    Also appreciate the fallback suggestion on the dual-port 1000e NIC—good to know there are reliable options if the built-ins keep acting up. And yeah, if it comes to that, maybe a direct appeal to Luigi Rizzo himself will be in order.

    Thanks again—like you said, this stuff can start feeling like work real fast, but having all these specifics in one place makes troubleshooting a lot easier. I’ll keep digging, and if I get it working, I’ll post back with the exact configuration.

  • Suricata on Pfsense

    5
    0 Votes
    5 Posts
    321 Views
    S

    oh ok. Thanks again

  • 0 Votes
    1 Posts
    78 Views
    No one has replied
  • Snort and system tunable net.inet.tcp.tso=0

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • error on snort with if_pppoe

    9
    0 Votes
    9 Posts
    882 Views
    bmeeksB

    Looks like Suricata's binary part will have the same issue as Snort. It is missing a match for the LINKTYPE_PPP_ETHER link type as well --

    The relevant code is within src/decode.h starting at line 1122,

    static inline void DecodeLinkLayer(ThreadVars *tv, DecodeThreadVars *dtv, const int datalink, Packet *p, const uint8_t *data, const uint32_t len) { /* call the decoder */ switch (datalink) { case LINKTYPE_ETHERNET: DecodeEthernet(tv, dtv, p, data, len); break; case LINKTYPE_LINUX_SLL: DecodeSll(tv, dtv, p, data, len); break; case LINKTYPE_PPP: DecodePPP(tv, dtv, p, data, len); break; case LINKTYPE_RAW: case LINKTYPE_GRE_OVER_IP: DecodeRaw(tv, dtv, p, data, len); break; case LINKTYPE_NULL: DecodeNull(tv, dtv, p, data, len); break; case LINKTYPE_CISCO_HDLC: DecodeCHDLC(tv, dtv, p, data, len); break; default: SCLogError("datalink type " "%" PRId32 " not yet supported", datalink); break; } }

    An edit like the one below will probably work (again, as with Snort, if the raw PPP data is the same in the two link types) --

    static inline void DecodeLinkLayer(ThreadVars *tv, DecodeThreadVars *dtv, const int datalink, Packet *p, const uint8_t *data, const uint32_t len) { /* call the decoder */ switch (datalink) { case LINKTYPE_ETHERNET: DecodeEthernet(tv, dtv, p, data, len); break; case LINKTYPE_LINUX_SLL: DecodeSll(tv, dtv, p, data, len); break; case LINKTYPE_PPP: case LINKTYPE_PPP_ETHER: DecodePPP(tv, dtv, p, data, len); break; case LINKTYPE_RAW: case LINKTYPE_GRE_OVER_IP: DecodeRaw(tv, dtv, p, data, len); break; case LINKTYPE_NULL: DecodeNull(tv, dtv, p, data, len); break; case LINKTYPE_CISCO_HDLC: DecodeCHDLC(tv, dtv, p, data, len); break; default: SCLogError("datalink type " "%" PRId32 " not yet supported", datalink); break; } }
  • Project ssl bumping for suricata

    1
    0 Votes
    1 Posts
    142 Views
    No one has replied
  • 12 Votes
    29 Posts
    7k Views
    JonathanLeeJ

    @bmeeks your code is epic !!

  • How to get Suricata Alert logs to display correctly in Graylog Dashboard?

    4
    0 Votes
    4 Posts
    518 Views
    bmeeksB

    I do not personally use either, although I did once, several years ago, toy with an ELK setup. It was installed on a separate VM in my case.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.