IDS/IPS

• B

  Configuring pfSense/netmap for Suricata Inline IPS mode on em/igb interfaces
  • boobletins  

  1
  4
  Votes
  1
  Posts
  894
  Views

  No one has replied

• 

  Quick Snort Setup Instructions for New Users
  • bmeeks  

  147
  1
  Votes
  147
  Posts
  194542
  Views

  

  @qinn, it depends totally on which precise rules are enabled and what the traffic on your network actually consists of. The goal in IDS/IPS is to get no or very few alerts and blocks. That means your network is relatively secure and clients are following the rules ... . I don't mean that to say you should never get alerts, though. Just that you don't want to be receiving hundreds per hour. Once blocking is enabled that might drive you crazy as an admin. Within the IPS Polices, the Snort team has selected rules that provide security without a ton of false positive alerts.
• 

  How Automatic SID Management and User Rule Overrides Work in Snort and Suricata
  • bmeeks  

  4
  2
  Votes
  4
  Posts
  2756
  Views

  

  @cyberzeus said in How Automatic SID Management and User Rule Overrides Work in Snort and Suricata: bmeeks - I found the following link that describes what is included in each of the 3 IPS policies.  Note there is a 4th policy - MaxDetect.  Do you know if there are any plans to implement this in the Snort package for pfSense? https://www.snort.org/documents/215 Replying to an old thread, but the answer is "yes". The new MaxDetect policy is now present and selectable in the Snort and Suricata packages. Just remember that the Snort folks recommend enabling that only for testing purposes! It is most definitely not recommended for a production network. It will generate a lot of false positives!
• 

  About Pass Lists in Suricata
  • bmeeks  

  3
  0
  Votes
  3
  Posts
  4014
  Views

  

  @dcol: Great post, thanks. Using Inline Suricata 4.0.0_1. Works Great Can you, or someone, please post an example of a pass rule that would always pass an IP in Inline mode. I want to use it for my remote IP when I make changes to rules so I do not inadvertently block myself. How about this example? pass tcp 1.2.3.4 any -> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;) Would this rule allow IP 1.2.3.4 to not ever be dropped by Suricata using Inline mode? Yes, this would let traffic pass without blocking whenever the SOURCE IP was 1.2.3.4.  It would not prevent a block from happening if the IP 1.2.3.4 was the DESTINATION IP.  If you want to prevent IP 1.2.3.4 from getting blocked no matter the flow direction, use this rule instead: pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;) Notice the direction symbol is "<>" which stands for "any" as opposed to "->" which signifies a specific direction (from 1.2.3.4 to any other IP).  So the version I posted using "<>" would mimic the old Legacy Mode Pass List operation whereby IP address 1.2.3.4 would never get blocked.
• 

  Important Info About Passlists with Suricata Inline IPS Mode
  • bmeeks  

  2
  0
  Votes
  2
  Posts
  1110
  Views

  T

  For those looking to create their own rules, the "sid:1000006;" part of the example is NOT a reference to an existing SID. It needs to be a unique number otherwise Suricata won't load the rule. To whitelist for a rule for an IP, search for the SID in /usr/local/etc/suricata/suricata_(interface)/rules/suricata.rules. Duplicate the conditions like "flow:from_server,established; content:"403"; http_stat_code;" into the custom rule so it matches, like pass ip 192.168.1.22/32 80 <- any any (msg: "Pass List Entry - allow all traffic to/from 192.168.1.22/32"; flow:from_server,established; content:"403"; http_stat_code;sid:1000006;) Otherwise with only the IP address, port, and unique SID it will allow all traffic for that IP. Also note the directional (<-) only allows for two directions..."both" or "left."
• 

  About the New Block-on-Drops Only Option in Suricata 4.0.0
  • bmeeks  

  12
  0
  Votes
  12
  Posts
  3261
  Views

  

  @JasonAU: You put a lot of effort into this forum & Pfsense thank you! Seriously a lot of people would be lost without somebody doing the answering on the forum I’m having a lot of fun toying with this after work in my lab the only thing that I don’t currently understand is can I make some rules drop rather than block when I’m configured with: *Legacy mode not inline *Block on DROP only enabled *IPS Policy Security with ‘policy’ mode Snort Subscriber + ET Let’s say I like one of the rules FILE tracking GIF (1x1 pixel) from the files.rules category sounds like a good thing to help with privacy but the blocking action causes problems as often the IP that gets blocked is hosting other legitimate images in the page, Can I use SID Management to modify this rule to drop even when I have block on drop enabled? Your question leads me to believe you are misunderstanding a key piece of the puzzle.  There is no difference between DROP and BLOCK in Legacy Mode.  They are the same thing.  Both lead to the exact same result:  traffic from the offending IP address (the one that triggered the rule) is blocked by placing the SRC, DST or BOTH IP addresses from the offending packet into the snort2c pf firewall table.  After that, all further traffic from those IP addresses is blocked until the IP addresses are removed from the snort2c table.  Legacy Mode can't do what you want. The whole reason I created the new "Block-on-drops-only" option was so you can tailor rules actions to get the results you desire.  See, all rules by default from the rule set vendors come with the action set to ALERT.  With Legacy Mode Blocking, and before the new "Block-on-drops-only" option was added, any alert also generated a corresponding block.  It was an all or nothing arrangement.  When you enabled blocking, any rule that generated an alert would also cause a block.  With the new "Block-on-drops-only" option, I added some extra intelligence within the custom blocking module so that it could look at the rule action (ALERT or DROP) of the triggered rule and take the action specified.  So if the rule says ALERT, then only an alert is generated but no block is created.  If the rule says DROP, then both an alert and a block are generated. SID MGMT has options that allow you alter rule actions from the default value of ALERT.  So now you can pick and choose which rules you want to just alert and which you want to drop (or block traffic).  This new "Block-on-drops-only" option was born out of the way the Inline IPS mode operates.  With Inline IPS Mode, you must specifically change rule actions to DROP in order to drop or block traffic.  You could also leave some rules with the default ALERT action and those rules would generate alerts but would not block or drop traffic.  That's the way most commercial proprietary Intrusion Prevention Systems operate.  So I thought it would be useful to port that same functionality (the choice of ALERT or DROP) over to Legacy Mode operation.  Hence the new "Block-on-drops-only" option. I still don't won't folks to confuse Legacy Mode's use of DROP with the way IPS Mode works, though.  In Legacy Mode, even though I'm using the term "drop", the actual blocking of traffic is done the old way using libpcap to get copies of every packet traversing the interface, and when a rule fires to create a block, the IP addresses from the offending packet are copied to the snort2c table in pf to implement a firewall block.  So when I say "drop" in the context of Legacy Mode and the new "Block-on-drops-only" option, I really mean that only rules with DROP as the action will add the offender's IP address to the snort2c table.  The "drop" is really still the old fashioned block.  With Inline IPS Mode, the snort2c table is not used at all.  There is another Sticky Post here on the forum that describes the difference between Legacy Mode and Inline IPS Mode. Read both of the Sticky Posts in this forum about Passlists and Suricata.  Each of them also contains some key points about blocks, drops and Legacy vs Inline IPS modes. Bill
• 

  Using Snort VRT Rules With Suricata and Keeping Them Updated
  • bmeeks  

  6
  1
  Votes
  6
  Posts
  10241
  Views

  B

  @osrron said in Using Snort VRT Rules With Suricata and Keeping Them Updated: Question for you Bill. Can Suricata use the Snort 3.0 rules? Thanks in advance. Thank you for all of you hard work on these packages. In case someone else stumbles on this pinned post. You can enable Snort3 rules with Suricata and it may seem like they are enabled, but a look at the logs will reveal that almost none of the Snort3 rules are valid for Suricata: With Snort3 (+ET) rules file: 3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. 16107 rules successfully loaded, 12873 rules failed With Snort2 (+ET) rules file: 3/12/2018 -- 18:59:44 - <Info> -- 2 rule files processed. 26848 rules successfully loaded, 2132 rules failed With just ET Suricata rules: 3/12/2018 -- 19:01:22 - <Info> -- 2 rule files processed. 16087 rules successfully loaded, 2077 rules failed Most of the failures come from ET's Suricata rules. Most of the failures are a result of missing references (eg "md5") which are in the ET rules but not in the reference files after processing by pfSense's Suricata package.
• K

  Best rules to best protection in WAN and LAN Interface
  • koko_adams  

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  For someone new to an IDS/IPS, here is my recommendation. Configure Snort on your LAN interface only. There is generally no extra security obtained by putting an instance on your WAN as the WAN, by default in pfSense, drops all unsolicited inbound traffic anyway. Do NOT configure blocking at first. Just use the default IDS (detection-only) mode for at least two weeks and potentially a month so you can see what alerts happen on your network. This lets you investigate and weed out false positives without getting frustrated because things get blocked. Register for either a free or paid ($29.99/year for paid) Snort Subscriber Rules Oinkcode. There is link for that on the GLOBAL SETTINGS tab when you click the checkbox to enable the Snort Subscriber Rules. For convenience, here is another copy of the link: https://www.snort.org/products#rule_subscriptions. Edit the LAN interface in Snort and go to the CATEGORIES tab. Check the box to use an IPS Policy and then choose IPS-Connectivity in the drop-down selector. This is an excellent starter policy that offers very good protection with hardly any false positives. Save the change then start Snort on the LAN interface (or restart it if it was already running). Sit back and study the alerts you receive by periodically reviewing the ALERTS tab. It is likely you will get some false positive alerts from the HTTP_INSPECT preprocessor rules. Here is a link to an older thread about Suppression Lists and using the SID MGMT tab to control false positives: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf. After you get the rule set tuned up, you can go back and enable blocking mode. If things are smooth, then you can bump up your IPS Policy to IPS-Balanced and see how that works for you. I do not recommend folks use the IPS-Security policy as that one enables a bunch of extra rules that are highly prone to false positives (especially in home networks). You can also choose to start using some of the free Emerging Threats rule categories by going back to the GLOBAL SETTINGS tab and enabling the Emerging Threats Open rules. You would then add those rule categories to your ruleset back on the CATEGORIES tab for your LAN interface.
• K

  'SURICATA STREAM pkt seen on wrong thread' when using workers run mode
  • karel  

  2
  0
  Votes
  2
  Posts
  24
  Views

  

  Hmm... that sounds like something you might want to ask the upstream Suricata team. I'm not sure of its significance. The Suricata bug reporting/issues site is here: https://redmine.openinfosecfoundation.org/projects/suricata. When giving them your configuration, tell them you are using inline IPS mode with netmap on FreeBSD. If you are on pfSense 2.4.x, then the FreeBSD version is 11.2; if you are using pfSense-2.5-DEVEL, then the FreeBSD version is 12.0.
• 

  Snort v3.2.9.8_5 - Release Notes
  • bmeeks  

  1
  0
  Votes
  1
  Posts
  34
  Views

  No one has replied

• N

  Suricata 4.1.3 is available at freshports
  • NRgia  

  3
  0
  Votes
  3
  Posts
  35
  Views

  N

  @bmeeks Thank you for the info and support
• P

  snort does not block
  • pooperman  

  5
  0
  Votes
  5
  Posts
  24
  Views

  P

  @bmeeks thanks a lot!
• K

  False Positive?
  • kiekar  

  4
  0
  Votes
  4
  Posts
  46
  Views

  K

  Thank you both for your input. Yes this will be a huge learning curve for me. I will keep on analyzing.
• P

  Snort could not resolve host
  • phantonuser  

  2
  0
  Votes
  2
  Posts
  40
  Views

  

  Did you try to force the rules update again manually? This is likely a temporary error on your end with DNS name resolution. My Snort rules updated just fine on March 13th. If it is still failing to update for you, then you need to investigate the DNS settings on your firewall.
• R

  Limit what Snort listens to
  • realityman_  

  5
  0
  Votes
  5
  Posts
  97
  Views

  R

  I'll probably just run anti-malware then and front everything in the DMZ with a WAF. I already have it behind NGINX and cloudflare. Thanks for the help!
• L

  Still seeing suricata stop an interface due to .pid error
  • lohphat  

  38
  0
  Votes
  38
  Posts
  1760
  Views

  V

  @bmeeks said in Still seeing suricata stop an interface due to .pid error: @val said in Still seeing suricata stop an interface due to .pid error: @bmeeks PM you the log file....it's way to big to post here. Thanks bmeeks. I looked through you log file. What version of the Snort Rules Snapshot file are you using? You should be using only rules packages for Snort 2.9.x if you are running Snort rules with Suricata. Your file name should be snortrules-snapshot-29120.tar.gz. Do not use the Snort3 rules (that means do not use any Snort rules file with 3 in the name). You should not be seeing those "unknown reference" error messages. The only time I've noticed those is when the user has downloaded the rules meant for use only with the new Snort3 beta package from the Snort team. Hi bmeeks I have since moved away from suricata backon Snort for now, my internet connection it's through an PPPoE connection so from my understanding suricata doesn't play well with PPPoE. I have tried few difference thing all result the same suricata still kill it self and wouldn't start again til I delete the pid file. Thanks for all the help.
• P

  Snort intermittently seems to crash, trying to find why
  • pftdm007  

  2
  0
  Votes
  2
  Posts
  30
  Views

  

  pfSense uses a circular logging package (clog) that automatically overwrites old entries. You can configure a length for the clog, but once the circle starts over again you can't recover overwritten entries. If Snort is crashing, then something will get written to the system log. I've run Snort continuously for years on my firewall with no crash of any kind. In fact, the only time it stops is during a firewall software upgrade. One issue that can happen is a rule update might contain a syntax error. This has happened in the past with some rules. When restarting after a rules archive update, if Snort encounters a rule syntax error, it will abort startup. So if you use a ton of rules, then you could get hit with this issue. But something like that would be logged in the firewall's system log. How often do you check on your firewall and the logs? I would recommend at least once per day if your network security is important. I don't enable and use every single Snort rule, so I've never been bitten by the "bad syntax" thing I described. My guess for you, is that you were bitten by one of the bad syntax rules and you just didn't notice until after a significant amount of time had passed that Snort had failed to start back up after the rules update. Unless your firewall is logging a ton of stuff to the system log, I would expect events to stay visible for at least two days. I have my log set for 250 GUI entries and I am currently seeing events from 3 days ago.
• S

  Snort not starting on pfsense 2.4.4 release p1
  • smrehan00  

  5
  0
  Votes
  5
  Posts
  82
  Views

  N

  If you can't figure out how !any got there, i'd be tempted to remove snort after unticking Keep Snort Settings After Deinstal then do a re install. I'd follow these steps to configure snort as written by @bmeeks who maintains the snort package. https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/147
• I

  Suricata Inline Mode Not Blocking
  • iamnos  

  2
  0
  Votes
  2
  Posts
  94
  Views

  

  Netmap is not likely to play very well with a transparent firewall bridge setup, especially with the way netmap is currently implemented within Suricata. Some improvements are planned upstream for netmap, but there is not yet a timetable for their release. Also note that Suricata will not work properly with a PPPoE type interface. I mention that because that is a popular type of setup for a WAN. The most popular is DHCP, but there are lots of PPPoE connections. The least popular setup is a static IP on the WAN. If you want to continue with the transparent firewall arrangement, I recommend you use Legacy Mode blocking.
• A

  How to grant a snort port permission?
  • AYKUTYILDIZ  

  2
  0
  Votes
  2
  Posts
  54
  Views

  

  I am a little confused with this part of your question: the people I get support do not use static ip so I can ignore the requests coming to the port as I choose where and how to write a rule. I suspect English is perhaps a second language for you, and as a native English speaker, I'm having trouble following your chain of thought. Do you mean that your VoIP provider's endpoint server has a dynamic IP address or do you mean your end of the connection has a dynamic IP address? If you are dealing with a dynamic IP address, then preventing a block by IP is not possible. Snort can't deal with changing IP addresses within a Pass List. Why don't you just disable the Snort rule that is causing the block? You can do that on the ALERTS tab.
• P

  Snort showing date in wrong format
  • phantonuser  

  1
  0
  Votes
  1
  Posts
  45
  Views

  No one has replied

• M

  Cant enable Suricata on all interfaces
  • msf2000  

  4
  0
  Votes
  4
  Posts
  128
  Views

  

  @msf2000 said in Cant enable Suricata on all interfaces: That is so ridiculous. Snort listens on a physical interface, irrespective of VLANs. Why can't Suricata? So run Snort instead of Suricata if it works better for your situation. The two are fundamentally the same thing.
• F

  DNS queries redirect to pfSense for Snort blocking
  • francescocarza  

  20
  0
  Votes
  20
  Posts
  299
  Views

  F

  Thanks everybody for the replies! I understand it's not Snort's job to resolve the domain and I don't have any problem with seeing these kinds of alerts. However I would have at least expected it would be able to show me which domain is being looked up, moreover once the communication is established (e.g. someone visits the website or downloads something from it) Snort would kill that state and put the IP in the blacklist.
• K

  How to send Snort alert logs to Graylog without Barnyard2?
  • karel  

  11
  0
  Votes
  11
  Posts
  670
  Views

  P

  @bmeeks said in How to send Snort alert logs to Graylog without Barnyard2?: @rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?: Filebeat is the best option... but.. how to install the filebeats in pfsense? https://www.elastic.co/downloads/beats/filebeat Convert packet .deb/rmp in pkg? Use .tar.gz? No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues. It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding). @bmeeks There is an official beats package for pfsense. http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/
• M

  Suricata restart after failure
  • mind12  

  12
  0
  Votes
  12
  Posts
  261
  Views

  M

  Ok, I'm fine with this netmap setup. I have been using it since you had posted that Inline mode is available.
• T

  Problems disabling payload in suricata json.eve alert logs?
  • tc  

  2
  0
  Votes
  2
  Posts
  85
  Views

  

  @tc said in Problems disabling payload in suricata json.eve alert logs?: Hi. I'm sending Suricata logs over syslog to an ELK-stack, but I get some truncated lines in the syslog stream. One of the loglines that get truncated are unfortunately the alert-message, so I tried to disable the payload part of the message to shorten it. But the payload is still in the output even if I uncheck the Log a packet dump with alerts checkbox. Looking at the suricata.yaml payload: yes is set in the alert section regardless of the checkbox. Is this a bug in the config generator from the GUI, or have I misunderstood what the checkbox is used for? Btw. has anyone looked at extending the syslog message limit? I'm running Suricata 4.1.2_3. /TC Yes, this is a bug in the code that generates the YAML configuration file. I have logged it to be fixed in my internal tracker, but feel free to also log a bug on the Redmine Bug site for pfSense if you wish.
• T

  Suppress List is defined for this interface, but it could not be found!
  • tnedor  

  3
  0
  Votes
  3
  Posts
  1637
  Views

  T

  This worked for me, but I had to go through the additional step of assigning my new list to the interface that was generating the error (LAN in my case). I went to Services, Snort, Interfaces, edited the interface, scrolled down to "Choose a Suppression or Filter List (Optional) and added my newly created list then clicked Save.
• S

  Inline IPS to block students from using VPN in educational subnet
  • swmspam  

  6
  0
  Votes
  6
  Posts
  171
  Views

  

  @swmspam said in Inline IPS to block students from using VPN in educational subnet: bmeeks, I agree that writing some new rules for purposefully sneaky VPN clients would be useful to the community at large, especially for administrators struggling with middle schoolers and educational subnets. I'm starting by reading up on forum posts of detecting OpenVPN using Snort (including posts on this forum). It doesn't look very promising because OpenVPN can wrap itself in HTTPS or other legitimate protocols. This is why I seldom favor or recommend using technical solutions to police what is fundamentally a problem of discipline and personal responsibility when it comes to Internet usage policy. As you see with this VPN client, the technical challenges are tough if you depend solely on technically preventing the software from functioning. On the disciplinary side, though, you generally only have to cut off one person's head in order to get the full attention of the rest of the crowd --- LOL. Okay, just a little bit of hyperbole there, and I'm certainly not suggesting cutting off the head of a middle schooler; but some strong disciplinary action on a few can many times convince the remainder that it's not worth taking a chance participating with the banned activity.
• A

  Suricata log files are filling the disk.
  • Assar  

  8
  0
  Votes
  8
  Posts
  183
  Views

  A

  Contrary to my last answer. As time flies away, it might have been before Jan 18 so this issue may be fixed. I'll test again later.
• R

  Are Xeon chips (example 5160 3GHz) good for IDS/IPS vs I3 or i5
  • rcmpayne  

  4
  0
  Votes
  4
  Posts
  118
  Views

  

  CPU clock speed is going to be most important. Snort 2.9.x is single-threaded, thus it can't do much with multiple cores. Suricata is multi-threaded and supports multiple cores, but a number of independent tests of its multi-core multi-thread performance don't indicate huge gains across the board (at least not what most folks would expect). One thing to consider with high core count processors (if you use Suricata) is the need for larger amounts of RAM. Suricata bases its initial TCP Stream memory buffer setups on the number of CPU cores. So, for example, with an 8-core CPU, Suricata will usually fail to start and throw a Stream Memcap memory error with the default package configuration. You have to greatly increase the Stream Memcap settings with high core count CPUs. There are some threads about that here in the IDS/IPS sub-forum. For home use, any dual-core or quad-core CPU is plenty of horsepower. I would suggest 2.5 GHz or higher for the clock speed. Higher is better of course better.
• V

  Suricata Barnyard2 Remote Syslog. Broken?
  • vbman213  

  2
  0
  Votes
  2
  Posts
  95
  Views

  

  @vbman213 said in Suricata Barnyard2 Remote Syslog. Broken?: I'm trying to push Suricata alert logs to a remote syslog server. Barnyard2 doesn't seem to be working. The only way I can get Suricata alerts to the remote server is to configure Suricata to write to the local system log and then forward the local system log to the remote syslog server. Any ideas? Is Barnyard2 broken? Barnyard2 is slowly dying on the vine as the FreeBSD port has not been materially updated in several years. However, it should still run with Suricata and pfSense. Are you sure Barnyard2 is actually starting on the interface? Are there any messages in the pfSense system log relating to Barnyard2?
• A

  Finding internal IP causing block
  • andrewhancock91  

  14
  0
  Votes
  14
  Posts
  287
  Views

  N

  pfBlocker trying to resolve a host that i've blocked
• D

  Pfsense 1100 and Suricata Does not work.
  • darkzero99  

  2
  0
  Votes
  2
  Posts
  109
  Views

  

  @darkzero99 said in Pfsense 1100 and Suricata Does not work.: Suricata does not start on the Pfsense 1100. I used pfsense with suricata before. on other systems. I just can't get it to work on the 1100. Any help would be great. There is no useful troubleshooting information in your post. Have you checked both the pfSense system log and the suricata.log (available via the LOGS VIEW tab) to see if any error messages have been recorded? Your post is the equivalent of me telling you "I got in my car and it won't go. Any help would be great". To help you, we need some tangible information about any error messages being logged and what exact configuration you are trying to use.
• H

  Snort - Whitelist IP from specific rules?
  • Hossius  

  8
  0
  Votes
  8
  Posts
  129
  Views

  

  You also have multiple options for using a Suppress List entry. You can suppress a rule entirely for all IP addresses, or you can selectively suppress the rule based on either SOURCE or DESTINATION IP address in the packet. Hover over the little plus sign (+) icons by each alert on the ALERTS tab to see the options (they will appear in a tooltip pop-up).
• K

  Snort too old for the latest rule sets, fails to run
  • KimmoJ  

  1
  0
  Votes
  1
  Posts
  74
  Views

  No one has replied

• I

  disabled and suppressed alerts to not show in the log tab view
  • itsupport1212121  

  6
  0
  Votes
  6
  Posts
  179
  Views

  

  @itsupport1212121 I don't currently have an open Suricata session in front of me, but from memory the settings let you select a maximum size for the packet log in megabytes and a limit on the number of captured packets. So the actual disk consumption is determined by the size of each packet (typically 1500 bytes) and how many packets you save. The log size limit is like an override that prevents the log from growing too large. All log data lives in /var/log/suricata and then in a sub-directory underneath for each configured interface. The sub-directory will be named with the physical interface name combined with a random GUID.
• Z

  WAN interface keeps dropping out of snort
  • Zermus  

  6
  0
  Votes
  6
  Posts
  142
  Views

  

  @zermus said in WAN interface keeps dropping out of snort: Years of using pfSense I would normally tend to agree with you, but that's the case. Under Snort Interfaces, if I use a heavy ruleset, it just somehow deletes itself out. There is no HA/Sync in this setup, it's a standalone box. The interface doesn't PHYSICALLY DISAPPEAR of course (I'm literally imagining a ghost going in and stealing my Intel NIC out of the box here), but it's dropping out of Snort Interfaces, exactly like someone goes in and deletes the WAN interface from Snort where I have to re-set it all back up again. The only correlation I can find is using a heavy rulset, which in the past was never a problem up until recently. I'm not sure how recent because I just noticed my WAN interface was missing about a week ago when I normally never had a need to go in there and check it. I'm not sure how it would resort to a previous config, because when I set this box up about 2 years ago, setting up Snort on the WAN/LAN was one of the first things I did. I'm not disputing what you are seeing, but I see absolutely no failure mechanism of any kind within the GUI PHP code that could result in a Snort interface being deleted. Deleting an interface requires a manual action. Go to DIAGNOSTICS > BACKUP AND RESTORE in the pfSense menu and then click the Config History tab. Examine the history closely to see what you find. When Snort deletes an interface via user action, it logs a message in the config history. The only part of the PHP GUI code that can delete an interface resides within the INTERFACE SETTINGS tab, and that code will always log a config history message as well as log a message in the pfSense system log when it removes an interface.
• 

  Snort Blocking Host No Matter What
  • davetheriault  

  4
  0
  Votes
  4
  Posts
  137
  Views

  

  @davetheriault said in Snort Blocking Host No Matter What: Ya. I've tried 'removing' the individual entry in Blocked Hosts. And I have also tried the 'Clear - All blocked hosts will be removed' option each time I try to fix the issue. After I clear it from the Blocked Hosts table, I am able to visit the host with one successful page load, but it immediately get's re-added to the Blocked Hosts table by snort, and I can't continue or reload the page from that host, no matter what rules I have suppressed or pass lists I have created. I know of only two ways what you describe can physically happen. You are disabling the wrong rule (i.e., you are not disabling the rule that is actually firing) or else multiple rules are firing and you still haven't found them all; There is another duplicate Snort process running on the interface that is not responding to your rule changes. That can happen in rare circumstances. To see, run this command from a shell prompt on the firewall: ps -ax |grep snort You should see only a single Snort process listed for each configured interface. If you see more than one per interface, stop Snort in the GUI and then kill any remaining Snort processes from the command line shell. As for the Pass List "Snort_Pass_List" shown in your screen capture, do you have that list assigned to the Snort interface on the INTERFACE SETTINGS tab? There is a drop-down selector on that tab where you select the Pass List you want to use for the interface. Make sure "Snort_Pass_List" is selected, save the change, and then restart Snort on the interface. Using a custom Pass List is a two step process: (1) first create the list; and then (2) go to the INTERFACES SETTINGS tab and assign the list to the desired Snort interface.
• V

  Adding Suricata custom rules from external tools
  rules suricata dfir misp the hive • • vlabmichl  

  2
  0
  Votes
  2
  Posts
  130
  Views

  

  The Suricata GUI package on pfSense is designed to make the deployment of an IDS/IPS somewhat simpler for users new to such technology. If you are at an advanced level where you want to integrate with multiple other systems and construct on-the-fly rules using script tools, then you really should abandon the GUI part of the package and simply use the Suricata binary itself. You can do that by simply installing Suricata from FreeBSD ports. You are going to have to install all of the other scripting language dependencies from there anyway. I am not in favor of loading up the Suricata package with a ton of new dependencies when the vast majority of users would likely not need them for a basic IDS/IPS. I'm talking about things like Python, Go, (and heaven forbid one old suggestion even needed Java! Can you imagine the security holes your firewall would have with Java installed on it?). There is a Github site for all of the pfSense packages here. You are free to submit pull requests there. I usally am asked for my opinion, but the pfSense developers have final say in what is accepted into the package.
• L

  Numerous ET SCAN Potential SSH Scan OUTBOUND alerts. Is Pfsense infected?
  • lambro690  

  24
  0
  Votes
  24
  Posts
  1152
  Views

  S

  I'm having same issue with ntop .. .. seems to try ip's like 0.106.219.157... installed, reinstalled several times. ... anyone might know what is the issue?