• Barnyard2 and MariaDB

    0 Votes
    68 Posts
    6k Views
    @bmeeks One more thing I want to share: I found a way to cross-compile rather than use emulation. I saw a 6x speedup in build time. See my notes here.
  • 0 Votes
    10 Posts
    1k Views
    @bmeeks said in I am confusion...IDS inline on single WAN running an OpenVPN server which is LAN: Go Google "FreeBSD netmap device" and that should begin to answer your questions. You can also research in detail how OpenVPN creates its hooks into the FreeBSD networking kernel stack. pfSense is your "origination" and "endpoint" for VPN connections to/from your LAN. Traffic flowing in and out of the physical LAN interface is unencrypted, so the IDS can inspect it.

    @NollipfSense said in I am confusion...IDS inline on single WAN running an OpenVPN server which is LAN: https://www.unix.com/man-page/freebsd/4/netmap/

    Thank you guys so much for pointing me in the right direction; netmap is what I needed to dig into a bit to really understand this. I did not understand what it was doing in the system and you guys sent me down a very, very interesting rabbit hole. Let me add a couple of links to this thread (which is already popping up in my Google bubble for the search "freebsd netmap device openvpn"). This is the original paper from the guy who wrote netmap, Luigi Rizzo, an Italian IT professor; it goes into detail about how it works and how it does its pipes, and it answered a lot of my questions: netmap: a novel framework for fast packet I/O

    "At a very high level, when a program requests to put an interface in netmap mode, the NIC is partially disconnected (see Figure 3) from the host protocol stack. The program gains the ability to exchange packets with the NIC and (separately) with the host stack, through circular queues of buffers (netmap rings) implemented in shared memory."

    So specifically about Suricata: it does support netmap devices. So out of the box in inline mode, if your network device has netmap capabilities, packets are gonna get from the NIC to Suricata via the netmap magic (TX and RX rings, operating in shared memory). Am I getting this right?

    Specifically about OpenVPN, another chapter should be opened because it comes with its own way to implement things. It should be noted here that OpenVPN does stuff in user mode and has its own hooks to get the encrypted packets coming in from the stack, authenticate/decrypt/(de)compress them and then give 'em back to the stack. I haven't dug deep into it (yet), so thank you for clearing the air for me and allowing me to go further, much appreciated. If we were to consider the other main VPN implementation, IPsec/IKE, then IPsec is already happening in the kernel and only IKE is happening in user mode, so it has different piping to encrypt/decrypt the packets while talking with the stack/netmap, so the two will probably end up having the packets follow very different routes in a netmap system.

    I'm also a Linux guy and the tools to observe your own system are slightly different, so doing this on BSD is extremely difficult for me; I've got an added learning curve, but it's exactly the learning experience I want because I'm really liking pfSense. Plus, my VPS pfSense box deployed in the wild is working like a charm. The IDS rules are easier to tackle than I expected; given my setup I only really block scans and known bad hosts since all my potentially vulnerable services are accessible only via VPN, so that's probably why. Monitoring an actual active webserver is probably a very different task.
  • My suppress list and Sid mgmt are not working

    0 Votes
    4 Posts
    617 Views
    bmeeks
    @seantree said in My suppress list and Sid mgmt are not working: Hi Bmeeks, You are right! There is a duplicated process. I have killed that zombie and everything is good so far. Thank you very much!

    Glad you got it sorted out. That duplicate process thing happens occasionally to some folks. Both the package maintainer before me and I have tried to stop it from happening, but neither of us has had 100% success. It has to do with the mechanism inside the pfSense plumbing that sends a "restart all packages" command every time certain things occur on interfaces. When these triggers occur multiple times in quick succession, multiple copies of Snort can get started.
  • Taming the beasts… aka suricata blueprint

    2 Votes
    504 Posts
    344k Views
    @shred Yup, I've been there; I also got confused about that. But that rule is to block other interfaces from accessing the management port. Some of the links or pictures in this guide were not retrieved when Netgate upgraded their forum.
  • Suricata Inline and Traffic Shaping

    0 Votes
    2 Posts
    418 Views
    bmeeks
    Running Suricata with Inline IPS Mode automatically activates the FreeBSD netmap device. Using the netmap device seems to break things like traffic shaping and bandwidth recording. These are all issues within FreeBSD itself and are not directly related to pfSense nor Suricata. Unfortunately netmap is not a 100% mature technology on FreeBSD and thus has some warts. If shaping and bandwidth monitoring are important to you, you should switch over to Legacy Mode blocking. On the other hand, if those things are something you can do without, then Inline IPS Mode offers several benefits when compared to Legacy Mode blocking.
  • Barnyard2 can't connect to remote mysql

    0 Votes
    5 Posts
    896 Views
    I see. I will stop using Barnyard2.
  • 0 Votes
    3 Posts
    1k Views
    I was bitten by this bug as well: https://forum.netgate.com/topic/145455/barnyard2-can-t-connect-to-remote-mysql What database do you use? MariaDB or MySQL? I tried both on my Fedora box (outside of pfSense). They both failed.
  • Snort running on SG-1100 randomly stops working

    0 Votes
    13 Posts
    2k Views
    @bmeeks Thanks! I will try some of your suggestions. I think I am going to adjust the IPS policy to Connectivity. I am very happy with the SG-1100. It's perfect for a home firewall application. Another observation: I rebooted my firewall this morning and noticed the memory usage drop from 66% down to 31%. I am going to monitor it to see if it creeps back up.
  • Surricata upgrading not completing

    0 Votes
    2 Posts
    308 Views
    bmeeks
    Are you sure you have connectivity to the AWS infrastructure where the Snort rules are hosted? Are you running any other package such as pfBlockerNG with DNSBL? Sometimes in the past the IP space where the Snort rules are hosted has wound up on somebody's "bad IP space" list. How long have you waited for the download to complete? Depending on your Internet connectivity and how busy the pathway is between you and the site, it could take several minutes for the rules to download. Finally, are you using a RAM Disk? If so, you need at least 256 MB of free space in /tmp for rules downloads to succeed.
  • Suricata Getting Updates

    0 Votes
    21 Posts
    2k Views
    bmeeks
    @NollipfSense said in Suricata Getting Updates: @bmeeks Hi Bill, just a note to update you that I had gotten the Akitio Thunderbolt 2 PCIe enclosure and added the Intel i350 NIC I had... now running Suricata inline mode on the Mac Mini server converted to a pfSense box, no problem... persistence is the key to success! During this process, I learned that it was Intel in collaboration with Apple who had created the Thunderbolt interface; so, intuitively, the interface would work with Intel's NIC. I am one happy camper here!

    I confess to being rather surprised the Intel NIC in the Thunderbolt interface worked. Apple is not known for being big on interoperability with other vendors.
  • Snort v4.0_4 Package Update -- Release Notes

    1 Votes
    1 Posts
    181 Views
    No one has replied
  • Suricata v4.1.4_5 Package Update -- Release Notes

    2 Votes
    1 Posts
    180 Views
    No one has replied
  • Suricata Parse Error (solved)

    0 Votes
    2 Posts
    775 Views
    NollipfSense
    @NollipfSense said in Suricata Parse Error: <Error> -- [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing defrag.memcap from conf file - <Error> -- [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing defrag.memcap from conf file - 33,554,432. Killing engine.

    Well, this is a little embarrassing; however, I got the issue fixed and it's right here (33,554,432)... it should have been 33554432. Suricata now runs in inline mode.
  • Suircata Throughput

    0 Votes
    3 Posts
    447 Views
    bmeeks
    Like user @ekke mentioned, if you are sensible about the rules you enable then you can achieve your target throughput. If you enable every rule category, then "no", you won't achieve your target throughput. By "sensible" I mean things like not enabling rules that inspect for issues that will not be a threat to your environment. For example, if you do not have Internet-facing and public DNS and mail servers, then there is no need to run any rules that scan for threats targeting mail or DNS servers. If you do not have Internet-facing and public web servers, then you don't need any web server rules. There are other cases, too, where some threats may not be a problem in your network environment. One thing you will have to do with that many cores is bump up the Stream Memcap parameter. Here is a link to an older thread on the subject: https://forum.netgate.com/topic/124850/suricata-fails-to-start.
  • 0 Votes
    4 Posts
    5k Views
    jimp
    At the hypervisor level, running in promiscuous mode allows the VM to see traffic not destined for its MAC address. The most common use cases for this are:

        HA - It's required for CARP to function.
        L2 Bridging - Otherwise traffic for non-firewall hosts will be dropped as they have different MAC addresses.

    It's not necessary for packet captures or an IDS. That's promiscuous mode of the interface at the OS level, not in the hypervisor.
  • Limiting simultaneous SMTP connections

    0 Votes
    2 Posts
    351 Views
    Gertjan
    Hi, A little hammering on a mail server isn't necessarily a bad thing. It helps to keep you, and itself, in shape. I'm not running a mail server behind pfSense myself; I hide it behind an empty iptables firewall (really: true, it's empty when the machine starts). I'm using the world-famous fail2ban to scan the mail server log file, and when fail2ban finds suspicious actions like rejected mail connections, it will load the IP into the firewall for some time. This is the result: blocking some 5k IPs right now, and counting. It will be holiday soon, so some new scores will be reached in a week or so. fail2ban scans all log files of all server-type applications, from SSH to mail to web server and some others. Blocking suspicious IPs was solved a decade or two ago. Just let the tools work for you ^^ Btw: setting up the tools is one thing. You, as an admin, have to read => yep, read! - the logs to look for new behavior, and if you find some, add new filters for it. It's a never-ending story. Life is hard when you don't (know how to) script.
  • WAN traffic graph not showing outbound traffic

    Moved
    0 Votes
    11 Posts
    2k Views
    @bmeeks Thanks for the insight.
  • Reopening: Suricata inline mode hides outbound traffic graphs

    0 Votes
    1 Posts
    135 Views
    No one has replied
  • 0 Votes
    8 Posts
    4k Views
    bmeeks
    @oldrik said in Setup and configure snort on pfsense to detect an intrusion detection attempts within a LAN: @kiokoman Please, if I understand correctly, does it mean that Snort can't actually alert on and block an attack such as a portscan performed by a user on a LAN network against another user on the same LAN? If that is the case, how can Snort be configured to alert on and block a user on a LAN from another user on the same LAN who performs an attack such as a portscan? Thanks in advance.

    Snort runs on the firewall. The firewall is not in the traffic path if two machines on the same LAN talk to each other. Only the LAN switch is in that pathway. The only time the firewall can see traffic from a LAN client is when that client is communicating with an IP address that is NOT part of the LAN. That would be a different LAN subnet where the firewall is the route to the different subnet, or some host out on the Internet (which means the traffic is traversing the WAN interface). So since Snort would not see one LAN client port scanning another LAN client (in the same subnet), it can't do anything about it. If you wanted to monitor traffic between LAN hosts on the same network, then you will need a managed switch that provides a span port (or port mirroring). You would then configure mirroring on the switch and set up a separate installation of Snort on, say, a Linux host on the LAN and connect that host to the span port on the switch. Only then could Snort on the Linux host see traffic between other LAN hosts.
  • Suricata - Block on drop not being respected for certain rules

    0 Votes
    4 Posts
    454 Views
    bmeeks
    @karel said in Suricata - Block on drop not being respected for certain rules: I was able to reproduce this every time. I've just suppressed those alerts for now.

    Thanks for the feedback. I will see about reproducing this in my test virtual machines and look for a cause. Might be something within the binary itself. It will be a few days before I have time for the testing, though.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.