• How to see the rules I disabled?

    2
    0 Votes
    2 Posts
    318 Views
    bmeeks
    All of them should be showing there, but it is possible the Suricata GUI code for displaying that tab option has the same bug I fixed earlier in the Snort GUI. I will need to check it out and see. The two packages share a ton of the same PHP GUI code. UPDATE: This was indeed the same bug as existed in the Snort code. I have submitted a fix for the pfSense developer team to approve and merge. Look for a new Suricata GUI package update to version 4.0.13_9 in the near future.
  • Snort 3 ipfw Multithreading Errors

    3
    0 Votes
    3 Posts
    920 Views
    bmeeks
    Here is an additional comment on Snort3 multithreading with ipfw. I copied this from the Snort Developer mailing list. The author is one of the Snort3 developers -- "I need to correct myself. There is a way to configure DAQ for multiple threads. Please refer to snort3 documentation section – DAQ Configuration and Modules. You will need to configure a separate port for each thread. Also, please note that snort3 doesn’t yet support load balancing internally."
  • block all in on wan and suricata

    2
    0 Votes
    2 Posts
    271 Views
    bmeeks
    It depends. Suricata would still be able to help police traffic going over established states. However, it is better to run an IDS/IPS such as Suricata or Snort on the firewall's internal interfaces (such as the LAN) rather than the WAN. This is especially true when NAT is being used. If you run the IDS/IPS on the WAN, all of your local addresses such as those on your LAN will show up in the alerts as having the firewall's public WAN IP address. That's not very helpful when trying to figure out which internal host is compromised or is the target of an external attack. Running the IDS/IPS on the LAN means the displayed addresses in alerts are the actual native local IP addresses (pre-NAT).
  • Suricata not generating alerts for PPPOE interface

    13
    0 Votes
    13 Posts
    3k Views
    bmeeks
    @logboss said in Suricata not generating alerts for PPPOE interface: Is there any way I can get around this? I need netmap. I've got a spare ethernet port, can I use 1 interface for PPPoE, DMZ an interface and put everything behind that? Something else? I suggest running Suricata on your LAN interface and not on the WAN interface (which I assume is the one using PPPoE). In the vast majority of situations, running the IDS/IPS on the LAN is actually better because that way all the IP addresses you see in alerts have already been NAT translated back to their actual LAN IP address space. This is useful when you are using NAT, which most folks do. The only time running Suricata on the WAN might be useful is if you have several open ports on the Internet-facing side. Again, most folks do not have open ports on their WAN. So running Suricata on the WAN provides no meaningful extra security. So in your case I recommend moving your Suricata instance over to your LAN interface and any other local interface like a DMZ and abandon running it on the WAN.
  • Change Snort's alert output.

    2
    0 Votes
    2 Posts
    321 Views
    bmeeks
    That "3" in the output is the Priority. The Snort implementation on pfSense uses the CSV output logging option of Snort to produce the alert log. The code within the GUI knows which CSV field is which in the alert log output. You can't add any additional text to the CSV output.
  • Snort Openappid not showing anything

    5
    0 Votes
    5 Posts
    1k Views
    bmeeks
    Yep, you will find that OpenAppID generates a lot of noise. I would suggest carefully pruning the rule categories so that you are seeing only the specific traffic types you want to eliminate. For example, maybe Facebook stuff in a corporate network. OpenAppID will generate a lot of log alerts and will tend to completely dominate the info on the ALERTS tab. Unfortunately there is no way within the Snort binary at present to have OpenAppID log to a separate log file so those alerts could be isolated from all the others.
  • php errors snort rules updating in 2.4.5 build

    Moved
    1
    0 Votes
    1 Posts
    211 Views
    No one has replied
  • Suricata disable fast output.

    4
    0 Votes
    4 Posts
    2k Views
    bmeeks
    Glad you figured out a novel solution. I am surprised that Suricata does not complain about the duplicate output sections in the suricata.yaml file, though. I've never investigated the parsing portion of the YAML code in the binary, so maybe it's the case that the last value read from the file is the one stored in the in-memory configuration array (overwriting any previous value for the same parameter). I would expect the ALERTS tab in your custom configuration to be blank and not showing any alerts. As I said in my earlier reply, the alerts.log file is how that tab gets populated in the GUI. You will still see any alerts in the other configured output logs, though, such as EVE.
  • 0 Votes
    3 Posts
    335 Views
    I
    Thanks.
  • Barnyard 2 mysql login failure

    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • Suricata - Netflow and Hiredis Support

    11
    0 Votes
    11 Posts
    3k Views
    S
    Hi, I am able to implement the Suricata-Redis architecture. Please let me know whether we can use the Redis Sentinel feature in the Suricata config block. My application will require Redis failover support, so if I can also configure Suricata with Redis Sentinel, that would be the best for me. Shubham
  • Netmap Alerts Gotten Worse With 2.4.4

    2
    0 Votes
    2 Posts
    367 Views
    NollipfSense
    It seems that the changes I made via the web browser weren't taking despite it saying so; however, when I made the changes (sysctl dev.netmap.buf_size:4096) at the shell on the machine itself, I haven't seen any more alerts. I'll keep my fingers crossed!
  • [Solved] Snort doesn't start after upgrade 3.2.9.6_1 -> 3.2.9.7_2

    4
    0 Votes
    4 Posts
    954 Views
    P
    Solved by upgrading to pfSense 2.4.4. Thank you
  • Detecting a Block Event in logs from Snort

    3
    0 Votes
    3 Posts
    1k Views
    G
    @bmeeks Thanks bmeeks. I agree that the alerts can be overwhelming. To that effect, I have a rule set up to put alert e-mails into a particular folder so they don't pummel my Inbox. This is something I wanted to set up for a few days, more of an observation than anything else. Thanks for taking the time to reply; your answer gave me a little better understanding of the architecture of pfSense.
  • 0 Votes
    3 Posts
    759 Views
    M
    At least, enable signature logging in Snort. Then, you'll see what blocking signatures (if any) are being blocked and could ignore/suppress those.
  • Snort Rules

    4
    0 Votes
    4 Posts
    886 Views
    bmeeks
    @siil-it So the Snort SO rules are the only ones that don't survive the SAVE operation? Do you have the latest Snort package version? That would be 3.2.9.7_2 if my memory serves me correctly. Might be a bug in the GUI code. Several changes have had to be made to the GUI source code in order to accommodate the move to PHP 7.2 in pfSense.
  • Snort Interface Which IP to Block ?

    6
    0 Votes
    6 Posts
    3k Views
    bmeeks
    @teamits is correct. The ALERTS tab will list SRC and DST addresses for detected alerts. He is also correct on which IP will show depending on the chosen interface on which to run Snort. I recommend running Snort on the LAN interface. That way you can see internal addresses before NAT rules are applied (in the case of outbound traffic) and after NAT rules are removed (in the case of inbound traffic from the Internet). On the WAN, all local IP addresses behind NAT will just show up as having your public WAN IP. That's not useful for tracking down which internal host has a problem. You should pretty much always let Snort block both SRC and DST IP addresses to be confident the bad traffic is stopped. Anti-virus software has no bearing on this. It detects different things and misses other things. For example, anti-virus software won't detect buffer overflows in your web browser or services. Basic anti-virus software examines executables as they run (or right before), but it does not examine network flows/streams like a true IDS/IPS such as Snort or Suricata.
  • https and an iot listener server behind pfSense with snort package

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Snort newbie: how to enable multi processes Snort in pfSense?

    3
    0 Votes
    3 Posts
    1k Views
    A
    Thank you, Bill.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.