@huskerdu Possibly you have multiple Suricata processes running. Check for that or restart.

@sgnoc said in Recovery help with suricata sid management:

@bmeeks Worked like a charm. Minimal to have to do once everything came back up. Even easier with the reinstall feature where the installer can grab the old config and reinstall it after the software is installed. I checked and all of the sid management back back where it needed to be. Thanks again.

You are welcome. Glad you got everything going again.

The IDS/IPS packages save all of their configuration information in the XML file, so all previous settings can be restored upon reinstallation of the package (or from a restore/recovery procedure).

@gpinzone said in Snort won't start up after pfSense upgrade:

@gpinzone Just to follow up, the GeoIP Top Spammers block list has some false positives.

It is almost a given if you are outside of the US.

@jonrusk said in snort install - rules md5 checksum failed:

@bmeeks Yes and that appeared to be the issue. I increased the size of /tmp on RAM disk and Snort installed successfully. Thank you!

Note that I don't recommend using RAM disks with either of the two IDS packages (Snort or Suricata). Most especially for /var where the log files are written. And not having enough free space on /tmp, as you experienced, leads to problems as well. Those two packages were not created with RAM disk usage in mind. They really want a spinning disk (or conventional SSD) with a fair amount of space for logging.

@michmoor I'm exporting logs to it, but not netflow..

Using these extractors to parse the data: https://github.com/loganmarchione/Graylog_Extractors_pfSense

I'm still waiting around to update Suricata. The Netgate team pulled in the latest 6.0.5 Suricata version in the pfSense CE 2.7 DEVEL branch. The pfSense CE and Plus RELEASE branch is still running the 6.0.4 Suricata version.

There is really not a ton of changes between those two that would impact typical pfSense users. I'm monitoring the progress on 7.0rc1 and 6.0.6 from the upstream GitHub repo.

@bmeeks
Hi bmeeks,
Thanks for your answer.
Greats, I have changed the category name into my Sid file and it perfectly works.
Appreciate.

BR

L.

@ezvink May be so, however, you had WAN in host-only Adapter mode so you shouldn't have any DNS issue...good luck!

@bawoodruff said in Odd Suricata Inline IPS behavior:

This may be an issue with the firmware version of the card.

dev.ixl.0.fw_version: fw 5.0.40043 api 1.5 nvm 5.05 etid 80002899 oem 17.4352.12

I wouldn't think that it would be the driver, since it's one that is explicitly documented as one being compatible with Inline mode unless it's some new bug that I haven't been able to find any documentation on... But if the card's firmware is too far out of date, it could cause issues for the driver I suppose.

The driver names in FreeBSD can be thought of as somewhat generic. They refer to a class of NICs, but within the class there can be subtle hardware/firmware variations. I suspect that's what is going on in your case, since moving to a different interface with a different physical NIC eliminates the problem. The same Suricata and configuration is running in both cases, so that would eliminate Suricata as the source of the problem.

@bmeeks In my case, VLANs are mandatory. In the end only an implementation that allows VLANs to work fits my needs. Hope at least on pfSense, they will still work in future releases too. Thanks for the hint.

@le_bleu said in Suricata memory usage very high:

Pfsense 2.4.5.r.20200318.0600

This is a beta release of 2.4.5 and more than 2 years old. You should upgrade to 2.5.2 at this point or at least the RELEASE version of 2.4.5.

@juniper said in snort and span interface:

@bmeeks said in snort and span interface:

@juniper said in snort and span interface:

Hi,

is it possible to use pfsense snort with a span interface as sensor?

thanks in advance

No, that configuration is not supported. If you want to do something like that, I recommend a dedicated FreeBSD or Linux machine running the base Snort package from whichever distro you choose the OS from. There would be no GUI, though.

Thank you!

Just to clarify,

I have a pfsense firewall with snort on a wan bridge (but in this way i can't check https traffico), my needing is to analyze http traffic over a reverse proxy (reverse to private network, reverse https to private network http), if i undestrand the only way is to create another bridge?

Bridges can get very messy, and Snort really does not understand those (meaning the Snort package on pfSense) as it's not designed and plumbed up operate with that configuration on the interface. It expects a traditional single network interface. Not saying you might not could get it to somewhat work with duct tape, baling wire, and glue, but it's not a setup I would recommend.

For your setup, I would lean more toward the span port option using a separate and dedicated Unix-type distro to run Snort. And I mean Snort as a package from that Unix distro and NOT the GUI package used on pfSense. That would mean interacting with Snort via the CLI.

@bmeeks perfect, very very very thanks

@bmeeks Thanks for the reply, if I see this issue again I will definitely look for additional snort processes running.

This is a harmless error. It means there is a mismatch between the name of an AppID entry as used in a text rule compared to the name in the OpenAppID stub detectors.

This is a consequence of the fact the OpenAppID text rules have not been maintained by the original developer. You can manually grep through the various configuration files in the OpenAppID subsystem to identify the problem areas and fix them if desired.

Sorry to say that more and more problems like this are going to crop up in OpenAppID for the Snort 2.9.x branch as the upstream Snort folks have concentrated all their efforts on the Snort3 branch. There is no Snort3 package for pfSense, and currently there is no plan to produce one. You may want to consider Suricata at some point, but there is no equivalent of OpenAppID in Suricata yet.

@jonathanlee the baseline has about 3 every morning that show and about 2 in the day time.

Screen Shot 2022-05-10 at 7.22.09 AM.png

Image: I use to see a lot more nmap scans caught during the night

@bmeeks Its not working in 2.5.2 but I havent tested 2.6.0 yet since its unstable and lack VLAN performance.

I don't typically recommend an IDS/IPS for a home network for two reasons.

First, the required skills and knowledge for properly choosing what rules to enable and how to interpret alerts is quite high. It is a skill set the typical home network enthusiast does not have.

Second reason is there are lots of things typically used in home networking (streaming, social media, etc.) that frequently generate false positive alerts and/or blocks. This gets back to reason #1 listed earlier where the skills of the admin are critical for carefully choosing rules that are suitable for the normal network traffic.

If you want to learn how to administer an IDS/IPS, and have some of the necessary background knowledge of programming and especially TCP/IP networking, then Snort or Suricata on pfSense can be a great learning platform. Just be prepared for lots of bumps in the road as you learn the ropes. That means expect stuff you want to work to instead get blocked via false positives. You have to learn to read these and weed them out by removing rules that are not appropriate for your network environment.

If all you want to do is block some IP addresses using some third-party lists, or if you want to use something like DNS blacklisting, then pfBlockerNG-devel is probably a better fit.

@bmeeks said in Suricata Update Plans:

The Suricata team recently released version 6.0.5. Details about this latest release can be found here.

I plan to update Suricata on pfSense in the near future. Currently we are running the 6.0.4 version compiled with the multiple host rings netmap code from version 7.0. I want to wait a few days, or perhaps even a couple of weeks, to see how things look in the new 6.0.5 release. If no major issues are reported upstream, then I will update the binary portion of the pfSense Suricata package to 6.0.5.

Just wanted to post this info to let Suricata users know I am aware of the recent release of 6.0.5, and I plan to update the pfSense package soon. Just don't want to immediately jump out there yet having gotten burned with the initial 6.0 release that had the FreeBSD flow manager bug.

Please take your time, better safe than sorry.

@bmeeks
see the commit [1], thank you.

[1] https://github.com/pfsense/FreeBSD-ports/commit/b48f7bee696c7b9a3ad811b8a85f4aa3dfeb9a22

Pull Requests have been submitted to correct this issue in both the DEVEL and RELENG_2_6_0 branches of pfSense. I attempted to make the code a little more tolerant of any future path name changes in the Snort Rules update archive file. Look for a Snort package update to version 4.1.5_3 in the near future. The requests are here:

https://github.com/pfsense/FreeBSD-ports/pull/1161
https://github.com/pfsense/FreeBSD-ports/pull/1162

In the meantime, if you hit this bug before the package update is posted, the quick fix is shown in an earlier post of mine above.

UPDATE: the pull requests listed above have been merged into their respective pfSense branches.

@pfgate Not sure offhand what emerging-icmp_info.rules is. In most cases for our clients ICMP is not enabled through the router anyway so no need to look for that. I was referring to the other two.

The other category is stream-events.rules.

You have at least three different packages installed on your firewall that all can, to varying degrees, result in blocked network traffic (SquidGuard, Snort, and pfBlockerNG).

Do you know how to check which of these packages are producing alerts/blocks and what IP addresses they might be impacting? If so, then do the research in your alert logs for the installed packages and find out which package (or packages) is doing the blocking and which IP is being blocked. You very likely are the victim of false positives. Once you trace the true source of the block, you can make a determination if it is a false positive (or not) and proceed accordingly.

@steveits Yeah but its running in a loaded datacenter with a shitload of terminalservers accessing all kinds of sites.

You cant keep up and even if you witelist it, it blocks.

@enesas said in Snort Application and site blocking Problem!:

@bmeeks I reviewed what you said. However, I couldn't quite figure it out.
For example, is there an example list of blocked drops for Youtube or another site? Also, when you add this list to SID MGMT, will it work directly, is a different setting required?

When the communication problem due to language is added, it becomes a little difficult to understand.

I'm sorry for making you tired.

An IPS Policy is a pre-defined collection of rules designed to provide a given base level of security. There are four defined policies, but only three of them are useful in a production setup. The fourth policy (max-detect) is an extreme security policy designed primarily for testing only. It will block all manner of likely desired traffic.

Here are the three IPS Policies (ordered by increasing protection):

These are created by the Snort rule authors (also known as the Snort Vulnerability Research Team, or VRT). The policies exist via metadata tags included within each Snort text rule (but excluding OpenAppID; those rules are NOT part of any IPS Policy directly). When creating rules, the Snort VRT will tag each rule with one or more IPS Policy tags. That allows an automated rule selection algorithm to pick the rules tagged with a chosen policy tag.

For IDS beginners, it is best to start with the IPS Policy Connectivity policy as that one provides reasonable protection from common threats without generating too many false positives. I strongly recommend you never go higher than IPS Policy Balanced unless you are protecting military secrets or something. The "Security" policy will block a ton of desirable stuff -- meaning lots of "normal" network traffic will get blocked and cause you headaches and frustration.

However, if new to an IDS/IPS, you should start with NO blocking enabled. Choose rules but do NOT enable blocking at first. You need to let your choice of rules run in your network environment for several days or even weeks. Check the ALERTS tab often in Snort to see what alerts have triggered. Research them and determine if they might actually be false positives in your network. That is highly likely these days due to the way modern web sites work to serve adds and due to the encryption of lots of other traffic. For false-positive triggering rules, you should probably disable them.

Now lets talk about OpenAppID. For that to work you must have two different kinds of rules downloaded (or else custom created by you, the admin). One requirement is the OpenAppID rule stubs that come from the Snort VRT. That set of stubs defines the applications that Snort OpenAppID can detect and gives Snort the internal "how-to" instructions for detection. The other required piece of OpenAppID is a set of text rules that leverage those detector stubs to actually scan traffic and produce alerts. This latter set of text rules tells Snort which applications you want to look for. You must either write these text rules yourself, or you can take advantage of a starter-set of OpenAppID text rules created by a group at a University in Brazil. You can enable the download of these starter rules on the GLOBAL SETTINGS tab of Snort where you enable the download of the OpenAppID stub rules. Then on the CATEGORIES tab you can enable one or more categories of OpenAppID rules. But be aware these categories were created by a team of volunteers (University students, actually), so they may not be complete. Additionally, they have not been updated in several years. Thus many more modern applications are missing detection rules and thus won't be detected by Snort using these OpenAppID starter rules. So for any missing applications in the starter rules package, you would need to create your own Custom Rules containing the necessary syntax. You can find out more about writing OpenAppID rules here:

https://blog.snort.org/2014/04/openappid-application-rules.html

You can search on Google for other OpenAppID tutorials. Be aware that most of the recent effort with OpenAppID has been targeted for Snort3 and not legacy Snort as used on pfSense. The pfSense package is based on Snort 2.9.x and is NOT compatible with Snort3 rules! Do not attempt to use any Snort3 rules on pfSense. Doing so will totally break the Snort package on pfSense.

@spacey said in Suricata V3.0 Inline Mode:

@bmeeks Get go* the sample.conf files shouldn't have #comments and should just be enabled

The comments are there to be instructive so the admin can see how to customize their rules. The whole purpose of that tab is to allow customization of rules depending upon the network environment.

I am still not understanding what you are asking for. With an IDS/IPS, there is no one-size-fits-all setup. That's why a lot of experience and knowledge about threats and exposures is required in order to be a qualified IDS/IPS administrator. You pick and choose the rules using knowledge of the specific exposures/vulnerabilities present in your individual network.

You may be hitting this bug I found posted over on the upstream Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/5247. Suricata is a multithreaded application, and thus has some special logic for handling flows in a multithreaded environment. Sometimes that special logic fails, though, at assigning a flow to the correct thread. So if the logic gets confused and assigns part of the flow conversation to one thread, but the other part of the flow conversation to another thread, you could then see this error.

But remember those applayer rules are just informational. One triggering does not automatically mean "malware" is present. They are finding and alerting on abnormalities in traffic flow. However, the rules can misfire or may even be buggy sometimes.

@steveits Thank you so much for you advice!! I tracked the location of that IP and just emailed the company, explaining what's happening. The most intriguing part is that the IP is from the agency that registers and maintains all".br" websites here in Brazil, maybe they were victims of some kind of attack.