@bmeeks said in Snort - Unable to Select Subscriber Ruleset:

I am the volunteer package maintainer for Snort and the creator/maintainer for Suricata on pfSense. I tried on two different occasions to create a Snort3 package and gave up in frustation because of the massive amount of rewrite required for essentially very little gain compared to Suricata.

Oh wow, I am even more humbled now. Thank you for your contributions to the Snort and Suricata projects!

@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:

@bmeeks Thanks. We're kind of stuck on fBSD since it's the backend of pfSense at the moment.

I don't think you will get anywhere near 10G performance using IDS/IPS with pfSense right now. The use of the host rings interface with netmap is just not capable of that.

What I'm talking about is a completely separate box sitting between your LAN and the pfSense interface, or between pfSense and your WAN connection. A true dual-port NIC hardware device similar to the old Sourcefire IPS appliance.

Something similar to this, but built with your own hardware: https://www.cisco.com/c/en/us/support/security/firepower-8000-series-appliances/series.html. The network traffic goes in one NIC port and comes out of another (matching NIC port pairs for each traffic path) similar to a bridge. With enough CPU and RAM, that type of arrangement can easily hit 10G throughput.

@bmeeks said in Is there a rule set similar to Snort Open App ID in Suricata?:

The problem with UTM is that someone must maintain the list of threats and distribute it.

wait wait...I have to pay for the cool NGFW experience?!

@enesas I would recommend Suricata. The package maintainer for both has said he will probably not develop a package for Snort v3.

You uninstall from the Installed Packages tab.

@bmeeks Thanks for this... I will see if Snort works after having one interface inline and the other legacy.

Otherwise i may switch to Suricata..

@bmeeks it took me years of fine tuning and finesse to get mine to work the way I want, and ohhh does it work beautifully now.

Thank you bmeeks

@michmoor
necro post, did this get resolved? In the GUI I do not see any files saved.

In the /var/log/suricata/suricata<interface>/filestore path I have the 90 something folders that look like hex code but I guess are the first two digits of a hash to organize the files collected by hash. In those folders I have tons of 1-4kb some 1xx kb 'junk' files but no actual jpeg files I've been testing with.

I have ensured to have file-store enabled, hashing enabled (tried MD5 then SHA-1) and upped memory in a lot of non-related settings. In the eve.json logs it shows file-storing=true but file-stored=false.

I don't see in the GUI nor the resultant .yaml file the stream-depth setting mentioned in some suricata documentation. In the tutorial this is set to 10MB to catch decent sized files, pictures etc.

All is see in the pfsense .yaml file generated for suricata in regards to file-store is:

file-store:
version: 2
enabled: yes
length: 0
dir: /var/log/suricata/suricata_em036559/filestore

Additional context, I have the files.rules enabled and have successful alerts of "File Found over SMB and stored" but within that log shows file-stored=false.

I'm tempted to increase the length to some arbitrary large number but it wouldn't survive a service restart to make it valid anyhow- kind of a check-mate here.

@bmeeks
I've had a go at adding custom variables, PR: https://github.com/pfsense/FreeBSD-ports/pull/1380

@bmeeks Upgrading did not help.

What did help was disable the Extra Rules I had configured. 48 hours with no increased swap sofar.

Using https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz as extra ruleset will eat all swap.

@bmeeks
👍 Thanks for help.

@5p9 said in Suricata PHP Error:

hi @bmeeks
thank you. i had wondered why suricata suddenly couldn't cope with the resources. okay, i have now set my php to 768 as a test (suricata.inc back to default) and set up all interfaces as usual. looks very good so far. thanks for the hint.

Could have been that you were sitting on the ragged edge of "just enough" free RAM for PHP, and then a rule update added something that pushed things over the edge. The GUI code does quite a bit of processing when building a new rules file for the Suricata binary portion to consume.

Remember that the rules package vendors are constantly adding, removing, and modifying the rules within their packages. That's why we update them in Suricata - to get their latest changes 🙂. Sometimes those updates by the rules package vendors can result in a new issue surfacing.

IDS/IPS administration requires very frequent (and some would say almost constant) attention. It is a admin-intensive package. Most large enterprises, for example, have persons whose sole job is watching and administering only the IDS/IPS. It takes lot of monitoring to review alerts, to review rules updates to see if changes are needed in the IDS/IPS configuration, and to review the IDS/IPS operational logs to look for any anomalies there (various error or warning messages, for example).

@bmeeks I think you are providing wise council, but at the same time I can understand the OP's desire. We've painted ourselves into a bit of a corner with the move to run everything through the web port and then encrypt it. In days gone by we had a lot more options to inspect and mediate risks, but now the firewall's role is mostly just coarse filtering and enforcing good traffic behavior; any hope for deeper inspection is left to the endpoint scanners. Bugs me of course that for the most part we are unable to see/know much about what the endpoint scanners actually do.

--Larry

@luckman212 +1. I would love to see this in pfSense+. I would consider moving to OPNsense that does support it, but I already own Netgate hardware.

The updates for the binary and GUI have been merged and the new v7.0.6 package is available.

@SteveITS

Thank you for reply.
I was running Snort on WAN but I can't see any portscan detection alerts ?
We issued a few port scans over different outsides IPs but there were no alerts under Snort ?
Are we doing something wrong ?

I just purchase the Snort subscription rules, it’s not that much for private use. You get tons of good stuff with it. Is it ethical to use this rule set for other devices … no so I wouldn’t do it, just purchase a business subscription if you are attempting to do that.

Again there are rule sets for other security providers that I would love to add URLs for.

https://rules.emergingthreats.net/blockrules/3coresec.rules

https://forum.netgate.com/topic/177538/is-it-possible-to-use-a-cron-job-to-update-custom-snort-rules

So I get the appeal for wanting custom URLs but understand why it’s not included, if it was anyone could reuse subscriptions rules on other devices.

I wonder if there is a way to get the best of both custom url and rules and give Snort security for their subscription rules too for no free riders.

@MichaelRMO when you see the Ip address you want in the alert area click suppress for that IP it will no longer block that one in snort. Try to suppress that IP address. If it’s many look at the suppress list and manually add to it and or write a quick Java program to create a new list based on a text file you have. Hope that helps. I use appID with custom lists so I have a massive suppress list.

Thanks @bmeeks for the info.
This is... quite fundamental. Basically it would be like a new IDS system, will take some time to figure out :)