• Transparent IPS/IDS

    0 Votes
    8 Posts
    2k Views
    bmeeks
    @dooley said in Transparent IPS/IDS:
    > @bmeeks said in Transparent IPS/IDS:
    > > If you went the bare metal way with inline IPS as I recommend, you would get full line rate with no sweat.
    > Do you have any suggestions where I can get a start on sourcing info to head in this direction? I appreciate your input @bmeeks and you taking the time out of your day to give me guidance on this matter.

    First, you will need to get comfortable working with either FreeBSD or Linux at the command line interface. Both are more or less the same. I would tilt towards FreeBSD simply because that is what pfSense is based on, and FreeBSD is said to have the better network stack.

    Install FreeBSD (or Linux) on suitable hardware. As I mentioned, you will need three NICs to make things easy. One is your management interface and should get an IP address from your LAN. The other two get no address assigned. They are simply going to be input and output ports running in promiscuous mode.

    Next you install Suricata on the machine. On FreeBSD, there is a package in the ports tree. For Linux, there are also suitable packages available for installation.

    Here is the official Suricata documentation: https://suricata.readthedocs.io/en/suricata-6.0.4/
    Here is the subsection for configuring IPS Inline Mode on Linux: https://suricata.readthedocs.io/en/suricata-6.0.4/setting-up-ipsinline-for-linux.html
    And here is a link showing how to install Suricata in IPS mode on Ubuntu Linux: https://www.digitalocean.com/community/tutorials/how-to-configure-suricata-as-an-intrusion-prevention-system-ips-on-ubuntu-20-04

    One last thing I will mention is that administering an IPS is a big challenge and requires quite a bit of knowledge and experience. If you are new to this, prepare to be very frustrated initially by false positive blocks. For that reason, you really should run a setup in IDS mode for a month to see what alerts get triggered on your network. You then selectively "tune" your rule set to get rid of false positives. Only then should you turn on the blocking of traffic using IPS mode.
  • SURICATA ignore IP based on schedule

    0 Votes
    2 Posts
    309 Views
    bmeeks
    No, Suricata has no feature to allow that. The closest you can get is to create your own cron tasks (two of them) that stop Suricata for the duration of your scan, and then start it again when the scan is complete. You can stop and start Suricata using the shell script /usr/local/etc/rc.d/suricata.sh. The commands would be:

        /usr/local/etc/rc.d/suricata.sh stop
        /usr/local/etc/rc.d/suricata.sh start

    Those commands will stop and start Suricata on all configured interfaces. It goes without saying that with the Suricata processes stopped, all hosts are unprotected for the duration of your scan.
  • Is IPS/IDS worth it in 2022 - And Snort 3.0

    0 Votes
    4 Posts
    2k Views
    N
    @bmeeks Thank you so much for your answers, and you too @Cool_Corona. Yeah, I have a server (unRAID) with docker containers. I have a domain name that forwards to my public IP of my WAN. Then pfSense picks up the domain and provides SSL and allows access to my services behind pfSense. Normal proxy stuff, nothing really distinct about this setup. When I rebuild my pfSense I will probably set up a VPN and kill publicly accessible stuff and just VPN in instead.
  • Change Surricata yaml?

    0 Votes
    5 Posts
    1k Views
    E
    @bmeeks Yes, and I found where to set it. It fixed the drop issue. Still getting the message, though.
  • Snort Port 443 Timed Out

    0 Votes
    2 Posts
    382 Views
    bmeeks
    That's how it appears. Or at least it "thinks" it can't see the Internet. The connection attempts on port 443 (HTTPS, or SSL connection) are timing out. That means either the remote site is down, or your personal connection is unable to reach the remote site. Since this is happening for both Snort and Emerging Threats rules, I would think it unlikely for BOTH remote sites to be down at the same time. Thus that would point the finger over to your end of the connection as where the problem is likely to reside.
  • Rule Signature ID (SID) causing issues with Windows updates.

    0 Votes
    12 Posts
    2k Views
    JonathanLee
    @jonathanlee [image: 1642214385780-cabfile.jpg] Once the cab file is open, it has a text file inside. What can cause this type of issue?
  • Snort Not Updating

    Tags: snort, update, rules, private
    0 Votes
    2 Posts
    1k Views
    bmeeks
    Your post is not entirely clear. Perhaps it is a language translation issue ??? Are you saying that now your pfSense box is behind some kind of double-NAT? You must eventually have a public IP in order to route traffic (not an RFC 1918 address). However, if your pfSense box now communicates with some upstream host that in turn provides a NAT to some type of public routable IP, then your Snort rules update should still work. I assume other Internet traffic through the pfSense box works?? Or do you really mean to say you have isolated this pfSense box from the Internet? If that is the case, then there is no method for an offline update in the Snort package. It requires Internet access to update its rules.
  • Snort intercepted "Signal App" traffic as a trojan! Reason to worry?!

    0 Votes
    2 Posts
    347 Views
    bmeeks
    If you are 100% certain the origin of the traffic is from a device running the Signal app, and the captured session is from an active Signal session, then I would tend towards ruling it "false positive". But if there is any doubt, then a thorough virus/malware scan of the machine would be in order to make sure there is no infection. That is an old worm, though. And so far as I know, there never was a mobile app variation of it -- only PC.
  • How to change alert type edit rule sets in suricata

    Moved
    0 Votes
    2 Posts
    506 Views
    bmeeks
    You need to learn to use the features on the SID MGMT tab. Go to that tab, enable the feature by checking the box, then read through all the provided sample conf files for hints on how to use the feature. Be advised, though, that wholesale changes of the rules are not supported. The feature is mainly for selecting which rules to enable or disable using regex matching, and for altering certain rule actions from, say, "alert" to "drop". If you want to create your own rules, then use the Custom Rules option on the RULES tab for an interface. On that tab, choose "Custom Rules" in the Category dropdown, and then type (or paste) your own custom rule (or rules) into the text box. Once done, save the change. Those rules will survive any rules update.
  • Suricata "behind" ha-proxy reverse proxy / X-Forwarded-For

    0 Votes
    2 Posts
    1k Views
    bmeeks
    This is a limitation of the Suricata binary itself. See the thread here from the upstream Suricata forum: https://forum.suricata.io/t/suricata-behind-proxy-server/419/. So far as I know, this limitation still exists. Suricata can log the XFF in the EVE output, but XFF cannot be used in detection rules, and thus cannot trigger alerts (which would be required to initiate a block).
  • Suricata 6.0.4 Package Update - Release Notes

    2 Votes
    8 Posts
    1k Views
    Bob.Dig
    Here also. My problem was that I had unchecked that box before, so I lost all my settings because I had to un- and reinstall; it wouldn't run anymore. Anyways, I will have another look if Suricata will block my LAN again. So far so good, although too early to say something definite. What has changed other than the Suricata version is that I don't run any Snort rules anymore.
  • TLD questions

    0 Votes
    3 Posts
    629 Views
    J
    @bmeeks Yes, you're correct. Sorry about that.
  • Turn on logging for select built-in rules only

    0 Votes
    15 Posts
    2k Views
    bmeeks
    @darcey said in Turn on logging for select built-in rules only:
    > @bmeeks I've taken your advice and switched to inline mode. Thank you for the help. log4j is still hitting Suricata but I no longer see any log4j traffic in the nginx log. So it would seem to have been leakage under legacy mode. Under inline mode, I'm targeting rules in my dropsid.conf largely by classtype attributes. This seems to be a good compromise between granularity and not having too much config.
    > What is the significance of the caret in interface names (eve logs and suricata.log)?
    >
    >     26/12/2021 -- 15:10:00 - <Info> -- Using 2 live device(s).
    >     26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2/R from vtnet2: 0x81c606000
    >     26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2^ from vtnet2^: 0x81c606300
    >     26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2^ from vtnet2^: 0x8345fd000
    >     26/12/2021 -- 15:10:00 - <Notice> -- opened netmap:vtnet2/T from vtnet2: 0x8345fd300

    The caret interface suffix denotes the OS endpoint of a netmap pipe. In order for Inline IPS Mode to function, two netmap pipes are created: one to send traffic, and one to receive traffic. Each pipe has an OS endpoint (called the host stack endpoint) and a NIC endpoint. Additionally, if your NIC supports multiple queues, you will see more netmap connections created for each supported queue. So those lines in your log snippet show one netmap connection from host stack to NIC, and another from NIC to host stack. The "R" and "T" values indicate "receive" and "transmit", respectively.
  • Snort subscriber rules failing to download

    1 Votes
    4 Posts
    1k Views
    G
    That fixed it — thanks everyone & happy holidays!
  • snort vs suricata for the latter half of 2021.

    0 Votes
    4 Posts
    1k Views
    bmeeks
    In terms of protocol decoders and logging options, Suricata wins hands down. The one feature Snort has that Suricata lacks is the OpenAppID Layer 7 capability. But that feature is really only of use in certain business environments where there is a desire to either prohibit, or severely limit, social media and streaming content access for employees during working hours. OpenAppID really has no valid application in home networks the way I see it.

    The threading features net out a wash (or dead heat, if you prefer). But don't put too much faith in multithreading itself when talking about network traffic. There is the reality that a given flow must be processed by the same thread. And to really take advantage of threading with multiple flows, you need an OS stack and NIC driver combination that is very good at implementing RSS in order to actually spread the traffic load over available CPU cores. Having a multithreaded application is only the beginning of what is required to actually realize substantial performance boosts.

    Any IDS/IPS package is really running on borrowed time in terms of the future unless you are willing to implement a full man-in-the-middle scheme to break the end-to-end encryption that is so common with all traffic these days. Even DNS traffic is becoming encrypted more and more often. Email has been encrypted for quite a long time now. And nearly 100% of web traffic is HTTPS (so encrypted as well). Without MITM, an IDS/IPS has practically zero visibility into packet payloads. The best it can do is examine the unencrypted header sections (source and destination IP addresses and ports), and maybe catch a glimpse of the initial cert info exchange between server and client to see what domain is being visited. That's pretty much how OpenAppID works. It's not actually looking at the raw data - just some header stuff.

    I am not a fan of Snort3. The complete change in how you configure it sort of soured me on it because porting 2.9.x installations over to Snort3 is a large pain (I'm talking here from the point of view of auto-migrating someone's pfSense installation, for example). I also think the Snort team took way too long to get Snort3 out. I'm afraid they may have missed the boat as Suricata adoption increased during that long drought of Snort3's alpha and beta development time.
  • 0 Votes
    6 Posts
    1k Views
    JonathanLee
    @bmeeks This fine-tuned it. The issue was with Squid and SSL use. I needed to just add in the aliases inside of Squid's general settings to pass the traffic to the firewall and not proxy it for Disney Plus. It fixed it, no more random issues, and I still have the proxy for the desktops and laptops. [image: 1639943581990-screenshot_20211219-114824.png]
  • Suricata passlist clarification

    0 Votes
    3 Posts
    749 Views
    bmeeks
    Yeah, this bug is fixed in the DEVEL snapshot branch. To be honest I was thinking that fixed version had been merged over to RELEASE, but it has not. I will ask the Netgate team to merge the new Suricata package over into RELEASE. In the meantime, making the edit suggested by @SteveITS will correct the issue.
  • Multi threading and Snort and Programming questions

    0 Votes
    5 Posts
    1k Views
    JonathanLee
    @jonathanlee And, if they move to make this reply as a DoS, move it to HTTP GET requests at that point and disable this reply for a preset timer.
  • Suricata - Snort IPS Policy selection

    0 Votes
    8 Posts
    3k Views
    DaddyGo
    @jc1976 said in Suricata - Snort IPS Policy selection:
    > they seem to be just templates

    Exactly, templates created by Bill (do you know that he is the package maintainer here? Suricata and Snort :)) and pls. take a look for example at one of my home configurations that I uploaded and you'll find out everything: dropsid.conf.txt (in TXT, but TXT does not read, I just put it up in this format because of the forum software)

    ++++edit: rename it simply to this: dropsid.conf
    +++edit2: or if you want to preserve the original template file (would be a good idea) then, for example: mydropsid.conf or etc.
  • Snort on LAN, WAN or DMZ?

    0 Votes
    6 Posts
    2k Views
    bmeeks
    @jdeloach said in Snort on LAN, WAN or DMZ?:
    > @bmeeks Bill, I agree with you that LAN is the interface that Snort should be run on for the reasons that you state. It would save a lot of confusion for new users if YOU ALL (not sure who YOU ALL is) would update the documentation, help tips in the package and defaults to state this. Right now, all the documentation, help tips and defaults state to configure Snort to run on the WAN interface. The same should be updated for the Suricata package as well.

    You can open Redmine requests to have the documentation updated if desired.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.