• Suricata SID management - drop list

    0 Votes · 1 Posts · 124 Views
    No one has replied
  • SNORT - Broadcom BNXT

    0 Votes · 3 Posts · 267 Views

    @bmeeks Hello, that's exactly what I did. I ran Snort on the parent interface and not on the VLAN. However, as you suggested, there must be an issue with the Broadcom network card drivers.

  • Suricata - log management option not set on fresh install

    0 Votes · 3 Posts · 196 Views
    bmeeks

    Here is the Redmine Issue for this bug: https://redmine.pfsense.org/issues/15744.

    Thank you for reporting it.

  • Enabled Suricata on LAN interface, now can't access pfSense browser interface?

    0 Votes · 2 Posts · 338 Views
    bmeeks

    @magician-balmy-stainable said in Enabled Suricata on LAN interface, now can't access pfSense browser interface?:

    How can I regain access and/or fix this?

    You are going to need to access the console interface directly to fix this. You did not tell us anything about your hardware, so I'm giving the suggestions below based on the two most likely possibilities:

    Assuming you have whitebox hardware, get to the keyboard and monitor attached to the pfSense machine and log in to the CLI (command line interface). After logging in to the firewall, choose Option "8" to exit to a shell prompt and type this command to stop all Suricata instances:

    /usr/local/etc/rc.d/suricata.sh stop

    If you have a Netgate hardware appliance, you will need to find and attach the USB serial console cable to access the CLI. After getting that connected and working (just like you did when you first configured the device), exit to a shell prompt and follow the same directions as given above for logging in and stopping Suricata.

    If you are using Inline IPS Mode, stopping the service should restore GUI access. If you are using Legacy Blocking Mode, then you will need to also clear out the snort2c table to remove any lingering IP blocks. Do that with this command from the shell prompt:

    /sbin/pfctl -t snort2c -T flush

    At this point you should be able to access the web GUI login. I would immediately navigate to Suricata under the SERVICES menu and edit the LAN interface where you have Suricata enabled and either disable it on that interface or turn off the blocking mode by unchecking the Block Offenders checkbox. Save the change. If you fail to do this, then Suricata will get automatically restarted at some point and you will likely find yourself locked out again.

    I am fairly certain you have a misconfiguration problem because Suricata has several built-in options to prevent locking you out. Either you have a fundamental hardware compatibility issue, or you have a significant misconfiguration of the package.

    @magician-balmy-stainable said in Enabled Suricata on LAN interface, now can't access pfSense browser interface?:

    Why did this happen?

    Can't really say with certainty because you gave us very little information to go on.

    What hardware are you using? What version of pfSense and what version of the Suricata package? What is your network topology? (what's connected to what?). Are you using Legacy Mode Blocking or Inline IPS Mode?

    Note that if you are a first-time Suricata user, then I highly recommend that you NOT enable blocking when first installing the package. Instead, install it, choose the rules to enable, then let it run on your network for a few days or weeks and regularly monitor the alerts received on the ALERTS tab. See what things are generating alerts and determine whether they are legitimate alerts or false positives. Tune the enabled rules and create appropriate Pass Lists (if you intend to use Legacy Mode Blocking) or custom PASS rules (if you intend to use Inline IPS Mode).

  • inline custom pass rule no workie?

    0 Votes · 8 Posts · 522 Views
    bmeeks

    @Tantamount said in inline custom pass rule no workie?:

    I wonder, if you are still able to edit that 2018 post and correct the examples,

    I should be able to. Will give it a whirl.

    Update: fixed it!

  • Snort - Unable to Select Subscriber Ruleset

    0 Votes · 14 Posts · 746 Views

    @bmeeks said in Snort - Unable to Select Subscriber Ruleset:

    I am the volunteer package maintainer for Snort and the creator/maintainer for Suricata on pfSense. I tried on two different occasions to create a Snort3 package and gave up in frustration because of the massive amount of rewrite required for essentially very little gain compared to Suricata.

    Oh wow, I am even more humbled now. Thank you for your contributions to the Snort and Suricata projects!

  • Is there a rule set similar to Snort Open App ID in Suricata?

    0 Votes · 12 Posts · 852 Views

    @bmeeks said in Is there a rule set similar to Snort Open App ID in Suricata?:

    The problem with UTM is that someone must maintain the list of threats and distribute it.

    wait wait...I have to pay for the cool NGFW experience?!

  • 0 Votes · 1 Posts · 156 Views
    No one has replied
  • Snort creates a warning but does not block!

    0 Votes · 3 Posts · 203 Views

    @enesas I would recommend Suricata. The package maintainer for both has said he will probably not develop a package for Snort v3.

    You uninstall from the Installed Packages tab.

  • 0 Votes · 1 Posts · 96 Views
    No one has replied
  • Snort Exiting

    0 Votes · 10 Posts · 494 Views

    @bmeeks Thanks for this... I will see if Snort works after having one interface inline and the other legacy.

    Otherwise I may switch to Suricata.

  • Snort - Attempted Denial of Service - should I be concerned?

    0 Votes · 7 Posts · 393 Views
    JonathanLee

    @bmeeks it took me years of fine tuning and finesse to get mine to work the way I want, and ohhh does it work beautifully now.

    Thank you bmeeks

  • Testing FileStore

    0 Votes · 8 Posts · 891 Views

    @michmoor
    necro post, did this get resolved? In the GUI I do not see any files saved.

    In the /var/log/suricata/suricata<interface>/filestore path I have the 90 something folders that look like hex code but I guess are the first two digits of a hash to organize the files collected by hash. In those folders I have tons of 1-4kb some 1xx kb 'junk' files but no actual jpeg files I've been testing with.

    I have ensured to have file-store enabled, hashing enabled (tried MD5 then SHA-1) and upped memory in a lot of non-related settings. In the eve.json logs it shows file-storing=true but file-stored=false.

    I don't see in the GUI nor the resultant .yaml file the stream-depth setting mentioned in some suricata documentation. In the tutorial this is set to 10MB to catch decent sized files, pictures etc.

    All I see in the pfSense .yaml file generated for Suricata in regards to file-store is:

    file-store:
      version: 2
      enabled: yes
      length: 0
      dir: /var/log/suricata/suricata_em036559/filestore

    Additional context, I have the files.rules enabled and have successful alerts of "File Found over SMB and stored" but within that log shows file-stored=false.

    I'm tempted to increase the length to some arbitrary large number, but it wouldn't survive a service restart to make it valid anyhow, kind of a check-mate here.

  • Large custom rules file

    0 Votes · 5 Posts · 318 Views

    @bmeeks
    I've had a go at adding custom variables, PR: https://github.com/pfsense/FreeBSD-ports/pull/1380

  • Suricata eats all swap

    0 Votes · 7 Posts · 487 Views

    @bmeeks Upgrading did not help.

    What did help was disabling the Extra Rules I had configured. 48 hours with no increased swap so far.

    Using https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz as extra ruleset will eat all swap.

  • Suricata logging

    0 Votes · 7 Posts · 511 Views

    @bmeeks
    👍 Thanks for help.

  • Suricata PHP Error

    0 Votes · 6 Posts · 408 Views
    bmeeks

    @5p9 said in Suricata PHP Error:

    Hi @bmeeks
    Thank you. I had wondered why Suricata suddenly couldn't cope with the resources. Okay, I have now set my PHP to 768 as a test (suricata.inc back to default) and set up all interfaces as usual. Looks very good so far. Thanks for the hint.

    Could have been that you were sitting on the ragged edge of "just enough" free RAM for PHP, and then a rule update added something that pushed things over the edge. The GUI code does quite a bit of processing when building a new rules file for the Suricata binary portion to consume.

    Remember that the rules package vendors are constantly adding, removing, and modifying the rules within their packages. That's why we update them in Suricata - to get their latest changes 🙂. Sometimes those updates by the rules package vendors can result in a new issue surfacing.

    IDS/IPS administration requires very frequent (and some would say almost constant) attention. It is an admin-intensive package. Most large enterprises, for example, have persons whose sole job is watching and administering only the IDS/IPS. It takes a lot of monitoring to review alerts, to review rules updates to see if changes are needed in the IDS/IPS configuration, and to review the IDS/IPS operational logs to look for any anomalies there (various error or warning messages, for example).

  • Question about Suricate IPS mode

    0 Votes · 8 Posts · 697 Views
    LarryFahnoe

    @bmeeks I think you are providing wise counsel, but at the same time I can understand the OP's desire. We've painted ourselves into a bit of a corner with the move to run everything through the web port and then encrypt it. In days gone by we had a lot more options to inspect and mediate risks, but now the firewall's role is mostly just coarse filtering and enforcing good traffic behavior; any hope for deeper inspection is left to the endpoint scanners. Bugs me of course that for the most part we are unable to see/know much about what the endpoint scanners actually do.

    --Larry

  • Sunnyvalley Zenarmor

    2 Votes · 6 Posts · 1k Views
    DefenderLLC

    @luckman212 +1. I would love to see this in pfSense+. I would consider moving to OPNsense that does support it, but I already own Netgate hardware.

  • ETA on Suricata 7.0.6 ?

    2 Votes · 15 Posts · 1k Views
    bmeeks

    The updates for the binary and GUI have been merged and the new v7.0.6 package is available.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.