• 0 Votes
    1 Posts
    162 Views
    No one has replied
  • 0 Votes
    5 Posts
    567 Views
    C
    @bmeeks thank you again. Appreciate the response and detailed explanation
  • Balanced and Rule 140:27 in Snort

    3
    0 Votes
    3 Posts
    716 Views
    A
    @bmeeks Dear bmeeks, thank you for this info. I will wait for the update. Greetings, Arti.
  • No alerting happening in Suricata for dropped Rules

    2
    0 Votes
    2 Posts
    443 Views
    bmeeksB
    See my reply in this thread (to a similar post of yours): https://forum.netgate.com/topic/183539/suricata-alerts-logs-view-broken-due-to-advanced-configuration-pass-through/6.
  • 0 Votes
    6 Posts
    1k Views
    bmeeksB
@michmoor said in Suricata Alerts/Logs View broken due to Advanced Configuration Pass-Through: @cyberconsultants I wonder if this is related to my other forum post I put up today. I got no logging for a rule. I know it's working but nothing is in the alerts tab. There was a bug report upstream in Suricata some time back about certain circumstances where the logic would drop a packet but not log the reason (alert). I was thinking that was addressed, but maybe it was not fully fixed ??? It's also possible that a rule may have a noalert tag in it. That suppresses alerts. Not sure how that impacts a DROP action, but I would expect such a rule to also not drop the traffic. I have never tested that, though. The noalert tag is part of the flowbits logic for rules, and allows a given rule to trigger a flowbit state without generating a corresponding alert for that trigger. If you are using SID MGMT to change all the rules in a given category to DROP, then perhaps you are also changing some flowbits noalert rules to DROP when typically they are set for ALERT. Just a guess as I have not investigated this, but perhaps that results in an unanticipated situation in the Suricata binary.
  • Newly Registered Domain Threat Intel Feeds for Suricata

    4
    0 Votes
    4 Posts
    716 Views
    bmeeksB
@jpgpi250 said in Newly Registered Domain Threat Intel Feeds for Suricata: @bmeeks I'm looking at this YouTube video about datasets. At 21:58, the dataset source is added. I've been looking at the pfSense/suricata interface, but can't find where a dataset file (source) is added. I assume this is possible, just need to know where... thanks. Suricata version is 6.0.13 on pfSense 2.7.0-RELEASE (amd64). Currently dataset source files are not supported within the GUI. Datasets are a relatively new feature in Suricata and support for them has not been added to the GUI. When I first saw your post and quickly reviewed the link you provided, I assumed it was regular text rules.
  • suricata (core dumped) after GeoLite2-Country database update

    15
    0 Votes
    15 Posts
    1k Views
    bmeeksB
@Euman said in suricata (core dumped) after GeoLite2-Country database update: I think this is the issue and am waiting for results: I had "Live Swap" enabled. Enable "Live Swap" reload of rules after downloading an update. Default is Not Checked. When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update. While everything is possible, I'm not sure how this setting would contribute to a Signal 10 Bus Error. Maybe there is an outside chance the extra RAM use when this feature is enabled causes the use of a particularly problematic physical chip address ???
  • Warning/bug? when updating SNORT package

    6
    0 Votes
    6 Posts
    731 Views
    P
    @bmeeks Thanks for the clarification. I'm guessing something happened during the unusual (I'm calling it that since it's not standard Linux behaviour to uninstall and reinstall in order to update a package) process. Knowing that and ensuring I have a config backup before any package update I'm not too worried. Lots to learn (and unlearn) as always getting into a new system. Really appreciate the help from the forum.
  • Seeking advice on next steps in investigation

    17
    1
    0 Votes
    17 Posts
    3k Views
    M
@bmeeks Thanks Bill. I'll reach out to them on their forum and on Twitter.
  • ET SCAN HID VertX and Edge door controllers discover

    5
    1
    0 Votes
    5 Posts
    1k Views
    JonathanLeeJ
@bmeeks I agree. I actually reported this IP and the .31 to IC3 because of this blanket type HID door discovery enumeration within my IP blocks. That attack one is new to me. I admit I do like to watch the WAN as you can monitor what's going on very well with the IPS/IDS. Again it takes some time to get it usable so you can see and have it not disable your internet access, as you have seen with my many reports :)
  • Short question about Suricata in cooperation with pfblocker

    12
    2
    0 Votes
    12 Posts
    2k Views
    T
@bmeeks said in Short question about Suricata in cooperation with pfblocker: @Trust9 said in Short question about Suricata in cooperation with pfblocker: I have a lot of open ports. Web server, Voip, and other services. Don't you think it makes sense to enable IPS on the wan interface as well? No, I would not put Suricata on the WAN and here is why. Nothing can reach your internal services (web server, VoIP box, etc.) without the traffic passing through either a LAN or DMZ interface on the firewall. pfSense is a router and a firewall. It takes incoming traffic on the WAN from the Internet, applies the firewall rules to the traffic, then routes the traffic to the appropriate internal interface. You do not run an IDS/IPS to protect your firewall. If you have a firewall that needs an IDS/IPS in front of it for protection, then you need to find a new and more secure firewall. The firewall should be more than capable of protecting itself and should not need an IDS/IPS in front of it for protection. In light of the above two points, what is the point of putting Suricata on the WAN? When running on the WAN, it will see and have to process all of the Internet "noise" on the WAN interface, but then your firewall rules are going to drop the vast majority of that traffic anyway. So, why waste CPU cycles having Suricata scan that stuff? Refer to the two diagrams I linked earlier. See how Suricata will always be the first thing traffic coming into an interface hits. Suricata running on say a LAN or DMZ interface will still see and be able to scan all traffic traversing that interface (both inbound and outbound). That interface is the only way something from the Internet (via a port forward on the WAN, for example) can reach your internal host (a web server or VoIP box). Suricata sitting on the interface will see and police the traffic. But it will only have to deal with traffic that the firewall rules have already filtered, thus saving CPU cycles. In my view, the only time putting Suricata on the WAN makes any sense is if you have very limited RAM in the box, an anemic CPU, and you have several interfaces you want to protect with the same rules on all. Maybe then for overall conservation of RAM and CPU you compromise with a single WAN instance of Suricata. But at that point it may also be time to replace the firewall hardware with something with more capability.
    Your explanations are really awesome. You really take a lot of time to share your knowledge. Thank you very much. I will activate Suricata only on the LAN interface and see how it goes.
  • Appinfo: Appid ___ is UNKNOWN???

    snort ips ids lan side
    14
    0 Votes
    14 Posts
    3k Views
    JonathanLeeJ
    @bmeeks I created a list that matches the current rule stub. Attached here. It works with custom area. Sorcerer's code file -->> textrules2.txt
  • Suricata log limits not respected

    8
    0 Votes
    8 Posts
    2k Views
    bmeeksB
Try updating to the latest pfSense version and the latest Suricata package. pfSense CE is now on version 2.7.0 and the Suricata package is at version 6.0.13. There have been several changes in Suricata since the version you have. You can't update to the latest Suricata package without first updating pfSense to 2.7.0.
  • suricata logs killing my system

    2
    0 Votes
    2 Posts
    335 Views
    U
Maybe (if this is still an issue for you) you want to join this discussion. The discussion is quite old but I've added my concerns today anyway.
  • 0 Votes
    4 Posts
    857 Views
    JonathanLeeJ
Never does not work any longer; it changed overnight to 5 mins for some reason, memory use I suspect. [image: 1696917524646-screenshot-2023-10-09-at-10.57.43-pm-resized.png] Before [image: 1696917515159-screenshot-2023-10-09-at-10.58.08-pm-resized.png] After
  • Suricata custom ruleset downloaded but not used

    suricata ids ips
    4
    0 Votes
    4 Posts
    885 Views
    bmeeksB
    Here is a link to the generic pfSense documentation for the IDS/IPS packages (Snort and Suricata): https://docs.netgate.com/pfsense/en/latest/packages/snort/index.html. Because those two packages share so much common GUI code, the way they operate is extraordinarily similar. That point is noted in the documentation linked above. Just be aware that Suricata (and Snort) on pfSense runs a customized binary with a special output plugin compiled in for Legacy Mode Blocking. Also, the GUI in pfSense does everything "behind the scenes" that a user would normally do via command-line editing of configuration files on other Linux or FreeBSD distros. So, many of the online guides you might find for configuring Suricata have limited usefulness on pfSense (at least in terms of providing specific steps to achieve some particular configuration) because they refer you to direct file edits. Those don't work on pfSense because the GUI code rewrites all the local configuration files each time you save a change in the GUI or start the binary. Thus any hand-edits you may have made will be immediately lost. At best these online generic Suricata guides can give you the overall concept, but then you need to find how some feature is implemented within the package GUI on pfSense. Posting specific questions back to this forum is a great way to get help and learn to use the package. There are quite a few Snort and Suricata users on pfSense. There are also some pinned Sticky Posts at the top of this sub-forum describing how to use certain features of both packages. Remember that anything you see posted for Snort operation likely applies about the same to Suricata. There are some differences, but the overall workflow of the GUI is the same in both IDS/IPS packages.
  • Snort 4.1.6_7 crash report / Problems force-disabling rules

    15
    0 Votes
    15 Posts
    2k Views
    J
    @bmeeks Verified that it's working perfectly on 4.1.6_11. Thanks again!
  • 0 Votes
    20 Posts
    3k Views
    JonathanLeeJ
@bmeeks 4.1.6_11, sorry, I had a mix up. I do not know if this has anything to do with the intermittent passlist block issue. I noticed this error shortly after the above screenshots. Thanks for all you do and also for sharing the code above. Fatal error: Uncaught TypeError: fgetcsv(): Argument #1 ($stream) must be of type resource, bool given in /usr/local/www/snort/snort_alerts.php:858 Stack trace: #0 /usr/local/www/snort/snort_alerts.php(858): fgetcsv(false, 1000, ',', '"') #1 {main} thrown in /usr/local/www/snort/snort_alerts.php on line 858 PHP ERROR: Type: 1, File: /usr/local/www/snort/snort_alerts.php, Line: 858, Message: Uncaught TypeError: fgetcsv(): Argument #1 ($stream) must be of type resource, bool given in /usr/local/www/snort/snort_alerts.php:858 Stack trace: #0 /usr/local/www/snort/snort_alerts.php(858): fgetcsv(false, 1000, ',', '"') #1 {main} thrown [image: 1696655723308-screenshot-2023-10-06-at-5.49.45-pm-resized.png] https://redmine.pfsense.org/issues/14850
  • [solved] Suricata resource consumption

    6
    0 Votes
    6 Posts
    902 Views
    Bob.DigB
    @Bob-Dig said in [solved] Suricata resource consumption: It looks like vtnet is supported and proxmox is using that. Will try now. Had no luck with my weak VPS running pfSense in proxmox. I had random disconnects so I switched back to legacy mode.
  • Snort LAN interface assignment

    6
    0 Votes
    6 Posts
    510 Views
    bmeeksB
@JonathanLee said in Snort LAN interface assignment: So should I move it to WAN side because of no access to inline mode? No, not in my view. And Inline Mode or not Inline Mode has zero bearing on where you should run the IDS/IPS. @JonathanLee said in Snort LAN interface assignment: Do you know what official Netgate appliance supports inline mode? Any of their non-Marvell switched ports appliances. Examples include SG-5100, SG-6100, SG-8200, and a few others. Look at the list of netmap compatible devices I posted earlier.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.