• AppID alerts question

    snort appid openappid text rules
    14
    2
    0 Votes
    14 Posts
    3k Views
    JonathanLeeJ
    @michmoor @bmeeks Here is the fully converted appMapping.data as a text file... [image: 1696468187507-screenshot-2023-10-04-at-5.58.46-pm-resized.jpg] The pfSense Snort AppID de-cipher sorcerer's code file: --> textrules.txt Sid range: 1000000 - 1003371. Total 3,371 AppID rules you can use with the custom option. I converted it with a Java program I just made. The message is the same as the AppID match; it makes it easier. Some of the IEEE items are bigger, but they seem to match.
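The conversion described in that post, as an added Python example (it is not the poster's Java program and is not part of the thread). It assumes appMapping.data is tab separated with the numeric app id in column 0 and the app name in column 1, that the OpenAppID text-rule option is `appid:<name>;`, and uses `ip` as the rule protocol; the sample input is constructed. As in the post, `msg` is set to the app name so an alert reads the same as the AppID it matched, and sids are assigned from 1000000 upward.

```python
import re

# Constructed sample in the style of appMapping.data.  Assumption about the
# layout: tab separated, column 0 = numeric app id, column 1 = app name;
# any further columns are ignored.
SAMPLE_APPMAPPING = (
    "# appId\tappName\t(other columns ignored)\n"
    "1\t3pc\t0\t0\n"
    "2\tfacebook\t0\t0\n"
    "3\tfacebook\t0\t0\n"              # duplicate name: emitted once
    "4\tbad name with spaces\t0\t0\n"  # would break rule syntax: skipped
    "\n"
    "5\tssh\t0\t0\n"
)

# Names that can be dropped into a rule body unquoted.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_.+-]+$')
SID_RE = re.compile(r'\bsid:(\d+);')


def parse_appmapping(text):
    """Yield (app_id, app_name) pairs, skipping comments, blanks and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        cols = line.split('\t')
        if len(cols) < 2 or not cols[0].isdigit():
            continue
        yield int(cols[0]), cols[1].strip()


def appid_rules(text, base_sid=1000000, proto='ip'):
    """Build one text rule per unique app name.

    msg is the app name so the alert reads the same as the AppID match.
    Assumed option syntax: appid:<name>;  Returns (rules, skipped).
    """
    rules, skipped, seen = [], [], set()
    sid = base_sid
    for app_id, name in parse_appmapping(text):
        if name in seen:
            continue
        if not SAFE_NAME.match(name):
            skipped.append((app_id, name))
            continue
        seen.add(name)
        rules.append(
            f'alert {proto} any any -> any any '
            f'(msg:"{name}"; appid:{name}; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules, skipped


def summary(rules):
    """First/last sid and rule count, the figures the post quotes."""
    sids = [int(SID_RE.search(r).group(1)) for r in rules]
    if not sids:
        return {'first_sid': None, 'last_sid': None, 'count': 0}
    return {'first_sid': min(sids), 'last_sid': max(sids), 'count': len(sids)}


if __name__ == '__main__':
    rules, skipped = appid_rules(SAMPLE_APPMAPPING)
    with open('textrules.txt', 'w') as fh:
        fh.write('\n'.join(rules) + '\n')
    print(summary(rules), 'skipped:', skipped)
```

Run against the real appMapping.data by reading the file into `appid_rules()`; the `skipped` list tells you which names you would have to quote or rename by hand rather than silently producing a rule Snort will refuse to load.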
  • Speed drops with snort in Inline Mode

    5
    0 Votes
    5 Posts
    951 Views
    AmodinA
    @bmeeks said in Speed drops with snort in Inline Mode: @Amodin said in Speed drops with snort in Inline Mode: Snort is a multi-threaded application as of Snort3. Is that not running in the package? No, the Snort package on pfSense is based on the 2.9.x binary which is single threaded only. There are currently no plans to implement Snort3 on pfSense. Oof, good to know. I might have to try out some Suricata, as I was just reading about the differences in another thread you had posted about them.
  • Unable to install Snort

    9
    0 Votes
    9 Posts
    988 Views
    K
    Hello everyone, I have just reinstalled pfSense again. All the times I installed pfSense I used the UFS mode; I just redid an installation with the ZFS mode and I no longer have the problem... I'll keep my fingers crossed and continue my tests. Thank you all for your participation. I'll check out the difference between these two partitioning modes later.
  • Suppressing an entire ruleset, where the ruleset needs to be enabled

    16
    0 Votes
    16 Posts
    2k Views
    J
    Had a few in-between other activities and came up with this. RE: bonus on ideas - "..things that make you go Hmmmmm....." lol Including if useful to anyone else - this appears to solve the riddle..... Not "pretty" but addresses the need with a few options that can be applied to satisfy some conditions. Could probably be augmented to enable specification of "interface" to further simplify.

#!/usr/local/bin/perl
#
# generate-suppress.pl - emit Snort/Suricata "suppress" entries for every
# "alert ip [...]" rule (the IP-reputation style rules) found in the installed
# rule directories, either to STDOUT, to a fresh target file, or merged into an
# existing threshold.config.
#
use strict;
use warnings;
use Getopt::Long;
use File::Basename qw(basename);

$| = 1;

my ($DEBUG, $INCLUDE, $SEVERITY, $TGTFILE, $MRGFILE);
GetOptions(
    'debug'        => \$DEBUG,
    'include=s'    => \$INCLUDE,
    'severity=s'   => \$SEVERITY,
    'targetfile=s' => \$TGTFILE,
    'mergefile=s'  => \$MRGFILE,
) or die "Usage: $0 [--debug] [--include=a,b] [--severity=Major|Minor] [--targetfile=F | --mergefile=F]\n";
$DEBUG = $DEBUG ? 1 : 0;

# Rule categories (file basename without .rules) to restrict the scan to;
# an empty list means every .rules file found.
my %INCS = map { $_ => 0 } split(/,/, $INCLUDE // '');

my @DIRS = ('/usr/local/share/suricata/rules', '/usr/local/etc/snort/rules');

# $HASH{gid}{sid} = { msg => ..., file => ... }
my %HASH;

foreach my $RDIR (@DIRS) {
    opendir(my $DH, $RDIR) or next;    # directory is absent when only one package is installed
    foreach my $FILE (sort readdir($DH)) {
        next unless $FILE =~ /\.rules$/;
        (my $CHECK = $FILE) =~ s/\.rules$//;
        procFile("$RDIR/$FILE") if (!%INCS || exists $INCS{$CHECK});
    }
    closedir($DH);
}

# Merge mode: read the existing file and drop every gid/sid it already suppresses.
if (defined $MRGFILE && -e $MRGFILE) {
    open(my $INF, '<', $MRGFILE) or die "ERROR: $MRGFILE: $!\n";
    while (my $LINE = <$INF>) {
        chomp $LINE;
        next if $LINE =~ /^\s*(#|$)/;
        if ($LINE =~ /^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)/) {
            delete $HASH{$1}{$2} if exists $HASH{$1};
        }
    }
    close($INF);
}

# Output handle: --targetfile overwrites, --mergefile appends, otherwise STDOUT.
# Note "or die" rather than "|| die": "||" binds to the filename string, so a
# failed open would never reach the die.
my $OUT;
if (defined $TGTFILE) {
    open($OUT, '>', $TGTFILE) or die "ERROR: $TGTFILE: $!\n";
} elsif (defined $MRGFILE) {
    open($OUT, '>>', $MRGFILE) or die "ERROR: $MRGFILE: $!\n";
    print $OUT "\n";    # never glue our first entry onto an unterminated last line
} else {
    $OUT = \*STDOUT;
}

foreach my $GID (sort { $a <=> $b } keys %HASH) {
    foreach my $SID (sort { $a <=> $b } keys %{ $HASH{$GID} }) {
        my $MSG  = $HASH{$GID}{$SID}{msg};
        my $FILE = $HASH{$GID}{$SID}{file};
        print $OUT "# ($FILE) $MSG\nsuppress gen_id $GID, sig_id $SID\n\n";
    }
}
close($OUT) if (defined $TGTFILE || defined $MRGFILE);

# Entries are only ever appended.  Rewriting the whole merge file afterwards
# (for example stripping every newline and re-inserting them before "#" and
# "suppress" to tidy the spacing) would fuse any other threshold.config
# entries such as event_filter or rate_filter onto the preceding line, so no
# post-processing pass is done.

# Pull sid, msg and signature_severity out of every "alert ip [...]" rule.
sub procFile {
    my ($FILE) = @_;
    print "\tFILE : $FILE\n" if $DEBUG;
    (my $F = basename($FILE)) =~ s/\.rules$//;

    open(my $INF, '<', $FILE) or do { warn "WARN: $FILE: $!\n"; return; };
    while (my $LINE = <$INF>) {
        chomp $LINE;
        next unless $LINE =~ /^alert ip \[/;
        my ($SID) = $LINE =~ /\bsid\s*:\s*(\d+)\s*;/;
        next unless defined $SID;
        my ($MSG) = $LINE =~ /\bmsg\s*:\s*"([^"]*)"/;
        my ($SEV) = $LINE =~ /\bsignature_severity\s+(\w+)/;
        $MSG //= '';
        $SEV //= '';
        print "\t\t1 : $SID : $F : $SEV\n" if $DEBUG;
        # --severity keeps only rules whose metadata severity matches exactly.
        next if (defined $SEVERITY && $SEV ne $SEVERITY);
        $HASH{1}{$SID} = { msg => $MSG, file => $F };    # gen_id 1 = text rules
    }
    close($INF);
    return;
}

__END__

=head1 NAME

generate-suppress.pl

=head1 SYNOPSIS

generate-suppress.pl [--debug] [--include=<include>] [--severity=<severity>] [--targetfile=<targetfile>] [--mergefile=<mergefile>]

=head1 DESCRIPTION

Generates suppression data from source rules for "alert ip" style entries.

=head1 FUNCTION

Insert or merge "alert ip" suppression data for Snort/Suricata.

=head1 OPTIONS

=over

=item <debug>

Enables debugging output.

=item <include>

Specifies which rule file(s) to include in the resultant data. Comma separated, B<NO> spaces.

=item <severity>

Filter resultant rules to only those that match severity. (As of creation, appears to be either "Major" or "Minor".)

=item <targetfile>

If the target file exists, it B<WILL> be overwritten with the results.

=item <mergefile>

If the mergefile already exists, it will be read and only [missing] deltas will be added.

=item NOTE

If neither targetfile nor mergefile are specified, the results are printed to STDOUT.

=back

=head1 COMMON USAGE

perl generate-suppress.pl --mergefile=/usr/local/etc/suricata/suricata_<ID>_<interface>/threshold.config

=cut
  • how to exempt one host on LAN from Snort filtering

    7
    0 Votes
    7 Posts
    1k Views
    W
    @NollipfSense hi, that would be a way, or like we mentioned, put it in another VLAN. Well, VLAN does not work as well as the DMZ you suggested, but that was the idea if going that route. However, we are trying to assess if the app that is running on the particular host can be safely released to the "general population". Or what will be the minimum suppression rules we can get away with in order for it to run properly? Or what kind of compromise we need to make in order to run the app on this host? The exercise will give us an idea of whether a new network/interface, like a DMZ, setup will be absolutely required. Along the way, I also learnt quite a bit about how Snort works and what good practices are. Cheers and thanks for the suggestion. W
  • Wan Down

    4
    0 Votes
    4 Posts
    755 Views
    bmeeksB
    @andersondeda said in Wan Down: I confess that I have difficulty finding supporting documentation, I feel the need to know the purpose of all these options. I agree that the documentation for many of Suricata's internal settings is a bit opaque at times. But the upstream team does have a goal of improving the documentation. The official docs site has a sub-section for each Suricata version. Here is the link to the version for 6.0.13 (which is current in pfSense 2.7.0 right now): https://docs.suricata.io/en/suricata-6.0.13/. Some details about the Stream Engine settings can be found here: https://docs.suricata.io/en/suricata-6.0.13/configuration/suricata-yaml.html#stream-engine. A quick and dirty explanation is that TCP Stream Memory is used to buffer packets associated with a specific TCP flow and reassemble them into a contiguous block that the signature comparison engine can process to look for matches to rules. Because multiple CPU cores means multiple threads, with each thread needing its own separate TCP stream reassembly area, the amount of needed RAM increases quickly as the CPU core count increases.
  • Snort log priority setting

    3
    0 Votes
    3 Posts
    587 Views
    S
    @bmeeks How did I miss that? Thanks very much.
  • Snort Alert Disable NAT

    snort nat alert
    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB
    You can't. Snort sits between the physical NIC and the kernel network stack before the firewall engine. So, when you run Snort (or Suricata for that matter) on the WAN, it only sees local traffic after NAT has been applied for outbound traffic, and before NAT is undone for inbound traffic. Here are two diagrams that show how the IDS/IPS packages are plumbed into the network. This is an operating system thing and not anything the packages can alter. [image: 1693708940727-ids-ips-network-flow-legacy-mode.png] [image: 1693708951447-ids-ips-network-flow-ips-mode.png] This is why I have been recommending for the last few years that users put the IDS/IPS on internal interfaces. You should do the same. There is no point in having it on the WAN. IDS/IPS is not for protecting the firewall. It's for protecting the hosts behind the firewall. If you need IDS/IPS for your firewall itself, then you really need a new firewall. Running it on the LAN would eliminate your issue of NAT hiding local IP addresses. When running on the LAN, all traffic going to or coming from local hosts would have to pass through the IDS/IPS. And one last note. Without MITM breaking of encryption, IDS/IPS on the firewall is severely limited in what it can accomplish these days because nearly 100% of network traffic is encrypted. The IDS/IPS can't peer into any of the payloads for SSL traffic. That means zero payload inspection of HTTPS, DoT, DoH, SMTPS, IMAPS, and POP3S for starters. That's nearly all of the web traffic, potentially all of the DNS traffic (if you use DoT), and pretty much all email traffic bypassing inspection. Intrusion Detection is rapidly becoming something best done on the local destination host itself and not on intermediate network devices.
  • Investigating an intrusion with fake logs

    14
    0 Votes
    14 Posts
    2k Views
    stephenw10S
    Yup that^. Keep it civil please. I will add that if you're running Snort on WAN you're going to see a lot of hits. Generally unless you are forwarding traffic to internal services they are not really useful. Steve
  • Crash Report

    2
    0 Votes
    2 Posts
    352 Views
    bmeeksB
    Whatever log file you are trying to open and view has now grown too large. There is a finite system limit on RAM that is allocated to a PHP process. I believe that limit is currently 512 MB. You will need to view that log using a tool outside of the Suricata GUI so that PHP is bypassed. You also need to verify that automatic log management is enabled on the LOGS MGMT tab and that you have not configured any large log file size limits.
  • How to reset Number of blocked entries to view setting of suricata

    3
    0 Votes
    3 Posts
    481 Views
    S
    @meocon At the console you can restore an earlier config: https://docs.netgate.com/pfsense/en/latest/backup/restore.html#console-configuration-history
  • Port Alias for Suricata variables

    3
    0 Votes
    3 Posts
    640 Views
    bmeeksB
    I doubt negation is what you want. That means every other port EXCEPT 1521 would be considered an Oracle Port. Negation literally means "not 1521, so it is an Oracle Port". Usually that broad of a range is not desired. In your case, create a pfSense firewall alias containing the needed port or ports, and assign it to the ORACLE_PORTS variable on the VARS tab.
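An added example, not from the thread and not pfSense or Suricata code, that models Suricata port-variable semantics so the negation point above can be checked rather than guessed. It evaluates single ports, ranges, bracketed lists and `!` negation into the set of ports an expression covers; `!1521` resolves to every port except 1521, which is why it is the wrong value for ORACLE_PORTS. Treating a list that contains only negated items as "every port except those" is this model's assumption, as is the handling of open-ended ranges like `1024:`.

```python
# Every TCP/UDP port number; port expressions are resolved to subsets of this.
ALL_PORTS = frozenset(range(65536))


def _split_top_level(s):
    """Split a list body on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]


def _port(token):
    value = int(token)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {token}")
    return value


def port_set(expr):
    """Resolve a Suricata-style port expression to a frozenset of ports.

    Supported: N, lo:hi, lo:, :hi, any, [a,b,...] with nesting, and a
    leading '!' on any item.  Inside a list, positive items are unioned and
    negated items are removed; a list with only negated items is taken to
    mean "all ports except" (model assumption).
    """
    expr = expr.strip()
    if not expr:
        raise ValueError("empty port expression")
    if expr.startswith('!'):
        return ALL_PORTS - port_set(expr[1:])
    if expr.startswith('['):
        if not expr.endswith(']'):
            raise ValueError(f"unbalanced list: {expr}")
        positive, negated = set(), set()
        for item in _split_top_level(expr[1:-1]):
            if item.startswith('!'):
                negated |= port_set(item[1:])
            else:
                positive |= port_set(item)
        base = positive if positive else set(ALL_PORTS)
        return frozenset(base - negated)
    if expr.lower() == 'any':
        return ALL_PORTS
    if ':' in expr:
        lo, hi = expr.split(':', 1)
        lo = _port(lo) if lo else 0
        hi = _port(hi) if hi else 65535
        if lo > hi:
            raise ValueError(f"inverted range: {expr}")
        return frozenset(range(lo, hi + 1))
    return frozenset({_port(expr)})


def describe(expr, probe=1521):
    """How many ports an expression covers and whether `probe` is one of them."""
    ports = port_set(expr)
    return {'expr': expr, 'size': len(ports), 'matches_probe': probe in ports}


if __name__ == '__main__':
    for candidate in ('1521', '[1521,1522]', '!1521'):
        print(describe(candidate))
```

`describe('!1521')` reports 65535 ports with 1521 excluded, while `describe('[1521,1522]')` reports exactly the two ports you meant; the same check applies to any variable on the VARS tab before you bind an alias to it.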
  • Snort security issue bug within TCP/UDP scan detection blocking tool

    6
    0 Votes
    6 Posts
    935 Views
    bmeeksB
    @michmoor said in Snort security issue bug within TCP/UDP scan detection blocking tool: @bmeeks what do the multiple preprocessors do? http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html. https://www.informit.com/articles/article.aspx?p=101148&seqNum=2. https://www.oreilly.com/library/view/snort-cookbook/0596007914/ch04.html. https://www.google.com/search?q=snort+preprocessors.
  • Snort Crash when using Max-Detect

    4
    0 Votes
    4 Posts
    581 Views
    bmeeksB
    Did you have any other Rule Categories selected on the CATEGORIES tab when you chose the IPS Policy? The logic on that tab allows you to also choose any other enabled rules archives you have enabled such as Emerging Threats. I think it will also allow you to select OpenAppID rules. When you choose an IPS Policy, only additional Snort VRT rule categories are grayed-out. I can test again in the event the number of published Snort rules has grown considerably, but I believe it will successfully load up the Max Detect policy rules so long as no other categories are enabled at the same time. It could be the combination of the policy selected rules added to say Emerging Threats rules that pushes it over the limit. By the way, there is a Feature Request that has just been merged into the 2.8 CE snapshots branch (and Plus 23.09) to allow user selection of the PHP process memory limit. That Redmine request is here: https://redmine.pfsense.org/issues/13377. It will allow the admin to override the default PHP memory limit and increase it up to the limit of free RAM. Just to be sure you understand, Snort IPS Policies are created and published by the Snort developer team. They work by using special embedded metadata in the Snort VRT rules that assigns a given rule to one or more IPS policies. This metadata is not present in Emerging Threats nor any other rules package. The PHP code reads this metadata tag from Snort VRT rules and uses it to "pick" the rules to automatically enable for a chosen policy. Because the chosen IPS Policy is what selects the rules to enable, the Snort VRT rule categories are automatically grayed-out when a policy is selected.
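The policy-selection mechanism described above, as an added Python example (this is not the pfSense package's PHP code and not part of the thread): it reads the `metadata:policy <name> <action>` tags that Snort VRT rules carry, selects the rules that belong to a chosen IPS policy, and reports rules with no policy tag at all, which is why an Emerging Threats rule can never be enabled by a policy and has to be picked by category. The four rules in the sample are constructed for illustration, not real signatures; the policy names are the four Snort policies (connectivity, balanced, security, max-detect).

```python
import re

# Constructed sample: three VRT-style rules with policy metadata (two of them
# shipped disabled with a leading "#", as the downloaded files are) and one
# ET-style rule whose metadata carries no policy tag.  Not real signatures.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb probe"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE http noisy check"; flow:to_server,established; content:"/probe"; http_uri; metadata:policy max-detect-ips alert, service http; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE connectivity-level"; flow:to_server,established; content:"AAAA"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop; sid:1000003; rev:1;)
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE ET-style IP block"; reference:url,example.invalid; metadata:signature_severity Major, created_at 2023_10_01; sid:2000001; rev:1;)
"""

POLICIES = ('connectivity-ips', 'balanced-ips', 'security-ips', 'max-detect-ips')

META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
POLICY_RE = re.compile(r'\bpolicy\s+([a-z-]+-ips)\s+(alert|drop)\b')
ACTION_RE = re.compile(r'^(alert|drop|pass|log|reject|sdrop)\b')


def parse_rule(line):
    """Return (sid, enabled, action, {policy: action}, body) or None.

    A line starting with "#" is a disabled rule only if a rule action follows
    the "#"; anything else is treated as a plain comment.
    """
    raw = line.strip()
    if not raw:
        return None
    enabled = not raw.startswith('#')
    body = raw.lstrip('#').strip()
    if not ACTION_RE.match(body):
        return None
    sid = SID_RE.search(body)
    if not sid:
        return None
    policies = {}
    meta = META_RE.search(body)
    if meta:
        policies = {name: action for name, action in POLICY_RE.findall(meta.group(1))}
    return int(sid.group(1)), enabled, body.split()[0], policies, body


def select_for_policy(text, policy):
    """Map sid -> action for every rule the chosen policy enables.

    Disabled ("#") rules are included: choosing a policy is what turns them
    on, independent of how they shipped.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown IPS policy: {policy}")
    chosen = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, _enabled, _action, policies, _body = parsed
        if policy in policies:
            chosen[sid] = policies[policy]
    return chosen


def rules_without_policy(text):
    """Sids of rules carrying no policy tag; no IPS policy can select these."""
    out = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is not None and not parsed[3]:
            out.append(parsed[0])
    return sorted(out)


if __name__ == '__main__':
    for name in POLICIES:
        print(f"{name:18s} -> {select_for_policy(SAMPLE_RULES, name)}")
    print("no policy tag     ->", rules_without_policy(SAMPLE_RULES))
```

Running it over a real `snort-snapshot` rules directory gives the per-policy rule count directly, which is the number that matters when you are trying to work out whether max-detect plus extra categories is what pushes the rule load past the PHP memory limit.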
  • various snort proccess

    3
    0 Votes
    3 Posts
    462 Views
    L
    @bmeeks thanks for pointing me in the right direction!
  • 0 Votes
    9 Posts
    1k Views
    NogBadTheBadN
    @Bob-Dig It was an example of how it could been done.
  • Crash report details: PHP Errors

    Moved
    3
    0 Votes
    3 Posts
    491 Views
    bmeeksB
    Something is wrong with the alerts.log file for that interface. There should never be a NULL value in that file. It is impossible to have an alert line generated in that file without a corresponding timestamp entry for that alert. The file has gotten corrupted. You will need to delete that corrupt file. A reinstall will not fix the issue unless you check the option to remove all logs when uninstalling/reinstalling.
  • newbie question - snort rule not applying ?

    8
    3
    0 Votes
    8 Posts
    595 Views
    B
    Hi @bmeeks!! Thank you for the comment, I have a better understanding of how Snort works on pfSense. I could review my traffic a bit and I have my stuff working perfectly now :) Thanks for all your replies
  • Information to block teamviewer, logmein or Anydesk on pfsense snort

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.