• Snort Inline - Horrible Performance?

    0 Votes
    6 Posts
    623 Views
    L
    @bmeeks Yah, was running version 6.0.4_1 but I'll dig some more into the NIC and iflib stuff and see if there is a known incompatibility or other issue that I might have missed. Just for posterity currently running the following firmware on the X710 NIC: sysctl dev.ixl.1.fw_version dev.ixl.1.fw_version: fw 8.1.63299 api 1.12 nvm 8.10 etid 800093ea oem 1.267.0
  • Snort Search Method Differences

    0 Votes
    5 Posts
    2k Views
    JonathanLee
    @steveits I love multi threading, I have been researching this with Java for some time now with the university, but it's not fully taught, so I get hints from the Professor and book recommendations, and a lot of trial and error. I have a couple of binary search methods that split the lists between different threads and cores to help aid in searching. It's amazing to see it work. The concurrent threads do cause confusion; again, the CyclicBarrier class helps with making the threads run at exactly the same time, or the use of volatile variables helps for multiple objects that pass in variables in the method headers. Again, that is Java, not Python. Python has to have something also. Thanks for the reply.
  • Signal iPhone App Not Receiving Incoming Texts

    Moved
    0 Votes
    6 Posts
    831 Views
    N
    As a side note, I just tried to add a dropped entry into the Suppress list and when clicking the + button, it's not adding the entry. It used to work but now it doesn't. Odd. [image: 1668018125737-gid-sid.png]
  • Suricata 6.0.4_1 - problem under legacy IPS mode

    0 Votes
    5 Posts
    629 Views
    bmeeks
    Unless you have open and forwarded ports on your firewall, it is going to drop all unsolicited inbound traffic anyway. So, really Suricata is not doing anything worthwhile running on the WAN (unless you do have open and forwarded inbound ports on the WAN). One big issue when it runs on the WAN is that it sees outbound traffic after NAT has been applied, and it sees inbound traffic before NAT is unwound. So, you can never see what internal host (on the LAN, for example) is participating in the conversation. But when you run Suricata on the LAN, then it sees the real native host IP address and the alert logs will show both the local internal host's IP address as well as that of the external participant in the traffic. So, much easier to see what internal hosts may have issues when you run Suricata on the LAN. This diagram illustrates what I mean. This is how traffic flows with Suricata running in Legacy Blocking Mode. Suricata gets a copy of every packet, examines that packet, and then determines if it should signal a block. But notice the firewall gets the original packet. So, if the firewall drops it anyway due to the default rule dropping unsolicited inbound traffic, there is no point in having Suricata issue a second block for the same traffic. [image: 1667867146015-ids-ips-network-flow-legacy-mode.png]
  • Suricata Home/External Net - HOW do you make the External list???

    0 Votes
    4 Posts
    2k Views
    bmeeks
    @mrpete said in Suricata Home/External Net - HOW do you make the External list???: @bmeeks THANKS! I do want it to be an exact negation. HAH. THANK YOU. Bad assumption on my part (I assumed "default" meant "default Home Net" in both places!) Simple suggestion: modify the External Net dropdown... something like: from: "default" to: "default: negate selected Home Net" Just to be clear, when you set it to "default" that does in fact result in EXTERNAL_NET being an exact one-for-one negation of each entry in HOME_NET. So if you customize HOME_NET to something else other than the default values, then EXTERNAL_NET will follow automatically so long as it remains set for "default". But I can do a better job of explaining that in the help note underneath the drop-down selector.
  • 0 Votes
    6 Posts
    448 Views
    bmeeks
    Pure speculation here, but there was a patch submitted to FreeBSD upstream that fixed an issue where the traffic counters would not register at all when a netmap device was in use. That caused the counters to always show zero traffic. A fix for that was submitted to FreeBSD upstream by, I believe, the OPNsense team. That fix then made its way into pfSense with a recent base OS update. Maybe the fix has a side-effect for emulation mode operation? Might be something you want to report upstream in FreeBSD. But it may be specific to your particular setup with Proxmox. Maybe other Proxmox users with a pfSense VM can chime in here.
  • (Snort) swap_pager_getswapspace(13): failed

    0 Votes
    11 Posts
    1k Views
    R
    @bmeeks We do a lot of work for [unnamed] clients who highly value the security of their information. My consultants are very attuned to those requirements, so I have little concern about their device healthcare. We have very few other visitors, so I didn't pay much attention to who was on the wifi until I discovered that the janitorial service phones were connecting. Now we have a separate guest wifi, direct to Internet on a separate circuit. pfSense seems much happier since I took Snort off the WAN and cut back severely on the rulesets being used on the LANs. My wife works for one of those companies that provides the hardware and controls the software. They're still running Win7! They offered to put their access software on her phone, but she would have to sign a document that basically gave them ownership of the phone. Hah! I, too, think the current Windows Defender does a pretty good job. We happen to have a long term subscription for Malwarebytes, so we stick with it, at least for now. The Linux boxes run ClamAV. None of those are exposed outside the firewall. Thank you, again, and SteveITS. You saved me a lot of wasted time and a significant addition to my collection of gray hairs! Rog
  • Exempt IPSEC Traffic Suricata

    0 Votes
    17 Posts
    2k Views
    O
    @bmeeks I think I found it! So I waited until it blocked it again. Then I searched the snort2c list and found the remote IP of the server. So I confirmed it was getting blocked. Then I searched the alerts, but I increased the list count to 5000 instead of 500 and turned off auto-refresh. Then I found this new alert: #SURICATA HTTP URI terminated by non-compliant character suppress gen_id 1, sig_id 2221029 So I suppressed that one, removed the IP in the snort2c table, and the camera came back up! So now, I just have to see if it holds! I will set the firewall back up to allow that IP and see if it makes a difference since I don't think changing it to the alias with all their IPs made a difference. Thanks for the patient help on this! Here is the site with the camera: Lovington Weather
  • Suricata LAN interface Inline IPS Mode with native netmap.

    0 Votes
    3 Posts
    754 Views
    L
    Hi, I need to know why, when I use Suricata on pfSense, configure IPS mode and load rules on an interface, starting Suricata on that interface blocks my web access and I get ERROR 502 Bad Gateway.
  • snort/suricata

    0 Votes
    1 Posts
    280 Views
    No one has replied
  • 0 Votes
    2 Posts
    3k Views
    bmeeks
    There is an option to send Suricata alerts to syslog (the pfSense system log). There is no direct remote syslog option within Suricata itself. The upstream package does not support that either, best I recall. But you can configure pfSense to send its logs to a remote syslog server. However, syslog on pfSense will, by default, truncate all messages to a max of 480 bytes. That is usually not big enough to fully capture payload info. Most users that are serious about obtaining logging data from Suricata stand up an ELK or Graylog setup on a third host. Then they configure Suricata to log to EVE JSON format and use a third-party process to export those logs off the pfSense box to a remote host, something like the filebeat package on FreeBSD. Here are some examples: https://www.diaryfolio.com/2020/07/elastic-beats-on-pfsense-installation.html, https://docs.logz.io/shipping/security-sources/pfsense.html, https://psychogun.github.io/docs/linux/ELK-stack-on-Ubuntu-with-pfSense/. There are many other examples available if you search Google with "filebeat pfSense" or "elk pfSense", etc.
  • Snort free Registered rules MDS fail

    0 Votes
    34 Posts
    2k Views
    andrzejls
    @johnpoz, @bmeeks Update: Yesterday I replaced the Realtek NICs with a dual-NIC PCI-E card with an Intel 82576 chip, unchecked "Hardware Checksum Offloading" and rebooted the system as required. Overnight Snort downloaded and successfully updated the Registered rules. So, I think this issue is resolved. I want to thank you both for your help.
  • custom rules to block TLDs

    0 Votes
    2 Posts
    493 Views
    bmeeks
    On pfSense, NEVER directly edit anything at the command-line. All configuration files are recreated from scratch each time Suricata is started or restarted within the GUI. pfSense packages store all of their configuration information inside a custom XML file and then write it out to any required *.conf or *.yaml files when starting. So any edits you make will be immediately overwritten. You can easily add your own custom rules by going to the RULES tab for the interface, selecting Custom Rules in the Category drop-down, and then typing your rule in the text box. Click Save when done. SIDs (signature IDs) must never be duplicated. Most folks start their custom rule SIDs up around 1 million to be sure they are out of scope of any commercial rules. So, start your SIDs with 1000xxx and you should be good.
  • received logs

    0 Votes
    2 Posts
    405 Views
    NogBadTheBad
    @ezvink Send the logs to a syslog server.
  • how to get IP Attacker into the blocklist

    0 Votes
    50 Posts
    10k Views
    Gertjan
    @ezvink Before attacking, first finish the basic setup. I mean, this: [image: 1664533710292-280752bf-fc28-46a5-9ebc-57bf45fe5329-image.png] is not done any more. HTTP over port 80 is something of the past, as all traffic passes very visibly over the internet. That's the opposite of 'security'. Google, for example, won't index HTTP sites any more. Browsers start to show warnings when HTTP is used. The solution was found a decade ago: use HTTPS over port 443. So, add a new NAT rule, same settings as the "port 80 rule", but now you use port 443. And do not forget to tell apache2 that it should listen on port 443 also. And consider disabling port 80 (HTTP) functionality altogether - and if you do, ditch the port 80 pfSense NAT rule. When done, you can start thinking about 'security'. One of the best starting points would be: leave the /var/www/html/ folder empty, just keep the index.html file and don't edit it. Do not install "PHP" (Java, whatever), as this would open up a whole new set of angles of attack.
  • Drop Packets instead of block src/dst?

    0 Votes
    4 Posts
    1k Views
    Suricata_Cap
    @bmeeks Thanks for your help, this is very helpful, appreciate it!
  • Problem to detect internal portscan to firewall LAN IP

    0 Votes
    3 Posts
    731 Views
    H
    Thank you. Have a nice weekend
  • Swap out of space PfSense with Suricata

    0 Votes
    4 Posts
    833 Views
    bmeeks
    Suricata can use a lot of RAM, but it usually does not give it back too readily. So, I'm a bit puzzled that you say the Dashboard shows 10% of RAM in use. I would expect that to be quite a bit higher -- and even more so with evidence of swap usage. You can increase the size of swap space, but when your box resorts to using any swap space your performance is totally in the toilet at that point. Swap is super slow. Using swap means there is not enough active RAM to hold everything that is executing, so areas of RAM associated with currently sleeping processes are written out to disk. Then, when the current process sleeps, its data is written out to disk and the previously written data is read back into RAM for use by the former sleeping process when it becomes active. This is a highly inefficient (and very slow) process for multitasking and your performance tanks. So you almost never want to use swap.
  • Suricata Configuration for Home Use

    0 Votes
    11 Posts
    18k Views
    ?
    For home usage you should split services:
    SquidGuard with blacklists: blocks much more than I was expecting.
    Snort with an Oink Code: free. Several books from Amazon are available to get in closer touch with it.
    pfBlocker-NG with I-Blocklist: for ~10 € a year.
    You might be really well sorted with many of them. In short, if you sort the things to do over more than one pfSense package, you will often get a better service out of it for you or your company itself! If you were reading something about IDS/IPS, it makes more sense to come back and ask about this or that function, about a problem and more points. You may think that the books are outdated, old and whatever, but for getting an overview of how it works and more, it makes you then also install only one rule, edit it and see for three months how many false positives you got, and then you will start the second rule once more for, let us say, three months and so on. What is the right mode for you, what are the most attacks you may be confronted with, what do you want to secure and why. You may also set up Squid & SquidGuard as a caching proxy in front of your LAN and lightSquid as a reverse proxy in front of your DMZ with the servers to get a better "not in contact directly with the internet" state of your network. Setting up public IPs directly on pfSense is one more point. Security is not one point and all is fine for you, and IDS/IPS is not a set-it-up-and-forget-it service.
    Book: (Amazon) IDS: Intrusion Detection (trace search in the net) ~5 €. Install TCPDump or WireShark and collect data and packets from your network, learn what is written in these packets, what the meaning of the numbers is, and so on.
    Books: (Amazon) Network Intrusion Detection; Snort 2.0 Intrusion Detection; Snort Primer: A FAQ Based Introduction; Managing Security with Snort and IDS Tools. Then, after you know this, you will be setting up IDS/IPS and you only insert one rule after another and edit them so that they match your network and your situation. After you get a problem, @bmeeks might be better able to help you, without doing an IDS/IPS basics course with you.
  • Any way to show reverse lookups in alerts Suricata??

    0 Votes
    2 Posts
    353 Views
    bmeeks
    No, that feature is not available. One problem with implementing it is literal horizontal space on the web page. There is a finite amount of "width" available. So some compromises are needed to fit everything within the table without resorting to scrolling horizontally forever to see something. There has also not been a large demand for that feature. To the best of my recollection, you are the second user to ask about it in the history of the package.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.