• How to detect and block slow intensity attack

    0 Votes
    1 Posts
    344 Views
    No one has replied
  • Suricata not blocking - in blocking mode

    0 Votes
    2 Posts
    570 Views
    bmeeks

    @michmoor:
    So these are the alerts from the scan?

    If you are using Inline IPS Mode, then the rule is set to ALERT only according to the screenshot.

    If using Legacy Blocking Mode, then most likely your LAN and DMZ are both in the default Pass List and won't be blocked. The default Pass List includes all locally-attached networks on the firewall (except the WAN).

  • AWS pfSense pfBlockerNG Suricata

    0 Votes
    1 Posts
    451 Views
    No one has replied
  • Adding my own Snort rules to custom.rules via command line

    0 Votes
    2 Posts
    706 Views
    bmeeks

    There is nothing to do unless you want to modify the Snort section of the config.xml file on the firewall and stuff the custom rules in there as Base64 encoded text. The package always rewrites its configuration files from scratch each time the binary is started or restarted. Any customizations you make at the OS level are overwritten as you observed.

    The package is not designed for CLI interoperability. It has a GUI interface. If you want a pure CLI interoperable Snort installation, then abandon the pfSense GUI package and install the binary Snort package and do all the configuration by hand via the command-line.
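
The config.xml round trip described above, as an added example that is not the Snort package's own code. It assumes each interface's custom rules live Base64-encoded in a `<customrules>` element under `<snortglobal>/<rule>` (an assumption about the package layout); the sample config and the rules are constructed. On a real box, back up /cf/conf/config.xml, stop Snort, write the new file, and restart the package from the GUI so it regenerates its rule files from the edited config.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant slice of config.xml. The <customrules>
# element under <snortglobal>/<rule> is an assumption about the package layout.
EXISTING_RULE = 'alert icmp any any -> $HOME_NET any (msg:"CUSTOM ICMP"; sid:1000001; rev:1;)'
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <snortglobal>
    <rule>
      <interface>em0</interface>
      <customrules>{base64.b64encode(EXISTING_RULE.encode()).decode()}</customrules>
    </rule>
  </snortglobal>
</pfsense>
""".encode()

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _iface_node(root, iface):
    """Find the per-interface <rule> block whose <interface> matches."""
    for node in root.iter("rule"):
        if node.findtext("interface") == iface:
            return node
    raise KeyError(f"no Snort interface {iface!r} in config")


def read_custom_rules(xml_bytes, iface):
    """Decode one interface's Base64 custom rules into a list of rule lines."""
    node = _iface_node(ET.fromstring(xml_bytes), iface)
    blob = (node.findtext("customrules") or "").strip()
    text = base64.b64decode(blob).decode() if blob else ""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def add_custom_rule(xml_bytes, iface, rule):
    """Return new config bytes with `rule` appended to `iface`'s custom rules.

    A rule whose SID is already present is not added a second time, so SIDs
    stay unique within the interface's custom rules as Snort expects.
    """
    match = SID_RE.search(rule)
    if not match:
        raise ValueError("rule has no sid: option")
    root = ET.fromstring(xml_bytes)
    node = _iface_node(root, iface)
    rules = read_custom_rules(xml_bytes, iface)
    present = {m.group(1) for m in map(SID_RE.search, rules) if m}
    if match.group(1) not in present:
        rules.append(rule.strip())
    cr = node.find("customrules")
    if cr is None:
        cr = ET.SubElement(node, "customrules")
    cr.text = base64.b64encode("\n".join(rules).encode()).decode()
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
```

ElementTree rewrites the whole document, so run the result through a diff against the original before copying it over the live file.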

  • Snort/Suricata cannot detect alert

    0 Votes
    5 Posts
    764 Views
    NogBadTheBad

    Run the following from the pfSense command line:

    logger -h 172.16.2.10 -P 514 TEST

    172.16.2.10 = syslog server

    514 = syslog server port

    Do the times match?
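
The check behind that test, as an added example rather than anything from the thread: a small UDP receiver that parses the BSD syslog datagram FreeBSD's `logger` produces and reports how far the sender's timestamp is from the receiver's clock. The sample datagrams and the receiver time `RECEIVED_AT` are constructed; `serve()` is the live version and binds a high port by default, so pass the same port with `-P` on the pfSense side.

```python
import re
import socket
from datetime import datetime

# RFC 3164 BSD syslog as logger(1) emits it: <PRI>MMM dd HH:MM:SS host tag: msg
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed datagrams, as `logger -h <server> -P 514 TEST` on pfSense might send,
# and the constructed receiver clock they are checked against.
SAMPLES = [
    b"<13>Jul 16 08:21:47 pfSense root: TEST",   # in sync with the receiver
    b"<13>Jul 16 05:21:47 pfSense root: TEST",   # sender's clock three hours behind
    b"<13>Jul  6 08:21:47 pfSense root: TEST",   # single-digit day is space padded
]
RECEIVED_AT = datetime(2022, 7, 16, 8, 21, 50)


def parse_bsd_syslog(raw, received_at):
    """Parse one datagram into facility, severity, host, msg, timestamp and skew (s).

    BSD timestamps carry no year, so the receiver's year is assumed, stepping back
    one year when that would place the message far in the future (year rollover).
    """
    m = BSD_RE.match(raw.decode("utf-8", "replace"))
    if not m:
        raise ValueError(f"not a BSD syslog datagram: {raw!r}")
    pri = int(m["pri"])
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(received_at.year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
    if (ts - received_at).days > 180:
        ts = ts.replace(year=received_at.year - 1)
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m["host"],
        "msg": m["msg"],
        "timestamp": ts,
        "skew": (ts - received_at).total_seconds(),
    }


def clock_ok(raw, received_at, tolerance=60):
    """True when the sender's timestamp is within `tolerance` seconds of our clock."""
    return abs(parse_bsd_syslog(raw, received_at)["skew"]) <= tolerance


def serve(port=5514, tolerance=60):
    """Live receiver: bind UDP, print each message and flag clock skew."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (addr, _) = sock.recvfrom(8192)
        now = datetime.now()
        try:
            rec = parse_bsd_syslog(data, now)
        except ValueError as exc:
            print(f"{addr}: {exc}")
            continue
        flag = "" if abs(rec["skew"]) <= tolerance else f"  <-- clock skew {rec['skew']:+.0f}s"
        print(f"{addr} {rec['host']} fac={rec['facility']} sev={rec['severity']} "
              f"{rec['timestamp']:%b %d %H:%M:%S} {rec['msg']}{flag}")


if __name__ == "__main__":
    serve()
```

A skew of hours with the right minutes and seconds almost always means a timezone mismatch between the firewall and the log server rather than a drifting clock.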

  • snort ignoring VIP adresses

    0 Votes
    6 Posts
    897 Views
    bmeeks

    @batre said in snort ignoring VIP adresses:

    @bmeeks it adds the IP and alert to the suppress list, but there are endless different alerts, so that doesn't work

    Something like this is what I'm looking for: suppress ip XXX.XXX.XXX.XXX

    That mode of operation is not available. Suppression is a per-rule thing. You can suppress by source or destination IP, but only for a given GID:SID rule signature. So if your VIP is triggering many different rules, you will have to suppress it in each triggered rule.

    Another option you can explore is creating a custom PASS rule that includes just that VIP (or VIP collection if it is several). PASS rules are evaluated first, and any traffic matching a PASS rule bypasses the rest of the rule signatures. So be careful if you choose to try a PASS rule. Make it too encompassing and you will completely neuter Snort.
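
What the per-rule suppression described above looks like in practice, as an added example that is not part of the thread: the script reads alert lines in the fast.log format Snort and Suricata share, finds every GID:SID that fired with the VIP as source or destination, and emits one `suppress` entry per rule tracked by the side the VIP was on, plus the deliberately narrow PASS rule mentioned as the alternative. The alert lines and the VIP are constructed, and the pass rule's SID is an arbitrary local number.

```python
import re

# Constructed fast.log lines (the format is shared by Snort and Suricata).
SAMPLE_ALERTS = """\
07/18/2022-10:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.5:51234
07/18/2022-10:22:05.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.6:51000
07/18/2022-10:23:10.222222  [**] [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
07/18/2022-10:24:00.333333  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.0.5:40000
07/18/2022-10:25:00.444444  [**] [1:2402000:6] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {ICMP} 203.0.113.10 -> 10.0.0.5
"""

FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_fast_log(text):
    """Return a dict per IPv4 alert line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def suppress_entries(alerts, vip):
    """One threshold.conf-style suppress line per (GID, SID, direction) seen with `vip`.

    Suppression is per signature, so a VIP that trips N different rules needs N
    entries; the track direction follows which side of the alert the VIP was on.
    """
    seen = {}
    for a in alerts:
        if a["src"] == vip:
            seen[(int(a["gid"]), int(a["sid"]), "by_src")] = a["msg"]
        elif a["dst"] == vip:
            seen[(int(a["gid"]), int(a["sid"]), "by_dst")] = a["msg"]
    return [f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {vip}"
            for gid, sid, track in sorted(seen)]


def pass_rule(vips, sid=1000100):
    """A PASS rule limited to the VIP(s). Traffic matching it skips every other
    signature, so keep the address part this narrow."""
    addr = vips[0] if len(vips) == 1 else "[" + ",".join(vips) + "]"
    return (f"pass ip {addr} any <> any any "
            f'(msg:"LOCAL pass VIP traffic"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    found = parse_fast_log(SAMPLE_ALERTS)
    print("\n".join(suppress_entries(found, "203.0.113.10")))
    print(pass_rule(["203.0.113.10"]))
```

Paste the generated entries into the package's Suppress List editor rather than into the threshold file on disk, since the GUI rewrites that file from its own configuration.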

  • Important Emerging Threats Rules False Positive Announcement

    3 Votes
    1 Posts
    378 Views
    No one has replied
  • Suricata blocking hosts in the passlist (6.0.4)

    0 Votes
    18 Posts
    1k Views
    bmeeks

    @marc05 said in Suricata blocking hosts in the passlist (6.0.4):

    Something I've noticed is that my config.xml no longer contains <wanips>, and I don't see an option for that in the GUI. Looks like it was removed and never put back in, but there's still logic using it.

    https://github.com/pfsense/FreeBSD-ports/commit/22dc43fe8858ef0b724eb4bbcdd1a86b152b33c4

    https://github.com/pfsense/FreeBSD-ports/blob/1fd0a3eecbfc1626d76716fdf2869c1057cabe22/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata.inc#L340

    That line is meaningless code now. It needs to be removed for cosmetics, but it has no impact on the real WAN IP getting into the Pass List. That is now pulled in automatically by code within the binary portion of the custom blocking module. It gets those by asking the operating system for local interface addresses.

    Here is a link to where this is handled now within the custom blocking module portion of the binary: https://github.com/pfsense/FreeBSD-ports/blob/devel/security/suricata/files/patch-alert-pf.diff#L515.

  • Suricata - interfaces

    0 Votes
    6 Posts
    3k Views
    bmeeks

    If you mix internal networks into EXTERNAL_NET, you very likely will increase the number of false positive alerts from routine traffic.

    If you have specific design goals, it is very easy to provide your own customized rules. You add them by choosing Custom Rules in the drop-down on the RULES tab and then typing in or pasting in the rules you need. They will be combined with any other rules from previously selected categories.
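
A check for the first point, as an added example rather than anything from the package: it expands Suricata-style address-group variables (flat lists, `$VAR` references, `!` negation, `any`) and reports any HOME_NET range that also falls inside EXTERNAL_NET. The three variable sets are constructed. An expression made only of negations is read as `any` minus those networks, which is how Suricata treats `!$HOME_NET`.

```python
import ipaddress

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def _tokens(expr):
    """Split a flat address group like "[10.0.0.0/8,!10.0.5.0/24]" into items."""
    return [t.strip() for t in expr.strip().strip("[]").split(",") if t.strip()]


def resolve(name, groups, _stack=()):
    """Expand variable `name` into (include, exclude) lists of ip_network objects."""
    if name in _stack:
        raise ValueError(f"cyclic reference through ${name}")
    inc, exc = [], []
    for tok in _tokens(groups[name]):
        neg = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok.startswith("$"):
            sub_inc, sub_exc = resolve(tok[1:], groups, _stack + (name,))
            if neg:
                exc.extend(sub_inc)          # !$VAR removes everything VAR covers
            else:
                inc.extend(sub_inc)
                exc.extend(sub_exc)
        else:
            nets = ANY if tok == "any" else [ipaddress.ip_network(tok, strict=False)]
            (exc if neg else inc).extend(nets)
    if not inc:                               # "!x" alone means: anything except x
        inc = list(ANY)
    return inc, exc


def effective(name, groups):
    """Networks actually covered by `name` after its exclusions are carved out."""
    inc, exc = resolve(name, groups)
    covered = []
    for net in inc:
        pieces = [net]
        for ex in exc:
            if ex.version != net.version:
                continue
            remaining = []
            for piece in pieces:
                if ex.supernet_of(piece):            # fully excluded (or equal)
                    continue
                if ex.subnet_of(piece):              # punch a hole in it
                    remaining.extend(piece.address_exclude(ex))
                else:
                    remaining.append(piece)
            pieces = remaining
        covered.extend(pieces)
    return covered


def internal_in_external(groups, home="HOME_NET", ext="EXTERNAL_NET"):
    """Sorted (home range, external range) pairs that overlap; empty means clean."""
    ext_nets = effective(ext, groups)
    return sorted({(str(h), str(e)) for h in effective(home, groups) for e in ext_nets
                   if h.version == e.version and h.overlaps(e)})


# Constructed variable sets: an EXTERNAL_NET of "any" (bad), an EXTERNAL_NET
# that forgot one internal range (bad), and the usual "!$HOME_NET" (good).
BAD_ANY = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "any"}
BAD_PARTIAL = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!10.0.0.0/8"}
GOOD = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}
```

Nested bracket groups are not handled; the flat form is what the package's variable fields take.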

  • Suricata crash - PHP logging memory size

    0 Votes
    2 Posts
    491 Views
    bmeeks

    @lightingman117 said in Suricata crash - PHP logging memory size:

    Should I care about this kind of stuff?

    I turned Suricata on & off last night. I also looked at one log that didn't exist (blocks). I went to bed and woke up to this.

    Crash report begins.
    Anonymous machine information:
    amd64
    12.3-STABLE
    FreeBSD 12.3-STABLE RELENG_2_6_0-n226742-1285d6d205f pfSense
    Crash report details:
    PHP Errors:
    [16-Jul-2022 08:21:47 CST6CDT] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 18419998560 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 54
    No FreeBSD crash data found.

    That error happens when you try to view a log file that is too large to fit into available memory. Configure log rotation on the LOGS MGMT tab to keep your log sizes under control.

    This is a common error with several sub-systems on pfSense that must read text logs and display them. The log files need to be small enough to fit into the physical memory space allocated to PHP because they are processed into an in-memory string and then output via the web server of pfSense. If not, then the error you saw is thrown. It is harmless in that it will not crash your box, but obviously the large text file can't be read using the GUI tools.
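
The failure mode described above is reading the whole file into one string. The bounded alternative, as an added example that is not pfSense code, reads a log from the end in fixed-size chunks and returns only the last lines, so memory use depends on how much you ask for rather than on the file size. `build_sample_log()` writes a constructed file for trying it; `tail_lines` also caps the bytes it will hold, since a single enormous line would otherwise defeat the point.

```python
import os
import tempfile


def tail_lines(path, n, chunk_size=64 * 1024, max_bytes=8 * 1024 * 1024):
    """Return the last `n` lines of `path` without reading the whole file.

    Reads backwards from EOF one chunk at a time and stops as soon as enough
    newlines are in hand, or when `max_bytes` have been buffered.
    """
    if n <= 0:
        return []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        pos = fh.tell()
        buf = b""
        # n+1 newlines guarantee that the last n lines are complete
        while pos > 0 and buf.count(b"\n") <= n and len(buf) < max_bytes:
            step = min(chunk_size, pos)
            pos -= step
            fh.seek(pos)
            buf = fh.read(step) + buf
    lines = buf.splitlines()
    return [ln.decode("utf-8", "replace") for ln in lines[-n:]]


def build_sample_log(num_lines):
    """Write a constructed log of `num_lines` lines to a temp file; return its path."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".log", delete=False)
    with fh:
        for i in range(1, num_lines + 1):
            fh.write(f"07/16/2022-08:21:{i % 60:02d}.000000 constructed line {i}\n")
    return fh.name
```

Log rotation on the LOGS MGMT tab is still the right fix for the GUI; this is the shape a viewer has to take if it is to survive a file that has already grown past the PHP limit.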

  • can snort/suricata secure clients using VM?

    0 Votes
    7 Posts
    818 Views
    bmeeks

    @ezvink said in can snort/suricata secure clients using VM?:

    @steveits

    That's what I want to ask, sir. Right, the network used by the VM Attacker is the same network as the VM Client, but it doesn't work, sir: attacking the client is not detected by Snort/Suricata.

    Two hosts on the same network (meaning the same subnet and/or VLAN) will communicate with each other directly point-to-point. They will NOT send their traffic through any gateway or firewall on a third host. So the pfSense machine in the scenario you described will never "see" the traffic between those two hosts (your VM Attacker and VM Client) and therefore cannot generate alerts. pfSense and any IDS/IPS running on it is blind to the traffic.

    The only time hosts will send traffic through a gateway or firewall is when the destination of the traffic is on a completely different network.

    In your other posts here, you seem to lack basic knowledge of networking and the set up of Hypervisors. Before you try experiments with an IDS/IPS, you should first really study and learn fundamental networking theory. Even a cursory knowledge of how routing works in the OSI model would have allowed you to immediately see why your current setup will not work.
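
The routing decision behind the reply above, as an added example that is not from the thread: a longest-prefix-match lookup over a host's route table that says whether a packet to a given destination is delivered directly on the link or handed to a gateway, and therefore whether the firewall's IDS can see it at all. The topology is constructed: pfSense at 192.168.10.1 is the LAN gateway and both VMs sit on 192.168.10.0/24.

```python
import ipaddress

# Constructed route table of the VM Client, as `netstat -rn` would list it:
# (destination, gateway); gateway None means on-link, i.e. the host resolves
# the destination's MAC itself and never touches the gateway.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.10.1"),       # default route via pfSense
    ("192.168.10.0/24", None),           # the LAN the VM sits on
]
PFSENSE_LAN_IP = "192.168.10.1"


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing `dst`."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def next_hop(routes, dst):
    """'direct' when the host delivers to `dst` itself, else the gateway's IP."""
    _, gw = lookup(routes, dst)
    return "direct" if gw is None else gw


def passes_through(routes, dst, firewall_ip):
    """True only when the firewall is the chosen next hop, so its IDS sees the packet."""
    return next_hop(routes, dst) == firewall_ip
```

The two VMs pick the on-link route for each other, so nothing reaches pfSense; only destinations on other networks select the route whose gateway is the firewall.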

  • Odd Suricata Inline IPS behavior

    0 Votes
    12 Posts
    1k Views

    @bmeeks said in Odd Suricata Inline IPS behavior:

    pfBlockerNG-devel and DNSBL

    I can access Anydesk with these 2 plug-ins

    I disabled everything in the individual rules on Snort and started Snort

    Anydesk was blocked right away and there was no alert at all

  • Impossible to stop Suricata after 22.05 update

    0 Votes
    3 Posts
    599 Views

    @huskerdu Possibly you have multiple Suricata processes running. Check for that or restart.

  • Recovery help with suricata sid management

    0 Votes
    5 Posts
    669 Views
    bmeeks

    @sgnoc said in Recovery help with suricata sid management:

    @bmeeks Worked like a charm. Minimal to have to do once everything came back up. Even easier with the reinstall feature, where the installer can grab the old config and reinstall it after the software is installed. I checked and all of the SID management was back where it needed to be. Thanks again.

    You are welcome. Glad you got everything going again.

    The IDS/IPS packages save all of their configuration information in the XML file, so all previous settings can be restored upon reinstallation of the package (or from a restore/recovery procedure).

  • Snort won't start up after pfSense upgrade

    1 Votes
    12 Posts
    1k Views
    Bob.Dig

    @gpinzone said in Snort won't start up after pfSense upgrade:

    @gpinzone Just to follow up, the GeoIP Top Spammers block list has some false positives.

    It is almost a given if you are outside of the US.

  • snort install - rules md5 checksum failed

    0 Votes
    4 Posts
    599 Views
    bmeeks

    @jonrusk said in snort install - rules md5 checksum failed:

    @bmeeks Yes and that appeared to be the issue. I increased the size of /tmp on RAM disk and Snort installed successfully. Thank you!

    Note that I don't recommend using RAM disks with either of the two IDS packages (Snort or Suricata). Most especially for /var where the log files are written. And not having enough free space on /tmp, as you experienced, leads to problems as well. Those two packages were not created with RAM disk usage in mind. They really want a spinning disk (or conventional SSD) with a fair amount of space for logging.

  • SG-3100: have all 32bit related issues been fixed?

    0 Votes
    12 Posts
    1k Views

    @michmoor I'm exporting logs to it, but not NetFlow.

    Using these extractors to parse the data: https://github.com/loganmarchione/Graylog_Extractors_pfSense

  • Snort and NMAP scans

    0 Votes
    1 Posts
    271 Views
    No one has replied
  • 0 Votes
    1 Posts
    269 Views
    No one has replied
  • Snort-4.1.6 Package Update - Release Notes

    5 Votes
    4 Posts
    1k Views
    bmeeks

    I'm still waiting around to update Suricata. The Netgate team pulled in the latest 6.0.5 Suricata version in the pfSense CE 2.7 DEVEL branch. The pfSense CE and Plus RELEASE branch is still running the 6.0.4 Suricata version.

    There are really not a ton of changes between those two that would impact typical pfSense users. I'm monitoring the progress on 7.0rc1 and 6.0.6 from the upstream GitHub repo.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.