@stanwij1 said in Have a question on SIB Management Drop SID List:

@bmeeks thanks for your response, yes using Suricata. Issue is, using legacy mode, I went into individual interface rules, and clicked the Action and changed to Drop, but it isn't dropping, still showing in alerts, is that because need to check the box to Block on Drop?

Yes, you must check the box on the INTERFACE SETTINGS tab to enable "Block on DROP Only". That is a config logic flag the code checks in other places so it knows what options to offer the user in the GUI.

@bmeeks said in Recommended Snort rules to change from "Alert" to "Block"?:

@Enso_ said in Recommended Snort rules to change from "Alert" to "Block"?:

Looks like you are right once again. It was set to 'remove blocked host after 1 hour'. So I just never caught it in time.

I recommend leaving that setting alone, too. You generally don't want blocks hanging around forever. Not only do they consume resources, but if the block was due to a false positive you would like it to automatically clear in a reasonable time without requiring admin action.

If Snort blocked the traffic the first time, it will block it a subsequent time later on (if the blocked host is automatically periodically cleared).

One issue with Legacy Blocking Mode is that it is a big hammer. It blocks ALL traffic to a blocked IP for ALL internal hosts.

Inline IPS Mode, if you can use it (your NICs must support netmap natively), drops individual packets instead of blocking everything to/from the IP. That's much more granular. But with Inline IPS Mode, you must explicitly change rules you want to block traffic from ALERT to DROP using the features on the SID MGMT tab.

I'm leaving the setting to remove the blocked host after 1h.

As for inline mode; that is something I want to circle back to in the future. However, currently there are no resources that could configure inline mode in a timely fashion. Plus, I'm quite sure I'd have to upgrade the NICs to support netmap.

@bmeeks Thanks for the clarification. We have now added a "Disable SID List" conf file on all interfaces with the categories we want disabled which should solve it.

@pftdm007 said in Important Info: Inline IPS Mode with Suricata and VLANs:

@bmeeks

Just found out about this thread and am curious to ask...

If I understand correctly, neither Snort or Suricata are capable of differentiating traffic through VLAN's from their parent interface and therefore cant do inline filtering at the VLAN level...

I didnt know this, and created a Snort instance for each VLAN I have on my lan (parent interface) using different rulesets (some VLANs are more restrictive than others, etc etc...)

Unless I am wrong (and I need to do more testng) is that I noticed what you described (i.e. if something is blocked on a VLAN, it is blocked on all VLANs of the same parent interface). However, the advantage of having snort run on VLAN's instead of the parent interface is that in the reports tab, I can tell on which VLAN the block occured. I find it more straightforward to troubleshoot something that way.

IS there any drawback other than consuming more resources ? I didnt notice any instabilities at the firewall level so far.....

It should be fine to continue with your current configuration. As you observed, under the covers Snort is actually running on the physical parent interface and polices traffic at that level (meaning all VLANs on the same parent are treated as a single network). This is due to the how the netmap kernel device in FreeBSD is wired into the network stack. It does not see the VLAN tags. It's the netmap device that makes IPS mode possible, and since it can't see VLAN tags, then IPS mode can't use them to separate and treat the defined VLANs differently.

Snort will log a message to the pfSense system log as it starts. If it fails, generally the reason for the failure is also logged. The only exception to that is if a shared library is the wrong version or not present. That would only happen if you installed or updated some other package that shared a library with the Snort binary. That is very unlikely -- but not impossible.

The most common reason for Snort failing to start would be an error with a rule. It is not unheard of for the Snort VRT to release a rules update package with a syntax error in it. Snort will abort startup when it detects a syntax error. Rule syntax errors will be logged to the pfSense system log.

So, <TLDR;> check the pfSense system log immediately after trying to start Snort and see what is logged there. That will clue you in to the problem.

@bmeeks Thanks !

@bmeeks signed up. Thanks for the info.

@bmeeks said in packet log being generated?:

You will need to examine the existing PHP code files and learn by example

Thought so. @michmoor, you need the other book.

b702f6a8-9a39-444c-a837-b4f8cbe40540-9780470527580.jpg

Click the image.

edit : or this one.

@Enso_ said in SNORT stopped generating alerts:

@bmeeks

Thank you for all your help.
One last question, which I have edited in above.
Can I use the free Oinkcode for multiple instances? I'm reading different information about this.
I'm running a few pfsense boxes running Snort and have the same free Oinkcode on all three of them, which I will remove if this is not allowed.

Here are the actual Terms and Conditions from Snort: https://www.snort.org/snort_license.

They state your license is "per sensor" if using the paid license.

The license for Registered Users appears a bit more permissive. Here is the direct wording:

If You are a Registered User, then subject to the terms and conditions of this Agreement, Cisco grants You a world-wide and non-exclusive license to: (a) download, install and use the Rules on Sensors that You manage (or over which You have administrative control);

So, it appears from the above that Registered Users can use their Oinkcode on all sensors that they manage and have administrative control over. But Paid Subscribers can only use the Oinkcode on a single device (sensor). If you need to manage multiple devices on a Paid Subscriber plan you must purchase a license for each sensor.

And there are different rules (and a much higer cost) for commercial use of the Paid Subcriber rules.

@bmeeks

Thank you the symbolic link did just what I needed, great idea

This did the trick with the mount point I had to delete the old directory first /var/log/snort and recreate it after because at first it would say it is not empty

Updated my unofficial guide if anyone else wants to try this

https://forum.netgate.com/topic/195843/unofficial-guide-have-package-logs-record-to-a-secondary-ssd-drive-snort-syslog-squid-and-or-squid-cache-system

@Enso_: you are correct. Only the Snort VRT ruleset contains the proper metadata keywords for implementing an IPS Policy.

IPS Policy logic in the Snort package reads the policy metadata provided in the Snort VRT rules and uses that data to automatically select rules that have metadata tags matching the chosen IPS policy. Neither ET rules nor any other vendor ruleset contain IP policy metadata, therefore they can't be automatically screened and selected. That's why those rules remain "selectable" in the GUI but Snort VRT rules do not, when IPS Policy action is enabled.

Those are two independent things: File Store versus EVE JSON http logging. File Store captures all file transfers where appropriate flow bits are set by rules. EVE JSON logging is about capturing the packet metadata and payload (when enabled).

So, turning off HTTP logging in the EVE JSON logging options should remove logging of HTTP packet metadata, but that will not stop File Store activity related to HTTP. To the best of my recollection that is triggered by the rules you have enabled for file capture and the corresponding flowbits they may set.

It runs alongside pfSense as a package. The logs can be configured by way of the package.

@killmasta93 said in Question about thresholds:

hi @bmeeks quick question so i added the following

threshold gen_id 1, sig_id 2009244, type both, track by_src, count 10, seconds 10, priority 1 threshold gen_id 1, sig_id 2009245, type both, track by_src, count 10, seconds 10, priority 1 threshold gen_id 1, sig_id 2009246, type both, track by_src, count 10, seconds 10, priority 1

would the variable

type both

work for both ends?

Thanks

Here is a link to the official Suricata docs describing the type: keyword: https://docs.suricata.io/en/latest/rules/thresholding.html#type-both. both specifies both a rate limit and threshold value.

I have a 2100 and I use to have issues with memory on snort updates. I installed a swap partition on a dedicated external HDD drive that was designed for heavy use, and it fixed all my update resource issues. Long story short you have to free up memory or have a plan for when it is used the most. do not rely on swap all the time, but I admit I rely on it for ClamAV updates and snort updates should the happen at the same time, Murphys law when can go wrong will go wrong, some times my blacklist, snort and clamav all attempt to update at the same time it is very rare sometimes on reboots or package reinstalls but you got to plan for it. The 2100 should have an 8GBs ram option to function perfectly, again nothing is perfect so we got to roll with it. Do a flash drive and set it up as a swap.

“the SSD manufacture had this to say about me using it like this...
"Hi Jonathan,

This will damage the drive, it is not safe. Moreover, the response speed and read and write speed are far inferior to RAM. We recommend you not to use it this way, it will probably cause the SSD to become defective."

I really want to use something long term as I am limited on what I can do with this box it has hard set ram without any way to add or remove them. The NVMe drive is the only solution outside of a USB based HDD however that like you said is very slow.

The ZFS yes is a concern with the drive however it shows with gpart as FreeBSD

I triggered a panic and it works with crash dumps also. I had Netgate forum help me with this and FreeBSD forum. I am thinking I should use a actual USB based HDD in the long run to abuse it with swap use however with a firewall that would really slow it down.

Check out
ada0s3
Shell Output - gpart list -a”

Warning Do not use your internal SSD for swap.

Ref:

https://forums.freebsd.org/threads/resolved-usb-based-swap.93362/#post-654423

This FreeBSD research I did got me going also Netgate forum if you want to make a swap.

@Gblenn Thanks for the reply. Yes, I've tried that as well. The issue is that in our particular case, we only want/need Suricata to run on some of the vlans assigned to the parent interface. The others we need to remain wide open.

I was looking for this info @bmeeks,

Now I am sure that it is only an internal connection and that not everything is disabled.
Thank you very much!

Have a nice day and thanks for your work.

Hello @bmeeks,

This was indeed exactly what happened.
I have rebooted my pfsense server in the past, which I would expect create same results, but either it didn't work, or it spinned another ghost process afterwards.

Anyways, I will monitor to see if it keeps happening.
I have seen other posts where other people have similar issue indeed, and will investigate from there if duplication happens again.

In any case, thank you very much for your kind help here.

@bmeeks THank you so much will do thanks

Sorry I am late to this party. I had issues with STUN and the IPS blocking traffic. It was for my son’s Nintendo switch and Xbox for the chat feature. Once I suppressed the alarms the chat live voice feature worked perfectly. I also think that FaceTime requires you to suppress the STUN alarms. Long story short STUN is finally working on my system as of today.