• Webinar for Suricata File Extraction (if interested)

    4 Votes
    2 Posts
    175 Views
    M

    @bmeeks signed up. Thanks for the info.

  • packet log being generated?

    0 Votes
    11 Posts
    1k Views
    Gertjan

    @bmeeks said in packet log being generated?:

    You will need to examine the existing PHP code files and learn by example

    Thought so. @michmoor, you need the other book.

    [image: b702f6a8-9a39-444c-a837-b4f8cbe40540-9780470527580.jpg]

    Click the image.

    edit : or this one.

  • SNORT stopped generating alerts

    0 Votes
    10 Posts
    719 Views
    bmeeks

    @Enso_ said in SNORT stopped generating alerts:

    @bmeeks

    Thank you for all your help.
    One last question, which I have edited in above.
    Can I use the free Oinkcode for multiple instances? I'm reading different information about this.
    I'm running a few pfsense boxes running Snort and have the same free Oinkcode on all three of them, which I will remove if this is not allowed.

    Here are the actual Terms and Conditions from Snort: https://www.snort.org/snort_license.

    They state your license is "per sensor" if using the paid license.

    The license for Registered Users appears a bit more permissive. Here is the direct wording:

    If You are a Registered User, then subject to the terms and conditions of this Agreement, Cisco grants You a world-wide and non-exclusive license to: (a) download, install and use the Rules on Sensors that You manage (or over which You have administrative control);

    So, it appears from the above that Registered Users can use their Oinkcode on all sensors that they manage and have administrative control over. But Paid Subscribers can only use the Oinkcode on a single device (sensor). If you need to manage multiple devices on a Paid Subscriber plan you must purchase a license for each sensor.

    And there are different rules (and a much higher cost) for commercial use of the Paid Subscriber rules.

  • Snort Logs: log recording on a different drive

    0 Votes
    3 Posts
    299 Views
    JonathanLee

    @bmeeks

    Thank you, the symbolic link did just what I needed, great idea.

    ln -s -F /mnt/LOGS_Optane/snort /var/log/snort

    This did the trick with the mount point. I had to delete the old directory /var/log/snort first and recreate it afterwards, because at first it would say it is not empty.

    Updated my unofficial guide if anyone else wants to try this

    https://forum.netgate.com/topic/195843/unofficial-guide-have-package-logs-record-to-a-secondary-ssd-drive-snort-syslog-squid-and-or-squid-cache-system

  • Snort - IPS Policy Selection

    0 Votes
    2 Posts
    601 Views
    bmeeks

    @Enso_: you are correct. Only the Snort VRT ruleset contains the proper metadata keywords for implementing an IPS Policy.

    IPS Policy logic in the Snort package reads the policy metadata provided in the Snort VRT rules and uses that data to automatically select rules that have metadata tags matching the chosen IPS policy. Neither ET rules nor any other vendor ruleset contain IPS Policy metadata, therefore they can't be automatically screened and selected. That's why those rules remain "selectable" in the GUI but Snort VRT rules do not, when IPS Policy action is enabled.

  • Suricata Filestore - logging HTTP nonstop

    0 Votes
    2 Posts
    692 Views
    bmeeks

    Those are two independent things: File Store versus EVE JSON http logging. File Store captures all file transfers where appropriate flow bits are set by rules. EVE JSON logging is about capturing the packet metadata and payload (when enabled).

    So, turning off HTTP logging in the EVE JSON logging options should remove logging of HTTP packet metadata, but that will not stop File Store activity related to HTTP. To the best of my recollection that is triggered by the rules you have enabled for file capture and the corresponding flowbits they may set.

  • Need info about ids

    0 Votes
    2 Posts
    175 Views
    JonathanLee

    It runs alongside pfSense as a package. The logs can be configured by way of the package.

  • Question about thresholds

    0 Votes
    7 Posts
    406 Views
    bmeeks

    @killmasta93 said in Question about thresholds:

    hi @bmeeks quick question so i added the following

    threshold gen_id 1, sig_id 2009244, type both, track by_src, count 10, seconds 10, priority 1
    threshold gen_id 1, sig_id 2009245, type both, track by_src, count 10, seconds 10, priority 1
    threshold gen_id 1, sig_id 2009246, type both, track by_src, count 10, seconds 10, priority 1

    would the variable

    type both

    work for both ends?

    Thanks

    Here is a link to the official Suricata docs describing the type: keyword: https://docs.suricata.io/en/latest/rules/thresholding.html#type-both. both specifies both a rate limit and threshold value.

  • Suricata v7.0.7_5 abruptly stops

    0 Votes
    42 Posts
    2k Views
    JonathanLee

    I have a 2100 and I used to have issues with memory on Snort updates. I installed a swap partition on a dedicated external HDD that was designed for heavy use, and it fixed all my update resource issues. Long story short, you have to free up memory or have a plan for when it is used the most. Do not rely on swap all the time, but I admit I rely on it for ClamAV updates and Snort updates should they happen at the same time. Murphy's law: what can go wrong will go wrong. Sometimes my blacklist, Snort and ClamAV all attempt to update at the same time; it is very rare, sometimes on reboots or package reinstalls, but you have got to plan for it. The 2100 should have an 8 GB RAM option to function perfectly; again, nothing is perfect, so we have got to roll with it. Do a flash drive and set it up as a swap.

    “The SSD manufacturer had this to say about me using it like this...
    "Hi Jonathan,

    This will damage the drive, it is not safe. Moreover, the response speed and read and write speed are far inferior to RAM. We recommend you not to use it this way, it will probably cause the SSD to become defective."

    I really want to use something long term, as I am limited on what I can do with this box: it has hard-set RAM without any way to add or remove it. The NVMe drive is the only solution outside of a USB-based HDD; however, that, like you said, is very slow.

    ZFS, yes, is a concern with the drive; however, it shows with gpart as FreeBSD.

    I triggered a panic and it works with crash dumps also. I had the Netgate forum and the FreeBSD forum help me with this. I am thinking I should use an actual USB-based HDD in the long run to abuse it with swap use; however, with a firewall that would really slow it down.

    Check out
    ada0s3
    Shell Output - gpart list -a”

    Warning: Do not use your internal SSD for swap.

    Ref:

    https://forums.freebsd.org/threads/resolved-usb-based-swap.93362/#post-654423

    This FreeBSD research I did got me going; see also the Netgate forum if you want to make a swap.

  • Suricata & P2P Blocking - Working but would like to fine tune.

    0 Votes
    20 Posts
    2k Views
    P

    @Gblenn Thanks for the reply. Yes, I've tried that as well. The issue is that in our particular case, we only want/need Suricata to run on some of the vlans assigned to the parent interface. The others we need to remain wide open.

  • Understanding Suricata Listen / Net (Home / External)

    0 Votes
    6 Posts
    627 Views
    D

    I was looking for this info @bmeeks,

    Now I am sure that it is only an internal connection and that not everything is disabled.
    Thank you very much!

    Have a nice day and thanks for your work.

  • Local hosts added in snort2c table, despite Suricata being turned off

    0 Votes
    3 Posts
    466 Views
    T

    Hello @bmeeks,

    This was indeed exactly what happened.
    I have rebooted my pfSense server in the past, which I would expect to create the same results, but either it didn't work, or it spun up another ghost process afterwards.

    Anyways, I will monitor to see if it keeps happening.
    I have seen other posts where other people have a similar issue indeed, and will investigate from there if duplication happens again.

    In any case, thank you very much for your kind help here.

  • Question about the alert system on Suricata

    0 Votes
    8 Posts
    420 Views
    K

    @bmeeks Thank you so much, will do, thanks

  • Question on STUN traffic on non-default ports

    0 Votes
    9 Posts
    1k Views
    JonathanLee

    Sorry I am late to this party. I had issues with STUN and the IPS blocking traffic. It was for my son’s Nintendo Switch and Xbox for the chat feature. Once I suppressed the alarms, the live voice chat feature worked perfectly. I also think that FaceTime requires you to suppress the STUN alarms. Long story short, STUN is finally working on my system as of today.

  • Some questions from a beginner

    0 Votes
    7 Posts
    486 Views
    bmeeks

    @kiokoman said in Some questions from a beginner:

    @bmeeks
    what about suricata, is it the same file ? snortrules-snapshot-29200.tar.gz ?

    Suricata is not tied to any specific rules version. And in fact, Suricata is really not designed to be 100% compatible with Snort rules. Most of them work, but quite a few (several hundred) do not due to the differences in keyword syntax between Suricata and Snort.

    With the Suricata package, users are free to download and install any Snort rules version they desire so long as it is compatible with the 2.9.x branch of Snort. You cannot use any Snort3 rules with Suricata. That will break the installation of the package quite badly! But you can use the 29161, 29181, or 29200 Snort rules package with Suricata. It is only the Snort binary that is locked to specifically matching rules versions.

  • Regex pattern matching with large payloads for TCP port

    0 Votes
    1 Post
    150 Views
    No one has replied
  • No Snort Alerts after moving behind ISP Router

    0 Votes
    3 Posts
    224 Views
    bmeeks

    @DaHai8 said in No Snort Alerts after moving behind ISP Router:

    My ISP recently forced their crappy Router/Fibermodem combo on me and I had to move my pfSense CE (Current) behind it. Now I don't get any Snort alerts.
    Is this normal?

    You were seeing Snort alerting on normal "Internet noise". That refers to the constant barrage of traffic from various nefarious sources that your pfSense firewall rules were going to block.

    As stated by @SteveITS, Snort sees traffic on pfSense before the firewall rules are applied. That means when run on the WAN it would have been alerting on that noise, but your pfSense WAN interface firewall rules would block that traffic anyway. So, in effect, you had Snort chewing up CPU resources and RAM for very little or no gain as the firewall is going to block nearly all of that traffic anyway. Much better to run Snort on the firewall's internal interfaces such as the LAN and/or DMZ.

    Now as to your question: "yes", Snort is still working, but the NAT feature of your ISP's router is probably hiding that traffic now, as the router will have its own built-in stateful firewall.

  • 9 Votes
    10 Posts
    781 Views
    N

    @bmeeks Glad to hear that you're ok, thank you for the Suricata release, even in these conditions.

  • Suricata - alert on pdf files

    0 Votes
    2 Posts
    190 Views
    V

    My guess would be that if you’re moving the file over SMB, it’s likely to be on the same network, so would never actually touch the firewall to be detected.

  • Modification rules Snort

    0 Votes
    2 Posts
    251 Views
    bmeeks

    If you want to specifically enable rules that are "default disabled" by the rule authors, then you can do that on the RULES tab by selecting the appropriate category, finding the rule by SID in the list, and clicking the "Force Enable" option for that specific rule.

    You can also use the SID MGMT tab features to do this. Examples are provided in the sample conf files on that tab.

    The rule authors will disable a number of rules in their rulesets. This is something many users do not realize. Rules that are prone to false positives in many environments or rules that address very old threats are frequently provided in a "default disabled" state.

    Also, when using IPS Policy for rule selection, you should be aware that ONLY the Snort VRT ruleset contains the IPS Policy metadata required to automatically select rules by policy. The Emerging Threats rules do not contain IPS Policy metadata and thus are excluded from IPS Policy management.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.