  • Suricata Inline vs legacy performance.

    2
    0 Votes
    2 Posts
    586 Views
    GertjanG

    @cool_corona said in Suricata Inline vs legacy performance.:

    Inline performance


    Legacy performance


    Significant difference in performance!!

    Way back, there were no images.
    There was only text :
    Like


    Image => Words => answer ! 😊

    edit : click on the image.

  • Unable to access tls.log in Suricata after certain size

    4
    0 Votes
    4 Posts
    529 Views
    J

    @gertjan @bmeeks Thanks. I reduced the value to half size from default and I will grab using SFTP. cheers

  • Suricata and loss of internet traffic

    8
    0 Votes
    8 Posts
    1k Views
    N

    Thanks to those who've offered real help.

    It wasn't that difficult once I understood the issues. It turns out I was just enabling too many of the rules, and thus getting shut down.

    In the end, I found a site that had explanations of the key groups to block, and all is well.

    I'm surprised there are so few well described "how tos" for non networking guys, but there you have it.

  • anomaly traffic detection in suricata

    2
    0 Votes
    2 Posts
    561 Views
    NollipfSenseN

    @umm12 said in anomaly traffic detection in suricata:

    How can I use and configure Suricata as an anomaly traffic detection IDS/IPS?

    The problem is there is no standard anomaly traffic... what might be anomaly traffic to you might also be okay traffic for me. In other words, you have to define anomaly traffic for your network as the network administrator.

    So, I'll share this thread that has helped me and others setting up Suricata with a warning that it's a very long thread: https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint?_=1632087648731

    Good Luck.

  • Inline IPS : can't increase threads

    9
    0 Votes
    9 Posts
    1k Views
    V

    Thanks for adding the Netmap thread parameter on the latest release, I can confirm that I'm still limited to 1Gbps with auto, putting 2 fixes the bandwidth issue 👍

  • SNORT gone after Pfsense update

    23
    0 Votes
    23 Posts
    3k Views
    bmeeksB

    @mikej47 said in SNORT gone after Pfsense update:

    @bmeeks that is great news. I can just upgrade to that version and the patch is built in. What is Pfsense + ? How do I get the + version?

    pfSense+ is the new name for the old "Factory Edition" of pfSense that comes on Netgate appliances. When you upgrade to the latest 21.05.1 version, pfSense+ is what that will be.

  • Snort Custom RDP port

    2
    0 Votes
    2 Posts
    444 Views
    bmeeksB

    You will need to change the port (where specified) in the individual rules you have enabled. Using a modifysid.conf file on the SID MGMT tab is the best way to do this. The SID MGMT feature uses Perl regex. There are some examples of the syntax in the various *-sample.conf files included on the tab.

    There is no pre-defined RDP Port variable in the standard configuration. You could certainly define one, but still you would need to modify the appropriate rules in order to have them reference it.

  • Suricata behaviour after a fresh install

    2
    0 Votes
    2 Posts
    474 Views
    S

    @valir "No"...you need to configure it, enable rulesets, etc. There is a wizard that runs when adding an interface (suggest adding LAN, as WAN will look at packets that will end up being blocked by the firewall). There is a choice to block or not...suggest not blocking for a while and watching the Alerts tab to see what will be blocked. Also, it may be best to start in the default Legacy mode as there are a variety of small issues with Inline mode for instance depending on the NICs. You may want to add your IP to a Pass list so you're not blocked.

  • Suricata not passing alias with a /xx subnet

    2
    0 Votes
    2 Posts
    296 Views
    bmeeksB

    I assume you mean when you specify a complete IP address with the mask. If specifying a complete individual IP, the mask is not required, so just drop it and use the x.x.x.x variation. If you want to pass the entire subnet, then use x.x.x.0/24, and that should work.

  • 0 Votes
    16 Posts
    2k Views
    DaddyGoD

    @code4food23 said in Puzzled about the number of Suricata instances needed for LAN and VLANs due to device showing up on both alert logs:

    Also sorry for the dumb question, but the IPs help see which device made the traffic to trigger the alert right?

    Hello,

    Forgive me (pls.) for butting into the conversation here, but Bill is absolutely right that the management of IDS/IPS systems is a challenge for many well trained administrators too.

    To run them in your home, I don't think it's absolutely necessary....

    pfSense basically drops all unwanted traffic on the WAN interface +++++ if you use a well configured pfBlockerNG you are safe, this can be said.

    Suricata and Snort can cause a lot of headaches if you are not skilled enough to handle them; I would start with a VM install and practice before deploying it on my system.

    You can also get away with a lot of the abuse your family sends you when the internet isn't working in your home. 😉
    (and it can limit a lot of other things in the background if it's set up wrong, which you haven't even discovered yet, FTP, SFTP, Torrent, P2P other, streams, etc.)

    BTW:

    The physical interface is the "igb_" interface (Intel PHY) that physically connects to the port (RJ45) on your pfSense box. Those IDS/IPS systems listen to the traffic on the physical interface, so if you create virtual things (VLANs) on that interface, their traffic will pass through it, but as written the VLAN handling is not really functional at the moment (because of the tags).

    ++++edit:

    Don't get me wrong, I'm not trying to dissuade you and welcome to the team, but at least run it in alert mode first to avoid a lot of unwanted problems.

  • Blocking OpenappID only on VLAN?

    9
    0 Votes
    9 Posts
    1k Views
    K

    @bmeeks
    Thanks for the reply, I believe I have vtnet,
    but in theory it's pointless to try it out because the VLAN where I need to block social networks would also block on my LAN.

  • Suricata blocking networks in Pass List

    19
    0 Votes
    19 Posts
    1k Views
    R

    @bmeeks Thank you for looking at this. I appreciate it.
    The Realteks have been squirrelly. But I have not been able to find a solution to my lack of expansion ports and no Intel USB3 NICs.

  • snort failing to start and stops itself sometimes

    7
    0 Votes
    7 Posts
    969 Views
    T

    @bmeeks Interesting, I'm indeed running it on a VLAN trunk; the NUC only has one port.

  • 0 Votes
    3 Posts
    2k Views
    C

    @eveningstarnm Thanks a lot for your feedback!

  • Snort: Facebook and Portscan Blocking

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied

  • suricata versus the latest version of snort

    7
    1 Votes
    7 Posts
    1k Views
    DaddyGoD

    @eveningstarnm said in suricata versus the latest version of snort:

    connect your test machine to a consumer Xfinity (Comcast) internet connection

    Yup 😉

    Yes you are right it is America over there, although nowadays the invasive presence is increasing everywhere.

    The idea is good :) - (Xfinity + Comcast ISP)

    What I'd rather push is that it's not enough to just increase the number of unwanted events, you also need to increase the traffic (PPS) to see how the processing processor behaves on say a 40 - 100 Gig - f.e.: Netflix network

    BTW:

    although if I am correct - Netflix also uses a lot of FreeBSD stuff, because of the high traffic and of course the "pf" benefits

  • surricata keeps shutting down

    33
    0 Votes
    33 Posts
    3k Views
    J

    About a day or so after I raised this, the issue was addressed and successfully fixed.
    I haven't had an issue since. It all works great.

  • Suricata doesn't start automatically at boot

    16
    0 Votes
    16 Posts
    2k Views
    K

    @bmeeks You are probably right, WireGuard is the last package to start... So I will import the aliases and see what happens.

  • Snort makes LAN interface disappear in graph.

    3
    0 Votes
    3 Posts
    443 Views
    willembW

    @bmeeks

    Thanks for the quick response, I'll just wait for the patch to be processed internally then.

  • PID Error on starting INline IPS latest Suricata update

    7
    0 Votes
    7 Posts
    1k Views
    bmeeksB

    @cool_corona said in PID Error on starting INline IPS latest Suricata update:

    @bmeeks Hi Bill

    Neither is there in the system logs. No crashes related to Suricata.

    The only possible way a PID file for a Suricata instance can exist in /var/run is if a running Suricata process created it. The only way it can exist when attempting to start that same Suricata instance is if the previous running instance failed to delete it at shutdown due to a crash.

    The Suricata binary itself creates and deletes that file as part of its startup and orderly shutdown process. So the only way for the file to persist, if Suricata is not running on that interface, is for the Suricata process that originally created it to have crashed. That crash should show in the pfSense system log unless your log maybe got rotated out.

    If this was a one-time occurrence, then don't sweat it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.