@cool_corona said in Suricata Inline vs legacy performance.:

Inline performance

5518cada-5472-4088-8cae-3f837598e668-billede.png

Legacy performance

8fe30928-fd59-4250-b7cd-517a3c2ea920-billede.png

Significant difference in performance!!

Way back, there were no images.
There was only text :
Like

c94ea720-e2cd-435a-a578-8e4d7e6222b0-image.png

Image => Words => answer ! 😊

edit : click on the image.

@gertjan @bmeeks Thanks. I reduced the value to half size from default and I will grab using SFTP. cheers

Thanks to those who've offered real help.

It wasn't that difficult once I understood the issues. It turns out I was just enabling too many of the rules, and thus getting shut down.

In the end, I found a site that had explanations of the key groups to block, and all is well.

I'm surprised there are so few well described "how tos" for non networking guys, but there you have it.

@umm12 said in anomaly traffic detection in suricata:

how i can use and configure suricata as Anomaly Traffic Detection IDS/IPS?

The problem is there no standard anomaly traffic... what might be anomaly traffic to you might also be okay traffic for me. In other words, you have to define anomaly traffic for your network as the network administrator.

So, I'll share this thread that has helped me and others setting up Suricata with a warning that it's a very long thread: https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint?_=1632087648731

Good Luck.

Thanks for adding the Netmap thread parameter on the latest release, I can confirm that I'm still limited to 1Gbps with auto, putting 2 fixes the bandwidth issue 👍

@mikej47 said in SNORT gone after Pfsense update:

@bmeeks that is great news. I can just upgrade to that version and the patch is built in. What is Pfsense + ? How do I get the + version?

pfSense+ is the new name for the old "Factory Edition" of pfSense that comes on Netgate appliances. When you upgrade to the latest 21.05.1 version, pfSense+ is what that will be.

You will need to change the port (where specified) in the individual rules you have enabled. Using a modifysid.conf file on the SID MGMT tab is the best way to do this. The SID MGMT feature uses Perl regex. There are some examples of the syntax in the various *-sample.conf files included on the tab.

There is no pre-defined RDP Port variable in the standard configuration. You could certainly define one, but still you would need to modify the appropriate rules in order to have them reference it.

@valir "No"...you need to configure it, enable rulesets, etc. There is a wizard that runs when adding an interface (suggest adding LAN, as WAN will look at packets that will end up being blocked by the firewall). There is a choice to block or not...suggest not blocking for a while and watching the Alerts tab to see what will be blocked. Also, it may be best to start in the default Legacy mode as there are a variety of small issues with Inline mode for instance depending on the NICs. You may want to add your IP to a Pass list so you're not blocked.

I assume you mean when you specify a complete IP address with the mask. If specifying a complete individual IP, the mask is not required, so just drop it and use the x.x.x.x variation. If you want to pass the entire subnet, then use x.x.x.0/24, and that should work.

@code4food23 said in Puzzled about the number of Suricata instances needed for LAN and VLANs due to device showing up on both alert logs:

Also sorry for the dumb question, but the IPs help see which device made the traffic to trigger the alert right?

Hello,

Forgive me (pls.) for butting into the conversation here, but Bill is absolutely right that the management of IDS/IPS systems is a challenge for many well trained administrators too.

To run them in your home, I don't think it's absolutely necessary....

pfSense basically drops all unwanted traffic on the WAN interface +++++ if you use a well configured pfBlockerNG you are safe, this can be said.

The Suricata, Snort can cause a lot of headaches, if you are not skilled enough to handle them, I would start with a VM install and practice before deploying it on my system.

You can also get away with a lot of the abuse your family sends you when the internet isn't working in your home. 😉
(and it can limit a lot of other things in the background if it's set up wrong, which you haven't even discovered yet, FTP, SFTP, Torrent, P2P other, streams, etc.)

BTW:

The physical interface is the "igb_" interface (Intel PHY) that physically connect to the port (RJ45) on your pfSense box, those IDS/IPS systems listen to the traffic on the physical interface, so if you create virtual things (VLAN) on that interface, their traffic will pass through it, but as written the VLAN handling is not really functional at the moment (because of the tags)

++++edit:

Don't get me wrong, I'm not trying to dissuade you and welcome to the team, but at least run it in alert mode first to avoid a lot of unwanted problems.

@bmeeks
Thanks for the reply, i believe i have vtnet
but in theory its pointless to try it out because the VLAN i need to block social network would also block on my LAN

@bmeeks Thank you for looking at this. I appreciate it.
The Realtek's have been squirrelly. But I have not been able to find a solution to my lack of expansion ports and no intel usb3 nics.

@bmeeks Interesting I'm indeed running it on a vlan trunk, NUC only has one port.

@eveningstarnm Thanks a lot for your feedback!

@eveningstarnm said in suricata versus the latest version of snort:

connect your test machine to a consumer Xfinity (Comcast) internet connection

Yup 😉

Yes you are right it is America over there, although nowadays the invasive presence is increasing everywhere.

The idea is good :) - (Xfinity + Comcast ISP)

What I'd rather push is that it's not enough to just increase the number of unwanted events, you also need to increase the traffic (PPS) to see how the processing processor behaves on say a 40 - 100 Gig - f.e.: Netflix network

BTW:

although if I am correct - Netflix also uses a lot of FreeBSD stuff, because of the high traffic and of course the "pf" benefits

about a day or so after I raised this, the issue was addressed and successfully fixed.
I haven't had an issue since. it all works great

@bmeeks You are probably right, wireguard is the last package to start... So I will import the aliases and see what happens.

@bmeeks

Thanks for the quick response, I'll just wait for the patch to be processed internally then.

@cool_corona said in PID Error on starting INline IPS latest Suricata update:

@bmeeks Hi Bill

Neither is there in the system logs. No crashes related to Suricata.

The only possible way a PID file for a Suricata instance can exist in /var/run is if a running Suricata process created it. The only way it can exist when attempting to start that same Suricata instance is if the previous running instance failed to delete it at shutdown due to a crash.

The Suricata binary itself creates and deletes that file as part of its startup and orderly shutdown process. So the only way for the file to persist, if Suricata is not running on that interface, is for the Suricata process that originally created it to have crashed. That crash should show in the pfSense system log unless your log maybe got rotated out.

If this was a one-time occurrence, then don't sweat it.