• Is OpenAppID dead?

    0 Votes
    5 Posts
    934 Views
    bmeeks
    @stauraum said in Is OpenAppID dead?:
    @nogamer @bmeeks Ok, I've found my services in "odp/appMapping.data" which was updated in November 2020. So I can create custom rules to block these services in my network. I hope that this file is updated in the future.

    I think there is some interest in updating the file from another party, but I can't say who for now. Perhaps they will choose to take over maintaining the OpenAppID text rules going forward. In the meantime, you can certainly create your own custom OpenAppID rules to supplement those available in the standard archive. You found the proper location for identifying application names (in /usr/local/etc/snort/appid/odp/appMapping.data).
  • A funny thing about IDS/IPS.... /DNS related

    0 Votes
    17 Posts
    2k Views
    bmeeks
    @nogbadthebad said in A funny thing about IDS/IPS.... /DNS related:
    @bmeeks Yup, it had me baffled for ages as I couldn't see any lookups from my LAN interface to the offending FQDNs.

    Yes, the firewall itself sources the connection for the DNS lookup, and that traffic will exit the WAN on the way to either the DNS root servers or whatever DNS forwarder might be configured. So the IDS rules on the WAN see the traffic and alert. Since it's on the WAN, and the IDS sits beyond the firewall, the IDS sees your firewall's public WAN IP as the "source". The natural inclination is to assume the traffic originated on your LAN, but it actually did not.
  • Suricata SIGHUP every 5 minutes

    0 Votes
    4 Posts
    805 Views
    bmeeks
    @terminalhit said in Suricata SIGHUP every 5 minutes:
    @bmeeks, if I had to guess it's the EVE.JSON file which I'm ingesting into ELK for dashboards. In the Log Size and Retention Limits configuration the max size is 10MB, but I currently have a file in there, "eve.json", that is 1.2GB.

    The idea is for the log to rotate and get a new name with a UNIX timestamp appended to it. Then a new empty log file is opened for Suricata. The SIGHUP is supposed to tell Suricata to reopen log files. Unfortunately, the Suricata binary can only rotate certain logs natively. So without the GUI attempting to rotate the others, they will grow to impossibly large sizes.

    Do you have any eve.json logs that have a UNIX timestamp on the end? If not, the log rotation is not actually working. That would be why it keeps trying each time the cron task runs (every 5 minutes). You might have a duplicate Suricata zombie process attempting to use the log file. If you can, stop Suricata on the interface for more than 5 minutes. This will allow the cron task to run and hopefully rotate that huge file. Then restart Suricata on the interface. If stopping Suricata for more than 5 minutes does not result in the file rotating, then manually rename it yourself (the big 1.2 GB file) to something else and then restart Suricata.
  • Suricata alert-to-drop via config file edit?

    0 Votes
    3 Posts
    496 Views
    @bmeeks Impressive, Thanks.
  • 0 Votes
    3 Posts
    502 Views
    Cool_Corona
    @bmeeks You gotta teach me :)
  • Suricata failed to setup thread module

    0 Votes
    2 Posts
    404 Views
    bmeeks
    @volnodumcev said in Suricata failed to setup thread module:
    SC_ERR_LUA_ERROR(212)] - failed to setup thread module
    I'm getting this error in suricata.log but didn't find anything, neither about this error nor about how to fix it. Can anyone help?

    Never seen that error before. Please share some information about your installation such as:
    - Version of pfSense you are running
    - Version of the Suricata package you are running
    - Is this a fatal error? Does Suricata start and run, or is it failing to start?
    - List of any other installed packages (including any you may have installed from a non-pfSense repository)
  • Snort blocking pass list

    0 Votes
    4 Posts
    797 Views
    bmeeks
    @pfsense7515 said in Snort blocking pass list:
    @bmeeks Hello, thank you for your reply. About your questions: did you restart Snort on that interface? Yes, I tried several times but without success. Do you need to restart Snort services? How did you even install that version of Snort? We set up the integrated packages included on pfSense. We are aware that it is necessary to update. Do you have any other suggestions please? Thanks a lot.

    No, I have no other suggestions if you have done all of the following:
    1. Open the INTERFACE SETTINGS tab for the affected Snort interface and select the desired Pass List by name in the drop-down selector for Pass List assignment.
    2. SAVE that change and return to the INTERFACES tab in Snort.
    3. Click the icon on the affected interface to restart Snort.
    4. If Snort has already previously blocked a particular IP address, then you must manually remove that block by going to the BLOCKED tab and deleting the address from the list (or just clear all blocks).

    Snort hands off blocking to pfSense, so restarting Snort or stopping Snort will not unblock a previously blocked IP address. Just pointing that out because some folks think otherwise. Snort is not dynamic. It only reads a Pass List when starting, and it can't "unblock" anything. When a Snort alert triggers, Snort extracts the IP from the triggering packet and sends it to the firewall for blocking. After that, pfSense itself holds the block, not Snort.

    You really need to update your firewall. Running out of date software on a critical component such as a network firewall is not wise.
  • Snort blocking pass list

    0 Votes
    3 Posts
    392 Views
    @nogbadthebad Yes, sorry. I replied to the right person on the correct channel.
  • Matching data between different packets

    0 Votes
    2 Posts
    283 Views
    bmeeks
    @volnodumcev said in Matching data between different packets:
    Please give me a hand with one task. I need to compare the Timestamp field between Goose protocol packets to prevent a MITM attack. Can I solve it using Suricata rules?

    I do not believe that is possible with either Suricata or Snort rules syntax. But I confess to not being a rule writing guru. You might consider posting your question on the mailing lists for Suricata. Here are the Suricata Mailing Lists: https://lists.openinfosecfoundation.org/mailman/listinfo.
  • Snort 3 has been released!

    0 Votes
    1 Posts
    554 Views
    No one has replied
  • Snort alert logging

    0 Votes
    3 Posts
    889 Views
    Hello! Thanks for looking into this so quickly! The manual restart did the job. John
  • Suricata Alert show ports other than forwarded port, interface DMZ

    0 Votes
    2 Posts
    505 Views
    bmeeks
    The IDS packages sit out in front of the pfSense firewall engine. So they see traffic before any firewall rules or NAT is applied. For Legacy Mode Blocking operation, the IDS engine is getting copies of packets as they traverse from the NIC to the firewall engine in the kernel. For Inline IPS Mode operation, the IDS sits between the NIC and the firewall engine by way of a netmap kernel device network pipe. See the two diagrams below that show the traffic flow for both Legacy Mode Blocking and Inline IPS Mode blocking.
    [image: 1610983985533-ids-ips-network-flow-legacy-mode.png]
    [image: 1610983998439-ids-ips-network-flow-ips-mode.png]
  • so many protocol violations

    0 Votes
    2 Posts
    415 Views
    bmeeks
    Let's start first with answering your question about the Protocol rule. That rule is coming from the set of built-in Suricata rules that are part of the base package. I forget exactly what the name of that category is at the moment, but if you look under the RULES tab at the list of categories in the drop-down selector you will find some that have "Events" in the name. Those are the built-in Suricata rules. They always get enabled by default. You can suppress that particular rule alert, or you can completely disable that rule SID. Click the red X under the GID:SID column to disable the rule, or click the plus (+) sign to add it to a Suppress List.

    Now let's talk about ALERT versus DROP. All rules from the vendors (both the Snort and Emerging Threats teams) come with the rule action set to ALERT. If you want some rules to alert only and others to actually block traffic, then you need to change the ALERT action to DROP for those rules that you wish to block traffic. There are two ways to do that. And for the Snort rules, if you choose to use an IPS Policy, there is a third "sort of" way I will describe last.

    The most straightforward way to change ALERT to DROP is to click on the rule action icon on the RULES tab (or you can also do this on the ALERTS tab). A modal dialog will pop up giving you the option to choose the rule action. This works fine for a few rules, but it is very time-consuming for lots of rules. So on to option #2.

    Use the SID MGMT tab and the features there. The dropsid option is what you want. Open up the sample file on that tab and read through it (you will see the sample files after you click the checkbox to enable SID management). There are ample comments sprinkled throughout with examples. There is also a Sticky Post at the top of this sub-forum describing how to use the SID MGMT feature here: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata. The SID MGMT feature is a very powerful tool for managing your rules. I highly recommend taking some time to read up on it and experiment with it. A virtual machine is a great place to play with the option to see how it works.

    Finally, if you are using the Snort rules with Suricata and enable an IPS Policy (on the CATEGORIES tab), then you have an option to let the IPS policy metadata embedded within the rules govern whether the action is ALERT or DROP for each rule. The Snort team embeds IPS Policy metadata in their rules (only the Snort rules; the ET rules do not have this, so ignore this for ET rules). This policy metadata associates a given rule with one of the pre-defined IPS Policies such as "Connectivity", "Balanced", etc. It also provides alternate rule actions for the various policies. There is a drop-down selector on the CATEGORIES tab (when you enable IPS Policy and have the Snort rules enabled) that lets you choose to have the package code automatically change rule actions for you from ALERT to DROP for those rules in your IPS Policy choice that the Snort team recommends be DROP.
  • Recommended Categories?

    0 Votes
    4 Posts
    751 Views
    bmeeks
    @killmasta93 said in Recommended Categories?:
    @bmeeks Thank you so much for the reply. So, I forgot to mention I'm currently running a webserver, with the email server Zimbra. As for OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a webserver or email server? And as for the Snort text rules, I didn't really find any documentation on this. Thank you.

    The selections you showed in your first post match up with what I would choose from the ET set. There is actually quite a bit of duplication between the Snort and ET rules, and that just logically follows, since the threats themselves are what the rules are targeting. Thus the detection mechanisms have to be the same. Yeah, it's possible one set of rules targets some obscure threat another does not, but all the popular threats are handled by both sets of rules.
  • Suricata Rule management

    0 Votes
    14 Posts
    2k Views
    Sorry. My example was disabled. With this it works and I can save myself the work of activating everything. Then I only have to look at what is newly added and disabled. Thank you very much for your help.
  • Suricata Package v6.0.0_7 -- Release Notes (for pfSense-2.5 DEVEL only)

    2 Votes
    1 Posts
    325 Views
    No one has replied
  • Suricata widget only giving alerts on WAN. No LAN alerts

    0 Votes
    4 Posts
    859 Views
    bmeeks
    @teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:
    @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts: The LAN is a much better place in almost all cases
    I set up a new router for a client today. When creating a new interface it defaults to WAN... I thought of this thread. Perhaps it should default to LAN? (This was Snort, but I know it's the same code in pfSense.) Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).

    Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.
  • Snort, S5: Pruned 2 sessions from cache for memcap. 292 scbs remain

    0 Votes
    2 Posts
    2k Views
    bmeeks
    @trumee said in Snort, S5: Pruned 2 sessions from cache for memcap. 292 scbs remain:
    Hello, I am running the latest snort 4.1.2_2 release. I am getting a bunch of messages in the log:
    Jan 2 19:34:31 snort 99033 S5: Pruned 1 sessions from cache for memcap. 389 scbs remain. memcap: 8387565/8388608 (suppressed 361 times in the last 61 seconds).
    Jan 2 19:33:31 snort 99033 S5: Pruned 2 sessions from cache for memcap. 743 scbs remain. memcap: 8387767/8388608 (suppressed 10 times in the last 194 seconds).
    Any idea what is causing this? Thanks

    Here are some links I found with a quick Google search using the terms "snort stream pruned sessions from cache for memcap". The first link is from the Snort mailing list, and it appears to have your best answer in the third reply in that thread.
    https://seclists.org/snort/2008/q2/82
    https://marc.info/?l=snort-users&m=139827350314791&w=2
    https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/40244/bug-8-201-snort-gets-memcap-errors/138536
  • Am I missing something?

    0 Votes
    3 Posts
    636 Views
    Thank you for that. There must be some way to make that description clearer. After removing the check, I didn't immediately see blocked hosts, but after restarting Suricata, I now have blocked hosts. Greatly appreciate your response.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.