  • Snort Alert Update Failure

    0 Votes
    8 Posts
    770 Views

    @bmeeks hmm, this is pushing me more towards thinking I need to do a fresh install. Thanks for trying that!

  • Snort export pcap

    0 Votes
    2 Posts
    587 Views
    bmeeks

    At the moment there is no easily installable package for exporting the pcap files. Some users have installed the filebeat package manually. There are several links to be found on Google about doing this.

    Of course you could always write your own shell script to copy the files off to another system and use cron to execute it periodically. There is a cron package you can install on pfSense to enable easy management of scheduled tasks within the GUI.

    As for filtering the ALERTS tab, I assume you mean that the alert entries prior to them being suppressed are still visible. Adding a filter for that is probably a good idea, so I will put that on my TODO list for a future upgrade of the package. The alert entries will eventually "roll off" once the alert log is rotated. I assume you have enabled automatic log file management on the LOGS MGMT tab. That feature is off by default, but when enabled it will auto-rotate logs and other files like pcaps when they reach a certain size. It will also prune files from disk based on a retention policy you can configure there. So when log management is enabled, those old suppressed alerts will disappear from the ALERTS tab view when the current alert log file is rotated and a new empty file created in its place.

  • Disable hardware-level VLAN filtering on igb network card

    0 Votes
    14 Posts
    5k Views
    viktor_g

    @slu you can also try this patch:
    https://redmine.pfsense.org/issues/10836

  • Snort 2.9.17

    0 Votes
    3 Posts
    655 Views
    bmeeks

    @tman222 said in Snort 2.9.17:

    Hi @bmeeks - are you planning on including this updated binary in the next version of the Snort package? Thanks in advance.

    Yes, I generally stay up-to-date with the latest binary. I wait a little bit initially to see if any major bugs get reported upstream before proceeding with the update.

    I should get the new binary out before the end of this month.

  • Can/is Snort using JA3 hashes?

    0 Votes
    6 Posts
    1k Views
    bmeeks

    @JeGr said in Can/is Snort using JA3 hashes?:

    @bmeeks said in Can/is Snort using JA3 hashes?:

    If JA3 support is critical to your customer, perhaps Suricata might be a better fit for them ???

    That was the answer I was looking for. As Suricata didn't have (or still doesn't?) support for OpenAppID rules, we set up Snort at the time when the Netgate blog post about support for OpenAppID was published. The request about JA3 popped out of nowhere a few days ago, so if that's something they absolutely want, then yes, we'd have to switch. It would take time, though, to test it out first, roll it out on the cluster and train the team using it, which is currently struggling to come to terms with Snort.

    There are other options depending on their requirements. For instance, if they simply wanted to monitor/alert on JA3 hashes and not block, they could install Suricata on a separate machine (bare metal or VM) and connect it to a SPAN port on a managed switch.

    If you don't have both packages blocking in Legacy Blocking Mode, and you have the CPU horsepower and RAM, it is certainly possible to run both packages on the same pfSense instance. In that case you would run Suricata with a very stripped-down rule set concentrating solely on the JA3 hashing stuff. So in a setup like this you might configure Snort to use Inline IPS Mode (assuming your NIC hardware supports it) and Suricata to use Legacy Blocking. Or you could flip that scenario. The only caveat here is that you can't run Inline Mode and Legacy Blocking Mode on the same physical interface. So you would need to monitor the traffic on another matching interface. For example, Suricata JA3 on WAN and Snort OpenAppID on LAN (or vice versa). You could always run one in alert-only mode and the other package in blocking mode.

    Functionally within the GUI, both packages are very, very similar. In fact, the majority of the Suricata PHP code is a copy-and-paste from the Snort GUI code. So the look and feel is the same.

  • pfsense 2.4.5 vmxnet3 with Snort 4.1.2_2 inline mode

    0 Votes
    5 Posts
    610 Views

    @bmeeks got ya!!

  • Snort blocking speedtest

    0 Votes
    5 Posts
    4k Views
    bmeeks

    @teamits said in Snort blocking speedtest:

    @bmeeks said in Snort blocking speedtest:

    https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html

    That page shows putting it on the WAN interface in several examples...I don't suppose you could convince them to use LAN throughout?

    Yeah, that part and the screenshots that accompany it are quite ancient. At one time I had "edit" access to the doc wiki. I can check if I still do and maybe make some adjustments based on current recommendations.

  • crowdstrike / Falcon Service installation possible?

    0 Votes
    3 Posts
    1k Views
    awebster

    Crowdstrike Falcon is something that you would load on an endpoint, PC or Mac, not on pfSense. Users don't log in or manipulate data on pfSense, so I don't see the relevance.

  • 10G Throughput with Snort

    0 Votes
    15 Posts
    2k Views
    DaddyGo

    @bmeeks said in 10G Throughput with Snort:

    That would be like the legendary Bill Gates quote from 1981 where he reportedly uttered "640K ought to be enough for everybody".

    This is a good quote, I heard it a long time ago :) - MS + Bill G + DOS :)

    I was almost 20 at the time...and I was past these, -

    the historical summary (you know, I enjoyed these at the time):
    (and now I can barely turn my head when the world is rushing)

    https://hu.wikipedia.org/wiki/Intel_8088
    https://hu.wikipedia.org/wiki/Sinclair_Spectrum
    https://hu.wikipedia.org/wiki/Commodore_64
    (of which there are two more in the attic)
    https://en.wikipedia.org/wiki/IBM_Personal_Computer_XT
    https://hu.wikipedia.org/wiki/Pentium_III
    https://en.wikipedia.org/wiki/MMX_(instruction_set)

    and
    https://en.wikipedia.org/wiki/Simons%27_BASIC
    https://en.wikipedia.org/wiki/Windows_3.1x
    https://hu.wikipedia.org/wiki/Windows_95
    https://hu.wikipedia.org/wiki/Windows_98

    How about this?

    https://www.theregister.com/2020/11/19/nvidia_q3_2021/
    https://www.theregister.com/2020/09/29/esxionarm_is_real_and_vmware/
    https://www.theregister.com/2020/10/15/nvidia_ai_supercomputer_italy_2022/

    This world will leap enormously.

  • Snort services won't start

    0 Votes
    4 Posts
    646 Views

    Snort is now working after updating my hardware to the latest version of pfSense. Thanks folks!

  • Feature Remove Request

    0 Votes
    4 Posts
    284 Views
    bmeeks

    I don't necessarily disagree, but nonetheless I am a little cautious when it comes to removing existing features still supported by the underlying binary.

  • Using Suricata SID Mgmt

    0 Votes
    25 Posts
    7k Views

    Thanks for the link Bill. Read it all and will keep in mind to check every 30 days for any Snort rule updates. I changed the 2.9.15.1 version of the Snort rules to snortrules-snapshot-29170.tar.gz. Suricata updated with no issues.

  • Suricata and potential false positives, heartbleed, and SMB alerts

    0 Votes
    5 Posts
    4k Views

    @bmeeks thanks, I'll have to pay attention to that and see. I am currently putting the finishing touches on building my own box, and am going to restore a backup from my SG-3100 (where I customized things for the rules), so I will look closely at that once I get Suricata installed on the new box (it's not connected to the internet yet while I build it, so it's not able to re-install Suricata yet).

    Thanks again.

  • Suricata rules without Internet access

    0 Votes
    7 Posts
    1k Views
    bmeeks

    @marklark said in Suricata rules without Internet access:

    @Yordano

    Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance).
    Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but it doesn't work.

    Where would I look to see errors?

    Thank you very much!

    The internal code within the PHP GUI is expecting HTTP or HTTPS URLs only in that field and sets the options for curl with that in mind. The assumption was that the user would have an internal web host to download from when using the Custom URL option.

    Any errors would be logged on the UPDATES tab in the log file available for viewing there.

  • Suricata newbie question: pfSense address in alerts/blocks

    0 Votes
    2 Posts
    253 Views

    Sounds like you have Suricata on WAN, which is before the NAT happens. If you move it to LAN, then 1) you'll see the internal IPs, and 2) it should scan less traffic as it will only see packets making it through the firewall.

  • Snort high cpu usage

    0 Votes
    6 Posts
    2k Views

    @bmeeks
    Hi, thanks for all the advice, I will definitely remove some rules that are not used. As I said, the problem has been solved with regard to downloads via sites and via torrents, but if I perform a speedtest from speedtest.com, for example, the usage on the two interfaces reaches 80%, and this did not happen before. Basically, now the problem appears only during a speedtest, and I don't understand what can cause it, since the same amount of bandwidth as the speedtest is also used when downloading with torrents, and in that case Snort uses a maximum of 30% of the CPU per interface.
    Edit: Even when I only set the Policy to Balanced and without ET and Community Rules, Snort uses 40%.

  • Suricata, Legacy Mode, "Block Offenders" not blocking

    0 Votes
    4 Posts
    1k Views
    bmeeks

    Glad you got it working for you. BOTH is the best choice for the "Which IP to Block" setting as I explained above.

  • snort and pfblockerNG in one box

    0 Votes
    4 Posts
    847 Views
    bmeeks

    @publictoiletbowl said in snort and pfblockerNG in one box:

    Hello,

    I'm totally a newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience.

    Thank you.

    If you are also a newbie to administering an IDS/IPS such as Snort, I would suggest you not enable the blocking mode. At least not for several weeks. During that period of no blocking, examine the ALERTS tab daily to see what types of alerts are being logged. Research them and determine if they represent potential false positives for your network environment. For those rules generating what you determine to be false-positive alerts, you will want to disable the rule entirely or suppress the alert for certain hosts as you feel appropriate.

    Administering an IDS/IPS is really for an expert in network security. It certainly is a skill that takes a long time to learn. For the majority of home networks, I don't recommend use of an IDS/IPS. If you are a curious type and want to invest the time to learn about the tool, then have at it. But be prepared for a lot of stuff to get blocked when you enable the blocking mode. Figuring out what is a false positive and what is an actual issue is where the "expert" earns his keep in the IDS/IPS world.

  • Snort not updating today

    0 Votes
    6 Posts
    675 Views
    Gertjan

    @Waqar-UK said in Snort not updating today:

    Thanks, I will wait for the certificate to propagate.

    Certs, HTTPS, or whatever TLS is, are never cached.
    Because you can't cache it .... the cache-in-the-middle can't find info like a time stamp or an (image) file: it's all encrypted, just a binary stream.
    The next time you visit the server, it will include the new cert, the browser won't yell, and all will be fine again.

  • 0 Votes
    3 Posts
    510 Views
    Gertjan

    See here: https://forum.netgate.com/topic/158412/cert-expired-on-snapshots-pfsense-org?_=1605624244707

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.