• 10G Throughput with Snort

    15 · 0 Votes · 15 Posts · 2k Views · DaddyGoD
    @bmeeks said in 10G Throughput with Snort:
    > That would be like the legendary Bill Gates quote from 1981 where he reportedly uttered "640K ought to be enough for everybody".
    This is a good quote; I heard it a long time ago :) - MS + Bill G + DOS :) I was almost 20 at the time... and I was past these, the historical summary (you know, I enjoyed these at the time; and now I can barely turn my head when the world is rushing):
    https://hu.wikipedia.org/wiki/Intel_8088
    https://hu.wikipedia.org/wiki/Sinclair_Spectrum
    https://hu.wikipedia.org/wiki/Commodore_64 (of which there are two more in the attic)
    https://en.wikipedia.org/wiki/IBM_Personal_Computer_XT
    https://hu.wikipedia.org/wiki/Pentium_III
    https://en.wikipedia.org/wiki/MMX_(instruction_set) and https://en.wikipedia.org/wiki/Simons%27_BASIC
    https://en.wikipedia.org/wiki/Windows_3.1x
    https://hu.wikipedia.org/wiki/Windows_95
    https://hu.wikipedia.org/wiki/Windows_98
    How about this?
    https://www.theregister.com/2020/11/19/nvidia_q3_2021/
    https://www.theregister.com/2020/09/29/esxionarm_is_real_and_vmware/
    https://www.theregister.com/2020/10/15/nvidia_ai_supercomputer_italy_2022/
    This world will leap enormously.
  • Snort services won't start

    4 · 0 Votes · 4 Posts · 728 Views · K
    Snort is now working after updating my hardware to the latest version of pfsense. Thanks folks!
  • Feature Remove Request

    4 · 0 Votes · 4 Posts · 294 Views · bmeeksB
    I don't necessarily disagree, but nonetheless I am a little cautious when it comes to removing existing features still supported by the underlying binary.
  • Using Suricata SID Mgmt

    25 · 0 Votes · 25 Posts · 8k Views · N
    Thanks for the link Bill. Read it all and will keep in mind to check every 30 days for any Snort rule updates. I changed the 2.9.15.1 version of the Snort rules to snortrules-snapshot-29170.tar.gz. Suricata updated with no issues.
  • Suricata and potential false positives, heartbleed, and SMB alerts

    5 · 0 Votes · 5 Posts · 5k Views · P
    @bmeeks thanks, I'll have to pay attention to that and see. I am currently putting the finishing touches on building my own box, and am going to restore a backup from my SG-3100 (where I customized things for the rules), so I will look closely at that once I get Suricata installed on the new box (it's not connected to the internet yet while I build it, so it's not able to re-install Suricata yet). Thanks again.
  • Suricata rules without Internet access

    7 · 0 Votes · 7 Posts · 1k Views · bmeeksB
    @marklark said in Suricata rules without Internet access:
    > @Yordano Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance). Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but doesn't work. Where would I look to see errors? Thank you very much!
    The internal code within the PHP GUI is expecting HTTP or HTTPS URLs only in that field and sets the options for curl with that in mind. The assumption was the user would have an internal web host to download from when using the Custom URL option. Any errors would be logged on the UPDATES tab in the log file available for viewing there.
  • Suricata newbie question: pfSense address in alerts/blocks

    2 · 0 Votes · 2 Posts · 280 Views · S
    Sounds like you have Suricata on WAN, which is before the NAT happens. If you move it to LAN, then 1) you'll see the internal IPs, and 2) it should scan less traffic as it will only see packets making it through the firewall.
  • Snort high cpu usage

    6 · 0 Votes · 6 Posts · 2k Views · M
    @bmeeks Hi, thanks for all the advice, I will definitely remove some rules that are not used. As I said, the problem has been solved with regard to downloads via sites and via torrents, but if I perform a speedtest from speedtest.com for example, the use of the two interfaces reaches 80% and this did not happen before. Basically, now the problem appears only during a speedtest and I don't understand what can cause it since the same amount of bandwidth of the speedtest is also used to download with torrent and in this case snort uses a maximum of 30% of the CPU per interface. Edit: Even when I only set the Policy to Balanced and without ET and Community Rules snort uses 40%.
  • Suricata, Legacy Mode, "Block Offenders" not blocking

    4 · 0 Votes · 4 Posts · 2k Views · bmeeksB
    Glad you got it working for you. BOTH is the best choice for the "Which IP to Block" setting as I explained above.
  • snort and pfblockerNG in one box

    4 · 0 Votes · 4 Posts · 972 Views · bmeeksB
    @publictoiletbowl said in snort and pfblockerNG in one box:
    > Hello, I'm a total newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience. Thank you.
    If you are also a newbie to administering an IDS/IPS such as Snort, I would suggest you not enable the blocking mode. At least not for several weeks. During that period of no blocking, examine the ALERTS tab daily to see what types of alerts are being logged. Research them and determine if they represent potential false positives for your network environment. For those rules generating what you determine to be false-positive alerts, you will want to disable the rule entirely or suppress the alert for certain hosts as you feel appropriate. Administering an IDS/IPS is really for an expert in network security. It certainly is a skill that takes a long time to learn. For the majority of home networks, I don't recommend use of an IDS/IPS. If you are a curious type and want to invest the time to learn about the tool, then have at it. But be prepared for a lot of stuff to get blocked when you enable the blocking mode. Figuring out what is a false positive and what is an actual issue is where the "expert" earns his keep in the IDS/IPS world.
  • Snort not updating today

    6 · 2 · 0 Votes · 6 Posts · 854 Views · GertjanG
    @Waqar-UK said in Snort not updating today:
    > Thanks, I will wait for the certificate to propagate.
    Certs, HTTPS, or whatever TLS is, are never cached. Because you can't cache it... the cache-in-the-middle can't find info like a time stamp or an (image) file: it's all encrypted, just a binary stream. The next time you visit the server it will include the new cert, the browser won't yell, and all will be fine again.
  • 0 Votes · 3 Posts · 548 Views · GertjanG
    See here : https://forum.netgate.com/topic/158412/cert-expired-on-snapshots-pfsense-org?_=1605624244707
  • Error 302: Snort xyz file download failed... server returned error '302'

    15 · 0 Votes · 15 Posts · 861 Views · bmeeksB
    For Snort, everything is stored within the config.xml file where all other pfSense configuration information is stored. So when you remove and reinstall Snort, all the settings come back. For the other packages, I can't say as I don't maintain those.
  • 2 Votes · 1 Posts · 250 Views
    No one has replied
  • Suricata-5.0.4 Package Release Notes -- for pfSense-2.4.5 users

    1 · 0 Votes · 1 Posts · 262 Views
    No one has replied
  • Suricata-6.0.0 Package Update -- Release Notes

    3 · 3 Votes · 3 Posts · 586 Views · bmeeksB
    Suricata binary reverted to 5.0.4 in the latest 6.0.0_1 GUI package. The latest Suricata-6.0.0_1 package reverts the underlying binary to 5.0.4 from the problematic 6.0.0 version. When the upstream Suricata team releases a new 6.x version (hopefully a 6.0.1 update in the near future), I will revisit updating the Suricata binary to the 6.x branch.
  • 0 Votes · 15 Posts · 2k Views · bmeeksB
    An updated Suricata package has now been posted that officially reverts the Suricata binary to the 5.0.4 version from 6.0.0. The new GUI package is Suricata-6.0.0_1.
  • Uninstall suricata

    7 · 0 Votes · 7 Posts · 4k Views · P
    Hello, after reinstalling the package, making sure that the option to keep the configuration was unchecked, and then uninstalling the package, all is gone. Thank you all for your assistance on this, Pasquale
  • How to Install SNORT in pfSense [video instruction]

    Moved · 1 · 0 Votes · 1 Posts · 153 Views
    No one has replied
  • I have a couple of questions about snort

    4 · 0 Votes · 4 Posts · 779 Views · bmeeksB
    @Smoothrunnings said in I have a couple of questions about snort:
    > @bmeeks Is the performance impact not related to the firewall's hardware? From what I understand Ubiquiti uses Snort, and their UDM Pro, which is more powerful than their old gen router/firewall, doesn't hurt the performance much. It's definitely not an i5-4570 inside their UDM Pro or 8GB of RAM. Thanks,
    Certainly the underlying hardware has a huge impact on the performance of an IDS/IPS. How Snort or any IDS/IPS impacts performance is also heavily influenced by the mode. When running in IDS mode (detection only, no blocking), the impact is very minimal unless you truly have anemic hardware. And with IDS mode, dropping packets (by the IDS) would be unnoticed. IDS mode is a parallel processing path for the packet stream. So a copy of each packet is inspected while the original packet went straight to the kernel stack. With IPS mode (intrusion prevention, which means detection and blocking), there is a performance penalty. This is particularly true with inline IPS modes because every single packet pulled from the NIC has to be inspected by the IPS engine and then either passed on to the kernel network stack or dropped. The IPS engine literally sits between the NIC and the kernel stack, and every packet must go through the IPS engine (no parallel path of "copied" packets). And in this configuration, any dropped packets (as in the IPS engine could not keep up with the packet line rate) means interrupted network flow and thus a performance penalty.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.