• Using Telegraf to ship Snort or Suricata logs

    0 votes, 3 posts, 3k views; latest post by bmeeks

    The next update to the Suricata 5.x package on pfSense will contain a new option for configuring Suricata to export performance stats over a Unix socket to Telegraf. It will support the input.suricata plugin.

    Suricata can produce EVE JSON logs, and that data can be either written to a conventional text file or it can be made available to a Unix socket. So if someone produces a log data parser for EVE JSON, then Suricata can easily be adapted to feed data over the Unix socket. I am not familiar with Telegraf since I've never used it. So I don't know what it is capable of in terms of digesting Suricata's EVE JSON logs. The new feature I mentioned came from a Redmine Feature Request submitted a while back. And that request was specifically for Suricata performance stats (things like packets processed, packets dropped due to load, etc.).
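    Added example (not code from the post above, from the pfSense package or from Telegraf): a minimal collector that digests the two EVE record types the post mentions, `stats` for performance counters and `alert` for rule hits. The EVE lines are constructed for the example, the `kernel_packets`/`kernel_drops` counters are cumulative per Suricata's stats output, and the Unix-socket reader assumes the `eve-log` output is set to `filetype: unix_stream`, in which case Suricata connects to a socket the collector has already bound.

```python
"""Digest Suricata EVE JSON (stats + alert events) the way a collector would."""
import json
import os
import socket
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional

# Constructed EVE records (not real traffic). Field names follow Suricata's
# EVE schema: "stats" carries the capture counters (packets seen, packets
# dropped under load); "alert" carries the rule that fired.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-05-01T10:00:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":60,"capture":{"kernel_packets":10000,"kernel_drops":0},'
    '"decoder":{"pkts":10000}}}',
    '{"timestamp":"2020-05-01T10:00:05.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL constructed example rule","severity":2}}',
    '{"timestamp":"2020-05-01T10:00:20.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"UDP",'
    '"alert":{"gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"LOCAL constructed example rule 2","severity":3}}',
    '{"timestamp":"2020-05-01T10:01:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":120,"capture":{"kernel_packets":25000,"kernel_drops":500},'
    '"decoder":{"pkts":24500}}}',
    '{"timestamp":"2020-05-01T10:01:01.0',  # torn line, e.g. read mid-write
]


def summarize_eve(lines: Iterable[str]) -> Dict[str, object]:
    """Reduce a stream of EVE lines to the numbers a collector would ship.

    Suricata's stats counters are cumulative since process start, so the
    drop rate for the window is taken from the delta between the first and
    last stats record seen, not from the raw counter values.
    """
    events = malformed = 0
    alerts_by_sig: Counter = Counter()
    alerts_by_src: Counter = Counter()
    first_cap: Optional[dict] = None
    last_cap: Optional[dict] = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # torn line; never let it abort the run
            continue
        if not isinstance(rec, dict):
            malformed += 1
            continue
        events += 1
        kind = rec.get("event_type")
        if kind == "alert":
            a = rec.get("alert", {})
            alerts_by_sig[(a.get("gid", 1), a.get("signature_id"))] += 1
            alerts_by_src[rec.get("src_ip")] += 1
        elif kind == "stats":
            cap = rec.get("stats", {}).get("capture", {})
            if first_cap is None:
                first_cap = cap
            last_cap = cap
    pkts = drops = 0
    if first_cap is not None and last_cap is not None:
        pkts = last_cap.get("kernel_packets", 0) - first_cap.get("kernel_packets", 0)
        drops = last_cap.get("kernel_drops", 0) - first_cap.get("kernel_drops", 0)
    drop_pct = round(100.0 * drops / pkts, 2) if pkts > 0 else 0.0
    return {
        "events": events, "malformed": malformed,
        "alerts": sum(alerts_by_src.values()),
        "alerts_by_sig": alerts_by_sig, "alerts_by_src": alerts_by_src,
        "kernel_packets_delta": pkts, "kernel_drops_delta": drops,
        "drop_pct": drop_pct,
    }


def serve_unix_stream(path: str) -> Iterator[str]:
    """Accept one Suricata connection on a Unix stream socket and yield lines.

    With `filetype: unix_stream`, Suricata is the client: the collector binds
    and listens first, then Suricata connects and writes newline-delimited
    JSON. The socket is created 0600 because anything that can write to it
    can inject fake alerts (or fake "zero drops") into the pipeline.
    """
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    conn, _ = srv.accept()
    with conn, srv:
        buf = b""
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                yield line.decode("utf-8", "replace")
        if buf:
            yield buf.decode("utf-8", "replace")


if __name__ == "__main__":
    print(summarize_eve(SAMPLE_EVE_LINES))
```

    On the constructed sample the window shows 15000 packets and 500 kernel drops, a 3.33% drop rate, which is the kind of number the Redmine request was after; a real collector would call `serve_unix_stream()` with the path configured in `suricata.yaml` and feed its output to `summarize_eve()` per interval.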

  • Suricata Menu Missing Help!

    0 votes, 8 posts, 570 views

    @bmeeks said in Suricata Menu Missing Help!:

    downloaded during the install process, but ONLY if that option was enabled on the GLOBAL SETTINGS tab and there is a non-null value in the MaxMin

    Did everything you recommended and reinstalled Suricata and, what do you know, it appeared on the menu. Jeez, seems like some sort of bug that needs to be fixed so a noob doesn't have to spend a while trying to fix it.

    I also upped the TCP memcap, but damn, I have it all the way up to 299108864 and it finally started error free. The box only has 128 MB of memory.

    After going through all that, for some reason I have my box configured as a RAID 5 box with 4 x 4 TB drives in it and I'm only seeing 1.9T free on the box, which seems a little low for 8 TB installed. I know the overhead with a RAID 5 system, but does FreeBSD utilize a lot more than I am aware of? I know I might never use all the space in it; it's just how the box came configured, and it was cheaper than any appliance out there since I bought it used, but I would think I should see a little more than 1.9 TB out of the drive system. Everything is mounted on /; I just did the recommended install when I set the box up. Maybe I'll just leave it be since it seems to be running great now.

    Now to dive into Snort configuration, since I have signed up for a free key just to start, and configuring all my VLANs etc. Me being a Checkpoint firewall guy, this seems just as robust as Checkpoint ever did, and you can't beat the price.

    Thanks a ton for your help, everything worked out great.

    Chris

  • Suricata does not start?

    0 votes, 19 posts, 2k views; latest post by bmeeks

    @kvamsi-k143 said in Suricata does not start?:

    @bmeeks
    Thanks for your time in helping me on this. There are two issues on my pfSense box. 1) ET not updating and 2) Suricata services not running on the interfaces.

    BTW, I did update pfSense before Suricata, I am aware of the catch. 😉

    I did check the other thread while investigating. That is when I found issue with "libluajit-5.1.so.2" not found, required by "suricata".

    Post your suggestion, I took time to flash the pfSense from scratch after taking a backup of the config. Thanks to the documentation. All was up and running in just a couple of hours, including installation of all packages.

    I am overwhelmed with your response. Kudos to you..!!👍 👏 🍻
    Owe one for you mate...!!!

    Glad you got it sorted out. Something was definitely out of whack with the shared libraries, and that was preventing the start of Suricata. Don't really see how that would have impacted the failure to download the ET Open rules, though.

  • pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file

    0 votes, 6 posts, 958 views; latest post by bmeeks

    @slu said in pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file:

    Last update (pfSense-pkg-snort from 3.2.9.12 to 3.2.9.13.) was with no issue, thank you very much.

    Good news! Thank you for the feedback.

  • Snort Update Changelog

    0 votes, 6 posts, 598 views; latest post by fireodo

    @bmeeks said in Snort Update Changelog:

    The latest update was made by a member of the pfSense developer team to tweak the way VPN addresses are pulled into automatic Pass Lists. I will post up a note.

    Big THANX!

  • Suricata v5.0.2_3 Package Update - Release Notes

    1 vote, 1 post, 172 views; no replies

  • Snort Package v3.2.9.13 - Release Notes

    0 votes, 1 post, 111 views; no replies

  • IPv6 Alerts all of a sudden in Suricata

    0 votes, 2 posts, 227 views; latest post by bmeeks

    If you don't want to see the alert, then disable that rule. Click the red X under the GID:SID column and that rule will be disabled.

    If you want to figure out why the alerts suddenly started showing up, then you need to examine any changes to your network environment such as a new device being added or someone downloading and installing a new or updated piece of software.

    As the alert message states, this alert is coming from multicast traffic from some device on your network.

  • Need to block vpn/proxies

    0 votes, 3 posts, 617 views; latest post by bmeeks

    @scorpoin said in Need to block vpn/proxies:

    Greetings to community,

    I've configured pfBlockerNG in pfSense version 2.5.0. Blocked many social networking, streaming and some other categories as well; it is working fine, but some users installed VPN apps on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable Block Offenders it starts to block everyone in the network 😕. I've added my system IP into the pass list to avoid blocking by the Snort rules selected as below:

    emerging-scan.rules <== ET open
    snort_indicator-scan.rules <=== ET_text
    vpn_tunnel <== appID

    Home Net: selected the default
    and Which IP to block set to: Dst

    My only goal with Snort is to block VPN tunnels; I know it won't work out 100%, but it will be fine to save some of my bandwidth.

    Regards

    If you are using Snort in the pfSense-2.5 DEVEL snapshots, then you have access to its Inline IPS Mode. This will work much better for OpenAppID than Legacy Blocking Mode. Legacy Blocking Mode blocks all traffic to an IP once any alert for that IP is triggered. This is not always optimal. Inline IPS Mode will selectively drop (or block) only traffic matching a DROP rule.

    So if your NIC hardware supports netmap operation, then switch to Inline IPS Mode. There is a Sticky Post at the top of this forum describing how that works. Note that when using the Inline IPS Mode you will need to use the features on the SID MGMT tab to change selected rules to DROP from their default ALERT action in order to actually block or drop traffic.
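    Added example (not the pfSense package's own SID MGMT code): what "change selected rules to DROP" amounts to at the rules-file level. The rules are constructed in the local SID range, and the gid:sid list format that `parse_sid_list()` accepts is an assumption made for this example, not the package's file format.

```python
"""Rewrite selected rules from ALERT to DROP, as inline IPS mode requires."""
import re
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Constructed rules in the local SID range; not from any real ruleset.
SAMPLE_RULES = """\
# local.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL constructed SSH probe"; flags:S; sid:1000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1194 (msg:"LOCAL constructed OpenVPN client"; sid:1000002; rev:2;)
#alert tcp any any -> any 443 (msg:"LOCAL constructed disabled rule"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"LOCAL constructed gid 3 rule"; gid:3; sid:1000004; rev:1;)
"""

# Rule actions understood by Snort 2.9.x / Suricata; anything else is left alone.
ACTIONS = "alert|log|pass|drop|sdrop|reject|rejectsrc|rejectdst|rejectboth"
RULE_RE = re.compile(rf"^(?P<off>#\s*)?(?P<action>{ACTIONS})\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rule_key(line: str) -> Optional[Tuple[int, int]]:
    """Return (gid, sid) for a rule line (commented-out rules included), else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    sid = SID_RE.search(m.group("rest"))
    if not sid:
        return None
    gid = GID_RE.search(m.group("rest"))
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_sid_list(text: str) -> Set[Tuple[int, int]]:
    """Parse a list such as "1:1000001, 1000002  3:1000004".

    Assumed format for this example only: comma/whitespace-separated gid:sid
    pairs, bare sids default to gid 1, '#' starts a comment.
    """
    wanted: Set[Tuple[int, int]] = set()
    for raw in text.splitlines():
        body = raw.split("#", 1)[0]
        for tok in re.split(r"[,\s]+", body.strip()):
            if not tok:
                continue
            gid, _, sid = tok.rpartition(":")
            wanted.add((int(gid) if gid else 1, int(sid)))
    return wanted


def apply_drop_list(rules_text: str, drop_set: Set[Tuple[int, int]],
                    enable_disabled: bool = True) -> Tuple[str, Dict[str, int]]:
    """Rewrite every rule in drop_set to the drop action.

    A commented-out rule in the set is enabled on the way (a disabled drop
    rule drops nothing) unless enable_disabled is False.
    """
    out = []
    stats: Counter = Counter()
    for line in rules_text.splitlines():
        key = rule_key(line)
        if key is None or key not in drop_set:
            out.append(line)
            stats["untouched"] += 1
            continue
        m = RULE_RE.match(line)
        assert m is not None  # rule_key() only returns a key for matching lines
        if m.group("off") and not enable_disabled:
            out.append(line)
            stats["left_disabled"] += 1
            continue
        if m.group("off"):
            stats["enabled"] += 1
        out.append("drop " + m.group("rest"))
        stats["set_to_drop"] += 1
    return "\n".join(out) + "\n", dict(stats)


def count_actions(rules_text: str) -> Dict[str, int]:
    """Count enabled rules by action, ignoring commented-out rules."""
    counts: Counter = Counter()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group("off"):
            counts[m.group("action")] += 1
    return dict(counts)


if __name__ == "__main__":
    new_rules, changes = apply_drop_list(SAMPLE_RULES, parse_sid_list("1:1000001, 3:1000004"))
    print(changes, count_actions(new_rules))
    print(new_rules)
```

    The point the reply above makes is visible in the output: in Inline IPS Mode only the packets matching the two rules now set to `drop` are dropped, while the rule left at `alert` only logs. In Legacy Blocking Mode the action keyword makes no difference, since any alert for an IP blocks all traffic for that IP.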

  • Suricata blocking IPs that are on the passlist

    0 votes, 7 posts, 2k views

    @bmeeks said in Suricata blocking IPs that are on the passlist:

    @ELMcDonald said in Suricata blocking IPs that are on the passlist:

    No they are not, also not listed in any of the log's

    Then if the IP is not listed in an alert showing on the ALERTS tab, Suricata is not the cause. It is not possible for Suricata to block without showing the IP in an alert and on the BLOCKS tab. Just for info, blocked IPs are never shown anywhere in the pfSense system log nor in the suricata.log. So don't look for them there. Look on the ALERTS and BLOCKS tabs. IPs from triggered rules only show up on the ALERTS tab or the BLOCKS tab.

    I understand what you are saying. I can't get to reddit while its running and i did check it is in legacy mode. As soon as it stops I can access the site and use the app.

    One odd thing: I can ping and tracert to the site with no problems.

    These statements prove to me that Suricata is not your problem (if you are actually using Legacy Mode). Suricata blocks everything for an IP once it blocks. That includes all ports and all protocols. So nothing would work for a given IP if Suricata is actually doing the blocking, so the tracert and ping would fail. This is especially the case in Legacy Mode. It is impossible within the code for Suricata in Legacy Mode to block just one protocol for an IP.

    I don't mean to be rude, but your description of the issue leads me to believe you need much more experience with an IDS before you put it in blocking mode. Go to the INTERFACE SETTINGS tab (for your WAN, since you said you are running Suricata on the WAN) and uncheck the box for Block Offenders. Save the change and restart Suricata. See how things work then. If everything works fine, then that indicates you have a lot of learning to do with regards to how to operate and utilize the Suricata package.

    The things you have described as happening to you thus far do not follow logically based on other information you are giving to my questions. To be blunt, it can't be working exactly as you describe. The code just does not work that way. Perhaps you are not describing things correctly when answering my specific questions.

    I admitted that I have no experience with IDS/IPS. Do you have any sites that would be good for a beginner?

    I stumbled upon another address that my research didn't find the first time. Added that IP and did a test and all works. Turned blocking mode back off.

    Thank you for your help.

  • Snort exit with signal 10 or 11 when doing certain updates

    0 votes, 15 posts, 2k views; latest post by fireodo

    @bmeeks said in Snort exit with signal 10 or 11 when doing certain updates:

    Variations of this problem occur elsewhere in the C source for Snort (and to some degree, in Suricata as well). Other binary packages have similar issues (the ones I mentioned in my earlier post). Turning off compiler optimizations may fix some issues, but not necessarily all of them everywhere in the code. It is a very daunting problem!

    Oh I see - like it says in my native language: its a very deep Fountain.

    The compiler folks scream "fix your darn code!", and the application people say "just have your compiler make safe choices for op-codes because my code works fine on other platforms!"

    😁 😁 😁

  • Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes

    1 vote, 18 posts, 1k views

    @bmeeks Oh man, I had no idea! Thank you for the advice, I really appreciate it.

  • Inspection Recursion Limit (if left blank, Suricata won't start).

    0 votes, 1 post, 105 views; no replies

  • Random Crash HWCUR

    0 votes, 6 posts, 2k views; latest post by Cool_Corona

    Just to relive an old topic...

    I am seeing the same thing with the igb driver (E1000 NICs).

    Just not in abundance. The netmap errors go away if you manually select autoselect or any other setting besides default on the interface page.

    Start with the interface showing the netmap errors. Choose autoselect


    and the errors go away instantly.

  • Suricata service is not starting

    0 votes, 2 posts, 554 views; latest post by bmeeks

    I can't tell what exactly, since you censored the content of the HOME_NET variable, but something is corrupt in there. That value is populated with information pulled from the firewall's config.xml file and by making pfSense system calls to obtain certain information such as the default gateway, DNS servers, interface IPs, etc.

    Something in your system's setup is now borked and that is causing an improper HOME_NET variable to be constructed and written to the suricata.yaml configuration file for the interface.

    Have you made any kind of change to pfSense recently? When was the last time you know Suricata was working, and what (if anything) was changed on the firewall between then and now? That's where I would start my investigation.

  • Snort v4.1_1 Update for pfSense-2.5-DEVEL -- Release Notes

    0 votes, 1 post, 132 views; no replies

  • Suricata IDS and IPS

    0 votes, 29 posts, 4k views; latest post by DaddyGo

    @anx

    exactly:
    (I know you love to learn, this is an older post (thread) but worth reading)
    https://forum.netgate.com/topic/147785/pfblockerng-devel-dnsbl-cert-error

    Reddit threads as well, if it is possible

    edit:
    BTW: Follow @bmeeks Bill's advice, if your question falls into this group (category) and you'd get to know pfBlockerNG, there are good professionals here.😉

    https://forum.netgate.com/category/62/pfblockerng.

  • Suricata inline mode IPS and VLANS

    1 vote, 22 posts, 3k views; latest post by bmeeks

    @NRgia said in Suricata inline mode IPS and VLANS:

    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236584

    After I disabled the following:

    ifconfig ix2 -vlanhwtso -vlanhwfilter -vlanhwtag -vlanhwcsum

    I can start Suricata in inline mode on a parent interface that has other VLANs.

    I thought it was OK to share, if this is not known already.
    Tested on pfSense 2.5.0, but I don't think it matters.

    I think this is a driver-specific issue. The em series driver appears to be the one not honoring the disable option. Other drivers do (like your ix series).

    There are other features of FreeBSD networking that do not play well with the netmap device either. One of them is limiters (packet shaping). Several folks have reported that when that is enabled in pfSense (FreeBSD, actually), network traffic stops on the interface. Also have reports of the traffic graph function not working when netmap is running on an interface.

  • Can I use IPS to trigger a custom action?

    0 votes, 8 posts, 992 views; latest post by NollipfSense

    @NogBadTheBad said in Can I use IPS to trigger a custom action?:

    @NollipfSense said in Can I use IPS to trigger a custom action?:

    Are these instructions an example for the OP?

    You'd need to follow the full instructions to install Homebridge and Homebridge Config UI X; then you'd get a web interface. The code I posted above is to create a motion sensor that detects motion when my NAS doesn't ping.

    Awesomely, thank you!

  • pcap for Snort

    0 votes, 12 posts, 3k views

    @bmeeks What a fast turnaround! Thanks so much for the work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.