  • Snort Exiting

    @bmeeks Thanks for this... I will see if Snort works after having one interface inline and the other legacy.

    Otherwise I may switch to Suricata.

  • Snort - Attempted Denial of Service - should I be concerned?

    @bmeeks it took me years of fine tuning and finesse to get mine to work the way I want, and ohhh does it work beautifully now.

    Thank you bmeeks

  • Testing FileStore

    @michmoor
    necro post, did this get resolved? In the GUI I do not see any files saved.

    In the /var/log/suricata/suricata<interface>/filestore path I have the 90-something folders that look like hex code but I guess are the first two digits of a hash, to organize the files collected by hash. In those folders I have tons of 1-4 KB (some 1xx KB) 'junk' files but no actual JPEG files I've been testing with.

    I have ensured to have file-store enabled, hashing enabled (tried MD5 then SHA-1) and upped memory in a lot of non-related settings. In the eve.json logs it shows file-storing=true but file-stored=false.

    I don't see in the GUI nor the resultant .yaml file the stream-depth setting mentioned in some suricata documentation. In the tutorial this is set to 10MB to catch decent sized files, pictures etc.

    All I see in the pfSense .yaml file generated for Suricata in regards to file-store is:

    file-store:
      version: 2
      enabled: yes
      length: 0
      dir: /var/log/suricata/suricata_em036559/filestore

    Additional context, I have the files.rules enabled and have successful alerts of "File Found over SMB and stored" but within that log shows file-stored=false.

    I'm tempted to increase the length to some arbitrary large number but it wouldn't survive a service restart to make it valid anyhow- kind of a check-mate here.
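    The script below is an added example for cross-checking what the thread above describes; it is not code from the forum post or from the pfSense Suricata package. It assumes that Suricata's eve.json "fileinfo" events carry filename, state, stored, size and sha256, and that file-store v2 writes each extracted file to <dir>/<first two hex chars of sha256>/<sha256>, which is what the two-character subfolders in the filestore directory are. For each fileinfo event it computes that path, checks whether the file is really on disk, and gives a best-effort hint when it is not (a TRUNCATED state is the usual sign that the stream-depth limit cut extraction short). The eve.json lines are constructed samples, not real captures.

```python
"""Cross-check Suricata file-store v2 output against eve.json fileinfo events.

Added example; not code from the forum thread or the pfSense Suricata package.
Assumptions: 'fileinfo' events in eve.json carry 'filename', 'state', 'stored',
'size' and 'sha256', and file-store v2 writes each extracted file to
<dir>/<first two hex chars of sha256>/<sha256>. The eve.json lines below are
constructed samples.
"""
import json
import os
import tempfile

SHA_PHOTO = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SHA_DOC = "60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752"
SHA_ZIP = "fd61a03af4f77d870fc21e05e7e80678095c92d808cfb3b5c279ee04c74aca13"


def _fileinfo(name, state, stored, size, sha256):
    """Build one constructed eve.json 'fileinfo' line."""
    return json.dumps({"timestamp": "2024-01-01T10:00:00.000000+0000",
                       "event_type": "fileinfo", "app_proto": "smb",
                       "fileinfo": {"filename": name, "state": state, "stored": stored,
                                    "size": size, "sha256": sha256}})


# Constructed sample eve.json: one alert line (ignored) and three fileinfo lines.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "alert": {"signature": "FILE store all", "signature_id": 1}}),
    _fileinfo("/share/photo.jpg", "CLOSED", True, 48213, SHA_PHOTO),
    _fileinfo("/share/report.pdf", "TRUNCATED", False, 1048576, SHA_DOC),
    _fileinfo("/share/backup.zip", "CLOSED", True, 20480, SHA_ZIP),
])


def stored_path(filestore_dir, sha256):
    """file-store v2 layout: <dir>/<sha256[:2]>/<sha256>, lowercase hex."""
    h = sha256.lower()
    return os.path.join(filestore_dir, h[:2], h)


def explain(fi, on_disk):
    """Best-effort hint for a missing file (this is our heuristic, not Suricata's verdict)."""
    if on_disk:
        return "stored and present on disk"
    if "sha256" not in fi:
        return "no sha256 in event: cannot map it to a v2 filestore path"
    if fi.get("state") == "TRUNCATED":
        return "file truncated: the stream-depth limit cut extraction short"
    if not fi.get("stored"):
        return "stored=false: no store action was applied to this file"
    return "stored=true but file missing: check the configured dir and permissions"


def check_fileinfo(eve_text, filestore_dir):
    """Return one verdict dict per fileinfo event found in eve_text."""
    results = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partially written last line
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        path = stored_path(filestore_dir, fi["sha256"]) if "sha256" in fi else None
        on_disk = path is not None and os.path.isfile(path)
        claimed = bool(fi.get("stored", False))
        results.append({
            "filename": fi.get("filename"),
            "state": fi.get("state"),
            "size": fi.get("size"),
            "claimed_stored": claimed,
            "expected_path": path,
            "on_disk": on_disk,
            "consistent": claimed == on_disk,
            "note": explain(fi, on_disk),
        })
    return results


def run_demo():
    """Build a throwaway filestore with only the sample JPEG present, then check."""
    with tempfile.TemporaryDirectory(prefix="filestore-demo-") as root:
        present = stored_path(root, SHA_PHOTO)
        os.makedirs(os.path.dirname(present))
        with open(present, "wb") as fh:
            fh.write(b"\xff\xd8\xff" + b"\x00" * 16)  # JPEG magic plus padding, constructed
        return check_fileinfo(SAMPLE_EVE, root)


if __name__ == "__main__":
    for r in run_demo():
        flag = "OK " if r["consistent"] else "BAD"
        print(f"{flag} {r['filename']} state={r['state']} stored={r['claimed_stored']} "
              f"on_disk={r['on_disk']}: {r['note']}")
```

    To use it on a real firewall, read the contents of /var/log/suricata/suricata_<if><id>/eve.json and pass the value of "dir:" from the generated YAML to check_fileinfo(); a row with stored=false and state=TRUNCATED is the pattern to look for when larger files never appear.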

  • Large custom rules file

    @bmeeks
    I've had a go at adding custom variables, PR: https://github.com/pfsense/FreeBSD-ports/pull/1380

  • Suricata eats all swap

    @bmeeks Upgrading did not help.

    What did help was disabling the Extra Rules I had configured. 48 hours with no increased swap so far.

    Using https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz as extra ruleset will eat all swap.

  • Suricata logging

    @bmeeks
    👍 Thanks for help.

  • Suricata PHP Error

    @5p9 said in Suricata PHP Error:

    hi @bmeeks
    thank you. I had wondered why Suricata suddenly couldn't cope with the resources. Okay, I have now set my PHP to 768 as a test (suricata.inc back to default) and set up all interfaces as usual. Looks very good so far. Thanks for the hint.

    Could have been that you were sitting on the ragged edge of "just enough" free RAM for PHP, and then a rule update added something that pushed things over the edge. The GUI code does quite a bit of processing when building a new rules file for the Suricata binary portion to consume.

    Remember that the rules package vendors are constantly adding, removing, and modifying the rules within their packages. That's why we update them in Suricata - to get their latest changes 🙂. Sometimes those updates by the rules package vendors can result in a new issue surfacing.

    IDS/IPS administration requires very frequent (and some would say almost constant) attention. It is an admin-intensive package. Most large enterprises, for example, have persons whose sole job is watching and administering only the IDS/IPS. It takes a lot of monitoring to review alerts, to review rules updates to see if changes are needed in the IDS/IPS configuration, and to review the IDS/IPS operational logs to look for any anomalies there (various error or warning messages, for example).

  • Question about Suricata IPS mode

    @bmeeks I think you are providing wise counsel, but at the same time I can understand the OP's desire. We've painted ourselves into a bit of a corner with the move to run everything through the web port and then encrypt it. In days gone by we had a lot more options to inspect and mediate risks, but now the firewall's role is mostly just coarse filtering and enforcing good traffic behavior; any hope for deeper inspection is left to the endpoint scanners. Bugs me, of course, that for the most part we are unable to see/know much about what the endpoint scanners actually do.

    --Larry

  • Sunnyvalley Zenarmor

    @luckman212 +1. I would love to see this in pfSense+. I would consider moving to OPNsense that does support it, but I already own Netgate hardware.

  • ETA on Suricata 7.0.6 ?

    The updates for the binary and GUI have been merged and the new v7.0.6 package is available.

  • Snort on pfSense port-scan configuration

    @SteveITS

    Thank you for reply.
    I was running Snort on WAN but I can't see any portscan detection alerts.
    We issued a few port scans from different outside IPs but there were no alerts under Snort.
    Are we doing something wrong?

  • Assistance Needed with Customizing Snort Rules Update Process on pfSense

    I just purchased the Snort subscription rules; it's not that much for private use. You get tons of good stuff with it. Is it ethical to use this rule set for other devices? No, so I wouldn't do it; just purchase a business subscription if you are attempting to do that.

    Again there are rule sets for other security providers that I would love to add URLs for.

    https://rules.emergingthreats.net/blockrules/3coresec.rules

    https://forum.netgate.com/topic/177538/is-it-possible-to-use-a-cron-job-to-update-custom-snort-rules

    So I get the appeal for wanting custom URLs but understand why it’s not included, if it was anyone could reuse subscriptions rules on other devices.

    I wonder if there is a way to get the best of both custom url and rules and give Snort security for their subscription rules too for no free riders.

  • Snort user whitelist for bypassing blocked IPs

    @MichaelRMO When you see the IP address you want in the alert area, click suppress for that IP and Snort will no longer block that one. Try to suppress that IP address. If there are many, look at the suppress list and manually add to it, and/or write a quick Java program to create a new list based on a text file you have. Hope that helps. I use AppID with custom lists so I have a massive suppress list.

  • ET POLICY category is missing

    Thanks @bmeeks for the info.
    This is... quite fundamental. Basically it would be like a new IDS system, will take some time to figure out :)

  • Suricata with decrypt traffic

    @Antibiotic VIPs though 😎

  • Suricata IPS block out traffic WAN interface

    @focheur91300 said in Suricata IPS block out traffic WAN interface:

    @bmeeks I haven't modified my configuration: IP Pass List (screenshot)

    With this configuration, as soon as an alert is sent, the SRC IP is added to the Blocks list. (screenshot)

    At this point it is impossible to communicate with the outgoing IP. (screenshot)

    Not sure I fully understand your problem. Legacy Blocking Mode does indeed completely block ALL traffic to any IP that triggered an alert and thus subsequent traffic of any type to that IP is blocked. That's because that IP is added to a pf firewall engine table called snort2c, and all IPs added to that table are blocked for all protocols and ports by a hidden built-in pfSense firewall rule.

    In short, it appears to be working exactly as designed. If you want to selectively block individual packets and not ALL traffic to/from the IP, then you would need to switch to Inline IPS Mode (if your NIC natively supports the FreeBSD netmap device). Check the Sticky Posts at the top of this sub-forum for details and examples of Inline IPS Mode operation.
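    The following is an added example illustrating the mechanism bmeeks describes above; it is not code from the pfSense Snort/Suricata packages. In Legacy Blocking Mode the package inserts alerting IPs into the pf table named snort2c and a built-in rule blocks all traffic to and from any address in that table, so the table itself can be inspected and edited with pfctl(8) from the firewall shell (pfctl -t snort2c -T show, pfctl -t snort2c -T delete <ip>). The script wraps those two calls; it assumes that pfctl prints one table entry per line, indented with spaces, and takes a "run" parameter so the parsing and address matching can be exercised with a stand-in runner where pfctl is not available.

```python
"""Inspect and release entries in the pfSense 'snort2c' pf table.

Added example, not code from the pfSense Snort/Suricata packages.
Assumption: 'pfctl -t snort2c -T show' prints one address or CIDR per
line, indented with spaces. The 'run' parameter defaults to the real
pfctl via subprocess; tests can pass a stand-in callable instead.
"""
import ipaddress
import subprocess

TABLE = "snort2c"


def _run_pfctl(args):
    """Default runner: execute pfctl with the given arguments and return stdout."""
    proc = subprocess.run(["pfctl"] + args, check=True, capture_output=True, text=True)
    return proc.stdout


def parse_table_listing(text):
    """Parse 'pfctl -t <table> -T show' output into ip_network objects.

    Single hosts come back as /32 (or /128) networks so that host and CIDR
    entries can be matched the same way.
    """
    entries = []
    for line in text.splitlines():
        tok = line.strip()
        if not tok:
            continue
        entries.append(ipaddress.ip_network(tok, strict=False))
    return entries


def blocked_entries(run=_run_pfctl):
    """Everything currently in the snort2c table."""
    return parse_table_listing(run(["-t", TABLE, "-T", "show"]))


def is_blocked(ip, run=_run_pfctl):
    """True if 'ip' is covered by any host or CIDR entry in the table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked_entries(run))


def release(ip, run=_run_pfctl):
    """Remove one address from the table. Raises ValueError on a malformed address
    so that only a validated string is ever handed to pfctl."""
    addr = ipaddress.ip_address(ip)
    return run(["-t", TABLE, "-T", "delete", str(addr)])


if __name__ == "__main__":
    try:
        for net in blocked_entries():
            print(net)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"pfctl not usable here: {exc}")
```

    Releasing an address this way is the same thing the Blocks tab does in the GUI, and it is only temporary: the next alert involving that IP puts it straight back into snort2c. If an address must never be blocked, add it to the Pass List assigned to the interface instead.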

  • Question on SID management, default disabled rules & dropsid.conf

    The yellow icon simply indicates the rule matched a SID MGMT condition such as SID or category name, for example. The dropsid.conf logic only modifies the action of a rule, it does not change the enabled or disabled state of the rule. So, default disabled rules remain disabled unless that is overridden in the enablesid.conf logic.

  • Suricata left over

    Try installing the Suricata package again. Be sure to let the installation fully complete. Remove the package by clicking the trashcan icon next to Suricata in the Package Manager. Be sure to let the uninstall process complete before clicking away from the page.

    My suspicion is either you did not stay on the uninstall page long enough for the uninstall process to complete (if you click away, the process can fail to complete leaving remnants of Suricata behind). Another possibility is that you performed a config backup restore from a time when Suricata was installed. If you restore packages in that scenario, the config.xml portions of Suricata will get restored but the actual binary pieces will be missing.

    If you want to permanently remove Suricata and all of its settings from the firewall configuration, go to the GLOBAL SETTINGS tab before uninstalling the package and uncheck the option to retain Suricata settings during uninstall.

  • Snort no alerts or blocks

    @bmeeks
    Not too old to learn something new, thanks to you.

    Many thanks
    Jonna

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.