  • Snort for pfSense Documentation


    @John-Willard The pinned posts in this category are a good start.

  • Suricata logs

    bmeeks:

    @Danil-0 said in Suricata logs:

    Is it possible to disable repeated logs from Suricata to the main log?

    For example, I have only one line in the Suricata log.
    (screenshot: Suri_block.png) Hi,

    If the attacker repeats the attempt, I have more lines in the main firewall log.
    (screenshot: Sys_log.png)

    Also, I have disabled Log to System Log.

    Thanks for help.

    Suricata does not put those entries in the System Log that you marked. Those are from the pf firewall engine itself. It's logging traffic hitting the built-in rule that exists for the snort2c pf table that is used to implement Suricata blocking (and Snort, if that package is installed). Suricata does not, and cannot, log to the firewall log tab. It can only log to the system tab.

    Suricata "blocks" by adding IP addresses to a pre-existing pf firewall engine table. pfSense creates a built-in rule automatically each time it builds the firewall rules that blocks IP addresses added to the snort2c table.

    You should not see these logged entries if you enable the option to "do not log default rules" in the Settings tab of the System Logs tab of pfSense.

  • [1:2240006:2] SURICATA DNS Z flag set


    @dread said in [1:2240006:2] SURICATA DNS Z flag set:

    So my question is, do you usually see these Z flag alert(s) and/or do you think it could be some malware installed on a device? (in my case, one Android phone)

    Anyone? Thanks!!

  • Suricata - swap_pager: out of swap space | Please help troubleshoot

    bmeeks:

    When you uncheck the Enable checkbox on the Suricata INTERFACES tab, that Suricata instance will never auto-start (even on a pfSense reboot). But if the Enable box is checked, the interface will auto-start upon a reboot of pfSense even if the interface had been manually stopped before the reboot.

    One perverse thing with Suricata and the way it handles TCP sessions and flows is that the more CPU cores you throw at it, the more RAM it demands for the TCP Flow/Memcap parameter. Start simple with just 4 cores assigned to Suricata and 4 GB of RAM in the virtual machine.

    And start with Legacy Blocking Mode instead of Inline IPS Mode. Legacy Blocking does not bring in the netmap kernel device and thus will likely bypass any issues existing there in Proxmox. And as I said earlier, you really can't successfully use VLANs with Inline IPS Mode (at least not without a lot of weirdness up to and including random crashes).

  • Interfaces error if Default Rules enabled through SID Mgmt

    tinfoilmatt:

    Suricata

  • Snort rules order

    bmeeks:

    @Antibiotic said in Snort rules order:

    @bmeeks Hello again!
    Now I did dropsid for some rules and it's working. But how to make a drop action for a whole category? Let's say category: emerging-ja3-rules; I want a drop action for the whole category.

    The numbers are not in order, and clicking through the whole category takes too long, or making dropsid entries with different numbers. Is it possible to make a drop action for a whole category?

    Go read this Sticky Post at the top of this sub-forum: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.

  • I'm having problems downloading Snort AppID Open Text Rules

    bmeeks:

    @munson: I believe you posted this in the wrong sub-forum. This has nothing to do with the IDS/IPS packages.

    Perhaps you should have posted this in the pfSense "Problems Installing or Upgrading pfSense Software" sub-forum here: https://forum.netgate.com/category/5/problems-installing-or-upgrading-pfsense-software?

  • Captured files not showing in the gui

    bmeeks:

    The UUID I was referring to is for the top-level log directory for a given instance. On pfSense, the package uses the physical interface name along with a UUID to create directory paths unique for each configured Suricata instance. So, under /var/log/suricata/ you will see a different unique sub-directory for each configured Suricata interface. Within a given instance's log directory you will find additional sub-directories for various optional logging. One of those is captured/extracted files.

    Suricata itself, when configured to capture files, will create its own unique sequence of sub-directories under the file capture logging sub-directory based on hash values. The following section of italic text is copied verbatim from the Suricata docs:

    The file-store module uses its own log directory (default: filestore in the default logging directory) and logs files using the SHA256 of the contents as the filename. Each file is then placed in a directory named 00 to ff where the directory shares the first 2 characters of the filename. For example, if the SHA256 hex string of an extracted file starts with "f9bc6d..." the file will be placed in the directory filestore/f9.

    Here is the link to the file extraction documentation for Suricata: https://docs.suricata.io/en/suricata-7.0.4/file-extraction/file-extraction.html.

  • Suricata Resetting Default Rule Selection After Upgrade/Reboot


    @bmeeks Aha, thank you, I knew I was forgetting something. I'd set up the drop rules a while back and forgot there were disable sid rules I could use too :)

  • Problems with Suricata in pfSense on Proxmox running inline mode

    bmeeks:

    @Bob-Dig said in Problems with Suricata in pfSense on Proxmox running inline mode:

    Hyper-V doesn't use vtnet so sure, it won't run.

    I didn't mean to imply Hyper-V supported vtnet. I only mentioned Hyper-V because a number of other issues have surfaced there from users attempting to run pfSense. My point was that these two hypervisors (Hyper-V and Proxmox) tend to show up most often when someone posts with a pfSense issue in a virtual environment. I notice far fewer issues posted when virtualizing pfSense in a VMware environment.

  • Suricata default rules


    @Antibiotic I have not used the subscriber rules. I would only enable rules for the things you are protecting, for example web server rules. I do not think it would hurt to have overlapping rules, other than extra CPU time processing the packet twice.

  • I have been seeing TOR on IPS again

    JonathanLee:

    @johnpoz Yes it is, however it was not in the Talos Cisco IP list yet. I submitted a request to add that specific IP. That link you sent me has an IP list with a lot of them, except it was missing that one address.

  • USO SNORT / PFBLOCKER


    @mcury Thanks, I will try to create it only for the port I am actually suffering on.
    As for DNS, I really do have a DNS server that answers on port 53. When someone types an address that is on my server, it is looked up at registroBR, which after that hands it over to my server, right? Wouldn't that establish a connection? The question was partly out of curiosity haha

    About Synproxy, I found it quite interesting; if you have any experience using it, I'd appreciate it. I will do all the tests tomorrow. From what I saw in the documentation:
    "
    Synproxy
    This option causes pf to proxy incoming TCP connections.

    TCP connections begin with a three-way handshake. The first packet of a TCP connection is a SYN from the source, which elicits a SYN ACK response from the destination and then a returning ACK from the source to complete the handshake. Normally, the host behind the firewall will handle this on its own, but the synproxy state causes the firewall to complete this handshake instead. This helps protect against one type of denial of service attack, SYN floods. Typically this is only used with rules on WAN interfaces.

    Currently, this type of attack is better handled at the level of the target operating system, since every modern operating system includes features to deal with it on its own. Because the firewall cannot know which TCP extensions the back-end host supports, when using the synproxy state it announces that no TCP extensions are supported. This means that connections created using the synproxy state will not use window scaling, SACK, or timestamps, which will lead to a significant reduction in performance in most cases.

    This option can be useful when opening TCP ports to hosts that do not handle network abuse well, where top performance is not a concern."

  • Suricata and password guessing

    conbonbur:

    Okay. I think I understand. I thank you for your answers.
    I will try other ways to keep the malicious out.

  • Better way to investigate alerts

  • Firewall not blocking port access?


    @bmeeks

    I have Snort running on my local LAN.

    This is actually a durp moment. I had assigned a static IP to my local desktop because I was accessing a new managed switch I purchased, to set the switch up for my network. I forgot to switch the desktop IP back. So while I was saying nothing existed at 192.168.3.2, it was actually the machine I was using to access everything. So, false alarm.

  • Suricata 7.0.4_1

    bmeeks:

    Install the Suricata package and then from a command-line shell prompt in pfSense issue this command:

    suricata -V

    Post back here what that command shows. It should simply print the current binary version, but it might throw an error if there is an issue with your install.

    Also, have you looked under LOGS VIEW in the Suricata GUI and then selected your configured interface and the suricata.log file to see what shows there?

    Suricata very rarely refuses to start without printing a pretty good explanation of why. The only exception to this rule is if the actual install of the package fails to properly update some shared dependent libraries. But if that is the case, executing the CLI command I suggested above will show that.

  • paquete snort 4.1.6_17 no se ven las alertas

    bmeeks:

    @vmillan69 said in paquete snort 4.1.6_17 no se ven las alertas:

    since the last update of snort 4.1.6_17 for pfsense in aws version 23.09.1

    I do not test Snort for compatibility with AWS installs as I have no way of doing that. If you use it on AWS, then you are on your own. But if it worked previously, I can tell you that nothing changed with the last update that had anything to do with alerting. So, I don't believe the Snort update is the only cause of your issue.

  • Suricata 7.0.4_1 and Snort 4.1.6_17 package update Release Notes

    bmeeks:

    @cjca said in Suricata 7.0.4_1 and Snort 4.1.6_17 package update Release Notes:

    @bmeeks I am Carlos, help please

    You have given me nothing to tell me what your problem is. It's the same as saying "I get in my car, but it won't go" 🙂. How can I help you unless you give me some information?

    What is the content of the suricata.log? Are there any Suricata related messages logged in the pfSense system log?

  • Alerts not being blocked

    bmeeks:

    @xokia said in Alerts not being blocked:

    @xokia I think I may know what's going on. These are ageing out of the block list; I had it set to 3 hrs. I increased it to 12 hrs.

    That was going to be my first question: what interval has been set for "clear blocked hosts"?

    When an IP has not seen any additional traffic during the interval set for clearing blocked hosts, then the cron task will remove that IP from the snort2c pf table.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.