• suricata eve json to syslog

    1
    0 Votes
    1 Posts
    909 Views
    No one has replied
  • Snort SO rules problem

    4
    0 Votes
    4 Posts
    622 Views
    bmeeks

    The updates for both the GUI package and the underlying Snort binary have been posted for review and merging by the pfSense team.

  • Suricata custom rules error

    4
    0 Votes
    4 Posts
    761 Views
    bmeeks

    They aren't going to be used, so it's your call. Really doesn't matter since they are not loaded anyway and thus won't consume any resources (other than the brief milliseconds of CPU time expended during the initial startup of Suricata).

  • How to prevent DDOS using Snort?

    29
    0 Votes
    29 Posts
    9k Views

    Hey @jlee18, I am actually, including the snort block, getting approximately 0 to 3/4 (for short times maybe max 10) hits per second. After these there is at least a minute where there is often not even one lonely hit (log alert, under snort or even system logs -> firewall log).

    Many are ET or portscans automatically blocked by pfSense (with or without Snort, for example as the firewall blocks incoming traffic on the WAN by default).

    As I worked it out, this is all the normal "background noise".

    If I am surfing the WWW the "hits" (alerts, blocks and so on) increase radically, but even if there is nothing online (TV off, printer on standby, any PC or smartphone "off") there are at least 500 hits per 12 hours on my WAN. All "normal", I suggest, as portscans, "trial and error break-ins" or, as I guess, security look-offs (trying to find malicious or malware-spreading Command & Control hosts or similar...)

    That's annoying, yes. But it ain't my business, so my firewall blocks them and that's all I can do about it :-D

    I didn't read the thread all again, but read it several days ago (sorry for that!)
    But I just wanted to at least give you an answer on how to get an overview of how many hits per second might get produced on your firewall.

    As mentioned: I get between 0 and max 10. Sometimes there's even a minute with nothing happening on WAN, and then there is a hit every 20 seconds or even every minute. And very rarely there seem to be combined operations or "randomly happened hits" which can reach up to, let's say, a maximum of 10 hits per second (for just a few seconds).

    I am a noob like you and just wanted to share my experience with you. If you have any further questions, here's the right place to state them. :-)

    BTW I have my own thread where nobody has answered for 2 1/2 days now, but it's okay... gotta read more about it and (hopefully) work it out correctly for myself :-D

  • Snort alerts to SEIM

    8
    0 Votes
    8 Posts
    811 Views

    Many thanks for your help. Am hoping that Snort 3 will move away from Barnyard onto something else that's being maintained!

  • Snort with Squid on same Interface (Solved)

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • How to see the rules I disabled?

    2
    0 Votes
    2 Posts
    310 Views
    bmeeks

    All of them should be showing there, but it is possible the Suricata GUI code for displaying that tab option has the same bug I fixed earlier in the Snort GUI. I will need to check it out and see. The two packages share a ton of the same PHP GUI code.

    UPDATE:
    This was indeed the same bug as existed in the Snort code. I have submitted a fix for the pfSense developer team to approve and merge. Look for a new Suricata GUI package update to version 4.0.13_9 in the near future.

  • Snort 3 ipfw Multithreading Errors

    3
    0 Votes
    3 Posts
    916 Views
    bmeeks

    Here is an additional comment on Snort3 multithreading with ipfw. I copied this from the Snort Developer mailing list. The author is one of the Snort3 developers --

    "I need to correct myself. There is a way to configure DAQ for multiple threads. Please refer to snort3 documentation section – DAQ Configuration and Modules. You will need to configure a separate port for each thread. Also, please note that snort3 doesn’t yet support load balancing internally."

  • block all in on wan and suricata

    2
    0 Votes
    2 Posts
    266 Views
    bmeeks

    It depends. Suricata would still be able to help police traffic going over established states. However, it is better to run an IDS/IPS such as Suricata or Snort on the firewall's internal interfaces (such as the LAN) rather than the WAN. This is especially true when NAT is being used. If you run the IDS/IPS on the WAN, all of your local addresses such as those on your LAN will show up in the alerts as having the firewall's public WAN IP address. That's not very helpful when trying to figure out which internal host is compromised or is the target of an external attack. Running the IDS/IPS on the LAN means the displayed addresses in alerts are the actual native local IP addresses (pre-NAT).

  • Suricata not generating alerts for PPPOE interface

    13
    0 Votes
    13 Posts
    3k Views
    bmeeks

    @logboss said in Suricata not generating alerts for PPPOE interface:

    Is there any way I can get around this? I need netmap. I've got a spare Ethernet port; can I use 1 interface for PPPoE, DMZ an interface, and put everything behind that?

    Something else?

    I suggest running Suricata on your LAN interface and not on the WAN interface (which I assume is the one using PPPoE). In the vast majority of situations, running the IDS/IPS on the LAN is actually better because that way all the IP addresses you see in alerts have already been NAT translated back to their actual LAN IP address space. This is useful when you are using NAT, which most folks do. The only time running Suricata on the WAN might be useful is if you have several open ports on the Internet-facing side. Again, most folks do not have open ports on their WAN. So running Suricata on the WAN provides no meaningful extra security.

    So in your case I recommend moving your Suricata instance over to your LAN interface and any other local interface like a DMZ and abandon running it on the WAN.

  • Change Snort's alert output.

    2
    0 Votes
    2 Posts
    318 Views
    bmeeks

    That "3" in the output is the Priority. The Snort implementation on pfSense uses the CSV output logging option of Snort to produce the alert log. The code within the GUI knows which CSV field is which in the alert log output. You can't add any additional text to the CSV output.

  • Snort Openappid not showing anything

    5
    0 Votes
    5 Posts
    1k Views
    bmeeks

    Yep, you will find that OpenAppID generates a lot of noise. I would suggest carefully pruning the rule categories so that you are seeing only the specific traffic types you want to eliminate. For example, maybe Facebook stuff in a corporate network. OpenAppID will generate a lot of log alerts and will tend to completely dominate the info on the ALERTS tab. Unfortunately there is no way within the Snort binary at present to have OpenAppID log to a separate log file so those alerts could be isolated from all the others.

  • php errors snort rules updating in 2.4.5 build

    Moved
    1
    0 Votes
    1 Posts
    210 Views
    No one has replied
  • Suricata disable fast output.

    4
    0 Votes
    4 Posts
    2k Views
    bmeeks

    Glad you figured out a novel solution. I am surprised that Suricata does not complain about the duplicate output sections in the suricata.yaml file, though. I've never investigated the parsing portion of the YAML code in the binary, so maybe it's the case that the last value read from the file is the one stored in the in-memory configuration array (overwriting any previous value for the same parameter).

    I would expect the ALERTS tab in your custom configuration to be blank and not showing any alerts. As I said in my earlier reply, the alerts.log file is how that tab gets populated in the GUI. You will still see any alerts in the other configured output logs, though, such as EVE.

  • 0 Votes
    3 Posts
    334 Views

    Thanks.

  • Barnyard 2 mysql login failure

    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • Suricata - Netflow and Hiredis Support

    11
    0 Votes
    11 Posts
    3k Views

    Hi,

    I am able to implement the Suricata-Redis architecture. Please let me know whether we can use the Redis Sentinel feature in the Suricata config block, because my application will require Redis failover support, so if I can also configure Suricata with Redis Sentinel then it would be the best for me.

    Shubham

  • Netmap Alerts Gotten Worse With 2.4.4

    2
    0 Votes
    2 Posts
    365 Views
    NollipfSense

    It seems that the changes I made via the web browser weren't taking despite it saying so; however, since I made the changes (sysctl dev.netmap.buf_size:4096) at the shell on the machine itself, I haven't seen any more alerts. I'll keep my fingers crossed!

  • [Solved] Snort doesn't start after upgrade 3.2.9.6_1 -> 3.2.9.7_2

    4
    0 Votes
    4 Posts
    952 Views

    Solved by upgrading to pfSense 2.4.4

    Thank you

  • Detecting a Block Event in logs from Snort

    3
    0 Votes
    3 Posts
    1k Views

    @bmeeks

    Thanks bmeeks. I agree that the alerts can be overwhelming. To that effect, I have a rule set up to put alert e-mails into a particular folder so they don't pummel my Inbox.

    This is something I wanted to set up for a few days, more of an observation than anything else.

    Thanks for taking the time to reply, your answer gave me a little better understanding of the architecture of pfSense.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.