• Public Key Detection

    0 Votes
    3 Posts
    774 Views

    Thanks for the quick reply!

    If there is one on this forum, can you point me in the direction of a write-up on where to add the custom Suricata rules in pfSense? Is it as simple as something like this (attached)? Or do I need to figure out how to make a separate rules list (attached)?

    EDIT
    Found this post and got what I needed. https://forum.pfsense.org/index.php?topic=91438.0
    Thanks again bcan!


  • Suricata STREAM alerts

    0 Votes
    3 Posts
    9k Views
    bmeeks

    An IDS/IPS assumes that all applications (and thus software developers) follow all the standards for networking, so when the IDS/IPS sees something that looks amiss it will alert on it.  Unfortunately that assumption about all applications (and developers) solidly adhering to all published networking standards is a pipe dream… ;)

    The downside for IT Security Admins is we get flooded with spurious alerts that we have to spend time investigating.  The STREAM alerts are about as worthless in Suricata as the HTTP_INSPECT alerts in Snort.  What I mean by that blanket statement is there are so many false positives from both of those that they are both nearly worthless.  Most IT Security Admins will disable the majority, if not all, of these rules.

    Bill

  • Suricata showing ET Policy alerts

    0 Votes
    2 Posts
    3k Views

    Solved.

    The ET POLICY rules are in the Resolve Flowbits automatic rules.

    However, you can't view the rules on the Suricata Interface LAN - Rules: decoder-events.rules page. You have to view them on the Suricata IDS / Interface LAN - Categories page.

  • Suricata Block List does not = snort2c Table? Why not?

    0 Votes
    4 Posts
    855 Views

    Cool, thanks! I'm using 2.4, so it might be something going on there?

  • Snort - IPS mode

    0 Votes
    4 Posts
    3k Views
    bmeeks

    @jeffh is correct.  Snort can only block when block offenders is enabled.  This is because the custom plugin that does blocking simply uses every alert to generate a block.  So any alert that is fired will result in a block of the offending host or hosts when "block offenders" is enabled.  Which host is blocked (source, destination or both) is configurable in the GUI.  Of course alerts that are suppressed, or rules that are disabled, will not generate corresponding blocks.  Right now the plumbing used internally in Snort does not lend itself well to inline IPS mode on pfSense.  That may change in the future.

    Suricata leverages the somewhat new Netmap functionality introduced in FreeBSD (in version 9 I think, but I'm not sure off the top of my head) to provide a true inline IPS mode that honors "alert", "drop", "reject" or "pass" as rule actions.  Netmap allows very high speed pipes to be established between the NIC driver and user-land software (in this case, Suricata).  However (and it's a big "however"), Netmap is only fully supported by a tiny handful of NIC drivers on FreeBSD.  Some drivers sort of support it but are still quite buggy.  Also, in pfSense, Netmap is currently incompatible with the traffic shaper and VLANs.  So if you have a traffic shaper enabled or use VLANs, then Netmap will kill connectivity on any interface it is enabled on.  This in turn means Suricata can't work with inline mode on such an interface.

    Bill

  • Update snort rules programmatically

    0 Votes
    2 Posts
    1k Views
    bmeeks

    Snort does this automatically via a cron job.  The update check interval is configurable within the GUI.

    You can run this file to manually update if you want to do it outside of the cron process.  Not sure why you would need to do this, though.

    /usr/local/pkg/snort/snort_check_for_rule_updates.php

    Bill

  • Snort Search Method for SG-2220

    0 Votes
    3 Posts
    826 Views

    AC-BNFA or AC-BNFA-NQ.

    There are several discussions on why this should be the recommended setting, which you can Google or search for.

  • Suricata not monitoring VIP

    0 Votes
    10 Posts
    2k Views

    Don't want to dig this up again, but I have posted a few times about VIP for Snort or Suricata. I have not heard any updates since, but would it be possible to only monitor the VIP?

    Thank you

  • Quick question regarding - MALWARE-CNC Win.Trojan.ZeroAccess

    0 Votes
    3 Posts
    10k Views

    Something you might be interested in while learning pfSense and specifically IPS is pfMonitor. Check it out in the link.

    It is in Beta now; the developer is rolling out features rapidly. It lets you compare your firewall hits to other firewalls, gives notes and articles about new attacks and IPs, and categorizes IPs so that you can figure out which attackers are serious or true attacks and which are just false positives.

    For example, this IP has over 1000 hits on my firewall, but none on any of the other firewalls in the program, which seems kind of strange to me, but probably is because I use a few custom rules that caught the IP (which it sounds like is a FP).

    It summarized all of the ports, and how many times that IP has hit my firewall when I searched it.

    It really has a ton of great data in it.

    I'll be writing up a review and a quick YouTube video on it after I've had a chance to use it for a while and figure out all of its uses.

    https://forum.pfsense.org/index.php?topic=120972.0

  • Snort -> Dump Payload

    0 Votes
    2 Posts
    811 Views

    In addition to scp, you can download the PCAPs via the webgui Services->Snort->Alerts, Alert Log Actions: Download

    But if the alert file gets too big it can cause the php process to crash and you may have to resort back to scp.

  • Can only select ET Rules in Snort

    0 Votes
    3 Posts
    609 Views

    @doktornotor:

    The thing you are probably missing is that you should NOT select any of the pre-defined policies for interface if you want to select individual categories. (IOW, untick the Use IPS Policy checkbox above).

    Thank you! That was it.

  • HTTP inspect false alerts

    0 Votes
    1 Post
    458 Views
    No one has replied

  • BPF with the Snort package

    0 Votes
    2 Posts
    1k Views

    Anyone?

  • Suricata - prefix or user NULL

    0 Votes
    3 Posts
    964 Views

    Can be closed.
    The problem was solved by increasing the Flow Memory Cap and Stream Memory Cap to 128MB.

  • SNORT, OpenAppID and weird Block reason: Gateway GEO-IP Filter Alert

    0 Votes
    1 Post
    1k Views
    No one has replied

  • Snort fails to start if ignore_scanners contains too many hosts

    0 Votes
    2 Posts
    631 Views

    According to the manual, you should use it this way:

    ignore_scanned { Snort IP List }

    You can create the Snort IP List by following this guide:
    https://doc.pfsense.org/index.php/Snort_ip_list_mgmt

  • Snort - Detected IP Reporting

    0 Votes
    1 Post
    569 Views
    No one has replied

  • Snort IFs won't start after 2.3.3-RELEASE-p1 upgrade

    0 Votes
    4 Posts
    837 Views

    Additional steps I've taken…

    I found where the settings are retained in this post: https://forum.pfsense.org/index.php?topic=80365.msg438860#msg438860

    I uninstalled, removed all settings, and reinstalled.  Finally, a fresh install.  However still no luck.

    I enabled detailed startup logging, and I'm starting to see something.  On every boot attempt and on every interface refresh, I'm noticing it dies in the same place - while parsing "file-executable.so".  Here's the last couple of lines from the log:

    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_IP_LONG' defined :
    Mar 25 22:26:01 snort 30401 [ 135 139 445 593 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_LONG' defined :
    Mar 25 22:26:01 snort 30401 [ 135 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
    Mar 25 22:26:01 snort 30401 [ 135 593 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_TCP' defined :
    Mar 25 22:26:01 snort 30401 [ 2103 2105 2107 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_BRIGHTSTORE' defined :
    Mar 25 22:26:01 snort 30401 [ 6503:6504 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DNP3_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 20000 ]
    Mar 25 22:26:01 snort 30401 PortVar 'MODBUS_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 502 ]
    Mar 25 22:26:01 snort 30401 PortVar 'GTP_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 2123 2152 3386 ]
    Mar 25 22:26:01 snort 30401 Detection:
    Mar 25 22:26:01 snort 30401 Search-Method = AC-BNFA-Q
    Mar 25 22:26:01 snort 30401 Maximum pattern length = 20
    Mar 25 22:26:01 snort 30401 Search-Method-Optimizations = enabled
    Mar 25 22:26:01 snort 30401 Found pid path directive (/var/run)
    Mar 25 22:26:01 snort 30401 Tagged Packet Limit: 256
    Mar 25 22:26:01 snort 30401 Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine...
    Mar 25 22:26:01 snort 30401 Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
    Mar 25 22:26:01 snort 30401 done
    Mar 25 22:26:01 snort 30401 Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
    Mar 25 22:26:01 snort 30401 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
    Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so...
    Mar 25 22:26:01 snort 30401 done
    Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...

    The plot thickens.

    I went into the directory in the shell, moved file-executable.so out of the directory, and now my WAN interface comes up.  Though I'm sure it will choke on the next rules update.

    Thoughts?

  • Snort and Suricata

    0 Votes
    4 Posts
    1k Views

    @jeffh:

    Barnyard is not required, and I may be wrong, but I believe it will require a separate Barnyard server.

    If you are new to Snort or Suricata I would recommend picking one, and working on understanding the way it functions before looking into Barnyard.

    Thank you both, I see that barnyard2 is a dependency for snort and suricata. Is this to enhance performance from another process?

  • Suricata blocking IPs that are on the passlist

    0 Votes
    1 Post
    546 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.