• Layer 7 filtering with OpenAppID

  • Questions about Snort IPS in PFSense

    Re-posted my comments to a new post as this one is about Snort. My bad…

  • Snort Rules for web server
  • Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work

    Morning,

    any update on that package?

    As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submission to the pfSense team. If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch, Logstash, Kibana) setup.

    Thanks,

  • johnpoz

    "Additionally am I right in thinking that in order to block comms between LAN/OPT/DMZ interfaces, I need to specifically add in a block rule to block lan net to dmz net etc?"

    Well, that would depend.. Out of the box, when you create an OPT interface pfsense puts NO rules on it, so everything would be blocked hitting that interface.. As to specific block rules and such.. Depends on what traffic, if any, you want to allow between your different segments and what direction this traffic will be initiated from.

    Rules are evaluated top down on the interface they enter pfsense on.  First rule to trigger wins, no other rules are looked at.  There is an explicit deny at the end: if no rules trigger on an interface then that traffic would not be allowed.  This is on each and every interface.

    "Am I right in thinking that my local device names will be passed up to the DNS servers up stream so to speak i.e. the OpenDNS servers."

    No, you're not right in thinking that… Always just blows my mind how the internet is useless without dns, and everyone uses it every single day on every single connected device they own.  Yet it seems nobody understands even the basic concepts of how it works ;)  Just freaking blows my mind!!!

    If you want your clients to resolve your local devices by name and not broadcast for them.. Then you need to use a nameserver (dns) that can resolve them for you - ie pfsense.  Having a client ask opendns or googledns is not going to be able to resolve your local devices by name other than via broadcast.  So if those other devices are on another network segment that is not going to work!!

    Setting your clients to have 2 dns, ie pfsense and something public, is not going to work because you can never be sure which dns your client is going to ask.  And it sure doesn't ask them in order or both at the same time, etc.  There are differences depending on what OS your client is using..  But in the big picture your clients should only ever use nameservers that can resolve the same stuff.  If what you're wanting is to resolve public stuff - then sure you could use opendns, googledns, 4.2.2.2 since any public dns can and should be able to resolve all public domains..  But they are not going to be able to resolve your local stuff.

    So if you want to resolve local stuff - then your clients have to ask your local dns.. You could get fancy and setup more than 1 that have the same local data.  But in your typical soho type setup there will be 1.. Pfsense if you're wanting to run pfsense..

    So your clients ONLY ask pfsense!!!  This is how pfblocker ad blocking works you have to be asking pfsense using unbound..  Now you can setup unbound to resolve, or forward.  If you want to forward to opendns you can do that.  But your clients need to only be asking your local dns first if they want to resolve local.  Then you setup your local dns to either forward or resolve..

    If you have no rules on OPT, but any any on lan for example.. And LAN creates the connection to something in OPT, the state that pfsense creates would allow the return traffic.

    While I commend wanting to learn about IPS/IDS - unless you know what you're doing it's going to be very painful!!!  I would suggest you turn it on in MONITOR mode only!!!  This can report on stuff that it sees, but will not block anything.  This allows you to trim down the noise before you actually go into IPS mode..  IPS is not something for hey that is what a mask is, oh that is tcp traffic, and that is udp.. but really don't know what the difference is ;)

    pfblocker is a great package when used correctly and understanding what it does..  But to be honest it can be quite confusing to someone that is just learning about networking/firewalling/etc.. Letting it autorule shit is prob going to break stuff if you want my honest opinion, no offense bcan!!  Wanting to run an adblocker that is dns based without understanding how dns works is just asking for trouble if you ask me!!  Most likely going to break shit again!!!

  • Using both Snort and Suricata on LAN interface
  • Disabled rule still applied even after service restart ?
  • Snort False-Positives

    Snort works on a copy of a packet, it doesn't block anything, it merely passes the offenders to snort2c table for pf to handle it. If you want an inline IDS/IPS, use Suricata. (Inline mode needs a supported NIC, plus I would not suggest this if you are using VLAN or shapers, see #6690 and #6023.)

  • Question: understanding snort custom rule syntax

    Snort user manual is a good place to start http://manual-snort-org.s3-website-us-east-1.amazonaws.com/

  • [WORK] snort: blocking layer 7 protocols - custom rule for block openvpn

    Hi.

    These alerts are not a real problem, do not worry.

    Time             Process  PID    Message
    Dec 14 16:02:30  kernel          re1: promiscuous mode enabled
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4110 is UNKNOWN
    Dec 14 16:02:26  snort    91336  Invalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4043 is UNKNOWN
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4109 is UNKNOWN
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4115 is UNKNOWN
    Dec 14 16:02:25  php-fpm  85745  /snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...
    Dec 14 16:02:24  kernel          re1: promiscuous mode disabled

    Regards

  • Suricata - Alert/event pcap?

    Thanks jeffh, this is what I have been looking for:)

  • Manually block IP in snort

    It would be nice if there was a way to send an IP through to the firewall to be blocked directly from the Snort interface.

    The reason I was thinking of doing it was just to preemptively block IPs that I consider bad. Anything trying to access RDP on my firewall is "attacking" me in some way, so if I were to block them when I saw the RDP connections, which wouldn't achieve anything, it may save me when they switch to SSH, which is open and could cause problems.

  • Suricata - VTR rules md5 fails to download

    I tried 2983 before, but there was a suricata update that I installed yesterday and the snort rules snapshot downloaded… So just in case none of the suggestions work, try to update the package.

  • Googlebot on suricata

    By disabling the offending rule. No idea which one is blocking search engines from websites, but sure like hell must have been a genius upstream to enable that.  ::)

  • Snort: Some newbie assistance


    reboot pfsense

  • Suricata won't start after 3.0_10 update

    Already tried to get support from Netgate… mentioned that in my post... they wouldn't help with Suricata - period.  So, I'm stuck with "the community".  I understand no one here is obligated to help anyone else, and that is fine, but the lack of enthusiasm for Suricata in general on these forums kind of bugs me.

    I can't run Suricata in Inline mode and I'm cool waiting for that.  I'd just drop back to Snort, which has enthusiastic support here, except for the fact that it can only scan ~20% of my traffic... I might as well turn it off.  Suricata examines over 99.5% of my traffic, except right now, it won't start on my only blocking interface, but only on the primary of my HA pair.  It starts fine on the backup firewall, so there is some kind of lower level corruption of the config files on my primary, but that is as far as I can troubleshoot.

    Just venting now... I'll shut up and get back to rebuilding my firewall.  :-\

    UPDATE: After a complete rebuild of my primary firewall AND a hardware change from Intel X710 adapters to Intel X520 adapters, Suricata is now humming along in Inline mode.  I want to thank those who responded helpfully to my posts during the process and especially thank Bill Meeks for maintaining the Suricata package.

  • JeGr

    @BBcan177 Thanks for chiming in. I didn't want to hijack the thread ;) but in my case I'm looking forward to more insights of the per VLAN/subnet setting.

    Our use case would be to protect various customer project networks, all separated into different VLANs/subnets that are routed via our firewall. All those networks get connected via our DC WAN line. But as only two or three customers ask about IDS/IPS usage, we'd like to set up snort (or suricata for that matter) in a way that it listens on WAN but only intercepts/filters/blocks traffic belonging to those customers and leaves all other traffic alone. As different customers may have different needs, a per customer (-> per public IP/per VLAN) configuration would be needed for that (IMHO), so that's the question I have: is such a setup possible at all?

    Greets

  • Snort IPv6

    I'm currently only monitoring to fine-tune the ruleset since it's been a while since I used snort. It alerted on a couple of IPv6 packets for
    1:2018959  ET POLICY PE EXE or DLL Windows file download HTTP

  • Possible bug with SnortWhitelist management
  • Is squid unpredictably broken?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.