Suricata and loss of internet traffic
-
I'm a pfSense newbie, and only mildly competent in Linux/Unix.
I installed Suricata and enabled it on my WAN, and I lose internet traffic. I checked the log, and all I can see is the pass list getting enacted, but nothing that tells me what's wrong, though there are a lot of "[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]" issues.
My searches on this forum show the problem has been seen before, but the threads don't seem to come to a conclusion (at least the ones I found).
Do folks have advice?
-
@nycone If you turned on Inline mode, try Legacy, as Inline doesn't work with every NIC driver.
-
@steveits said in Suricata and loss of internet traffic:
@nycone If you turned on Inline mode, try Legacy, as Inline doesn't work with every NIC driver.
Thanks. I was on Legacy with a Supermicro X9DRi/LN4 board (Intel i350 NIC) as a passthrough on ESXi.
For now, I just uninstalled Suricata because it was restarting with every reboot. I'd like to get it going though. I have to wait until later to try changes; the network is being used by too many people now to make changes.
-
An IDS/IPS package like Suricata or Snort is not something you can just install, and enable a bunch of rules, and call it "done". You will not have a pleasant experience doing that ... .
It takes a fair amount of skill, and somewhat deep knowledge of how network intrusions "work", and how malicious code "works", in order to know what rules you need to enable in your network.
No offense meant here, but you seem to not know where to look to see what is being blocked. You don't look in the suricata.log file. That only contains startup information. No alerts or blocks are ever logged there. You find alerting rules on the ALERTS tab, and you can find blocked hosts on the BLOCKS tab (when using Legacy Mode Blocking). This tells me that you are perhaps a novice with using an IDS/IPS. You might want to start by doing some research on Google for links on how to set up and manage an IDS/IPS. I suggest you do it this way.
1. Remove Suricata from your WAN. That's not where you usually want an IDS. Put it on your LAN instead.
2. You are getting the SC_ERR_INVALID_SIGNATURE errors because you have likely enabled Snort rules with Suricata. While many Snort rules will work, there are hundreds of them that will not because Snort accepts different syntax and keywords than Suricata. Those errors are harmless in that Suricata will still start and run, but those particular Snort rules will not be loaded and used.
3. Run Suricata in alert-only mode (with blocking disabled) for several weeks on your network to get a feel for what kinds of alerts normal traffic on your network may generate. Expect a number of false positives. You will need to research each alert and make the determination if it represents a false positive or not. You will want to disable rules that frequently generate false positives in your network.
4. After doing step #3 above for several weeks, then you can try enabling blocking mode to see how things go.
Tuning an IDS/IPS is a big job that takes lots of patience. It's not something you can do by clicking a few boxes in 5 minutes and calling it done.
-
-
@bmeeks said in Suricata and loss of internet traffic:
An IDS/IPS package like Suricata or Snort is not something you can just install, and enable a bunch of rules, and call it "done". You will not have a pleasant experience doing that ... .
It takes a fair amount of skill, and somewhat deep knowledge of how network intrusions "work", and how malicious code "works", in order to know what rules you need to enable in your network.
No offense meant here, but you seem to not know where to look to see what is being blocked. You don't look in the suricata.log file. That only contains startup information. No alerts or blocks are ever logged there. You find alerting rules on the ALERTS tab, and you can find blocked hosts on the BLOCKS tab (when using Legacy Mode Blocking). This tells me that you are perhaps a novice with using an IDS/IPS. You might want to start by doing some research on Google for links on how to set up and manage an IDS/IPS. I suggest you do it this way.
1. Remove Suricata from your WAN. That's not where you usually want an IDS. Put it on your LAN instead.
2. You are getting the SC_ERR_INVALID_SIGNATURE errors because you have likely enabled Snort rules with Suricata. While many Snort rules will work, there are hundreds of them that will not because Snort accepts different syntax and keywords than Suricata. Those errors are harmless in that Suricata will still start and run, but those particular Snort rules will not be loaded and used.
3. Run Suricata in alert-only mode (with blocking disabled) for several weeks on your network to get a feel for what kinds of alerts normal traffic on your network may generate. Expect a number of false positives. You will need to research each alert and make the determination if it represents a false positive or not. You will want to disable rules that frequently generate false positives in your network.
4. After doing step #3 above for several weeks, then you can try enabling blocking mode to see how things go.
Tuning an IDS/IPS is a big job that takes lots of patience. It's not something you can do by clicking a few boxes in 5 minutes and calling it done.
I agree. I followed a few guides in setting it up. I have only a beginner's understanding of all the settings. Nonetheless, having been a teacher in another domain (medicine), I have to believe there's a site that teaches the particulars. If I can teach a student how to do surgery, I have to believe I can be taught Suricata.
Any reference to a guide that is practical would be appreciated.
-
-
@bmeeks said in Suricata and loss of internet traffic:
An IDS/IPS package like Suricata or Snort is not something you can just install, and enable a bunch of rules, and call it "done". You will not have a pleasant experience doing that ... .
It takes a fair amount of skill, and somewhat deep knowledge of how network intrusions "work", and how malicious code "works", in order to know what rules you need to enable in your network.
No offense meant here, but you seem to not know where to look to see what is being blocked. You don't look in the suricata.log file. That only contains startup information. No alerts or blocks are ever logged there. You find alerting rules on the ALERTS tab, and you can find blocked hosts on the BLOCKS tab (when using Legacy Mode Blocking). This tells me that you are perhaps a novice with using an IDS/IPS. You might want to start by doing some research on Google for links on how to set up and manage an IDS/IPS. I suggest you do it this way.
1. Remove Suricata from your WAN. That's not where you usually want an IDS. Put it on your LAN instead.
2. You are getting the SC_ERR_INVALID_SIGNATURE errors because you have likely enabled Snort rules with Suricata. While many Snort rules will work, there are hundreds of them that will not because Snort accepts different syntax and keywords than Suricata. Those errors are harmless in that Suricata will still start and run, but those particular Snort rules will not be loaded and used.
3. Run Suricata in alert-only mode (with blocking disabled) for several weeks on your network to get a feel for what kinds of alerts normal traffic on your network may generate. Expect a number of false positives. You will need to research each alert and make the determination if it represents a false positive or not. You will want to disable rules that frequently generate false positives in your network.
4. After doing step #3 above for several weeks, then you can try enabling blocking mode to see how things go.
Tuning an IDS/IPS is a big job that takes lots of patience. It's not something you can do by clicking a few boxes in 5 minutes and calling it done.
Taking your implied advice, I took off the Snort rules and I maintain internet access.
Is there a good guide to Snort rules meanings and use in Suricata?
-
-
The process is to examine the BLOCKS tab to see which rules are triggering and generating the blocks. Rules have two identifiers: a GID (Generator ID) and a SID (Signature ID). For all the rules in Suricata, the GID will be 1. The GID has more nuanced meaning in Snort (the IDS/IPS program). Every rule must have a SID, and the SID must be unique.
So you will examine the BLOCKS tab to see which rules (SIDs) are triggering and generating blocks. You can also cross-reference on the ALERTS tab to see the text of the triggering rules. The first part of the "Message" field can help you identify which rule category the rule is from. As for finding detailed information on each rule - well, unfortunately, that's hard to find. That's because the rule creators are in general poor documenters of their craft ... . Sometimes you can find a little explanation, but not very many details. Google searches are where you will find whatever might exist.
And again, I didn't mean to imply you were incapable of learning an IDS. Anyone can learn, but I was trying to convey that it is very different from most other parts of computers and networking. So as an analogy, you might could teach me something about surgery, but unless I have years of medical school as a foundation, I won't be very good at it (surgery, that is). Obviously learning cyber security is not the same as medicine and surgery, but it does take a fair amount of experience. So if we are talking about a home network, and you are willing to tolerate the occasional inconvenience, then jump in and have fun learning! But if it's a business network, I would start out with blocking turned off and take baby steps while learning the ropes.
SANS is considered one of the gold standards of cyber security information and training. Here is a link to one of their whitepapers on deploying IDS/IPS: https://www.sans.org/white-papers/2143/. And here is one more from SANS: https://www.sans.org/white-papers/36677/. At the top of this forum section are a series of Sticky Posts that describe how to set up Suricata and Snort on pfSense. There are also some YouTube videos posted by others that present walk-through tutorials.
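The tuning loop described above (run alert-only, see which SIDs fire most, use the message prefix to spot the rule category, then disable the chronic false positives) can be done offline against Suricata's fast.log. This is an added example, not code from this thread or from the pfSense package; the log lines, SIDs and rule messages are constructed, and the "gid:sid" output format is assumed to match what a disablesid list takes.

```python
"""Offline triage of Suricata fast.log alerts from an alert-only tuning period (added example).
Sample lines, SIDs and messages are constructed; the gid:sid output format is an assumption."""
import re
from collections import Counter

# fast.log shape: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src -> dst
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample log: one chatty local rule firing on mDNS, one rare high-priority alert, one bad line.
SAMPLE_FAST_LOG = """\
01/15/2024-10:23:45.123456  [**] [1:1000001:3] LOCAL POLICY Constructed mDNS chatter [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353
01/15/2024-10:23:46.000001  [**] [1:1000001:3] LOCAL POLICY Constructed mDNS chatter [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.21:5353 -> 224.0.0.251:5353
01/15/2024-10:23:47.000002  [**] [1:1000001:3] LOCAL POLICY Constructed mDNS chatter [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.22:5353 -> 224.0.0.251:5353
01/15/2024-10:24:01.500000  [**] [1:1000002:1] LOCAL MALWARE Constructed rare hit [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.30:49152 -> 203.0.113.9:443
this line is malformed on purpose and must be skipped
"""

def parse_alert(line):
    # Returns a dict for one fast.log line, or None when the line does not match the format.
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    a.update({k: int(a[k]) for k in ("gid", "sid", "rev", "priority")})
    # Heuristic: the leading words of the message name the rule category (e.g. "ET SCAN").
    a["category"] = " ".join(a["msg"].split()[:2])
    return a

def triage(log_text, threshold):
    """Count alerts per SID; SIDs firing at least `threshold` times are candidates for review."""
    counts, details = Counter(), {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip unparsable lines rather than aborting the whole pass
        counts[a["sid"]] += 1
        details[a["sid"]] = (a["gid"], a["category"], a["msg"], a["priority"])
    noisy = [sid for sid, n in counts.most_common() if n >= threshold]
    return counts, details, noisy

def disablesid_lines(details, sids):
    """Emit 'gid:sid' lines for a disable list (format assumed; Suricata rules all use gid 1)."""
    return [f"{details[sid][0]}:{sid}" for sid in sids]

if __name__ == "__main__":
    counts, details, noisy = triage(SAMPLE_FAST_LOG, threshold=3)
    print(counts.most_common(), disablesid_lines(details, noisy))
```

Review each candidate against the traffic that produced it before disabling anything; a high count is a reason to look, not proof of a false positive.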
-
Thanks to those who've offered real help.
It wasn't that difficult once I understood the issues. It turns out I was just enabling too many of the rules, and thus getting shut down.
In the end, I found a site that had explanations of the key groups to block, and all is well.
I'm surprised there are so few well described "how-tos" for non-networking guys, but there you have it.