Suricata Configuration for Home Use
-
Hello everyone, I am running pfSense on a Protectli unit for home. I have a 1 Gbps fiber connection and have a few ports open for Plex and qBittorrent and would like the extra protection Suricata gives me. I had found a video from Lawrence Systems and set it up that way but am not sure if it's the best for my use case. If anyone has advice on what would be best for me and can recommend what block lists to use I would really appreciate it.
-
I don't typically recommend an IDS/IPS for a home network for two reasons.
First, the required skills and knowledge for properly choosing what rules to enable and how to interpret alerts are quite high. It is a skill set the typical home network enthusiast does not have.
The second reason is that there are lots of things typically used in home networking (streaming, social media, etc.) that frequently generate false positive alerts and/or blocks. This gets back to reason #1 listed earlier, where the skills of the admin are critical for carefully choosing rules that are suitable for the normal network traffic.
If you want to learn how to administer an IDS/IPS, and have some of the necessary background knowledge of programming and especially TCP/IP networking, then Snort or Suricata on pfSense can be a great learning platform. Just be prepared for lots of bumps in the road as you learn the ropes. That means expect stuff you want to work to instead get blocked via false positives. You have to learn to read these and weed them out by removing rules that are not appropriate for your network environment.
If all you want to do is block some IP addresses using some third-party lists, or if you want to use something like DNS blacklisting, then pfBlockerNG-devel is probably a better fit.
-
@bmeeks with the understanding this is a pfSense forum and answers will likely be biased, is there a platform that you recommend for using Suricata?
I am new to this and trying to set up a network with multi-platform use as we operate a small business from home. We will have multiple VLANs and separate traffic appropriately.
I am in the hardware phase right now. I have decided to use Ubiquiti switches, Cloud Key and wireless APs. I had planned on having pfSense doing the routing and firewall. However, I had planned on also using Suricata.
I've not used the Dream Machine Pro but understand it has a very simple and dumbed-down version of DPI/IPS and was curious if that would be a better tool for the inexperienced? I'm not afraid of a challenge, but don't want to be constantly chasing my tail either.
-
@sledge said in Suricata Configuration for Home Use:
@bmeeks with the understanding this is a pfSense forum and answers will likely be biased, is there a platform that you recommend for using Suricata?
I am new to this and trying to set up a network with multi-platform use as we operate a small business from home. We will have multiple VLANs and separate traffic appropriately.
I am in the hardware phase right now. I have decided to use Ubiquiti switches, Cloud Key and wireless APs. I had planned on having pfSense doing the routing and firewall. However, I had planned on also using Suricata.
I've not used the Dream Machine Pro but understand it has a very simple and dumbed-down version of DPI/IPS and was curious if that would be a better tool for the inexperienced? I'm not afraid of a challenge, but don't want to be constantly chasing my tail either.
Since you are already planning to have a pfSense box in your mix, it would be the logical place to put Suricata. With that said, Suricata is a very complicated piece of software to properly configure. All IDS/IPS platforms are complicated and require a very detailed understanding of networking and the black arts of hacking in order to select the correct rules for the threats in your environment, and to be able to correctly interpret the large number of alerts a typical IDS/IPS will generate.
If you install Suricata, enable a bunch of rules without any knowledge of what those rules actually look for in terms of threats, and then also turn on blocking, you should be prepared for a ton of headaches. This scenario will lead to tons of blocks on normal traffic and your network can be essentially disabled.
IDS/IPS on firewalls (or even something like the Dream Machine Pro) is a technology that is rapidly losing its effectiveness. Why? Because of the increasing use of encryption within network transport. Emails are now sent encrypted via TLS, web traffic is now nearly 100% sent via SSL, and even DNS lookups are increasingly going over TLS (DoT) or SSL (DoH). An IDS/IPS cannot see into encrypted traffic. All it sees are jumbled up bits of random data in the payloads. So the rules for detecting bad things are nearly useless. The only way to inspect such traffic is via some kind of man-in-the-middle (MITM) setup with a proxy. That is very complicated to configure and administer. At best the IDS/IPS can only see the initial header info in an encrypted packet as a connection is established. That is really only marginally useful. And with the coming encryption of that SNI data (via ESNI), even that limited visibility will soon disappear.
So here is the short version of this long story. For a home network (even one that is a small business run from home), forget IDS/IPS and just put a good quality antivirus product on your endpoints (servers, laptops, and desktops) and religiously install all the security updates/hotfixes released for all software running on said machines! Doing that, and being careful what you click on (especially in email attachments), will be about all the security you should need.
Edit: oh, and I forgot to mention that Suricata and Inline IPS Mode is not VLAN-friendly! This is due to limitations within the netmap kernel device.
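To make the visibility limit described above concrete, here is an added Python example (not code from this thread, from Suricata or from pfSense). It builds a constructed TLS ClientHello with an SNI extension, extracts the server name the way a sensor can during connection setup, and shows that an encrypted application-data record and a cleartext HTTP request look very different to a content-matching engine. The host names, the fixed "random" bytes and the packet bytes are all constructed for the example; with Encrypted Client Hello (the successor to the ESNI draft mentioned above) the real SNI moves inside the encrypted inner ClientHello, so this extraction would only ever see the public outer name.

```python
import struct

# TLS record content types and the handshake message type used below.
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension.
    Constructed sample input for this example, not a captured packet."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                           # client_version (TLS 1.2)
        + b"\x11" * 32                        # random: fixed bytes, constructed
        + b"\x00"                             # session_id length 0
        + b"\x00\x02\x13\x01"                 # cipher_suites: one suite
        + b"\x01\x00"                         # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext   # extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host name from the SNI extension of a ClientHello record, or None when
    the record is not a ClientHello (e.g. encrypted application data) or carries no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                                       # header, version, random
        pos += 1 + hs[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + hs[pos]                                     # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None                                            # truncated or malformed


def visible_to_ids(payload: bytes) -> dict:
    """Summarise what a signature engine can read from one payload without a MITM proxy."""
    if payload[:1] == bytes([TLS_HANDSHAKE]):
        return {"kind": "tls-handshake", "readable": extract_sni(payload)}
    if payload[:1] == bytes([TLS_APPLICATION_DATA]):
        return {"kind": "tls-encrypted", "readable": None}    # opaque ciphertext only
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return {"kind": "cleartext", "readable": first_line}


# Constructed sample payloads (not captured traffic).
CLIENT_HELLO_PKT = build_client_hello("media.example.test")
ENCRYPTED_PKT = bytes([TLS_APPLICATION_DATA, 0x03, 0x03, 0x00, 0x20]) + b"\x5a" * 32
CLEARTEXT_PKT = b"GET /library/sections HTTP/1.1\r\nHost: media.example.test\r\n\r\n"

if __name__ == "__main__":
    for pkt in (CLIENT_HELLO_PKT, ENCRYPTED_PKT, CLEARTEXT_PKT):
        print(visible_to_ids(pkt))
```

Running it prints the SNI for the handshake, `None` for the encrypted record and the request line for the cleartext request; the middle case is the one every content rule is blind to.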
-
@bmeeks only you can make me uninstall my IDPS :)
Just to add on to what you said, one of the ways that big box vendors stay in business is by selling you a curated lists of threats (threat prevention) that are loaded up on your firewall daily. You don’t have to think about rules. Just install this and be done. It’s a nice value-add but costs $$.
So Suricata is definitely a useful learning tool, but I would also argue that for businesses large or small, an IDS won't help. Secure the endpoint and save the CPU cycles on the firewall for other things.
Edit: This is why more often than not it's easier to have MDR providers.
-
@bose301s This thread has helped me and many others, but it's long if you're seriously wanting to learn the basics and would take you about 90 days to grasp:
https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint
-
@bmeeks thank you so much for that info! It is very helpful and useful as I’m feeling my way through all this.
I noticed you made lots of references to Suricata. I saw Snort can be run inline or passive. I assume passive comes at the cost that if it does sniff something in the already near 100% encrypted world we live in, it would flag the first time and actually prevent the second time?
Assuming there is value, running passive may alleviate another issue I have with the Mac and Broadcom NICs not playing nicely with netmap and inline. Does Snort have a problem with these NICs as well? And maybe a twist, but if I were to run pfSense on the Mac in VM mode, would the emulated ethernet drivers bypass the Broadcom issues with netmap by "tricking" it into thinking it's a supported driver (assume em0 as opposed to bge0)?
Alas, would Snort be any more friendly or useful with VLANs? Assuming one dips in the pool. And also, is it possible to set rules to only scan unencrypted traffic?
-
@sledge said in Suricata Configuration for Home Use:
@bmeeks thank you so much for that info! It is very helpful and useful as I’m feeling my way through all this.
I noticed you made lots of references to Suricata. I saw Snort can be run inline or passive. I assume passive comes at the cost that if it does sniff something in the already near 100% encrypted world we live in, it would flag the first time and actually prevent the second time?
Assuming there is value, running passive may alleviate another issue I have with the Mac and Broadcom NICs not playing nicely with netmap and inline. Does Snort have a problem with these NICs as well? And maybe a twist, but if I were to run pfSense on the Mac in VM mode, would the emulated ethernet drivers bypass the Broadcom issues with netmap by "tricking" it into thinking it's a supported driver (assume em0 as opposed to bge0)?
Alas, would Snort be any more friendly or useful with VLANs? Assuming one dips in the pool. And also, is it possible to set rules to only scan unencrypted traffic?
The problem with VLANs and Inline IPS Mode (and also with certain NICs) is down at the operating system level (FreeBSD we're talking about) where the netmap kernel device resides. Snort and Suricata both use the netmap kernel device in the exact same way when deployed with Inline IPS Mode operation, so that means both suffer from the same issues and limitations in that regard.
What you call "passive mode" I am assuming is actually Legacy Blocking Mode. That works fine, but the issue with it is that it's a very big, blunt hammer. It blocks host IP addresses and thus will block ALL future traffic to/from the blocked host. Inline IPS Mode can be more selective and simply drop traffic that triggers a rule while passing other traffic that does not trigger a rule. Legacy Mode cannot do that. Once any traffic triggers a rule and that rule implements a block, EVERYTHING else to and from that host is going to be blocked no matter whether it is benign traffic or not. So a big hammer for the problem without any finesse. Legacy Blocking Mode works by adding the offending IP addresses to a built-in pfSense table called snort2c. pfSense creates a special hidden firewall rule that blocks all traffic for IP addresses in that pf table.
And no, you can't purposefully configure rules to only scan unencrypted traffic. But it will sort of work out that way because the internal traffic inspection engine will automatically bail out when encryption is detected. It checks that by testing for known encrypted protocols (SSH, for example) and bailing out when it sees that kind of traffic.
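The difference between the two blocking modes, and the encryption bail-out, can be shown with a small model. This is an added Python example, not code from this thread, from pfSense or from either IDS: it runs constructed packets through an inline engine (drop only the matching packet) and a legacy blocker (copy of the packet alerts, offending host goes into a block table like the pf table snort2c, all later traffic to or from that host is dropped) and counts the collateral blocks. The signature, the addresses, the "which IP gets blocked" choice (the source) and the protocol check that stands in for the engine's encryption detection are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Toy content signature constructed for this example; not a real Snort/Suricata rule.
SIGNATURES = {"toy-scanner-user-agent": b"User-Agent: toy-scanner"}
TLS_APPLICATION_DATA = 0x17


def looks_encrypted(payload: bytes) -> bool:
    """Stand-in for the engine's protocol check: once a flow is recognised as SSH or
    TLS application data, there is nothing readable left, so content rules are skipped."""
    if payload.startswith(b"SSH-"):
        return True
    return len(payload) >= 3 and payload[0] == TLS_APPLICATION_DATA and payload[1] == 0x03


def matching_signature(pkt: Packet):
    """Return the name of the first signature found in the payload, or None."""
    if looks_encrypted(pkt.payload):
        return None
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def run_inline(packets):
    """Inline IPS Mode: each packet is judged on its own; only a matching packet is dropped."""
    return ["drop" if matching_signature(p) else "pass" for p in packets]


def run_legacy(packets):
    """Legacy Blocking Mode: the sensor sees a copy of each packet, so the alerting packet
    has already passed; its source goes into a block table (pfSense: the pf table snort2c)
    and every later packet to or from that host is dropped by the firewall."""
    table = set()
    verdicts = []
    for p in packets:
        if p.src in table or p.dst in table:
            verdicts.append("blocked-by-table")
        elif matching_signature(p):
            table.add(p.src)              # assumption: the offending source is the blocked IP
            verdicts.append("alert")       # already passed; host blocked from now on
        else:
            verdicts.append("pass")
    return verdicts, table


def compare(packets) -> dict:
    """Run both modes and count how much benign traffic the legacy table takes down with it."""
    inline = run_inline(packets)
    legacy, table = run_legacy(packets)
    collateral = sum(1 for i, l in zip(inline, legacy) if i == "pass" and l == "blocked-by-table")
    return {
        "inline": {"dropped": inline.count("drop")},
        "legacy": {"blocked": legacy.count("blocked-by-table"), "alerts": legacy.count("alert"),
                   "collateral": collateral, "table": table},
    }


# Constructed sample traffic using documentation-range addresses (not a capture).
A, B, SERVER = "203.0.113.10", "198.51.100.7", "192.0.2.5"
TLS_DATA = bytes([TLS_APPLICATION_DATA, 0x03, 0x03, 0x00, 0x20]) + b"\x5a" * 32
SAMPLE_PACKETS = [
    Packet(A, SERVER, 80, b"GET /index.html HTTP/1.1\r\nHost: media\r\n\r\n"),       # benign
    Packet(A, SERVER, 80, b"GET / HTTP/1.1\r\nUser-Agent: toy-scanner\r\n\r\n"),     # matches
    Packet(A, SERVER, 80, b"GET /style.css HTTP/1.1\r\nHost: media\r\n\r\n"),        # benign
    Packet(A, SERVER, 443, TLS_DATA),                                               # encrypted
    Packet(B, SERVER, 80, b"GET /index.html HTTP/1.1\r\nHost: media\r\n\r\n"),       # other host
    Packet(SERVER, A, 51234, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),       # reply to A
    # Signature bytes inside a TLS application-data record: the engine bails out before
    # content matching, so neither mode reacts to it.
    Packet(B, SERVER, 443, bytes([0x17, 0x03, 0x03, 0x00, 0x17]) + b"User-Agent: toy-scanner"),
]

if __name__ == "__main__":
    print(compare(SAMPLE_PACKETS))
```

On the sample traffic the inline engine drops exactly one packet, while the legacy blocker raises one alert and then blocks three further packets, all of them benign, including the server's own reply back to the listed host.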
-
@bmeeks thank you again. I enjoy reading your responses, they are full of good info!
And yes I misused the term passive above and should have been using legacy instead. But yes, that is what I meant.
Either way, it sounds like Snort in legacy mode is not the solution I am seeking. That said, it seems if I were to use either I want inline, and unless I find a different solution to the Broadcom NICs on the Mac Mini then that is dead in the water.
However, even if I had compatible NICs I still want to structure VLANs in our network scheme. Can you expand a little deeper on the conflicts that both Snort & Suricata (running inline) have with VLANs?
I'm not nearly as well versed on this as most folks here, but my feeble mind has me going back to the conclusion you mentioned in your first response to me... it's not worth it for a SOHO setup, and just secure up the endpoints with good anti-virus/malware software.
-
@sledge said in Suricata Configuration for Home Use:
However, even if I had compatible NICs I still want to structure VLANs in our network scheme. Can you expand a little deeper on the conflicts that both Snort & Suricata (running inline) have with VLANs?
The issue with VLANs is related to the use of the netmap kernel device for Inline IPS Mode operation. The netmap device does not natively handle VLAN tags. The way it is plumbed and inserted into the kernel stack results in VLAN tags bypassing netmap.
You can still use netmap (and thus Snort or Suricata) with a VLAN interface, but you just run a single instance of the IPS on the physical parent interface. It will then see ALL traffic that is passing across the physical interface. But that means you can't have individual rules for each VLAN, though.
-
For home usage you should split services:
- SquidGuard with blacklists: blocks much more than I was expecting.
- Snort with a free Oink Code: several books from Amazon are available to get in closer touch with it.
- pfBlocker-NG with I-Blocklist for ~10 € a year: you might be really well sorted with many of them.

In short, if you spread the things to do over more than one pfSense package, you will often get a better service out of it for you or your company itself! If you have read something about IDS/IPS, it makes more sense to come back and ask about this or that function, about a problem, and more points. You may think the books are outdated, old and whatever, but they give you an overview of how it works and more. Then install only one rule, edit it and see for three months how many false positives you got, then start the second rule, again for let us say three months, and so on. What is the right mode for you, which attacks are you most likely to be confronted with, what do you want to secure, and why? You may also set up Squid & SquidGuard as a caching proxy in front of your LAN and lightSquid as a reverse proxy in front of your DMZ with the servers, to get a better "not in direct contact with the internet" state for your network. Setting up public IPs directly on pfSense is one more point. Security is not a single point after which all is fine for you, and IDS/IPS is not a set-it-up-and-forget-it service.

Book (Amazon):
- IDS: Intrusion Detection (trace search in the net) ~5 €

- Install TCPDump or Wireshark and collect data and packets from your network; learn what is written in these packets, what the numbers mean, and so on.

Books (Amazon):
- Network Intrusion Detection
- Snort 2.0 Intrusion Detection
- Snort Primer: A FAQ Based Introduction
- Managing Security with Snort and IDS Tools

Then, after you know this, you will be setting up IDS/IPS, and you only insert one rule after another and edit them so that they match your network and your situation.
-
After you have a problem, @bmeeks might be better able to help you, without having to run a basic IDS/IPS course with you.