Netgate Discussion Forum
    Is pfSense "IDS weak" ?

General pfSense Questions
bmeeks

I am investigating a Suricata package for pfSense. I have been sort of maintaining the Snort package for the last several months. I want to take that knowledge and see if a Suricata package on pfSense will work using the FreeBSD port of Suricata.

Bill
BBcan177 (Moderator)

@jimp:

You could even run snort on pfSense and push the alert data from snort over to Security Onion for further processing.

Hi Jimp,

Have you configured pfSense to push data to SO? It would be nice to see a packaged SO sensor for pfSense.
If you have any details, could you share them? If the packets could be pushed to SO, that could allow further analysis in SO.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/
Clear-Pixel

@bmeeks:

I am investigating a Suricata package for pfSense. I have been sort of maintaining the Snort package for the last several months. I want to take that knowledge and see if a Suricata package on pfSense will work using the FreeBSD port of Suricata.

Bill

Looks like Suricata has a nice list of features and future additions... Would love to see a state-of-the-art open source IPS/IDS package come to pfSense... That is assuming there are better options in the open source community than Snort. But from what I have read, Snort is the best time-tested IPS/IDS system out there...

It looks as though DHS funded the start-up of the Suricata project. They say it's nothing more than a Snort fork that cost taxpayers $1 million. Depending on where the rules come from, that could turn out to be somewhat troublesome...

I have said this before... The states table GUI needs more data and functionality. An IPS/IDS cannot catch everything and never will... We need a better visual way of seeing what is connected, its GPS location and what it's doing while connected... some things just need the human touch. If an IP looks fishy... out of place, block it, but we need lots of data to make that decision and it must be done quickly/efficiently. Maybe the States Table data could be added to Snort with additional functions; now that might turn out to be a useful tool?

HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13GHz - 4 GB RAM - 128GB SSD
Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
Single Ethernet Port - VLAN
Cisco SG300 10-port Gigabit Managed Switch
Cisco DPC3008 Cable Modem 30/4 Mbps
pfSense 2.1-RELEASE (amd64)
------------------------------------------------------------
Total Network Power Consumption - 29 Watts
Supermule

There is a reason that Snort was bought by Cisco... and not Suricata. ;) Security, features and usability!
bmeeks

@Supermule:

There is a reason that Snort was bought by Cisco... and not Suricata. ;) Security, features and usability!

But it is my understanding from some limited reading that Suricata is multi-threaded. Snort has not done that yet in their open-source binary. So theoretically Suricata could have better performance in high traffic applications than Snort. Both use the same rules, though. So detection-wise I suspect it's a wash in terms of which is better.

Bill
jasonlitka

@bmeeks:

But it is my understanding from some limited reading that Suricata is multi-threaded. Snort has not done that yet in their open-source binary. So theoretically Suricata could have better performance in high traffic applications than Snort.

That's true, but there are ways to run multiple copies of Snort and load balance between them. Even without that it's not likely to be an issue for anyone with a decently-powerful box. There's a user in the thread below who hit 4.3Gbit/s with Snort.

http://forum.pfsense.org/index.php/topic,65462.0.html

I can break anything.
Clear-Pixel

There are claims on discussion boards that Suricata's multi-threading can't touch Snort's single-threaded performance.
jasonlitka

@Clear-Pixel:

There are claims on discussion boards that Suricata's multi-threading can't touch Snort's single-threaded performance.

The performance of 1.2 was pretty bad. Newer versions are faster.
bmeeks

@Jason:

That's true, but there are ways to run multiple copies of Snort and load balance between them. Even without that it's not likely to be an issue for anyone with a decently-powerful box. There's a user in the thread below who hit 4.3Gbit/s with Snort.

http://forum.pfsense.org/index.php/topic,65462.0.html

I agree that with today's hardware you aren't likely to notice much in terms of performance differences with multi-threaded versus single-threaded until you get to the 10Gbps realm. However, just for fun, I do intend to attempt producing a Suricata package for pfSense in the near future. I have the time now to devote to that project. If nothing else, this will at least offer some insurance for the availability of an IPS/IDS tool for pfSense in the event Sourcefire's new owner decides to scrap open-source Snort at some point. They have said they intend to continue Snort support, but I guess there are never any guarantees.

Bill
Clear-Pixel

Until we find out how Cisco will affect the open source end of it, if at all, I suggest continuing to develop the Snort package and refining it.
bmeeks

@Clear-Pixel:

Until we find out how Cisco will affect the open source end of it, if at all, I suggest continuing to develop the Snort package and refining it.

Oh, I don't intend to abandon Snort at all. Just looking at Suricata as another alternative to have in the package collection.

Bill