Netgate Discussion Forum
    Suricata package blocking mode coming soon

    pfSense Packages
    16 Posts 6 Posters 3.7k Views
      Ramosel

      @bmeeks:

      Not saying I'm giving up on inline mode, but it definitely can't happen until there are some changes within pfSense itself.

      Bill

      Thanks for the clarification on this Bill.  I agree on the fan boys on both sides of the fence.  There are quite a few groups that have done side by side tests out there and so far it still shows that Snort gets the nod, not by much though.  Given my (simple) needs I'm going to hang with Snort for now until "inline" is possible or Cisco destroys Snort… whichever comes first.

      Rick

        bmeeks

        @Ramosel:

        @bmeeks:

        Not saying I'm giving up on inline mode, but it definitely can't happen until there are some changes within pfSense itself.

        Bill

        Thanks for the clarification on this Bill.  I agree on the fan boys on both sides of the fence.  There are quite a few groups that have done side by side tests out there and so far it still shows that Snort gets the nod, not by much though.  Given my (simple) needs I'm going to hang with Snort for now until "inline" is possible or Cisco destroys Snort… whichever comes first.

        Rick

        I think in terms of "detection and protection" the two are pretty much in a dead heat.  As I said in a different thread, Snort is easier to setup for newbies because of the pre-defined IPS Policies you can select.  Suricata offers more "information" surrounding alerts what with its expanded HTTP and TLS logs (and even DNS and SMB logs in the new 2.0 version).  These extra logs, combined with the file extraction and storage feature, and pcap files provide a rich set of "context" around alerts that you can use for analysis.  Snort is a bit lacking in this area, but they are playing "catch up" very well.

        Bill

          AhnHEL

          @bmeeks:

          As I said in a different thread, Snort is easier to setup for newbies because of the pre-defined IPS Policies you can select.

          There are settings in Suricata that you have for IPS Policies, do these not apply to your above statement?  I'm finding Suricata to be an awesome replacement for Snort.

          I've already ditched Snort and am currently running Suricata in Blocking mode and working on force-disabling the false positives.  Kid in a candy store.

          Many thanks Bill for your work.

          AhnHEL (Angel)

            bmeeks

            @AhnHEL:

            There are settings in Suricata that you have for IPS Policies, do these not apply to your above statement?  I'm finding Suricata to be an awesome replacement for Snort.

            The only issue with the pre-defined policies in Suricata is that they are dependent on the Snort VRT rules.  The Snort VRT rules are the only ones with that metadata encoded within them.  There are a number of Snort VRT rules that contain Snort-specific keywords.  These rules will fail to compile on Suricata.  Errors will be printed in the suricata.log file, but Suricata will continue to start up.  This is different from Snort where any failed rule will cause a fatal exit on startup.  So look in your suricata.log file for your interfaces to see which, if any, Snort VRT rules might have choked.

            Suricata does best with the Emerging Threats rules because they create a specific package targeted at Suricata.  Either the ET OPEN or ET PRO rules will work.  The Snort rules will work, for the most part, but you do need to check the log to see if any Snort VRT rules you chose failed to compile.

            I probably need to check the GUI page to see if I made this point clear.  I think it's coded so the IPS Policy box is disabled when the Snort VRT rules are not selected (the same behavior as in Snort).

            Bill

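The advice in the post above is to read the per-interface suricata.log for Snort VRT rules that did not compile, because Suricata keeps starting while Snort would exit. The script below is an added example (not code from the Suricata package, pfSense or the poster) that does that check offline over a constructed log excerpt. Assumptions, all labelled in the code: the rule-file path under /usr/local/etc/suricata/suricata_52341_em1/, the SIDs 9000001 and 9000002, the rule text, the numeric ERRCODE values and the exact wording of the keyword error are placeholders modelled on the Suricata 1.x/2.x log layout rather than taken from a real box. On a pfSense install the log sits in that interface's log directory and the path will differ.

```python
"""Scan a Suricata interface log for rules the engine refused to load."""
import re
from collections import Counter

# Constructed sample, modelled on the Suricata 1.x/2.x log line layout; it is
# not a capture from the page or from a real firewall. The path, SIDs, rule
# text and the numeric ERRCODE values are placeholders.
SAMPLE_SURICATA_LOG = """\
3/4/2014 -- 09:12:01 - <Info> - Loading rule file: /usr/local/etc/suricata/suricata_52341_em1/rules/suricata.rules
3/4/2014 -- 09:12:02 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(109)] - unknown rule keyword 'http_encode'.
3/4/2014 -- 09:12:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE rule with a Snort-only keyword"; flow:to_server,established; content:"foo"; http_encode:uri,double_encode; sid:9000001; rev:1;)" from file /usr/local/etc/suricata/suricata_52341_em1/rules/suricata.rules at line 1201
3/4/2014 -- 09:12:03 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(109)] - unknown rule keyword 'sd_pattern'.
3/4/2014 -- 09:12:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule using the sensitive-data preprocessor"; sd_pattern:5,credit_card; sid:9000002; rev:2;)" from file /usr/local/etc/suricata/suricata_52341_em1/rules/suricata.rules at line 1305
3/4/2014 -- 09:12:05 - <Info> - 18433 rules successfully loaded, 2 rules failed
3/4/2014 -- 09:12:06 - <Info> - all 3 packet processing threads, 3 management threads initialized, engine started.
"""

# One <Error> line per unloadable signature; the ERRCODE name is what we key on.
ERROR_RE = re.compile(r"<Error> - \[ERRCODE: (?P<code>[A-Z0-9_]+)\(\d+\)\] - (?P<msg>.*)$")
# The SID lives inside the quoted rule text that Suricata echoes back.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCATION_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")
SUMMARY_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")


def error_code_counts(log_text):
    """How many <Error> lines of each ERRCODE the log contains."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            counts[m.group("code")] += 1
    return counts


def failed_rules(log_text):
    """One record per signature Suricata could not parse: SID, rule file and line."""
    failures = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m is None or m.group("code") != "SC_ERR_INVALID_SIGNATURE":
            continue
        msg = m.group("msg")
        sid = SID_RE.search(msg)
        loc = LOCATION_RE.search(msg)
        failures.append({
            "sid": int(sid.group(1)) if sid else None,
            "file": loc.group("file") if loc else None,
            "line": int(loc.group("line")) if loc else None,
            "detail": msg,
        })
    return failures


def load_summary(log_text):
    """(loaded, failed) from the engine's own tally, or None if the log has no summary."""
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            return (int(m.group(1)), int(m.group(2)))
    return None


def engine_started(log_text):
    """Suricata logs 'engine started' once the packet threads are up, failed rules or not."""
    return "engine started" in log_text


def report(log_text):
    """Did the engine come up, and which rules did it drop on the way?"""
    failures = failed_rules(log_text)
    summary = load_summary(log_text)
    return {
        "engine_started": engine_started(log_text),
        "failed_sids": [f["sid"] for f in failures],
        "summary": summary,
        # The engine's failed-rule count should match the signature errors we parsed.
        "consistent": summary is None or summary[1] == len(failures),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SURICATA_LOG).items():
        print(f"{key}: {value}")
```

The point of `report()` is the contrast the post draws: `engine_started` is true even though two rules are missing, so a green status light in the GUI says nothing about coverage. Run it against the real file for each interface after every rule update, and treat a non-empty `failed_sids` list as rules you are not actually enforcing.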
              bmeeks

              @AhnHEL:

              I've already ditched Snort and am currently running Suricata in Blocking mode and working on force-disabling the false positives.  Kid in a candy store.

              Many thanks Bill for your work.

              Then you should really like the upcoming 2.0 version of the Suricata binary.  In my admittedly very limited testing thus far, it seems to have zero spurious stream alerts – at least when compared to what I get from 1.4.6 in my VM environment.  I'm not sure how much of that is bugs in the 1.4.6 stream processor and how much is due to the strange virtual connections you can have in VMware Workstation.  I do most of my basic testing using Workstation.

              Anyway, I am interested in hearing how Suricata works for you in a real environment and how many persistent false positives you see with things like the stream alerts.

              Bill

                AhnHEL

                So far the only Stream Alerts I've seen involve the following:

                SURICATA STREAM 3way handshake SYNACK resend with different seq
                SURICATA TLS invalid record type
                SURICATA STREAM FIN out of window
                SURICATA STREAM FIN invalid ack

                All those alerts resolve back to akamai technologies or 1e100.net.  Doesn't seem to be hindering any browsing, 5 alerts within a 24 hour period.

                I'm getting a bunch of these SURICATA HTTP response header invalid with a Source from the Private IP address of my Cable Modem Diagnostic page.  I just Suppressed that one.

                Ran a torrent that saturated my 114Mbps Cable line and only saw 17% CPU spike.  Snort would max out one core on my CPU with my old 57Mbps connection so this is an improvement on my heavily used home network.

                AhnHEL (Angel)

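The post above shows the usual triage for engine-generated stream/TLS/HTTP events: a handful of hits from a few hosts that do not hurt anything, plus one noisy source (the modem's diagnostic page) that gets suppressed rather than having the rule disabled for everyone. The script below is an added example, not code from the Suricata package, pfSense or the poster, that turns a fast.log excerpt into source-scoped `suppress` lines in the threshold.config syntax the package's suppress list uses. Everything in the sample is constructed: the SIDs 1000001, 1000003, 1000010 and 2000001 are placeholders and not the real stream-events SIDs, the timestamps and the 203.0.113.x / 198.51.100.x / 192.168.x.x addresses are documentation and private ranges, and the rule names other than the four quoted in the post are made up.

```python
"""Turn repeated Suricata engine events into threshold.config suppress entries."""
import re
from collections import defaultdict

# fast.log line: '<ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port'
# IPv4 only, which is enough for this example.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\} (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Only the engine's own protocol-anomaly events are candidates for suppression.
# Anything else (a real signature hit) stays visible no matter how often it fires.
NOISY_PREFIXES = ("SURICATA STREAM ", "SURICATA TLS ", "SURICATA HTTP ")

# Constructed sample alerts; SIDs, addresses and timestamps are placeholders.
SAMPLE_FAST_LOG = """\
03/04/2014-08:01:10.100000  [**] [1:1000001:1] SURICATA STREAM 3way handshake SYNACK resend with different seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.168.1.20:50112
03/04/2014-08:05:41.200000  [**] [1:1000001:1] SURICATA STREAM 3way handshake SYNACK resend with different seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.168.1.20:50198
03/04/2014-09:12:03.300000  [**] [1:1000003:1] SURICATA STREAM FIN out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:443 -> 192.168.1.21:49822
03/04/2014-10:20:00.400000  [**] [1:1000010:1] SURICATA HTTP response header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.100.1:80 -> 192.168.1.20:50333
03/04/2014-10:21:00.500000  [**] [1:1000010:1] SURICATA HTTP response header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.100.1:80 -> 192.168.1.20:50340
03/04/2014-10:22:00.600000  [**] [1:1000010:1] SURICATA HTTP response header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.100.1:80 -> 192.168.1.20:50351
03/04/2014-11:00:00.700000  [**] [1:2000001:1] EXAMPLE signature hit worth keeping [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.5:4444 -> 192.168.1.30:22
"""


def parse_fast_log(text):
    """Return one dict per alert line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m is None:
            continue
        alerts.append({
            "gid": int(m.group("gid")), "sid": int(m.group("sid")),
            "msg": m.group("msg"), "src": m.group("src"), "dst": m.group("dst"),
        })
    return alerts


def hits_by_rule_and_source(alerts):
    """Count alerts per (gid, sid, source IP): the granularity a by_src suppress works at."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["gid"], a["sid"], a["src"])] += 1
    return dict(counts)


def suppress_entries(alerts, min_hits=2, prefixes=NOISY_PREFIXES):
    """(suppress_line, reason) pairs for engine events that repeat from one source."""
    msg_for = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    entries = []
    for (gid, sid, src), n in sorted(hits_by_rule_and_source(alerts).items()):
        msg = msg_for[(gid, sid)]
        if n < min_hits or not msg.startswith(prefixes):
            continue
        # Scoped to the offending source so the rule keeps firing for everyone else.
        line = f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
        entries.append((line, f"{msg}: {n} hits"))
    return entries


def render_threshold_config(entries):
    """Emit the entries as a threshold.config fragment, one comment line per entry."""
    out = ["# generated: source-scoped suppressions for repeated engine events"]
    for line, reason in entries:
        out.append(f"# {reason}")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_threshold_config(suppress_entries(parse_fast_log(SAMPLE_FAST_LOG))))
```

Two choices are deliberate. The `track by_src, ip` form is used instead of a bare `suppress gen_id 1, sig_id N` so that the modem's noisy address is silenced without blinding the rule for the rest of the network; Suricata also accepts a CIDR in the `ip` field if a whole range is noisy. And the prefix filter means a genuine signature hit, however repetitive, is never written into the suppress list by the script; that decision stays with a human.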
                  BBcan177 (Moderator)

                  @bmeeks:

                  Then you should really like the upcoming 2.0 version of the Suricata binary.  In my admittedly very limited testing thus far, it seems to have zero spurious stream alerts – at least when compared to what I get from 1.4.6 in my VM environment.  I'm not sure how much of that is bugs in the 1.4.6 stream processor and how much is due to the strange virtual connections you can have in VMware Workstation.  I do most of my basic testing using Workstation.

                  Anyway, I am interested in hearing how Suricata works for you in a real environment and how many persistent false positives you see with things like the stream alerts.

                  If we had that "duplicate" Interface function, the testing would be a lot easier as we could test a modified Interface with a clean Suppress list and all the rules enabled and then quickly revert back to the previously configured Interface.

                  With the way it is now, it's hard to do this testing with a Production setup as you need to set up a new suppress list and enable the previously disabled rules to see if they re-alert with the new binary etc…

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    bmeeks

                    @BBcan17:

                    @bmeeks:

                    Then you should really like the upcoming 2.0 version of the Suricata binary.  In my admittedly very limited testing thus far, it seems to have zero spurious stream alerts – at least when compared to what I get from 1.4.6 in my VM environment.  I'm not sure how much of that is bugs in the 1.4.6 stream processor and how much is due to the strange virtual connections you can have in VMware Workstation.  I do most of my basic testing using Workstation.

                    Anyway, I am interested in hearing how Suricata works for you in a real environment and how many persistent false positives you see with things like the stream alerts.

                    If we had that "duplicate" Interface function, the testing would be a lot easier as we could test a modified Interface with a clean Suppress list and all the rules enabled and then quickly revert back to the previously configured Interface.

                    With the way it is now, it's hard to do this testing with a Production setup as you need to set up a new suppress list and enable the previously disabled rules to see if they re-alert with the new binary etc…

                    I will add that functionality to the next release.  It will work pretty much like the same button for firewall rules.  Click the (+) to create a new interface "based on" the one you click.  It will inherit the same settings for everything except the physical NIC interface and the name.

                    Bill

                      BBcan177 (Moderator)

                      Great stuff… This will make testing that much easier!!

                      EDIT:

                      On another note, also having the functionality to create a fresh NEW interface would also be beneficial instead of trying to re-enable all of the previously disabled rules.


                        bmeeks

                        @BBcan17:

                        Great stuff… This will make testing that much easier!!

                        EDIT:

                        On another note, also having the functionality to create a fresh NEW interface would also be beneficial instead of trying to re-enable all of the previously disabled rules.

                        That functionality is there today with the current (+) icon.  I'm not changing that one.  I will be adding new (+) icons beside each configured interface.  Clicking the (+) beside an already configured interface will perform the DUP function.  The layout will be pretty much just like the firewall rules page.  So the (+) icon at the top right of the tab will create a new fresh interface (just like it does today).  The (+) icon beside an existing configured interface will DUP it.

                        In terms of the rules, on the RULES tab today is an icon that will remove all forced enable/disable changes for all rules on the interface.  This essentially resets the rules to their default state.  There is a similar icon that will do this for only the currently selected category.

                        Bill

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.