Netgate Discussion Forum

    Taming the beasts… aka suricata blueprint

    Scheduled Pinned Locked Moved IDS/IPS
    504 Posts 64 Posters 340.7k Views
    • A Former User

      You are still seeing alerts because of the way snort/suricata work on pfsense. Follow the next steps through, and you will understand why.

      1. A packet comes in on your WAN interface
      2. A copy of that packet is immediately made, and passed on to snort/suricata
      3. pf decides what to do with the packet
      4. snort/suricata decides what to do with the copy of the packet
      5. If rules allow it, pf passes on the packet to your LAN interface
      6. If snort/suricata rules call for an alert, an alert is generated
      7. The original packet has likely reached its destination
      8. The offending IP is added by snort/suricata (actually no, but good enough) to the blocked table.

      The most important part is 2: that shows exactly how snort/suricata work, and why alerts are generated. Fast-forwarding through another round of that list shows that by the time pf decides that a second packet from the offender should be blocked, snort/suricata has already seen the copy of that packet and re-generated an alert. As you can see, no matter what you do, the alerts will always be generated.

      The only 2 ways to stop those alerts are by using an upstream router to block packets from that IP, or using BPF to tell suricata not to inspect packets from those IPs, which is not currently supported nor encouraged (last time I tried it on my 4 million permanently banned IPs, the box crashed; on smaller lists Suricata startup took a day or so).

      You don't have to worry about the alerts being generated. That does not mean that packets are passing, they could be blocked and the alert will still be generated on the copy of the packet.

      I like to set up the ban time as 28 days. Offenders (including so-called "state sponsored hax0rz"), being mostly script kiddies, will come again with a packet that generates an alert within that timeframe. The bonus of having snort/suricata work the way they do now is that once an attacker generates an alert, and he keeps on coming, he will be perpetually banned. Each time an alert is generated, the timestamp for that IP is updated, which means resetting the timer back to 28 days.

      Every now and then, manually inspect the snort/suricata blocked list, and decide on what to do. For example, if a number of IPs from a certain /24 subnet are always there, they get added to a permanently banned list that is used in a rule on all interfaces (block WAN side, reject LAN side). Not that it stops the alerts, but in case the blocked list is flushed (e.g. reboot?) the IPs are still banned.

      @all: thanks for the wishes. Slowly recovering :-)
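The eight steps above, as an added simulation that is not code from the thread, from pfSense or from Suricata. The probe packet, the source IP, the timestamps and the "refresh the ban on every alert" policy are constructed assumptions used only to illustrate why a blocked host keeps producing alerts.

```python
"""Simulate pf + IDS on pfSense: pf judges the original packet while the IDS
inspects a copy, so alerts fire even for packets pf already blocked.
Added example; not pfSense/Suricata code. The ban-refresh policy is assumed."""
from datetime import datetime, timedelta

BAN = timedelta(days=28)   # ban time chosen in the post above


class Firewall:
    def __init__(self):
        self.blocked = {}     # blocked table: src IP -> expiry timestamp
        self.alerts = []      # every alert the IDS raised, blocked or not
        self.delivered = []   # packets pf actually forwarded to LAN

    def pf_decide(self, pkt, now):
        # Step 3: pf checks the blocked table for the original packet.
        expiry = self.blocked.get(pkt["src"])
        if expiry is not None and expiry > now:
            return False                      # still banned: drop it
        if expiry is not None:
            del self.blocked[pkt["src"]]      # ban expired: forget the entry
        return True

    def ids_inspect(self, pkt, now):
        # Steps 2/4/6: the IDS sees a *copy*, so it alerts regardless of pf.
        if not pkt["suspicious"]:
            return False
        self.alerts.append((now, pkt["src"]))
        # Step 8: (re)insert the offender; the 28-day timer restarts.
        self.blocked[pkt["src"]] = now + BAN
        return True

    def receive(self, pkt, now):
        # Steps 1-8 for one packet: pf verdict on the original, IDS on the copy.
        passed = self.pf_decide(pkt, now)
        alerted = self.ids_inspect(pkt, now)
        if passed:
            self.delivered.append(pkt)          # step 5/7: reached the LAN
        return {"passed": passed, "alerted": alerted}


def scenario():
    """Constructed timeline: one offender probing four times."""
    fw = Firewall()
    t0 = datetime(2015, 10, 20, 10, 0)
    probe = {"src": "192.0.2.10", "suspicious": True}    # constructed sample
    first = fw.receive(probe, t0)                         # passes, alerts, banned
    second = fw.receive(probe, t0 + timedelta(minutes=1))  # blocked, still alerts
    third = fw.receive(probe, t0 + timedelta(days=27))    # blocked, ban refreshed
    fourth = fw.receive(probe, t0 + timedelta(days=56))   # refreshed ban expired day 55
    return first, second, third, fourth, len(fw.alerts)
```

The second and third probes never reach the LAN, yet each one appears in the alert log; the fourth shows what happens once the offender stays quiet for longer than the ban.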

      • neonmatt

        Got my 'new' home network almost up and going, so I popped in to see how the thread was doing. I had to comment and say jflsakfja I hope your recovery is going well!!

        "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

        • abujammy

          jflsakfja thanks so much for all the time you've spent on getting this up and running.  I read through the ridiculously long thread on getting the half dozen sentences you wanted in order to begin working on the guide.  Now that that's done, what's the timeframe looking like on that and what kind of help do you need to get started?

          • Mr. Jingles

            @abujammy:

            on getting the half dozen sentences you wanted in order to begin working on the guide.

            and what kind of help do you need to get started?

            I've read this more than once, but I think I'm not quite sure what the question is. Now I'm not JFL, so your question isn't directed at me, but I'm still curious as to what the question is (;D).

            6 and a half billion people know that they are stupid, aggressive, lower life forms.

            • abujammy

              hahahaha well I thought it was pretty clear. ;)

              Let me try to be more clear.  Do you need:

              • Someone to help edit for English grammar?
              • Someone to convert some of the forum topics over to github so that you can edit from there?
              • Someone to grab pfSense screenshots, crop them and put them in a repo somewhere?
              • Someone to write a section from scratch?
              • etc
              • etc
              • etc
              • A Former User

                Still recovering and becoming a regular at the doctors'. Went through everything so far: x-rays, CTs, EMGs, MRIs… (notice the "s" at the end of each one). Still have 2 MRIs to go through, but that's going to take a while, not scheduled for another 4 months or so. Not saying that the guide is going to be delayed until then, but for now, I'm more focused on easing back to my regular life and workflow.

                I only ask for your patience for now  :). Bone marrow and nerves are slow in recovery...

                The upside is that my head is still attached to my neck, that's good!

                • TDJ211

                  @jim82:

                  @jflsakfja:

                  Can I see a screenshot of the floating rule in question?

                  If you are talking about the "block all" floating rule, it should only apply to traffic destined for pfsense's ports (that's why there is a giant red warning under it).

                  Thanks for your reply. I guess the post above concerns the same confusion. Don't get me wrong, but you write the following:

                  Next up Floating tab:
                  Set up a rule but make these changes:

                  | Setting | Value |
                  | --- | --- |
                  | Action | Block |
                  | Quick | TICKED!!! |
                  | Interface | Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC |
                  | Direction | any |
                  | Source | any |
                  | Destination | any |

                  If you read this directly (as I did, since I'm an absolute beginner), your rule will block everything in/out on all interfaces, except "LAN".

                  I did this, and got confused. I could not wrap my head around how on earth a Floating block ANY ANY ANY to all interfaces would possibly allow any traffic to pass through.

                  My suggestion is to clarify (maybe more red big letters) that this floating block rule is ONLY for the ports you specify as being web interface and SSH (which makes good sense).

                  Thanks for your guide, I'm looking forward to following the next steps.

                  BR Jim

                  Ahhhhh... thanks for the clarification! I read it that way too.

                  • dmitri_oga

                    @jflsakfja:

                    Next up Floating tab:
                    Set up a rule but make these changes:

                    | Setting | Value |
                    | --- | --- |
                    | Action | Block |
                    | Quick | TICKED!!! |
                    | Interface | Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC |
                    | Direction | any |
                    | Source | any |
                    | Destination | any |

                    DON'T CHANGE DESTINATION PORT RANGE!!! Had to add this since I confused a few people already :p

                    Those are pretty much the only changes you need to make. Save and apply the rule. When adding other floating rules, make sure this rule stays at the absolute top of the list.

                    I am either missing something or this is truly going over my head and I apologize for resurrecting an old(er) thread.

                    When I add the Floating rule, all traffic on my network grinds to a halt.
                    Can someone explain to me how to set it up correctly? I apologize for this, I've looked over the thread several times and can't come to an answer. I tried varying setups and, still, nothing.

                    Here's a link to my current rules:
                    Floating: http://i.imgur.com/oqVGRyD.png
                    WAN: http://i.imgur.com/kezi74q.png
                    LAN: http://i.imgur.com/n7g15kf.png

                    Thanks.

                    P.S., hope you're alright, jflsakfja. :D

                    • n3by

                      You missed the destination admin ports for your pfsense box.


                      • dmitri_oga

                        @n3by:

                        You missed the destination admin ports for your pfsense box.

                        So, they need to be in the LAN and Floating section? Also, I noticed I might've mislabeled the LAN and WAN Imgur links. Sorry.

                        • n3by

                          Be careful with the chosen ports: they should not be used by normal applications, because you will cut access to those ports.

                          You only need a restriction rule on LAN if you want specific designated computers to be the only ones that can access the admin ports.

                          Attached: floating rule for WAN and rule for LAN.

                          P.S.
                          You can use "This firewall (self)" as the destination instead of any.

                          ![2015-10-20 10.01.07.jpg](/public/imported_attachments/1/2015-10-20 10.01.07.jpg)
                          ![2015-10-20 10.14.02.jpg](/public/imported_attachments/1/2015-10-20 10.14.02.jpg)

                          • dmitri_oga

                            @n3by:

                            Be careful with the chosen ports: they should not be used by normal applications, because you will cut access to those ports.

                            You only need a restriction rule on LAN if you want specific designated computers to be the only ones that can access the admin ports.

                            Attached: floating rule for WAN and rule for LAN.

                            P.S.
                            You can use "This firewall (self)" as the destination instead of any.

                            Appreciate it! Thanks a lot. Kudos.

                            • A Former User

                              So long and thanks for all the fish.

                              • pfcode

                                @jflsakfja:

                                So long and thanks for all the fish.

                                Oh, NO. Are you leaving us? What's happening?

                                Release: pfSense 2.4.3(amd64)
                                M/B: Supermicro A1SRi-2558F
                                HDD: Intel X25-M 160G
                                RAM: 2x8Gb Kingston ECC ValueRAM
                                AP: Netgear R7000 (XWRT), Unifi AC Pro

                                • G.D. Wusser Esq.

                                  @jflsakfja:

                                  So long and thanks for all the fish.

                                  Farewell. Thank you for everything.
                                  Hoping you will return.

                                  • pfsenseboonie

                                    Hi, I am trying to create the golden custom rules and need help…

                                    ```
                                    # ![ports,open,on:firewall] is the poster's placeholder for the negated list of ports open on the firewall
                                    # sids made unique: Suricata refuses to load a second rule with the same sid
                                    alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
                                    alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900001; rev:1;)
                                    alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900002; rev:1;)
                                    alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900003; rev:1;)
                                    ```

                                    The first two are to block incoming traffic to closed ports.
                                    The last two are to block incoming traffic from low ports to low ports.

                                    How should I adjust them in the msg bit, and do you have any other comments on them?

                                    Thanks.

                                    • lobotiger

                                      Hi everyone. I'm thinking of following the guide here, but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?

                                      LoboTiger

                                      • n3by

                                        My advice is to install Suricata if possible.
                                        Yesterday I just had to uninstall Snort and install Suricata on one remote site after I saw high CPU load and high CPU temp without traffic. Reason: Snort >10-15% CPU; in the same conditions Suricata is now at 1-2% CPU, which is OK.
                                        The other site had Suricata installed and no problems; both sites are running pfSense 2.2.5 and a site-to-site VPN.

                                        • Downloadski

                                          @lobotiger:

                                          Hi everyone. I'm thinking of following the guide here, but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?

                                          LoboTiger

                                          I am an absolute beginner and I found this thread very interesting for getting some understanding of the principles of good security.
                                          So I will re-read it and start to implement it.

                                          • TDJ211

                                            @lobotiger:

                                            Hi everyone. I'm thinking of following the guide here, but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?

                                            LoboTiger

                                            It's probably the best read you'll find on the net about IDS/IPS security. Most of what you need to know is in the first few pages anyway.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.