Netgate Discussion Forum

    Suricata GUI package v3.0_6 for pfSense 2.3 - Release Notes

    IDS/IPS
    29 Posts 5 Posters 7.5k Views
    nikkon

      Still 0 alerts... damn... this is either way good and bad, I suppose. :P Not sure it really does anything.

      pfsense 2.3.4 on Supermicro A1SRi-2758F + 8GB ECC + SSD

      Happy PfSense user :)

      bmeeks

        @nikkon:

        Still 0 alerts... damn... this is either way good and bad, I suppose. :P Not sure it really does anything.

        You could run an nmap scan using an option that is sure to trigger some of your rules.  For me, I enable the ET-Scan rules and then run an nmap services scan against the host to trigger alerts.  I use virtual machines for my testing, but it can work on a physical host as well.  There are web sites out there you can use to externally scan or "attack" a firewall to generate traffic that should alert.  Of course "should" is the operative word because it depends on exactly what rules you have enabled.  The ET-Scan rules are pretty good in my view for that kind of test.

        Bill

        nikkon

          Never restarted... still 0 alerts.
          Now... could it be because I use /var & /var are in RAM? I use a RAM disk for those and Suricata keeps logs in /var.

          bmeeks

            @nikkon:

            Never restarted... still 0 alerts.
            Now... could it be because I use /var & /var are in RAM? I use a RAM disk for those and Suricata keeps logs in /var.

            The log files should get created, but depending on space in the RAM disk you may be exhausting it and logging fails.  Also, a reboot will wipe out logs when they are on a RAM disk.

            If you have a NanoBSD installation, I can pretty much guarantee you that neither Suricata nor Snort will perform well.  There are just too many limitations with NanoBSD.  If you have a conventional full install with a hard disk, then why would you be using the RAM disk option?  Suricata and Snort log a bunch (and I mean a bunch) of stuff.  Either package can easily overwhelm a RAM disk even with moderate network traffic.

            Bill

            nikkon

              I use an amd64 install on 8 GB ECC.
              /var has 1500 MB defined, so I have enough space. I only use 15%.
              There is something else wrong... I don't get it yet :(

              bmeeks

                @nikkon:

                I use an amd64 install on 8 GB ECC.
                /var has 1500 MB defined, so I have enough space. I only use 15%.
                There is something else wrong... I don't get it yet :(

                Give me two more pieces of information.  Post a screenshot of the main INTERFACES tab in Suricata (so I can see the enabled interfaces and their current running state), and then post the contents of the suricata.log file (if it exists).  To see that file, go to LOGS VIEW, select your WAN interface (if that's where Suricata is configured) and then choose suricata.log in the drop-down.  The contents of the log file will be shown if the file exists.

                Bill

                nikkon

                  Thanks for helping me.
                  Here you have them :)

                  ![Screen Shot 2016-05-02 at 21.29.35.png](/public/imported_attachments/1/Screen Shot 2016-05-02 at 21.29.35.png)
                  ![Screen Shot 2016-05-02 at 21.31.36.png](/public/imported_attachments/1/Screen Shot 2016-05-02 at 21.31.36.png)

                  bmeeks

                    @nikkon:

                    Thanks for helping me.
                    Here you have them :)

                    Ahh…I see you are using PPPoE.  I am not 100% positive that is supported by the Netmap driver.  I did some limited Google research, but failed to find a definite answer.  PPPoE support on FreeBSD is relatively new to Suricata.  I really don't know about Netmap and PPPoE, though.  I don't see any errors in your suricata.log, but if you are not getting alerts then something may well not be working.

                    Have you done nmap scans against your WAN and not triggered any of the ET-Scan rules?  I know if you do the nmap services scan against your firewall and you have the Emerging Threats Scan rules active that you will get some alerts when things are working.

                    Bill

                    nikkon

                      I did the scan. Nothing happened.
                      It seems version 3.0.x supports PPPoE. This was on a bug list on 2.2.x.

                      bmeeks

                        @nikkon:

                        I did the scan. Nothing happened.
                        It seems version 3.0.x supports PPPoE. This was on a bug list on 2.2.x.

                        Yes, but aren't you using the new Inline Mode?  If so, that uses the new Netmap driver and I'm not sure that driver supports PPPoE encapsulation properly.

                        Have you tried running Suricata in the Legacy Mode for IDS?  If not, go to the INTERFACE SETTINGS tab and change the mode from Inline to Legacy.  Save the change and then restart Suricata.  Run the nmap scan again and report.

                        Trying to narrow down if this is indeed a Netmap-related problem.  Snort does not use Netmap.  Unfortunately I do not have a PPPoE connection to test with.

                        Bill

                        nikkon

                          Legacy mode set!
                          We'll perform the test and report the result ASAP.

                          nikkon

                            Same behaviour - 0 alerts.

                            bmeeks

                              @nikkon:

                              Same behaviour - 0 alerts.

                              That is indeed strange.  As I said, I do not have a PPPoE connection to test with.  Just for grins, stand up a Suricata instance on your LAN, give it more or less the same rules (certainly give it the ET-Scan rules) and then run an nmap services scan from a LAN host against the firewall.  That should generate some alerts (may not block depending on Pass List settings, but it should alert).  The idea for this test is to make sure your basic Suricata configuration is correct.  If you get alerts on the LAN but not the WAN, then the PPPoE part of Suricata is potentially not working.  However, if you still get no alerts on the LAN, then you more likely have a firewall/Suricata configuration issue.

                              The nmap command is

                              ```
                              nmap -sV [target_ip]
                              ```

                              Bill
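An added example, not part of the thread and not code from the Suricata package: once the `nmap -sV` scan above has been run against the firewall, the question is whether Suricata actually wrote ET SCAN alerts to its fast-format alerts.log (the pfSense package typically keeps one such log per interface under /var/log/suricata/, which is the directory nikkon has on a RAM disk). This script parses that format, keeps only alerts whose message starts with "ET SCAN", and, importantly, only those timestamped at or after the moment the scan was started, so leftovers from an earlier test cannot be mistaken for a pass. The sample log lines, the SIDs in them, and the script name are constructed for illustration.

```python
# Added example: verify ET SCAN alerts in a Suricata fast-format alerts.log after an nmap test.
import re
import sys
from collections import Counter
from datetime import datetime

# One alert per line, Suricata "fast" output, e.g.
# 05/02/2016-21:31:02.404040  [**] [1:2000537:8] ET SCAN NMAP -sS window 1024 [**]
#   [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40002 -> 192.168.1.1:443
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"          # classification is optional
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"


def parse_fast_line(line):
    """Return a dict for one fast-format alert line, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["sid"] = int(rec["sid"])
    rec["pri"] = int(rec["pri"])
    return rec


def et_scan_alerts(lines, since=None, prefix="ET SCAN"):
    """Alerts whose message starts with `prefix`, fired at or after `since` (None = no time filter)."""
    hits = []
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None or not rec["msg"].startswith(prefix):
            continue
        if since is not None and rec["ts"] < since:
            continue  # stale alert from before the test started
        hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (sid, msg) so you can see which ET SCAN rules fired."""
    return Counter((h["sid"], h["msg"]) for h in hits)


# Constructed sample (not a real capture): what alerts.log might hold after an nmap -sV
# from a LAN host at 192.168.1.50 against the firewall at 192.168.1.1.  The first line
# predates the test window; the fourth is not an ET SCAN rule; the last is not an alert.
SAMPLE_LOG = """\
05/02/2016-21:20:11.000001  [**] [1:2000537:8] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.1:22
05/02/2016-21:31:02.404040  [**] [1:2000537:8] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40002 -> 192.168.1.1:443
05/02/2016-21:31:03.123456  [**] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:40003 -> 192.168.1.1:445
05/02/2016-21:31:05.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.1:80 -> 192.168.1.50:40004
this line is not an alert and must be ignored
"""

if __name__ == "__main__":
    # Usage: check_et_scan.py <alerts.log> <MM/DD/YYYY-HH:MM:SS when the nmap scan started>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
        since = datetime.strptime(sys.argv[2] + ".000000", TS_FMT)
    else:
        lines = SAMPLE_LOG.splitlines()
        since = datetime(2016, 5, 2, 21, 30, 0)
    hits = et_scan_alerts(lines, since)
    if not hits:
        print("no ET SCAN alerts since", since, "- Suricata is probably not seeing the traffic")
        sys.exit(1)
    for (sid, msg), n in summarize(hits).most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
```

Run it against the interface's alerts.log with the time you launched nmap; a non-zero exit with no hits is the "0 alerts" symptom from this thread, and is worth repeating on a LAN-side instance (as Bill suggests) before blaming PPPoE or Netmap, since it separates a rule/configuration problem from an interface-capture problem.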
                              nikkon

                                I have doubled the rules for the LAN interface and performed the test.

                                For some unknown reason... maybe the start/restart of the service... I started seeing WAN alerts.
                                I have no explanation... still looking into it to understand why it started working now.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.