Issues setting up Suricata



  • I am new to pfSense and just switched my spare PC from a Sophos UTM, as I got pissed off at it, to pfSense for my router and firewall. So far I have been happier with pfSense in terms of it working with my devices. It's also my first time working with BSD in a few years, having been exclusively GNU/Linux.
    I have an issue that whenever I try to set up Suricata and set up rules on the WAN from Snort and Emerging Threats, it kills my whole LAN's DNS resolution. But I can ping OpenDNS (208.67.222.222 and 208.67.220.220), and I can't browse unless I connect to my private OpenVPN server I have in the cloud. Even deleting the rules wouldn't work unless I restored a backup from before Suricata.
    I currently only have installed and configured pfBlocker and apcupsd for my APC UPS plugged in.
    What is the best way to set up Suricata, as I get confused by some of the guides and they didn't seem to resolve my issue? Do I need to set up WAN and LAN configurations for Suricata? What lists are best to enable? My network is primarily running Xubuntu (2 are Kodi boxes), a Nest thermostat, a Cisco SIP phone for my remote support job, an Obihai 200 for Google Phone, and soon-to-be security cameras on their own VLAN.

    Also, can I use Inline IPS on Suricata with my setup, and what changes would I need to make to allow for it? Will I see a performance hit overall on my network? Is my system powerful enough for my planned internet upgrade? I only have 30Mbps down and 5Mbps up internet currently, but am soon upgrading to 100Mbps down and 10Mbps up, and next year 500Mbps down with 50Mbps up.
    Core i5-3470
    16GB DDR3
    120GB Sandisk SSD
    1 x Intel CT Gigabit NIC (WAN)
    1 x Intel Quad PT Gigabit NIC (LAN)
    I also only set up 8,192MB of swap



  • You have something very weird and rare going on if Suricata kills your DNS lookup and that persists even through a reboot, and only restoring a previous config solves the problem.  That sounds like something else more than just Suricata.  Are you trying to use any of the pfBlocker DNS Blacklist files?  That setup can cause problems with the firewall's DNS resolver, unbound, in some cases.

    Do these problems happen even before you put Suricata in blocking mode?  If you have not tried that, run first for at least a week and preferably nearly a month in non-blocking mode with just alerts firing to get a feel for what happens in your network.  You almost always will get false positives that you have to filter out.  There are guides here on the forum (entire threads, actually) on how to set up suppression lists and which "most likely to false positive" rules you should consider disabling.

    As far as the Inline IPS mode goes, that is totally dependent on the specific NIC hardware in your box and what driver it uses.  If you know which driver the NIC is using, you can search Google for compatibility issues with Netmap on FreeBSD.  I will tell you in advance that not all NICs work.  In fact, not very many work 100% correctly with Netmap.  And if a NIC does not work well with Netmap, then Inline IPS mode is a no-go.

    Finally, as to running Suricata on WAN, LAN or both; here is my advice.  For home networks using NAT, I suggest running Suricata only on the LAN.  That way the addresses you see in the alerts will be traceable to the hosts that generated them by IP address.  When you run it on the WAN, it sees traffic before the NAT is undone, so all of your local hosts on the LAN will show up with the firewall's external WAN IP.  It then is quite difficult to trace down an internal host generating alerts.  You have to dig through other firewall logs.  However, if you run Suricata on the LAN, it sees traffic after NAT is undone and thus the real host IP addresses appear in the alerts.  You can run Suricata on both interfaces, but that really wastes resources for home users and does not really provide any extra security.  The firewall is going to drop all unsolicited stuff anyway if you have it configured correctly.  Running on the WAN primarily helps for folks who have web servers, DNS servers, Email servers or other public-facing hosts.  You might want Suricata on the WAN providing some protection for those externally exposed hosts.  Of course if they sit in a DMZ, you could put Suricata just on the DMZ interface.

    Bill
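
An added example, not part of the thread or of the Suricata package: one way to review the alert-only period described in the reply above, tallying alerts per rule and per LAN host and drafting `suppress` lines for a suppression list. It assumes EVE JSON logging is enabled on the LAN interface (so `src_ip` is the real host); the sample events, SIDs, rule names and addresses are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed EVE JSON sample: SIDs, rule names and addresses are made up.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.20","alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE noisy rule"}}
{"event_type":"alert","src_ip":"192.168.1.20","alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE noisy rule"}}
{"event_type":"dns","src_ip":"192.168.1.31","dns":{"type":"query"}}
{"event_type":"alert","src_ip":"192.168.1.20","alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE noisy rule"}}
{"event_type":"alert","src_ip":"192.168.1.20","alert":{"gid":1,"signature_id":1000002,"signature":"EXAMPLE other rule"}}
{"event_type":"alert","src_ip":"192.168.1.31","alert":{"gid":1,"signature_id":1000002,"signature":"EXAMPLE other rule"}}
{"event_type":"alert","src_ip":"192.168.1.31","alert":{"gid":1,"signa
"""

def summarize(lines):
    """Count alerts per (gid, sid) and per source host; skip other events."""
    counts, hosts, names = Counter(), defaultdict(Counter), {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut off by log rotation
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        alert = event.get("alert") or {}
        sid = alert.get("signature_id")
        if sid is None:
            continue
        key = (alert.get("gid", 1), sid)
        counts[key] += 1
        hosts[key][event.get("src_ip", "unknown")] += 1
        names[key] = alert.get("signature", "")
    return counts, hosts, names

def suppress_candidates(counts, hosts, min_hits=3):
    """Draft suppression lines for rules that fire repeatedly from a single
    host. The drafts are for human review, not automatic use."""
    drafts = []
    for (gid, sid), hits in counts.most_common():
        sources = hosts[(gid, sid)]
        if hits >= min_hits and len(sources) == 1:
            ip = next(iter(sources))
            drafts.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
    return drafts

if __name__ == "__main__":
    counts, hosts, names = summarize(SAMPLE_EVE.splitlines())
    for key, hits in counts.most_common():
        print(hits, key, names[key], dict(hosts[key]))
    print("\n".join(suppress_candidates(counts, hosts)))
```

A rule that fires often from one host can still be a true positive, so check each draft against the alert details before adding it to a suppression list.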