    IDS decisions for home network

      Heisenberg1977:

      I'm trying to decide whether to go with Snort or Suricata on my home network.

      One of the deciding factors is going to be rulesets. Is the Talos paid subscription worth purchasing?


        Heisenberg1977:

        I'm also trying to weigh the differences of Inline vs. Legacy. As per the note from @bmeeks it seems that Inline is the way to go. That would give an advantage to Suricata. I've read many posts about Suricata not being able to fully utilize the Snort Talos ruleset. What is the verdict on this?

        How is This Different Than Today and Why is It Better?
        Today, Suricata works in conjunction with the packet filter (pf) engine in the firewall to block offending traffic. However, Suricata does not sit inline between the NIC and the firewall. Instead, the PCAP library is used to make copies of the packets as they move from the network card to the kernel and packet filter. Suricata examines those copies while the original packets continue on to the packet filter. The firewall may drop them for not matching rules, but otherwise those packets are allowed through. Suricata generally needs to examine several packets in order to determine if traffic is malicious or not. While it is doing that with those copies of the packets, remember that the original packets are still getting through. They have even established a "state" in the firewall's state table and will continue to flow even if later Suricata wants to block them. We call these early packets that get through "packet leakage".

        If Suricata determines the traffic is malicious (matches one or more rules), then it inserts the offending IP address into the FreeBSD packet filter table called snort2c. This is a custom table created by pfSense at boot up and is located very early in the firewall rule chain. If you have enabled the "kill states" option for Suricata, then it will also clear the state table entries for the IPs it blocks in order to terminate any flows (sessions) that may have been established by those early packets that got through while Suricata was analyzing the copies.

        With inline mode, there is no packet leakage. This greatly enhances security.


          bmeeks:
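The quoted note above describes three outcomes for one malicious flow: legacy mode without "kill states" (the established state keeps passing traffic after the block), legacy mode with "kill states" (only the early packets leak), and inline mode (the alerting packet is dropped before it reaches pf). The following toy model is an added illustration, not code from this thread or from the pfSense Snort/Suricata packages; the source address 203.0.113.5, the DETECT_AFTER threshold and the simplified pf lookup order are assumptions.

```python
"""Toy model of 'packet leakage': legacy (PCAP copy) mode vs inline mode.

Constructed illustration, not code from the forum thread or the pfSense
Snort/Suricata packages. One flow from a hypothetical source 203.0.113.5
is fed through a minimal pf-like firewall; the IDS needs DETECT_AFTER
packets before it can call the flow malicious.
"""

DETECT_AFTER = 4  # assumption: packets the IDS must see before it alerts


class PfModel:
    """Minimal stand-in for pf: a state table plus the snort2c block table."""

    def __init__(self):
        self.states = set()    # source IPs with an established state
        self.snort2c = set()   # IPs the IDS has asked pf to block

    def forward(self, src):
        if src in self.states:     # an existing state matches before rules are consulted
            return True
        if src in self.snort2c:    # snort2c sits very early in the rule chain
            return False
        self.states.add(src)       # first packet of a new flow creates state
        return True

    def block(self, src, kill_states):
        self.snort2c.add(src)
        if kill_states:            # the 'kill states' option clears the flow's state
            self.states.discard(src)


def run_flow(mode, kill_states=False, n_packets=10, src="203.0.113.5"):
    """Return (packets forwarded, packets forwarded from the alerting packet on)."""
    pf = PfModel()
    forwarded = after_alert = 0
    for i in range(1, n_packets + 1):
        alert_now = i >= DETECT_AFTER             # IDS verdict for this packet
        if mode == "inline":
            if alert_now:                         # held until inspected, then dropped
                pf.block(src, kill_states)
                continue
            passed = pf.forward(src)
        else:                                     # legacy: original forwarded now,
            passed = pf.forward(src)              # copy inspected in parallel
            if alert_now:
                pf.block(src, kill_states)
        if passed:
            forwarded += 1
            after_alert += alert_now
    return forwarded, after_alert
```

run_flow("legacy") forwards all 10 packets, run_flow("legacy", kill_states=True) forwards the 4 that arrived before the state was cleared, and run_flow("inline") forwards only the 3 packets inspected before the verdict.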

          Don't sweat too much for just a home network. That's not exactly a juicy target for nation-state hackers. Either package will work fine for you. Be aware that Inline IPS Mode with Suricata is very sensitive to having Netmap support in the NIC hardware driver. Very few NICs work perfectly with Netmap on FreeBSD at the moment. So depending on your hardware, Inline IPS Mode might not even work for you. Legacy Mode Suricata will always work.

          As for rules, I pay the $30 for the annual Snort VRT subscription. I'm still using Snort for my home network protection, but just because that's what I started with and never got around to changing even after I created the Suricata package for pfSense. You can use a combination of the free Emerging Threats rules and the paid Snort subscription and have good security in my view. You can also stay completely free and use the free Snort VRT rules. You can register and use the free version, or register and pay for the subscription. The carrot that comes with the paid subscription is you get new rules immediately upon them being released. With the free version, you don't get new rules until they have been out for the paying folks for 30 days (in other words, the rules are 30 days old).

          Bill


            Heisenberg1977:

            Thanks Bill. My hardware is an APU2C4, but based on your feedback and additional research I am going to purchase the Talos ruleset and go with Snort. My pfSense is not only to defend my home network, but I am also building a lab for various things such as malware analysis. Thanks again for your wonderful contributions to the community.


              JasonAU:

              @Heisenberg1977:

              Thanks Bill. My hardware is an APU2C4, but based on your feedback and additional research I am going to purchase the Talos ruleset and go with Snort. My pfSense is not only to defend my home network, but I am also building a lab for various things such as malware analysis. Thanks again for your wonderful contributions to the community.

              I have the APU2 and Suricata. I tried inline mode, but it was a bit crashy, so I have it running in legacy mode. The paid version of the Snort rules is excellent value; I use them and it's humming along great. Hopefully some day the Netmap support will improve for more NICs.

              Brisbane Queensland Australia


                pfsense_user12123:

                Is there an overview of supported network cards for inline mode?
                Using 2.4.x and FreeBSD 11, is there anything different from the old version 2.3.x?

                MB: Supermicro X11SBA-LN4F/F
                RAM: 8GB
                HD: 120 GB SSD
                Switch: Cisco SG 200-08
                AP: TP-Link AP500

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.