Clearing disk
-
@ILIKENETGATE said in Clearing disk:
both Snort and Suricata
Can't tell - I do not use snort neither Suricata. Check out their pfSense GUI part is log file management exists. If not : yes, you should use the one and only real management interface : the console or SSH access.
Btw : both programs are excluded from the club "install them and forget them", as you said, they are beasts in many ways. The fact that these tools create huge log files is know - check out the forum and you will find identical messages : big log files => => file system full => system goes bad.Normally, if big log files are needed, you shouldn't use pfSense to store these files, but set up the packages so they log to a remote "syslogger". These have the disk space to handle these kind of logs.
-
@Gertjan OK so I went into Suricata and I had turned on all the logging and have have now turned them off. The Disk Usage is still almost full so it must be the stuff for before I turned it off. I'll have to figure out in Linux how to erase this disk file. Since I was new I thought storing all this stuff would be useful...but really.
You remind me of a friend who is a big console guy and teases me not to be afraid to type! I'll have to change my ways and embrace the console. So if you aren't using these two packages what do you use for intrusion protection?
-
@ILIKENETGATE said in Clearing disk:
So if you aren't using these two packages what do you use for intrusion protection?
Why do you think he would need to be using that... What are you doing that you think you need to be using it?
IPS is not by any means a requirement to have a secure setup. And it what possible scenario could you possible think a good idea to run 2 different ones on the same box?
I do not run ips or ids on home nor the work deployments of pfsense appliance we have running... Since its not justified in any of the locations and how networks are being used.
-
@ILIKENETGATE said in Clearing disk:
<snip> I'll have to figure out in Linux how to erase this disk file. Since I was new I thought storing all this stuff would be useful...but really. <snip>
@ILIKENETGATE, standard practice in the *nix environments is to check your logs -i.e.
/var/logoften, and because of that most *nix admins know their system well. Old "hacker folklore" type stuff. @Gertjan is telling you about SSH; use it. Practice; open a shell ("command line") on your *nix box and typeman rm; this should give you help for the REMOVE command in *nix. Also do aman ssh. @Gertjan gave you most of the tools to success after you brush up on the use of those two tools. -
new here:
@johnpoz, your style (response style) reminds me of a Squirrel I used to know.
*just got the chills* -
Your new here JohnKaul - but calling a mod a squirrel prob not a great start ;)
Or anyone for that matter..
-
:]
Just don't go reaching for any trouts--and we'll be just fine-. ...The 'Squirrel' had serious (scary serious) chops and taught me a lot in my early days (but obviously still puts the fear of __ in me). -
Dude are you on something?
You should be careful on what slang you use until you know that the audience uses it to mean the same thing..
-
https://en.wikipedia.org/wiki/Wikipedia:Whacking_with_a_wet_trout
-
Yes I am well aware of the old irc days and slapping someone with a trout..
Do you understand the other meanings that can have? :) And the negative connotation of what a squirrel could mean?
-
@johnpoz Looks like you guys are having a lots of fun without me. Rather than brut force removing files in the consol I went into the two programs that are generating these logs and removed the many check marks for the various things being logged. Additionally I changed the number of days that the logs are saved to 1 day for now until more disk space is freed up. This seems to be working. I think I'll keep these two on for now until I know more of what I'm doing to protect myself. Thanks for the assistance.
-
@ILIKENETGATE said in Clearing disk:
So if you aren't using these two packages what do you use for intrusion protection?
@johnpoz said in Clearing disk:
Why do you think he would need to be using that... What are you doing that you think you need to be using it?
These two - three questions are important.
@ILIKENETGATE : do you really think that snort or Suricata can scan traffic that users, using devices on a local LAN, brought in from the 'dangerous' Internet to their devices ? Nearly all traffic is SSL protected these days.
I do not want - and I do not even want to try, to 'see' what traffic comes over.Btw : by default : nothing comes in what wasn't request (from LAN).
And yes, I'm old school in this way : I do get angry when people do things that they shouldn't do with their PC's.
Like putting the gear box in their car in R (of Race) when they reached 120 miles per hours,
Or opening that mails that really promised a lot of money,
Or it really came from Trump himself.
Etc.
I've seen them all - and still, now and then it get's better every day. I don't need a program to tell me when I see bullshit. A GUI is just great for this : it has always a garbage button, and, like Windows 10, it's they only icon you have on your screen !!Also : command line management isn't human, shouldn't be considered normal, and should be band forever. But, fortunately, I was there when the first 6502 (and 6800) came out. Intel followed just after that with a architectural disgusting 8088 (but history tells us the 'won' the market). In that time everybody searched to control those animals, there was no VGA (or CHA, or Hercules) screen then. A VT compatible terminal was what you got.
So, cryptic commands are what we had to control.
The same commands are still used to control Windows server 2012 these days - big mail and web servers, all the DNS stuff, and better : there is NO web interface to control Internet.
If you really could see what an email is today, you wouldn't believe it : a bunch of 'commands' back from the seventies (last century). But Outlook (or Thunderbird) hides all that for you : these programs use these commands for you.I still do think, today, that people should know what a filesystem is, and how, at least, they can navigate into it, see sizes - you saw your disk full, right ? - so : delete that file (and because were are smarter as other animals : make a backup first ^^)
Btw : FreeBSD (pfSense) is not Linux - isn't iOS (from Apple) but they are all very similar - Our Fat32 or NTFS is just a more modern version of what had before.
Well .. ok... all these words weren't needed, so I'll pound you a real (my !) view of the situation :
When you decided to use packages as Snort and Suricate, you should able able to manage them.Using the GUI where it is possible. Console access isn't an option anymore for 'other' tasks. -
@Gertjan Well I think we're from the same generation. I put myself through college selling Apple ]['s with that 6502 so I realize how far we've come from that. Thank God for the GUI or otherwise we'd be read our news online from a news service called The Source with green letters scrolling across the screen at 300 baud. I was a victim of a hack recently so I'm trying to get my "chops" up better to protect myself so getting the better router and putting up a my best defense has now been planted in my DNA. All your preventative methods you speak of are nice and were practiced by me but to no avail. I can tell you there are a lot of shitty people out there and I would like to do whatever I can to keep them at bay short of simply throwing out my computer but that isn't too practical these days.
...so I keep on keeping on...
-
https://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
-
@JohnKaul Thanks John. A bit dated but interesting nonetheless.
-
@ILIKENETGATE said in Clearing disk:
I think I'll keep these two on for now
Your going to continue to run 2 IPS, both at the same time? Really? And you don't see a problem with that?
Dude pick one and use it, if you think is protecting you... Not both! You don't run 2!!
-
@ILIKENETGATE said in Clearing disk:
@JohnKaul Thanks John. A bit dated but interesting nonetheless.
No problem but I hope you didn't miss the point. Date has nothing to do with it; that link was to show you the history -i.e. that one is the replacement for the other (you use one or the other, not both). Read the paper, it's a quick 15 minute read (and it's quite interesting).
@johnpoz said in Clearing disk:
<snip>
Dude pick one and use it, if you think is protecting you... Not both! You don't run 2!!^^ What he said.
-
@JohnKaul No I did read the article. My comment about the datedness of it was that haven't these two leapfrogged each other over the past 6 years since they were both tested. Snort seemed interesting to me with it's $30 a year subscription that helps pay for what they do. Playing devil's advocate, what's wrong using both? It seems my 3100 is keeping up with it and computers are speedy when browsing. Go easy on me as I'm a newby and want learn...
-
@ILIKENETGATE, I'm a newbie too. If the 3100 has more then one core, just run Suricata. But before you turn it on, establish what you want to do with it -i.e. monitor certain aspects of your infrastructure or etc. The point behind them both/either is that you need to check your logs. You use the tool to keep an eye on your setup and make improvements (it is not a "turn it on to keep me safe" thing, per se).
I know nothing, other then a very, very high-level overview of these types of tool(s)--because I hate this hardware and network stuff--so, I'd do a lot of reading if I were you (take what I say with a grain of salt). And if I'm honest, I have a friend--into this network security stuff--who's been urging me down a certain path but what he wants to do will require me to actually do some work, so I'm here only because I'm researching an easy way out. ...I want to just buy a thin client and install OpenBSD on it for my firewall.
-
@ILIKENETGATE Another question. So it looks like reading the article again that Suricata is better overall. I caught a sentence in there that Suricata gleans it's beginnings from Snort's initial work. So does the data that Snort gathers NIDS wise and releases every 30 days in the form of updates, and my $30 a year subscription, work on Suricata if so I'll kill Snort?
