Pfsense Migrate Snort to Suricata



  • I have been having maddening Pfsense lock downs. Parts of Facebook for my "phone" home users will not load. A reboot fixes it. I have looked at the logs and can't find anything. To be honest, I really don't think it is Snort's fault. I've disabled it and it still does it, however, I'm actually thinking of banging out and going to OPNsense. Not made up my mind. It supports Suricata and my son has had it, and had ripped Pfsense out. I know Bill is fantastic staying on top of Snort so this is kind of directed at him. Is there a best practices to migrate from Snort to Suricata? Is that a bad idea? Because it is multi-threaded and I have a pretty powerful CPU now, I'm thinking it makes more sense to go that route. Looking for advice.



  • @lshantz said in Pfsense Migrate Snort to Suricata:

    I have been having maddening Pfsense lock downs. Parts of Facebook for my "phone" home users will not load. A reboot fixes it. I have looked at the logs and can't find anything. To be honest, I really don't think it is Snort's fault. I've disabled it and it still does it, however, I'm actually thinking of banging out and going to OPNsense. Not made up my mind. It supports Suricata and my son has had it, and had ripped Pfsense out. I know Bill is fantastic staying on top of Snort so this is kind of directed at him. Is there a best practices to migrate from Snort to Suricata? Is that a bad idea? Because it is multi-threaded and I have a pretty powerful CPU now, I'm thinking it makes more sense to go that route. Looking for advice.

    There is no "migrating" to Suricata. You would have to remove the Snort package and install Suricata then configure it from scratch. Performance wise there is pretty much zero difference in the two. Multithreaded is not what it is hyped up to be. It makes a marginal difference on very, very busy network links. I'm talking almost saturated gigabit links, and nobody has that on a home connection. Short downloads at line max aren't worth considering. For Suricata's multithreading to make any difference you would need to pretty much keep a gigabit link saturated. No home user I know of is going to do that. So forget migrating to improve performance because you will be disappointed.

    What are you rebooting? Is it the pfSense box, or your network device (phone, PC, etc.)? You may have a hardware issue someplace, especially since you say the issue continues with Snort disabled. Now I assume when you disable Snort that you are also going to the BLOCKS tab and clearing any active blocks. Those will not magically disappear just because you stop the Snort binary on the INTERFACES tab. Remember the firewall is doing the blocking, not Snort. All Snort does is examine the alert, pull out the IP addresses, and then gives those to the firewall to block. After that the firewall will block until you either reboot pfSense, you manually clear the blocks like I described, or if you have a setting other than NONE for the Clear Blocked Hosts interval and that interval timer has expired.

    So assuming my description in the previous paragraph rang a bell and you realized you had not been clearing any blocks after stopping the Snort process, then my next theory would be you need to do some rule tuning. Most likely on the HTTP_INSPECT preprocessor rules. Look at the alerts you received on the ALERTS tab and see what they were. You can correlate them with the device IP addresses. See which rules blocked a device. Go research what the rule is doing using Google and then decide if you should either suppress the alert from that rule using one of the suppress options or disable the rule completely.
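
The blocking and tuning flow Bill lays out above, as an added example (not code from the thread or from the pfSense Snort package): Snort writes an alert, the package pulls the two IP addresses out of it, drops the ones on the pass list, and hands the rest to pf, where they sit in the snort2c table until it is flushed. The alert lines, the LAN addresses and the pass list are constructed sample data, and the pfctl commands are printed rather than run so the script works anywhere; on a real pfSense box the `pfctl -t snort2c -T show` / `-T flush` commands are what the BLOCKS tab is doing for you.

```sh
#!/bin/sh
# Added example for this thread, not code from the pfSense Snort package.
# It mirrors the flow described above: Snort emits an alert, the package
# extracts the two IPs and hands them to pf (table snort2c), and the block
# stays until that table is cleared. All alert lines, IPs and the pass list
# below are constructed sample data, not real traffic.

# Constructed sample alerts in the one-line "fast" format Snort writes to
# its alert file: [gid:sid:rev] message ... {PROTO} src:port -> dst:port
SAMPLE_ALERTS='04/02/24-09:15:01.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 157.240.1.35:443 -> 192.168.1.50:51234
04/02/24-09:15:07.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 157.240.1.35:443 -> 192.168.1.51:40001
04/02/24-09:20:33.456789  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.60:33333
04/02/24-09:21:00.000000  [**] [1:254:14] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 1.1.1.1:53 -> 192.168.1.50:57000'

# Assumed pass list: hosts Snort must never block. pfSense's default list
# carries the LAN net; 1.1.1.1/1.0.0.1 stand in for a hand-added DNS entry.
PASS_LIST='192.168.1.0/24 1.1.1.1 1.0.0.1'
MASK32=4294967295

# Reduce each alert line on stdin to "gid:sid src dst".
alert_tuples() {
    sed -n 's/^.*\[\([0-9][0-9]*:[0-9][0-9]*\):[0-9][0-9]*\].*{[A-Z]*} \([0-9.]*\)[:0-9]* -> \([0-9.]*\)[:0-9]*$/\1 \2 \3/p'
}

# Dotted quad to a 32-bit integer (octets without leading zeros assumed).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True if address $1 lies inside $2, given as a.b.c.d/bits or a bare address.
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( (MASK32 << (32 - bits)) & MASK32 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

passlisted() {
    for entry in $PASS_LIST; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Hosts that would land in the snort2c table: both ends of every alert
# (the package's "Which IP to Block: BOTH" setting), minus the pass list.
blocked_hosts() {
    alert_tuples | awk '{ print $2; print $3 }' | sort -u | while read -r ip; do
        passlisted "$ip" || echo "$ip"
    done
}

# Alert count per rule, busiest first: the tuning view of the ALERTS tab.
rule_hits() {
    alert_tuples | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Snort suppress-list lines that silence rule $1 (gid:sid) for each
# destination host it fired on, leaving the rule active for everyone else.
suppress_entries() {
    alert_tuples | awk -v r="$1" '$1 == r { print $3 }' | sort -u |
        while read -r ip; do
            echo "suppress gen_id ${1%:*}, sig_id ${1#*:}, track by_dst, ip $ip"
        done
}

# What the package effectively does with the surviving addresses, as pfctl
# commands. Printed, not executed, so this runs off the firewall too.
pfctl_block_cmds() {
    blocked_hosts | sed 's/^/pfctl -t snort2c -T add /'
}

echo '# rule hits';        printf '%s\n' "$SAMPLE_ALERTS" | rule_hits
echo '# blocks pf gets';   printf '%s\n' "$SAMPLE_ALERTS" | pfctl_block_cmds
echo '# suppress 120:3';   printf '%s\n' "$SAMPLE_ALERTS" | suppress_entries 120:3
echo '# undo the blocks:   pfctl -t snort2c -T flush'
```

The point the output makes is the one in the post: the LAN phones never get blocked (they are on the pass list), but the remote server they were talking to does, so every client behind the firewall loses that server until the table is flushed or the Clear Blocked Hosts interval expires. Whether a suppress entry should track by_src or by_dst depends on which side of the alert is your own device; the sample HTTP_INSPECT alerts name the phone as the destination, so the entries track by_dst.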



  • @bmeeks said in Pfsense Migrate Snort to Suricata:

    What are you rebooting?

    I'm sorry. As usual I'm not clear. The pfsense box. Once it is rebooted all returns to normal. The reason I feel like it is not Snort (I may well be wrong) is that always in the past, the logs there show me the offending IP address and why it was blocked. Easy peasy. There is no record that I can find of what is triggering things not getting out. For instance, I have a robot cleaner. For whatever reason, they have elected to put the floor plan map on the cloud and before it can clean, it downloads the floor plan to the bot. This stopped getting out the wan port. A reboot and off and running.

    As far as the migration, point taken. I'm not sure, but I don't think Snort is supported on OPNsense. Thus my question. I have had many unexplained corruption issues. Things get borked with no intervention or changes. So my son has already made the switch. I'm watching with great interest to see how it goes for him.

    Snort that you are also going to the BLOCKS tab and clearing any active blocks.

    DOH! I totally forgot about that. Armed with this reminder, I'll go back and work on it again. I'm really thinking it isn't Snort though since it has been a year or so since I've made any rule changes. That being said, I guess Facebook could have started doing something different. And my Neato Bot is a new addition.

    Thanks again Bill for all that you do!

    Lorne



  • @bmeeks

    Oh, one more thing... I have whitelisted Facebook IP addresses/domain name. My laptop on wireless is fine. It is just the Android and iPhones that can't drill down into the comments of a message. It is very strange. I'm thinking I'll do a packet trace right now of it working, and then when it stops, try to see if I can find out what is different.

    The bot is something new that just popped up, since I just bought it.



  • Do you have any other packages running on pfSense (like maybe pfBlocker or Squid)? If so, check that one of them is not at fault.
    Might also be something related to IPv6. Note that if enabled, many (if not most) mobile phones will grab and prefer an IPv6 address over an IPv4 one. That can cause issues, most especially if you have something like a Hurricane Electric tunnel broker account as the HE IPv6 ranges are looped in as being "VPNs or proxies" by most of the major streaming platforms and thus get blocked. Not sure if that applies to social media platforms, though. They probably should still work.

    No, there is no Snort package for OPNsense as there is for pfSense. And on OPNsense, Suricata is baked into the OS and is not an add-on package as it is on pfSense. There is no similarity between the two GUI setups. The only thing the same is that both ultimately depend on the same Suricata binary daemon to perform the real IDS/IPS work.



  • @bmeeks said in Pfsense Migrate Snort to Suricata:

    Do you have any other packages running on pfSense (like maybe pfBlocker or Squid)? If so, check that one of them is not at fault.

    I DO have pfblocker and turned it off. Perhaps there are residual things that stay alive after turning it off?
    I have gone over all the logs and find nothing.

    Might also be something related to IPv6.

    I have all IPv6 turned off everywhere I can find it in Pfsense.

    I'm starting to drift out of the original header, but I just ran across where Snort is blocking 1.1.1.1 and 1.0.0.1. I whitelisted it, but for some reason it was not honoring it. I accidentally deleted the Passlist info pointing to White_list. It would NOT let me. It kept saying I can't use a FQDN as a name. Of course I was not, so it appears this constantly annoying GUI is corrupting data. I did a restore and white_list is back.

