    Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes

    IDS/IPS
    • R
      returntrip @bmeeks last edited by

      Many thanks @bmeeks, your reply is really clear and I now understand the reasoning behind WAN vs LAN only monitoring. I have 4 internal interfaces I want to screen, so maybe I could monitor only the WAN interface, but then I would not know what internal IP an alert is generated for. Is there any way to overcome this "drawback", besides monitoring every single internal interface?

      bmeeks 1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks @returntrip last edited by bmeeks

        @returntrip said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

        Many thanks @bmeeks, your reply is really clear and I now understand the reasoning behind WAN vs LAN only monitoring. I have 4 internal interfaces I want to screen, so maybe I could monitor only the WAN interface, but then I would not know what internal IP an alert is generated for. Is there any way to overcome this "drawback", besides monitoring every single internal interface?

        No, unless you want to run the same rules for all the interfaces and they happen to be VLANs. In that case, you could put Suricata on the physical parent interface and it would see the traffic for all VLANs defined on that parent. But that does require that you want the same rules for all the internal networks (or at least all the VLANs defined on that parent).

        But also consider carefully tuning the rules you have enabled on interfaces. Customize the rules for the vulnerabilities on that network. Most folks tend to enable way more rules than they actually require. The fewer rules Suricata has to work through, the smaller the drain on CPU resources and RAM.

        R 1 Reply Last reply Reply Quote 1
        • R
          returntrip @bmeeks last edited by

          @bmeeks very interesting. I am running pfSense as a router on a stick with only 1 physical interface which provides 1 VLAN for WAN and 4 VLANs for internal... so I guess it would be much easier for me to monitor the parent interface for everything. I do not think I would need separate rules per IF.

          bmeeks 1 Reply Last reply Reply Quote 0
          • bmeeks
            bmeeks @returntrip last edited by bmeeks

            @returntrip said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

            @bmeeks very interesting. I am running pfSense as a router on a stick with only 1 physical interface which provides 1 VLAN for WAN and 4 VLANs for internal... so I guess it would be much easier for me to monitor the parent interface for everything. I do not think I would need separate rules per IF.

            Well, in your case with everything on one physical interface, you gain nothing.

            Suricata runs the interface in promiscuous mode anyway. So there is no real advantage to changing anything in your case.

            But that is not the most secure setup. Having WAN and LAN mixed at Layer 2 is not a good idea in my view.

            R 1 Reply Last reply Reply Quote 0
            • R
              returntrip @bmeeks last edited by returntrip

              @bmeeks I hate this setup, but I have some limitations due to the HW I use for pfSense and cabling. I need to get my ISP NTU moved next to my pfSense. At the moment I have three switches between the NTU and FW... Here is my setup in case you want to get depressed:

              https://forum.netgate.com/topic/138244/2-switches-between-router-on-a-stick-and-modem?_=1677266087572

              The only difference is that the switch attached to the NTU is a Cisco 2960G IIRC.

              So would it be sufficient to monitor only the LAN VLAN IF and all would be covered?

              bmeeks 1 Reply Last reply Reply Quote 0
              • bmeeks
                bmeeks @returntrip last edited by

                @returntrip said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                @bmeeks I hate this setup, but I have some limitations due to the HW I use for pfSense and cabling. I need to get my ISP NTU moved next to my pfSense. At the moment I have three switches between the NTU and FW... Here is my setup in case you want to get depressed:

                https://forum.netgate.com/topic/138244/2-switches-between-router-on-a-stick-and-modem?_=1677266087572

                The only difference is that the switch attached to the NTU is a Cisco 2960G IIRC.

                So would it be sufficient to monitor only the LAN VLAN IF and all would be covered?

                Yes, monitoring the LAN would actually cover all the networks on that parent. Suricata will place the physical interface in promiscuous mode when it starts, and thus will see all the traffic traversing the parent.

                1 Reply Last reply Reply Quote 2
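The attribution question raised earlier in this thread (monitoring one parent interface but still knowing which internal host an alert concerns) can be answered from Suricata's own EVE JSON output, since VLAN-tagged packets seen on the parent carry their tag in the record's "vlan" array. The script below is an added example, not code from the pfSense Suricata package: it assumes EVE JSON logging is enabled, and the alert records, VLAN ids, internal networks and signature names it uses are all constructed for illustration.

```python
"""Attribute Suricata alerts captured on a VLAN parent interface to the
internal VLAN and host they concern.

Added example (not the pfSense Suricata package's code). Assumes EVE JSON
logging with the per-packet VLAN tag in the "vlan" array. Sample records and
network numbers are constructed, not real captures.
"""
import ipaddress
import json
from collections import Counter

# Constructed: the internal networks behind the router-on-a-stick, keyed by VLAN id.
INTERNAL_NETWORKS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed sample EVE JSON lines: three alerts (two on VLAN 10, one on VLAN 20),
# one non-alert record, one malformed line, and one alert with no internal side.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-02-24T10:00:01.000000+0000","event_type":"alert","in_iface":"igb0","vlan":[10],'
    '"src_ip":"192.168.10.25","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED example signature A","severity":2}}',
    '{"timestamp":"2023-02-24T10:00:02.000000+0000","event_type":"alert","in_iface":"igb0","vlan":[20],'
    '"src_ip":"198.51.100.9","src_port":4444,"dest_ip":"192.168.20.40","dest_port":445,"proto":"TCP",'
    '"alert":{"signature_id":9000002,"signature":"CONSTRUCTED example signature B","severity":1}}',
    '{"timestamp":"2023-02-24T10:00:03.000000+0000","event_type":"flow","in_iface":"igb0","vlan":[10],'
    '"src_ip":"192.168.10.25","src_port":51235,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP"}',
    'this line is not JSON and must be skipped',
    '{"timestamp":"2023-02-24T10:00:04.000000+0000","event_type":"alert","in_iface":"igb0","vlan":[10],'
    '"src_ip":"192.168.10.25","src_port":51236,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED example signature A","severity":2}}',
    '{"timestamp":"2023-02-24T10:00:05.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"203.0.113.5","src_port":1111,"dest_ip":"203.0.113.6","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":9000003,"signature":"CONSTRUCTED example signature C","severity":3}}',
]


def parse_eve_alerts(lines):
    """Yield decoded EVE records whose event_type is 'alert'; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def internal_endpoint(rec):
    """Return (vlan_id, internal_ip) for an alert, or None if neither side is internal.

    The packet's own VLAN tag is preferred; if the record carries none, the VLAN
    the matching internal network is configured on is used instead.
    """
    tags = rec.get("vlan") or []
    tagged_vlan = tags[0] if tags else None
    for key in ("src_ip", "dest_ip"):
        addr = ipaddress.ip_address(rec[key])
        for vid, net in INTERNAL_NETWORKS.items():
            if addr in net:
                return (tagged_vlan if tagged_vlan is not None else vid, str(addr))
    return None


def summarize_alerts(lines):
    """Count alerts per (vlan_id, internal_host, signature)."""
    counts = Counter()
    for rec in parse_eve_alerts(lines):
        endpoint = internal_endpoint(rec)
        if endpoint is None:
            continue  # both sides external: nothing to attribute internally
        vlan_id, host = endpoint
        counts[(vlan_id, host, rec["alert"]["signature"])] += 1
    return counts


if __name__ == "__main__":
    for (vlan_id, host, sig), n in sorted(summarize_alerts(SAMPLE_EVE_LINES).items()):
        print(f"VLAN {vlan_id:>3}  {host:<15}  {n:>3}  {sig}")
```

Run against a real eve.json the same grouping tells you, per VLAN, which internal host triggered which signature, which is the information a WAN-side instance loses behind NAT.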
                • D
                  darcey last edited by

                  @bmeeks Will 6.0.10 be made available for pfSenseCE 2.6?
                  I believe the changes that might help with this were introduced in suricata 6.0.8.

                  D bmeeks 2 Replies Last reply Reply Quote 0
                  • D
                    darcey @darcey last edited by

                    @darcey said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                    @bmeeks Will 6.0.10 be made available for pfSenseCE 2.6?
                    I believe the changes that might help with this were introduced in suricata 6.0.8.

                    Suricata issue 4421.
                    Akismet did not allow me to post two links in one post.

                    1 Reply Last reply Reply Quote 0
                    • lawrencesystems
                      lawrencesystems last edited by

                      Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

                      bmeeks 1 Reply Last reply Reply Quote 0
                      • bmeeks
                        bmeeks @darcey last edited by bmeeks

                        @darcey said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                        @bmeeks Will 6.0.10 be made available for pfSenseCE 2.6?
                        I believe the changes that might help with this were introduced in suricata 6.0.8.

                        Yes, later versions of Suricata have addressed the high idle CPU usage by reverting an earlier change in the flow manager code.

                        As for getting a newer version of Suricata in pfSense 2.6.0, I will have to investigate to see what's feasible. Depends to some degree on what, if any, shared dependency library minimum version numbers might have changed in Suricata.

                        I would love to get Suricata updated in the 2.6 CE branch, but backporting the GUI code is a large task as the change in PHP from 7.4 in pfSense 2.6 to 8.1 in pfSense 2.7 CE and 23.01 Plus resulted in wholesale rewriting of large chunks of code. And those rewrites are not directly compatible with PHP 7.4.

                        If 2.7 CE rapidly advances through testing from the current BETA phase to RELEASE, then updating Suricata will be a non-issue as the package is current in the 2.7 snapshots. But if 2.7 CE development gets significantly delayed on the way from BETA to RELEASE, then updating of some packages in 2.6 CE may need revisiting. There is a possible solution to the PHP problem by creating a specialized compatibility module of functions to accomplish in 7.4 what is happening in 8.1.

                        D 1 Reply Last reply Reply Quote 1
                        • bmeeks
                          bmeeks @lawrencesystems last edited by

                          @lawrencesystems said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                          Regarding using Suricata on WAN, correct me if I am wrong but one reason to do so is if you want it to inspect traffic when using a public facing instance of HAProxy.

                          Yes, there are certainly instances where running Suricata or Snort on the WAN may make sense for a particular network configuration. But this is more likely to be the case for pfSense used in a business network as opposed to a home network.

                          I would venture it to be very rare to need a Suricata or Snort instance running on the WAN in the typical home network. I won't say "never", but I would say "very rare" 😁.

                          1 Reply Last reply Reply Quote 1
                          • D
                            darcey @bmeeks last edited by

                            @bmeeks Thanks. That would seem not worth it then. Looking forward to CE 2.7...

                            1 Reply Last reply Reply Quote 0
                            • J
                              j.koopmann last edited by j.koopmann

                              Hi @bmeeks ,

                              I am afraid the Pass List improvements broke things here. I am using legacy mode. I have long had the trouble that /24 networks did not work in the pass list so on top of the /24 I put specific /32 IPs in the pass list for important machines.

                              While conducting tests I can reproducibly block my laptop even though it is part of the /24 network and the pass list has this specific IP in it as well. At least the latter worked up until this upgrade.

                              The correct pass list is enabled in the settings. And via "View" I can confirm that both the home network /24 and my laptop's /32 are in it.

                              Running 23.01.

                              bmeeks 1 Reply Last reply Reply Quote 0
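Before attributing a block like the one reported above to the package, it helps to confirm that the host really is covered by the list as written. The checker below is an added example, not the pfSense Suricata package's own pass-list code: it assumes the list is plain text with one IP or CIDR per line and "#" comments, that a bare IP means a /32, and that an entry with host bits set is normalised to its network (how the package itself treats such entries is not something this example claims). The sample list is constructed.

```python
"""Report which Pass List entries cover a given host.

Added example, not code from the pfSense Suricata package. Assumes a plain
text list, one address or CIDR per line, '#' comments; bare IPs are /32.
The sample list is constructed.
"""
import ipaddress

SAMPLE_PASS_LIST = """\
# constructed pass list for illustration
192.168.1.0/24      # home network
192.168.1.50        # laptop, bare IP is treated as /32
10.0.0.5/24         # host bits set: normalised to 10.0.0.0/24 (assumption)
not-an-address
"""


def parse_pass_list(text):
    """Return (networks, rejected) where rejected is a list of (line_no, entry)."""
    networks, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries whose host bits are set instead of raising
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((line_no, entry))
    return networks, rejected


def covering_entries(ip, networks):
    """Entries that contain ip, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in networks if n.version == addr.version and addr in n]
    return sorted(matches, key=lambda n: n.prefixlen, reverse=True)


def is_passed(ip, networks):
    """True if at least one list entry covers ip."""
    return bool(covering_entries(ip, networks))


if __name__ == "__main__":
    nets, bad = parse_pass_list(SAMPLE_PASS_LIST)
    for line_no, entry in bad:
        print(f"line {line_no}: cannot parse {entry!r}")
    for host in ("192.168.1.50", "192.168.1.7", "192.168.2.1"):
        hits = [str(n) for n in covering_entries(host, nets)]
        print(f"{host:<15} passed={is_passed(host, nets)!s:<5} by {hits}")
```

If a host shows as covered here but is still blocked, the list file the running Suricata instance loaded is the next thing to compare against the one shown in the GUI.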
                              • bmeeks
                                bmeeks @j.koopmann last edited by

                                @j-koopmann:
                                Will you please share that Pass List? I would like to reproduce the conditions in my test virtual environment as best I can.

                                I have never been able, for some reason, to reproduce this issue of Pass List entries not working. They always work in my testing 🤔.

                                N 1 Reply Last reply Reply Quote 0
                                • N
                                  NRgia @bmeeks last edited by

                                  @bmeeks Can we retest the issue for doubled interfaces with the 6.0.10_3 version, or are you still working on another fix?

                                  bmeeks 1 Reply Last reply Reply Quote 0
                                  • bmeeks
                                    bmeeks @NRgia last edited by

                                    @nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                                    @bmeeks Can we retest the issue for doubled interfaces with the 6.0.10_3 version, or are you still working on another fix?

                                    Yes, you can retest if you want to. Be sure you have an easy recovery ready in the event the patch was not successful. I was not able to reproduce the actual duplication, so I had to theorize a potential cause and craft a fix from that angle. So, I cannot say with 100% certainty I fixed it because I could not reproduce the failure and then verify my "fix" prevented the failure.

                                    I am working on fixing the PHP error mentioned in a different thread, so I will be submitting another package update soon. It would be nice to know if my interface duplication fix worked, so if you test, post back here. If the fix is not successful, I can revisit my theory.

                                    N G 2 Replies Last reply Reply Quote 0
                                    • N
                                      NRgia @bmeeks last edited by

                                      @bmeeks
                                      Issue with the doubled interfaces is fixed.
                                      I performed 2 tests:

                                      1. Upgrade in place from 6.0.10_1 to 6.0.10_3
                                      2. I've removed 6.0.10_1 and installed 6.0.10_3

                                      In both cases I found no issues.
                                      Thank you for the fix.

                                      bmeeks 1 Reply Last reply Reply Quote 0
                                      • bmeeks
                                        bmeeks @NRgia last edited by

                                        @nrgia said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                                        @bmeeks
                                        Issue with the doubled interfaces is fixed.
                                        I performed 2 tests:

                                        1. Upgrade in place from 6.0.10_1 to 6.0.10_3
                                        2. I've removed 6.0.10_1 and installed 6.0.10_3

                                        In both cases I found no issues.
                                        Thank you for the fix.

                                        Thank you for testing! Glad to know that serious bug is fixed.

                                        1 Reply Last reply Reply Quote 1
                                        • G
                                          greenflash @bmeeks last edited by

                                          @bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
                                          Thanks a lot for your work!

                                          bmeeks 1 Reply Last reply Reply Quote 0
                                          • bmeeks
                                            bmeeks @greenflash last edited by

                                            @greenflash said in Suricata 6.0.10_1 Update for pfSense Plus 23.01 - Release Notes:

                                            @bmeeks In my case the doubled interfaces bug was also fixed with 6.0.10_3
                                            Thanks a lot for your work!

                                            Glad you are all set. Thank you for the feedback.

                                            1 Reply Last reply Reply Quote 1