Snort fails to install.
-
Yeah, that hardware seems to have some gremlins inside. Exchange is a good idea.
-
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
-
@BlueCoffee said in Snort fails to install.:
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
The hardware you provided a link to appears fine for the job. Looks like maybe you just got unlucky and received a unit that should have failed the factory testing before it was stocked and shipped to a customer.
I am partial to Netgate hardware as purchasing that directly funds the continued development of pfSense CE.
But pretty much any Intel 64-bit CPU should work. If you want to use Snort, then you want the fastest CPU clock speed you can get. Snort is single-threaded, so that means no matter how many cores a CPU may have, Snort will only use one of them. In that scenario, faster clocks speeds trump more cores (at least for Snort).
The IDS/IPS packages want either a SSD or an actual spinning disk for logging. They can log so much stuff that a smaller eMMC can wear out quickly. In terms of RAM, anything over 4 GB is suffiicient. 8 GB would be more than enough for home use.
If you want to consider changing, Suricata is multithreaded and can can efficiently use all the cores in the CPU.
-
@bmeeks said in Snort fails to install.:
@BlueCoffee said in Snort fails to install.:
@bmeeks could you recommend me one for around 200 pounds? (if you know of any)
The hardware you provided a link to appears fine for the job. Looks like maybe you just got unlucky and received a unit that should have failed the factory testing before it was stocked and shipped to a customer.
I am partial to Netgate hardware as purchasing that directly funds the continued development of pfSense CE.
But pretty much any Intel 64-bit CPU should work. If you want to use Snort, then you want the fastest CPU clock speed you can get. Snort is single-threaded, so that means no matter how many cores a CPU may have, Snort will only use one of them. In that scenario, faster clocks speeds trump more cores (at least for Snort).
The IDS/IPS packages want either a SSD or an actual spinning disk for logging. They can log so much stuff that a smaller eMMC can wear out quickly. In terms of RAM, anything over 4 GB is suffiicient. 8 GB would be more than enough for home use.
If you want to consider changing, Suricata is multithreaded and can can efficiently use all the cores in the CPU.
Ive gone with the same one getting it tomorrow hopefully all's well with this one.
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
-
@BlueCoffee said in Snort fails to install.:
Are you the guy who made snort? I remember reading some stuff many years ago with that avatar you have.
Also can't believe I've been ruining it wrong all these years.
I did not create the original pfSense package, but I did eventually take over maintenance of it many years ago. I have been responsible for the updates to it for many years. I did create the Suricata package on pfSense.
And no, you have not been "ruining Snort" by running it on the WAN. It's just that the LAN turns out to be better. Don't despair, the very first time I installed the package many, many years ago I chose the WAN as well. But later, as I learned more about how the internal plumbing of FreeBSD and pfSense worked, I realized that putting it on the WAN makes it busy scanning Internet "noise" that the default firewall rules on the WAN are going to drop anyway. Snort (or Suricata) when running on the WAN sees inbound traffic before the firewall does. So, the firewall rules have not yet acted to clean-up and filter out the noise. But when running on the LAN, the WAN firewall rules have already eliminated the noise. And of course there is the annoyance of all the local IP addresses being masked behind the NAT operation of the firewall engine. That means all local hosts show up in any alerts as having your public WAN IP. That makes it hard to track a problem to an indvidual local host on your LAN. Running on an internal interface eliminates these disadvantages and does not impact security. All the WAN traffic still must come and go through the Snort instance on the LAN interface in order to reach any of the hosts on the LAN.
-
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
-
@BlueCoffee said in Snort fails to install.:
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
Suricata is also an IDS/IPS like Snort. It is much newer and was created by a consortium originally sponsored by Emerging Threats. Emerging Threats was purchased and absorbed into Proofpoint a few years ago.
Here is the Suricata official website: https://suricata.io/.
Snort on pfSense is currently running the older 2.9.x branch which is single-threaded. There is a new Snort3 branch that is multithreaded, but there is currently no plan to port that to pfSense. I tried twice, and there were just too many changes required and porting over an existing install was almost impossible. So, I gave up on a Snort3 package. Someone else in the future may decide to create one, but I'm not interested. I had rather continue support for Suricata. At some point in the future, the upstream Snort/Cisco folks will discontinue the Snort 2.9.x branch. At that point, unless someone has created a Snort3 package for pfSense, then Suricata will be the only IDS/IPS option on pfSense. However, a case can certainly be made that without MITM (man-in-the-middle) breaking of the encryption prevalent in all of modern network traffic, IDS/IPS software on any host but an endpoint is becoming almost useless. At least that's true in terms of payload inspection. Sure the IDS can examine headers for now, but even there moves are afoot to encrypt them as well.
Suricata offers many advantages to Snort. Chief among them is more detailed logging. You can find discussions of both Snort and Suricata in the IDS/IPS forum here on the Netgate forums site. At the moment the only shortcoming of Suricata is that it lacks an equivalent of OpenAppID.
-
@bmeeks said in Snort fails to install.:
@BlueCoffee said in Snort fails to install.:
@bmeeks I was meant to say "running" :) Thanks for the info and I thank you for your hard work over the years.
What is Suricata is it similar to snort?
Suricata is also an IDS/IPS like Snort. It is much newer and was created by a consortium originally sponsored by Emerging Threats. Emerging Threats was purchased and absorbed into Proofpoint a few years ago.
Here is the Suricata official website: https://suricata.io/.
Snort on pfSense is currently running the older 2.9.x branch which is single-threaded. There is a new Snort3 branch that is multithreaded, but there is currently no plan to port that to pfSense. I tried twice, and there were just too many changes required and porting over an existing install was almost impossible. So, I gave up on a Snort3 package. Someone else in the future may decide to create one, but I'm not interested. I had rather continue support for Suricata. At some point in the future, the upstream Snort/Cisco folks will discontinue the Snort 2.9.x branch. At that point, unless someone has created a Snort3 package for pfSense, then Suricata will be the only IDS/IPS option on pfSense. However, a case can certainly be made that without MITM (man-in-the-middle) breaking of the encryption prevalent in all of modern network traffic, IDS/IPS software on any host but an endpoint is becoming almost useless. At least that's true in terms of payload inspection. Sure the IDS can examine headers for now, but even there moves are afoot to encrypt them as well.
Suricata offers many advantages to Snort. Chief among them is more detailed logging. You can find discussions of both Snort and Suricata in the IDS/IPS forum here on the Netgate forums site. At the moment the only shortcoming of Suricata is that it lacks an equivalent of OpenAppID.
Thanks again mbeeks for the information ill have a read on the site
I do have one quick question is it safe to use. no spying from the owners etc,,, -
@BlueCoffee said in Snort fails to install.:
I do have one quick question is it safe to use. no spying from the owners etc,,,
Of course! It is fully open source software, and it is used by many corporations and individuals around the world.
-
@bmeeks said in Snort fails to install.:
@BlueCoffee said in Snort fails to install.:
I do have one quick question is it safe to use. no spying from the owners etc,,,
Of course! It is fully open source software, and it is used by many corporations and individuals around the world.
got the new box and all is well guess the other one was bad. Ive installed Suricata (looks alot like snort) Would you set this up on lan also? Do you know where I can read more about the setup? don't want to not have it set correct this time around. -
@BlueCoffee said in Snort fails to install.:
got the new box and all is well guess the other one was bad. Ive installed Suricata (looks alot like snort) Would you set this up on lan also? Do you know where I can read more about the setup? don't want to not have it set correct this time around.
You can find several Sticky Posts at the top of the IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.
As with Snort, I recommend putting Suricata only on internal interfaces (LAN, DMZ, etc.). The only time I would veer from this approach is on a box with very limited RAM and/or CPU horsepower and I had a fairly large rule set enabled. That might be a point where you conserve RAM and CPU by just putting a single instance on the WAN instead of several instances on internal interfaces. But you will have the limitations I mentioned in my earlier post. Best practice would dictate that the different interfaces on a firewall likely will need different IDS/IPS rules enabled. Rules should be tailored to the unique vulnerabilities and threats present on the protected network. So, in that scenario, individual IDS/IPS instances on internal interfaces works better (if you have the necessary RAM and CPU power).
As you noticed, Suricata and Snort have an almost identical GUI. That's because a ton of the Suricata PHP GUI code was a copy and paste from the Snort GUI.
Any basic set up instructions you find for Snort on pfSense will also apply to Suricata on pfSense. One key difference is that Suricata does not use Preprocessors in the way that Snort does. Suricata just works differently internally. The preprocessors were a way for Snort to add new features over the years. Suricata accomplishes that a bit differently internally, so no need for specific preprocessors. There are settings similar to the Snort preprocessor settings under the FLOW/STREAM and APP PARSERS tabs in Suricata.
A big difference in the packages is the rich EVE.JSON logging system in Suricata. Initially EVE.JSON logging is disabled causing Suricata to log essentially the same way as Snort did. But if you enable EVE.JSON logging for an interface, you can capture a lot of data about network traffic and of course any alerts. Suricata can log a lot of data with EVE.JSON logging and many of the options underneath that feature enabled. Just be sure you go to the LOGS MGMT tab and enable automatic log management. The defaults you find there should be fine for an initial install.
Here is a link to the official documentation: https://docs.suricata.io/en/suricata-6.0.13/.
