Is pfSense "IDS weak" ?



  • Hey!

    What do you think about http://securityonion.blogspot.se/ ?    see also :
    http://www.irongeek.com/i.php?page=videos/derbycon2/2-2-9-doug-burks-security-onion-network-security-monitoring-in-minutes

    Don't you think that pfSense is somewhat "IDS weak" in comparison to this distro?

    Thank you for your advice & comments!



  • No.  They are two completely different things.

    Because, using your comparison, Security Onion is a terrible firewall/router distribution as compared to pfSense.



  • pfSense and Security Onion are different things, but why not have more options?
    Judging by forum traffic, IDS is a pretty popular use of pfSense.
    Snort is handy, but the parent company has just been bought by Cisco. Who knows what they plan to do with it. http://newsroom.cisco.com/press-release-content?articleId=1225204

    Security Onion has Suricata and OSSEC in addition to Snort, along with some interesting data visualization tools.
    pfSense may not need every feature from Security Onion, but it is a good tool. Perhaps we could learn something.


  • Rebel Alliance Developer Netgate

    Security Onion is nice. And you can run both at once (set up a SPAN/mirror port on your switch to copy data to Security Onion for monitoring).

    You could even run snort on pfSense and push the alert data from snort over to Security Onion for further processing.



  • Network security monitoring is something that needs a dedicated platform like Security Onion. The guy behind Security Onion is a big pfSense fan, they have it widely deployed at work and home. NSM takes up a ton of hardware resources, CPU, RAM, and disk. Their recommended hardware requirements exceed what many people run as a firewall. What I'd like to see, maybe once bhyve stabilizes and matures, is a VM of Security Onion running on top of pfSense. That would allow you to share the hardware resources, and limit your NSM's total resource consumption. Would require significantly faster hardware for many people vs. what they're running now, but it would be a nice solution.



  • I have added the Snort package on pfSense, configured as IPS (inline), not just IDS, and it works fine!  :)
    I agree with the guys above that you cannot compare two different distros.



  • FWIW, I just submitted a new pfSense package for ossec today. It's very experimental, but if committed, it should be available for evaluation on 2.1 systems.

    Cheers,

    Lance


  • Netgate Administrator

    Ooo that's interesting. Nice work.  :)
    More options is always better. Who are OSSEC? They seem to be tied to Trend Micro. Is that better than Cisco?  ;)

    Steve



  • I am investigating a Suricata package for pfSense.  I have been sort of maintaining the Snort package for the last several months.  I want to take that knowledge and see if a Suricata package on pfSense will work using the FreeBSD port of Suricata.

    Bill


  • Moderator

    @jimp:

    You could even run snort on pfSense and push the alert data from snort over to Security Onion for further processing.

    Hi Jimp,

    Have you configured pfSense to push data to SO? It would be nice to see a packaged SO sensor for pfSense.
    If you have any details, could you share them? If the packets could be pushed to SO, that could allow further analysis in SO.
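
One concrete way to do what jimp describes above (run Snort on pfSense and push its alerts over to Security Onion for further processing) and what this post asks about is to ship the alerts as syslog. The script below is an added example for the thread, not pfSense/Netgate, Snort or Security Onion code. It parses Snort's one-line "alert_fast" format, maps each alert to an RFC 3164 syslog message with key=value fields, and sends it over UDP to a collector. It assumes the monitoring host runs a syslog listener on UDP/514, that Snort writes alert_fast output to a file, and that endpoints are IPv4; the collector address, host name, log path and sample alert lines are constructed for illustration.

```python
"""Forward Snort "fast"-format alerts from a firewall to a remote syslog collector.

Added illustration for the thread, not pfSense/Netgate, Snort or Security Onion
code. Assumptions: Snort writes one alert per line in the alert_fast format; the
monitoring host accepts RFC 3164 syslog over UDP/514; only IPv4 endpoints are
handled. Host names, addresses, the log path and the sample lines are constructed.
"""
import re
import socket
import time
from typing import Iterable, Iterator, Optional

# Constructed sample lines in Snort's alert_fast layout (not a real capture).
SAMPLE_ALERTS = [
    "10/23-14:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:49152",
    "10/23-14:02:15.000001  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "10/23-14:02:20.500000  [**] [1:1000001:1] LOCAL mDNS from guest VLAN [**] "
    "[Priority: 1] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353",
    "this line is not an alert and must be skipped, not crash the forwarder",
]

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification and Priority
# are optional; ICMP lines carry no ports. IPv4 only (assumption).
_IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    rf"(?P<src>{_IP4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IP4})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert's fields, or None if the line is not an alert_fast record."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    as_int = lambda v: int(v) if v is not None else None
    return {
        "timestamp": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
        "rev": int(d["rev"]), "msg": d["msg"], "classification": d["cls"],
        "priority": as_int(d["prio"]), "proto": d["proto"],
        "src": d["src"], "sport": as_int(d["sport"]),
        "dst": d["dst"], "dport": as_int(d["dport"]),
    }


LOCAL4 = 20                              # syslog facility local4
SEVERITY_BY_PRIORITY = {1: 1, 2: 4, 3: 5}  # Snort prio -> alert / warning / notice


def _quote(s: Optional[str]) -> str:
    """Quote a free-text field so the collector can split on spaces safely."""
    s = s or ""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_syslog(alert: dict, hostname: str, facility: int = LOCAL4,
              header_time: Optional[str] = None) -> bytes:
    """Build an RFC 3164 message: <PRI>Mmm dd hh:mm:ss host snort: k=v ..."""
    sev = SEVERITY_BY_PRIORITY.get(alert["priority"], 6)  # unknown -> info
    pri = facility * 8 + sev
    if header_time is None:
        now = time.localtime()  # Snort's stamp has no year, so header uses wall clock
        header_time = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    body = (
        f"ts={alert['timestamp']} gid={alert['gid']} sid={alert['sid']} rev={alert['rev']} "
        f"prio={alert['priority']} proto={alert['proto']} "
        f"src={alert['src']} sport={alert['sport']} dst={alert['dst']} dport={alert['dport']} "
        f"class={_quote(alert['classification'])} msg={_quote(alert['msg'])}"
    )
    msg = f"<{pri}>{header_time} {hostname} snort: {body}"
    return msg.encode("utf-8")[:1024]  # RFC 3164 size limit


def forward(lines: Iterable[str], collector: str, port: int = 514,
            hostname: str = "fw1") -> int:
    """Parse each line, send valid alerts as UDP syslog, return the number sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for line in lines:
            alert = parse_fast_alert(line)
            if alert is None:
                continue  # non-alert line: skip rather than abort the forwarder
            sock.sendto(to_syslog(alert, hostname), (collector, port))
            sent += 1
    finally:
        sock.close()
    return sent


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to path, like `tail -f` (no rotation handling)."""
    with open(path, "r") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


def demo() -> list:
    """Render the constructed samples with a fixed header time (for inspection)."""
    return [to_syslog(a, "fw1", header_time="Oct 23 14:02:11")
            for a in map(parse_fast_alert, SAMPLE_ALERTS) if a is not None]


if __name__ == "__main__":
    # Placeholder path and collector address (assumptions, adjust for your setup).
    forward(follow("/var/log/snort/alert"), "192.0.2.10")
```

The key=value body is a deliberate choice: a collector can index `sid`, `src` and `dst` directly, and the quoting keeps rule messages containing spaces or quotes from breaking the fields. Snort's own timestamp is carried in the body because the fast format has no year, so the syslog header uses the sender's clock instead.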



  • @bmeeks:

    I am investigating a Suricata package for pfSense.  I have been sort of maintaining the Snort package for the last several months.  I want to take that knowledge and see if a Suricata package on pfSense will work using the FreeBSD port of Suricata.

    Bill

    Looks like Suricata has a nice list of features and future additions... Would love to see a state-of-the-art open source IPS/IDS package come to pfSense... That is assuming there are better options in the open source community than Snort. But from what I have read, Snort is the best time-tested IPS/IDS system out there...

    It looks as though DHS funded the start-up of the Suricata project. They say it's nothing more than a Snort fork that cost taxpayers $1 million. Depending on where the rules come from, that could turn out to be somewhat troublesome...

    I have said this before... The states table GUI needs more data and functionality. An IPS/IDS cannot catch everything and never will... We need a better visual way of seeing what is connected, its GPS location and what it's doing while connected... some things just need the human touch. If an IP looks fishy... out of place, block it, but we need lots of data to make that decision and it must be done quickly/efficiently. Maybe the states table data could be added to Snort with additional functions; now that might turn out to be a useful tool?


  • Banned

    There is a reason that Snort was bought by Cisco…and not Suricata. ;) security, features and usability!



  • @Supermule:

    There is a reason that Snort was bought by Cisco…and not Suricata. ;) security, features and usability!

    But it is my understanding from some limited reading that Suricata is multi-threaded.  Snort has not done that yet in their open-source binary.  So theoretically Suricata could have better performance in high traffic applications than Snort.  Both use the same rules, though.  So detection-wise I suspect it's a wash in terms of which is better.

    Bill



  • @bmeeks:

    But it is my understanding from some limited reading that Suricata is multi-threaded.  Snort has not done that yet in their open-source binary.  So theoretically Suricata could have better performance in high traffic applications than Snort.

    That's true, but there are ways to run multiple copies of Snort and load balance between them.  Even without that it's not likely to be an issue for anyone with a decently-powerful box.  There's a user in the thread below who hit 4.3Gbit/s with Snort.

    http://forum.pfsense.org/index.php/topic,65462.0.html



  • There are claims on discussion boards that Suricata's multi-threading can't touch Snort's single-threaded performance.



  • @Clear-Pixel:

    There are claims on discussion boards that Suricata's multi-threading can't touch Snort's single-threaded performance.

    The performance of 1.2 was pretty bad. Newer versions are faster.



  • @Jason:

    That's true, but there are ways to run multiple copies of Snort and load balance between them.  Even without that it's not likely to be an issue for anyone with a decently-powerful box.  There's a user in the thread below who hit 4.3Gbit/s with Snort.

    http://forum.pfsense.org/index.php/topic,65462.0.html

    I agree that with today's hardware you aren't likely to notice much in terms of performance differences with multi-threaded versus single-threaded until you get to the 10Gbps realm.  However, just for fun, I do intend to attempt producing a Suricata package for pfSense in the near future.  I have the time now to devote to that project.  If nothing else, this will at least offer some insurance for the availability of an IPS/IDS tool for pfSense in the event Sourcefire's new owner decides to scrap open-source Snort at some point.  They have said they intend to continue Snort support, but I guess there are never any guarantees.

    Bill



  • Until we find out how Cisco will affect the open source end of it, if at all, I suggest continuing to develop the Snort package and refining it.



  • @Clear-Pixel:

    Until we find out how Cisco will affect the open source end of it, if at all, I suggest continuing to develop the Snort package and refining it.

    Oh, I don't intend to abandon Snort at all.  Just looking at Suricata as another alternative to have in the package collection.

    Bill