Snort: Where do I find a specific rule?
-
…With regards to Snort on pfSense, it is currently what I term a hybrid; but cyber security purists would take offense at my characterization. …
<<< World's First And Only Cyber Security Purist.
Ideally the pfsense box should be running suricata in IPS mode and send the logs to another device.
A) Capturing a live stream of the packets going through/getting blocked by the box (and historically archiving it) would be an added bonus but you need to take into consideration their rotation, I'm thinking daily and datestamping the compressed file. A gui to download Monday the 29th of 3084 would be appreciated. While you are at it, logs/captures need to get pushed away from the firewall box ASAP, so as soon as it is finished datestamping the file, a copy is emailed to an address of your choice (in case a creative rm -rf ./* is executed on the captured packets). Most home users will not notice any slowing down, since a 10Mbps connection only puts out 1.25MB/s (most drives should be able to write well above that). Double that (symmetric connection) and it's still way too low for a disk to stress over it. We might run into some difficulties as we approach the 100Mbps mark, but nothing an SSD can't solve. Or Fiber Channel with the new 120Gbps standard. Oops, forgot we are talking about (holds a giant sign) >HOME< connection. Emphasising since some forum members have difficulty reading the HOME word. I do realise that most people are using gigabit for their internal networks, but how many of those have the need for a true IPS capturing a live stream of the traffic passing through their wifi? (routers set up to forward all packets upstream, clients can't communicate directly with each other, most asus(es?) do that.)
B) Logs ("I blocked this packet from passing through") should be sent to existing syslog facilities (so they can be sent to a remote syslog server if so configured). In summary, the new suricata package should concentrate on working as a true IPS system, and be able to capture information/data for criminal prosecution (there are those of us who need that) and troubleshooting.
EDIT: Capturing the live stream could be done upstream with a mirror port, but it saves you the trouble if you don't have a managed switch. That, and since all the traffic passes through the box already, you might as well capture it anyway and save yourself the trouble of setting up a separate sniffing host (connected to aforementioned mirroring port).
-
@jflsakfja:
I hear you on the true IPS mode. That is the desire, but some more pfSense patches are likely needed to make that work for TCP, UDP and ICMP. The first BETA package will be IDS only just to get some feedback from users on the general look and feel and performance in detection-only mode. It will offer pretty much all the Suricata bells and whistles such as TLS handshake logs, HTTP logs, file-json logs and optional capture of downloaded files (if suitable rules are created), full Barnyard2 support with both MySQL and remote syslog output, and finally full packet capture to pcap-format files. Even in my little VMware environment this gobbles up a lot of disk really quickly! I've got to find a way to move this data off the firewall in a quick and efficient manner to something else that is beefier and meant to take the load.
Unless you turn off all these capturing features, Suricata is NOT going to be something you run on NanoBSD… :). I also don't see home users taking advantage of all this except for just playing around. As you say, though, there are some commercial users of pfSense that will find the Suricata features useful.
I am very close to releasing the BETA of Suricata. Testing the install/uninstall scripts now, and need to add some code to allow viewing of all those log files I mentioned above in the GUI.
Bill
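Both the first post (daily rotation, datestamping the compressed capture, pushing a copy off the firewall right away) and Bill's reply (getting pcap and log data off the box quickly) describe the same housekeeping step. The script below is an added example, not code from the thread or from the pfSense Suricata package. It is plain POSIX sh so it can be run from cron on a pfSense/FreeBSD box or on Linux; it assumes `gzip` plus either `sha256` (FreeBSD) or `sha256sum` (Linux). The push step uses an `scp`-style command instead of the e-mail the first post suggests, and the `PUSH_CMD`/`PUSH_DEST` variables are assumptions you would set for your own archive host. The sidecar digest is there so the archive host can tell whether a file was truncated or altered after it left the firewall.

```shell
#!/bin/sh
# Added example (not from the forum thread): datestamp, compress, fingerprint
# and push a finished capture or log file off the firewall.
set -eu

# Portable digest helper: FreeBSD ships sha256, Linux ships sha256sum.
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# archive_capture SRC DEST_DIR [STAMP]
# Compresses SRC into DEST_DIR as NAME.STAMP.gz, writes NAME.STAMP.gz.sha256,
# removes the live file only once the archive is in place, and prints the
# archive path. STAMP defaults to today's UTC date (daily rotation).
archive_capture() {
    src=$1; dest=$2; stamp=${3:-$(date -u +%Y%m%d)}
    base=$(basename "$src")
    out="$dest/${base}.${stamp}.gz"
    mkdir -p "$dest"
    gzip -c "$src" > "$out"
    digest_of "$out" > "$out.sha256"
    # Never delete the source unless a non-empty archive exists.
    if [ -s "$out" ]; then
        rm -f "$src"
    fi
    printf '%s\n' "$out"
}

# verify_archive ARCHIVE: exit 0 if the recorded digest still matches the file.
verify_archive() {
    [ "$(digest_of "$1")" = "$(cat "$1.sha256")" ]
}

# push_archive ARCHIVE: copy archive and digest off the box.
# PUSH_CMD and PUSH_DEST are assumed environment settings, e.g.
#   PUSH_CMD='scp -q -i /root/.ssh/archive_key'  PUSH_DEST='user@host:/captures/'
push_archive() {
    : "${PUSH_CMD:?set PUSH_CMD (e.g. 'scp -q')}" "${PUSH_DEST:?set PUSH_DEST}"
    $PUSH_CMD "$1" "$1.sha256" "$PUSH_DEST"
}
```

From cron you would call `archive_capture /var/log/suricata/log.pcap /var/archive` once a day and then `push_archive` on the result; keep the SSH key used by `PUSH_CMD` restricted on the archive host to writing into that one directory, so a compromise of the firewall cannot be used to rewrite earlier archives.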
-
I have had snorby going on separate box. Wish it would just run on same machine. Along with the other tools that security onion has in there. Nice to see some in depth data from your net and find out what is really going on under the hood.
-
Bill, you can also use Suricata 2.1beta4. Been using it on linux boxes for months, w/o trouble. More stable and feature rich than 2.0.8, including CIDR IP Rep, etc..
Considering inline operation in IPS mode. It's now a real must. Malware as small as 20kb gets past the snort hybrid mode of pfsense…
F.