Taming the beasts… aka suricata blueprint

BBcan177

@dmitripr:

Thanks BB. I didn't have those lists added. I will do so and disable the categories on snort/suricata.

Anytime.

Take a look at my script. It has a lot of Threat Sources. Not all of them can be used in pfBlocker as it can't recognize the different formats like my script can.

wetspark

Thanks to those that have spent their time to make document so much and distribute solid advice.
Its been a long time since I administered or needed to administer a firewall and was about to setup SNORT and such to build a better kid trap for my kids to have access to the internet.  The efforts here convinced me to use Suricata and I'm happy I did.  While a lot of the initial setup is redundant to me, it does cover the general theme for my multii-WAN-LAN FW.

Thanks for all the efforts!!

A Former User

@Hollander:

A most stupid question, for which I am by now famous: wat is the OpenVPN-interface; WAN or LAN?

Virtual Private Network would suggest LAN, but on the other hand: it is connected to the WAN  ???

Think of it like a dedicated ethernet line connecting two adjacent houses, without the dedicated ethernet line. That's why it's called a "private" network, because the tunnel is really a direct connection between two points, and (supposedly) it actively tries to be secure at it, for example by tearing the tunnel down and establishing a new one when attackers interfere with it. Like digging up the cable and moving it a couple feet over, when detecting that someone is tampering with it.

There are a couple of ways to set up openvpn:

1. Terminating the tunnel on an internal (separate) interface, then use rules to direct traffic where it's supposed to go.
   or
2. An even safer way is terminating the tunnel on a separate host connected to a separate LAN-type interface. A raspberrypi/cubox-i/other-cheap-ARM-thingy is perfect for this, unless trying to route loads and loads of bandwidth through it. If it's just for remotely administering a pfsense (I'll save my don't do it speech  ;D) then go for it. Don't forget the interface rules.

@dmitripr:

On the suricata setup, I followed your instructions for the rules. So, I did turn off the ones you mentioned in the posts here. However, I did have dshield and DROP categories enabled – apparently pfblocker doesn't have all the latest IPs for those, and some get though to IPS and are blocked there. For comparison sake, I have the same rules enabled for snort (just keeping it apples-to-apples).

I'm a believer in suricata, based on what I read, but probably not quite prime-time ready (at least in my setup, based on my limited testing). I have not uninstalled it, just disabled it at this point. I'll try again once 2.x.x comes out, hopefully soon.

Dshield/drop is a lot of work for an IDS. Try enabling suricata without those categories and test again, if it's not too much trouble.

You've demonstrated the reason this topic was created. Using the IDS part of a gateway is using 3 times the power the firewall part is using, which is exactly the reason I started this and the snort topics.

@all:
WRT the low power, a particular asrock mobo caught my eye: http://www.asrock.com/mb/Intel/Q1900M/. It has space for 6 intels (2x1 port + 1x4 ports) + extra onboard nic. 2 uplinks, 2 downlinks, 2 to play with, 1 spare. It's all you want in a small cute package ;D. Anyone out there care to try it/has tried it and want to share experiences? I'm sure for a top-of-rack firewall it should be perfect.

bmeeks

@Hollander:

@bmeeks:

I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

Bill

Hi Bill  ;D

Would that also include the suggestion from one of the biggest noobs on this board to have an easy way to multi-enable/disable the rules per category (the same check boxes you see in the left side of the firewall rules screens)?

That would be quite lovely, so to speak :P

Yes, but that functionality is already there.  On the RULES tab in both Snort and Suricata are icons for "Enable All Rules in this Category" and "Disable All Rules in this Category".  There are "X" and "+" icons on the right side of the upper middle of the page.  Hover your mouse over them to see tooltips pop up with descriptions of what they do.  The "category" refers to the rule set currently selected in the drop-down combo-box on that tab.

Bill

Mr. Jingles

@bmeeks:

@Hollander:

@bmeeks:

I am hopefully just a week or so away from posting the Pull Request for 2.0.x Suricata.  I ran into a small snag compiling the new package for 2.2 of pfSense, but I think I have a solution for that now.  I have been developing/testing with 2.0.2, but if it's not too big of a change I will bump it to 2.0.3 before I post the Pull Request.

Bill

Hi Bill  ;D

Would that also include the suggestion from one of the biggest noobs on this board to have an easy way to multi-enable/disable the rules per category (the same check boxes you see in the left side of the firewall rules screens)?

That would be quite lovely, so to speak :P

Yes, but that functionality is already there.  On the RULES tab in both Snort and Suricata are icons for "Enable All Rules in this Category" and "Disable All Rules in this Category".  There are "X" and "+" icons on the right side of the upper middle of the page.  Hover your mouse over them to see tooltips pop up with descriptions of what they do.  The "category" refers to the rule set currently selected in the drop-down combo-box on that tab.

Bill

Hi Bill  ;D

There might be a misunderstanding, probably due to English not being my native language

(As you may know by now education has been completely abandoned in the netherlands - we barely even know where the US, the UK or Canada is on the map. That is, however, not a problem so informs us our government in the weekly propaganda: knowledge can be found on google ('google' is a new language in dutch schools: english was dropped for it), it is 'what you do with it' that counts, not pure, factual, simple knowledge. Such as english words. That all is obsolete in the 'knowledge society' that the netherlands is. I heard it seamingly is the same in the rest of the west).

So I'll use the simple techniques our ancestors used ( ;D ): a picture. The old people once said that a picture can say more than a thousand words.

Because if I understand you correctly the current system only allows to enable/disable all rules in a category. What JFL writes is to selectively disable/enable for example 70 rules in 1 category. And that means the current Way Of Working is quite inefficient (click one rule disable/enable, wait for pfSense to respond which can take up to 1 minute, move on to the next rule, and then 70 minutes have passed for only 1 category. And there are many categories. It can easily take up to a full day to customize 1 interface).

A Former User

@Hollander, it's not just in the Netherlands, it's the world trend now. They feel the need to dumb down the students so their authority is not threatened in the future when they grow up to be the tax-paying zombies they are meant to be  ;D

Agree with the checkboxes approach. It could save a lot of time to enable all, then disable the 20 rules that need to be disabled per interface, and click the disable selected rules button.

Imagine, the package is that good that we are picking on the details  ;D

BBcan177

@bmeeks:

Providing rule management functionality equivalent to PulledPork with regex matches for enabling or disabling rules.  In other words, the ability to read and interpret enablesid.conf, modifysid.conf and disablesid.conf files.  You would be able to edit these offline and upload to the firewall, or edit in place using the same interface as I implemented for the IP REP lists management tab in Snort.

I think the best approach is to wait for the changes that Bill has posted above.

We should only be clicking these ICONS for some exceptions. The majority of this work being done with these configuration files (disablesid, enablesid and modifysid) will greatly improve our use of time and ultimately have less potential for errors.

We just need to be patient to get it coded.

bmeeks

@BBcan177:

@bmeeks:

Providing rule management functionality equivalent to PulledPork with regex matches for enabling or disabling rules.  In other words, the ability to read and interpret enablesid.conf, modifysid.conf and disablesid.conf files.  You would be able to edit these offline and upload to the firewall, or edit in place using the same interface as I implemented for the IP REP lists management tab in Snort.

I think the best approach is to wait for the changes that Bill has posted above.

We should only be clicking these ICONS for some exceptions. The majority of this work being done with these configuration files (disablesid, enablesid and modifysid) will greatly improve our use of time and ultimately have less potential for errors.

We just need to be patient to get it coded.

I favor the enablesid, disablesid and modifysid approach, but it will take some time to get this coded.  It and filtering for the ALERTS tab are my next tasks.  I have the new 2.0.3 Suricata package pretty much ready to go.  If I can get it coded in time, I might include the filtering and enablesid stuff in it, but I can't promise.  It's more important in my view to get "current" with the Suricata binary first.

Bill

bmeeks

@Hollander:

Hi Bill  ;D

There might be a misunderstanding, probably due to English not being my native language

(As you may know by now education has been completely abandoned in the netherlands - we barely even know where the US, the UK or Canada is on the map. That is, however, not a problem so informs us our government in the weekly propaganda: knowledge can be found on google ('google' is a new language in dutch schools: english was dropped for it), it is 'what you do with it' that counts, not pure, factual, simple knowledge. Such as english words. That all is obsolete in the 'knowledge society' that the netherlands is. I heard it seamingly is the same in the rest of the west).

So I'll use the simple techniques our ancestors used ( ;D ): a picture. The old people once said that a picture can say more than a thousand words.

Because if I understand you correctly the current system only allows to enable/disable all rules in a category. What JFL writes is to selectively disable/enable for example 70 rules in 1 category. And that means the current Way Of Working is quite inefficient (click one rule disable/enable, wait for pfSense to respond which can take up to 1 minute, move on to the next rule, and then 70 minutes have passed for only 1 category. And there are many categories. It can easily take up to a full day to customize 1 interface).

Sorry, I did misunderstand.  I remember us having this conversation a while back.  I had forgotten until I saw your picture to remind me.  See my reply to BBcan177's post where I favor using the upcoming enablesid, disablesid and modifysid functionality.  That is ultimately less work and will make it easy to "share" rule setups with other users.  Just upload the file and apply it to an interface.

In the interim, one sort of workaround would be to "enable all" the rules in the category using the current icon, then selectively click the ones you want to disable (or vice-versa).  In the upcoming Snort and Suricata updates (the Snort one is waiting for approval right now), the response should be a bit faster when clicking as it does not save everything and regenerate rules until you click APPLY.

Bill

dmitripr

@jflsakfja:

Dshield/drop is a lot of work for an IDS. Try enabling suricata without those categories and test again, if it's not too much trouble.

You've demonstrated the reason this topic was created. Using the IDS part of a gateway is using 3 times the power the firewall part is using, which is exactly the reason I started this and the snort topics.

Alright, I ran some tests after disabling those categories – though during the peak hours (5-6pm), so, won't get the best throughput, but close. With snort my 2 consecutive results were: 99.17 then 101.95 mbps. Snort maxed out at about 65% CPU utilization. Disabled snort, enabled Suricata and retested: 95.39 then 101.32 mbps. Suricata maxed out at 95% (probably hit close to 100%) CPU utilization. So, it did get marginally better it seems. But I still feel that the performance is not on par with snort.

Maybe it's just my setup, or suricata + pfsense combination. I'm looking forward to 2.0.3 suricata release shortly (hopefully).

The way I see it: for most people with lower speed tiers (50/10 and below), this probably won't be noticeable at all. It just seems that once you get over 100 mbps, you start running into performance limitations of the CPU (in my case Atom) with suricata -- and snort too, for that matter, but it's fairing a little better so far.

Once 2.0.3 is out, I'll retest and let you know. Looking forward to it.

All this is making me wonder about all those 1 gbps lines poping up from Google and AT&T now, people raving about them. But will regular consumers be able to actually take advantage of the speed with an over-the-counter routers? Certainly not with OTC routers that run any sort of IPS/IDS (e.g. Small business Cisco). You really would need a Xeon type of system to push those sort of speeds, not to mention top of the line NICs. Just curious. (maybe a bit off topic here)

Cheers.

A Former User

@dmitripr:

Alright, I ran some tests after disabling those categories – though during the peak hours (5-6pm), so, won't get the best throughput, but close. With snort my 2 consecutive results were: 99.17 then 101.95 mbps. Snort maxed out at about 65% CPU utilization. Disabled snort, enabled Suricata and retested: 95.39 then 101.32 mbps. Suricata maxed out at 95% (probably hit close to 100%) CPU utilization. So, it did get marginally better it seems. But I still feel that the performance is not on par with snort.

At least it's a step in the right direction. Thank you for taking the time to test and provide those results. There is nothing wrong with (nearly) maxing out the CPU, it's there for a reason afterall. As long as you don't literally max it out, then things start getting weird. If it stays at 95% and never sees 100%, then it should be good to go.
@dmitripr:

Maybe it's just my setup, or suricata + pfsense combination. I'm looking forward to 2.0.3 suricata release shortly (hopefully).

The way I see it: for most people with lower speed tiers (50/10 and below), this probably won't be noticeable at all. It just seems that once you get over 100 mbps, you start running into performance limitations of the CPU (in my case Atom) with suricata – and snort too, for that matter, but it's fairing a little better so far.

Once 2.0.3 is out, I'll retest and let you know. Looking forward to it.

Oh it will get better, trust me. I've never seen a (serious) program get worse with newer versions. Serious excludes any version of windows, gnome, and firefox with the idiotic chrome-wannabe interface. How the hell is moving the close search button from the left (right next to the search text box) all the way to the right (on the other side of the screen) a "user experience improvement". When will people realize that programmers must be constantly educated with the help of a baseball bat in order for them to be productive?
@dmitripr:

All this is making me wonder about all those 1 gbps lines poping up from Google and AT&T now, people raving about them. But will regular consumers be able to actually take advantage of the speed with an over-the-counter routers? Certainly not with OTC routers that run any sort of IPS/IDS (e.g. Small business Cisco). You really would need a Xeon type of system to push those sort of speeds, not to mention top of the line NICs. Just curious. (maybe a bit off topic here)
Cheers.

An atom will not be able to pull that off. You really need something in the i3 league (not e3 (xeon)) to get there. This is assuming full duplex on the connection (1gbps down/1gbps up fully maxed out). If it's just for downloading (1gbps down maxed out/let's say a quartergbps up) as long as it's a 1155 socket or newer it will work OK. Not saying get the cheapest 1150 you can get and expect it to get you there, but there are some powerful options, WRT their price. I'd (personally) take a $400 (total) option getting 900mbps than a $2000 option getting 1gbps. More so if it's for a home. Maybe this too will change with the newer pfsense (multithreaded pf) + newer quad core atoms. Oh excuse me, "celerons"  ;) (see asrock above). If it still can't get you there, at least suricata offers the chance of using the GPU to help along.
Don't confuse specialized CPUs with general CPUs. It's the reason switches have <1Ghz CPUs and can still route at multi-dozen-gbps speeds. Not arguing that a linksys/asus/cisco/whatever router can get there, much less so when using any IDS.

There is no need for top of the line, intel nics are already the best there is  ;D. For their price, I wouldn't complain.

Beeing off topic is what keeps this topic at the top. It's an exception to the "keep on topic" forum etiquette most people are accustomed, but it gives us a chance to talk about things we wouldn't have if it was strictly on topic. For example this discussion about the (expected) performance. "Ah, a thread about how to set up suricata. That's strange, this guy says he has tested suricata on X and can get Ymbps out of it. I'm only using Zmbps, so it must be able to pull it off. Let's see if using that other guy's suggestions can help out". A couple days later it's "ZOMGWTFWRTBBLLOL! I never knew suricata could do that". How many would find such an advise useful when buying parts for their next box, without having to start separate topics of "will this work for suricata/snort@Xmbps?".

wetspark

@jflsakfja:

Beeing off topic is what keeps this topic at the top. It's an exception to the "keep on topic" forum etiquette most people are accustomed, but it gives us a chance to talk about things we wouldn't have if it was strictly on topic. For example this discussion about the (expected) performance. "Ah, a thread about how to set up suricata. That's strange, this guy says he has tested suricata on X and can get Ymbps out of it. I'm only using Zmbps, so it must be able to pull it off. Let's see if using that other guy's suggestions can help out". A couple days later it's "ZOMGWTFWRTBBLLOL! I never knew suricata could do that". How many would find such an advise useful when buying parts for their next box, without having to start separate topics of "will this work for suricata/snort@Xmbps?".

Perfect example.  I was tinkering again this morning while waiting on some other fools at work and thought, "Hmm, wouldn't it be cool if I could use some of these expensive ASICs we use at work for Suricata processing".  Then I read this which lead me to search and discover that there's CUDA support being developed for Suricata.

Networks I work on have lots of IDS/IPS and tons of other acronyms running.  Its amazing that we have commercial systems that will only do 1Gbps and we are struggling to find/operate 10Gbps effectively while this discussion board is talking about stuff that anyone can download and run on old hardware that can do most/all of 1Gbps.

I primarily work on ADC/ADN and SDN stuff these days.  I have several pieces of commercial hardware in the cabinet behind me that I could be using for my network but I'm happy with this P4 running Pfsense and Suricata.

A Former User

@wetspark:

Perfect example.  I was tinkering again this morning while waiting on some other fools at work and thought, "Hmm, wouldn't it be cool if I could use some of these expensive ASICs we use at work for Suricata processing".  Then I read this which lead me to search and discover that there's CUDA support being developed for Suricata.

Networks I work on have lots of IDS/IPS and tons of other acronyms running.  Its amazing that we have commercial systems that will only do 1Gbps and we are struggling to find/operate 10Gbps effectively while this discussion board is talking about stuff that anyone can download and run on old hardware that can do most/all of 1Gbps.

I primarily work on ADC/ADN and SDN stuff these days.  I have several pieces of commercial hardware in the cabinet behind me that I could be using for my network but I'm happy with this P4 running Pfsense and Suricata.

My point exactly. Suricata/snort on pfsense is more than enough for the majority of users out there. There are exceptions (like multiple 10Gbps connections) but for the majority out there, including me, cost of getting the connection far outweighs the need for a faster firewall/IDS. The software side is there (has been for quite a few years actually), it's only a matter of getting the hardware that satisfies the needs. Hardware getting faster/more efficient, while at the same time costing less and less, leads to hardware that can do what 5 years ago could only be dreamed about.

Let's take the example of a pure datacenter pfsense with suricata. It doesn't need to analyze traffic for all the exploits out there about browsers, since none of the computers behind it run that software. Out of all the publicly available rules out there, only a handful actually make sense in that particular environment. You can do a whole lot more with 50 custom rules.

Another example is the typical home connection. It doesn't need to analyze traffic for all the servers out there (web/email/etc). Trimming down the rules to only the bare essentials, and using the recommended rules for a network gateway, coupling it with a (relatively) cheap atom + intel nics gets you a firewall that can be on par with most (if not all) the commercial alternatives out there. The bonus is that since the software is open source, you can still use it 10 years down the line without worrying about an unpatched vulnerability existing. Another bonus is that the software will get better and better.

dgcom

@jflsakfja:

The bonus is that since the software is open source, you can still use it 10 years down the line without worrying about an unpatched vulnerability existing. Another bonus is that the software will get better and better.

I can't agree with this… Reading this forum I see a lot of people with old versions of pfSense having their packages broken because support is removed.
And if some new vulnerability is discovered (like we had earlier with OpenSSL) - you are screwed, because you can't really fix it without pfSense-specific build tools...

So you either upgrade or get outdated.

bmeeks

@dgcom:

@jflsakfja:

The bonus is that since the software is open source, you can still use it 10 years down the line without worrying about an unpatched vulnerability existing. Another bonus is that the software will get better and better.

I can't agree with this… Reading this forum I see a lot of people with old versions of pfSense having their packages broken because support is removed.
And if some new vulnerability is discovered (like we had earlier with OpenSSL) - you are screwed, because you can't really fix it without pfSense-specific build tools...

So you either upgrade or get outdated.

This is true, but to a large extent it is also true for more expensive commercial packages.  They frequently move on and drop support for older stuff or don't backport some fixes.  Depending on the particular vendor, some are better and some are worse than pfSense in this regard.

Snort on pfSense is a recent example of a package that had to move on and drop support for 2.0.x.  That's mainly because the underlying FreeBSD 8.1 OS is EOL, so security updates would not be happening.  Also, the old package system using *.tgz files was unwieldy in the way it handled shared libraries.  You frequently hit the equivalent of Window's "DLL hell".  So moving on to supporting only 2.1 and higher with PBI packages was an inevitable change.  Granted FreeBSD 8.3 which pfSense 2.1.x uses also just went EOL, but at least there is ongoing frenzied development to move to FreeBSD 10 with pfSense 2.2.

So while I feel the pain of users with older installations losing support of a package, that has to be tempered with the concept of staying more "current" and keeping the software development task more manageable.  Trying to support, for example, three different OS environments is a bit much for a one-man package maintainer.  For instance, the installation paths differ between pfSense 2.0 and 2.1 and 2.2; plus the variety of system calls differs.  For example, support for IPv6 varies between the versions.  So this makes the code in a package sometimes quite complex as it tries to deal with all the subtle differences in pfSense versions.  The more complex a package's code becomes, the higher the potential for bugs.

Bill

Mr. Jingles

And if some new vulnerability is discovered (like we had earlier with OpenSSL) - you are screwed, because you can't really fix it without pfSense-specific build tools…

This is a serious problem, indeed.

@bmeeks:

Trying to support, for example, three different OS environments is a bit much for a one-man package maintainer.

Even if it were more than 1 maintainer it would be difficult, would be my guess.

Life evolves, and so does software. It is not always nice to upgrade, because new problems will come along because of that.

But then again: we grow older, and new problems come from that too.

Life is life.

To me the value of open source software is that we are not dependent on crappy companies that sell us product X on day 1, and on day 1 + 1 simply drop support with an arrogant 'sue me, stupid customer'.

For that reason I don't consider open source 'free' as in: money-free: I've donated to many open source projects. I do realize devs want to have a beer too. The value of open source for me lies in: much more serious.

But, in the end: old software has to be replaced by new software. Nature's law, the new replace the old.

Mr. Jingles

@jflsakfja:

@Hollander, it's not just in the Netherlands, it's the world trend now. They feel the need to dumb down the students so their authority is not threatened in the future when they grow up to be the tax-paying zombies they are meant to be  ;D

Hmmm  8)

I think you are a little bit too negative.

Have some faith in mankind, in what TPTB cook up for us. After all, the most talented, the most skilled, only the very few that manage to pass all the top tests, are hand picked to become a member of government, or parliament.

People like you and I don't get there, we don't have what it takes. This is a fact of life, to be observed in every country across the globe.

So you might be a little bit too negative.

The central planners know what is right, they are the creme de la creme. We should not criticize. We don't have the brains to do that. That's why we are here and they are there.

I don't want to ridicule you, but I mean, what is next?

You saying that all these highly intellectual real life social insight television shows about pawn shops, cooks that have a tough time in their kitchen (lots of them, given the number of shows about it), 'dr. fil', 'opla', 'who is the best singer/dancer/whiner', 'who can put a cucumber in his ear the fastest', 'remodel your house', 'rent a house from the bank in a place under the sum and pay it off 3 times in intrest and charges' and thelikes are fake?

Given your negative way of looking at the world, I would not be surprised if you would invent a new line for it. 'Scripted reality', or something like that.

Have faith, young man, have faith.

Right, I am off now, watching on our ever reliable state television how bad that certain country in eastern-europe is.

( ;D ;D ;D ;D ;D )

A Former User

@dgcom:

I can't agree with this… Reading this forum I see a lot of people with old versions of pfSense having their packages broken because support is removed.
And if some new vulnerability is discovered (like we had earlier with OpenSSL) - you are screwed, because you can't really fix it without pfSense-specific build tools...

So you either upgrade or get outdated.

Don't confuse the need to stay up to date with updating the existing software. They are not the same.

Staying on top of vulnerabilities is one thing, supporting every single hardware/software configuration out there is another.

I did mention on a Debian mailing list that one of the biggest mistakes Debian made was forking firefox to iceweasel. Hold your horses, even if I killed someone the judge would still hear me out, so hear me out.

Debian is extremely conservative with their release cycle. A new version is usually a couple years away. These days a "couple years away" is a disaster. An utter and plain disaster. Not in the stuff breaks sense, hell I would trust a life sustaining machine running Debian more than I would trust the multi-million machine in the hospital, but in the needed new features sense. No, not the Gnome 3 f***-me-upside-down-and-inside-out-if-it's-a-usable-gui. The syslog logging for nginx for example. An extremely useful feature, that isn't in the version currently in wheezy (7.x). In my use case I have to import the logs into rsyslog, process them, then spit them out to remote hosts >and< on top of that split them per nginx vhost >and< split them at the same time to normal logs and errors. rsyslog isn't meant to be a text file tailing software. It's meant to take a single line, decide where it should go and get it there. I can make it work though, and patiently await for the time that the newer version gets to stable. I completely know that you can patch nginx and recompile it to get to where I want to be, but that's out of the question for a production machine. I'm not a developer, never will be, I leave that job to others. More on this following.

Debian stable (as already mentioned) is as solid as concrete. Recently they decided to go ahead with the squeeze-lts (long term support), which ties all this to firefox/iceweasel) citing the fact that I-forget-right-now-which-company-exactly recently migrated 5K servers to ubuntu LTS. Most people involved with the decision failed to see the actual reason for the migration: more frequent updates, even if it's for an LTS version.

What does running an LTS mean exactly? It means continuing to support old software, that has fixed the flaws you are trying to backport changes for, in newer versions of that software (bingo for firefox!). They also added a few newer features along the way, as an added bonus. Or extra shafting, depends (like australis). The whole reason iceweasel was born was that mozilla wouldn't let them use their trademarks for supporting EOL versions of firefox.

Canonical can support an LTS version, SPI (Software in the Public Interest, the guys behind Debian) cannot. Why? Hollander hit it right on the head: developer support.

Developers need to get payed to work on software. RMS's extremely distorted reality does NOT apply in the real world. Either contribute to the developers, or forget their support for the software. Nobody will spend a week of their own time working on a version you (not you you, general you) are using, just because you like it and fear installing a newer version, and the reason is they prefer actually working on the feature that 100 others desperately want implemented. Or that recent 0-day vulnerability that needs urgent fixing.

Support doesn't only come in the $$$ sense. It also comes in the documentation sense. How many hours did this topic save a developer? Or a user? A day? A week? A year? Instead of developers spending their time trying to weed out the false positives and improve them, they can instead take a look at the list and immediately see the rules they need to focus on. Users can also do the same, which saves them time asking if that rule is a false positive or not, spending a week arguing on the forums if it truly is a false positive, which by the way is probably a week of a developer spending his time troubleshooting with them/arguing/agreeing, then disabling the rule. Documentation is the most hated thing to do, an I can understand that (this topic is a form of documentation, you can't imagine the time I've spent behind the scenes working on it). It's why I rage about the ET guys ignoring the list ;D. The list is there, and it's accurate, now start removing the rules I suggested.

Got a little carried away, back to our mailing list discussion: The argument was that if I want a patch backported to a software I refuse to update, for personal reasons, it's up to me to make sure the developer has the incentive to do it. If the developer needs to spend a week, at $100/day to backport and troubleshoot the update I need (which by the way comes standard in the newer version) and I can spend $500 to get newer hardware that doesn't have a problem with the newer version, then I could do myself a favor and save the $200. Get newer hardware and don't expect the developer to work exclusively for me.

In the particular case of snort, going by what bmeeks said, I would personally choose to drop support for the older versions of pfsense. Why? Because they will never be completely up to date. By making a conscious choice of running an older version of a critical part of your infrastructure, you are making the conscious choice of getting your network broken into. Do you have the knowledge to backport all the necessary patches into the version you use? Great, the previous statement doesn't apply. Are you a regular user that waits on others to fix it for you? Then try to help them out, by not expecting them to work for free.

Braking something in a newer version is inevitable (although I still don't get how the Debian guys don't break stuff  ;)). Our job as users is to let the developers know that they broke something, and work with them to the best of our abilities to get it fixed. If we can provide log samples, we do that. If we can provide kernel oopses, we do that. If we can provide money for the developer to get a pizza for him and his children (hey, 'murica does it and it works, so think of the children), then we do that.

That is what open source means. It doesn't mean "we need to make those businesses fail because ALL software should be free". A starving developer is a soon-to-be-dead developer, simple documented fact.

@Hollander: smack Snap out of it! They got you too?!?! smack. All hope is lost  :(

DISCLAIMER
This is NOT a direct attack on anyone around here, nor elsewhere. I'm merely expressing my opinion. If you do not agree with me, discuss in a calm, well-mannered way. Swearing is acceptable, as long as it's directed at the ET guys*, cisco* (for charging a night with your wife, your first born's right kidney, and your left kidney for a support contract), or the developers of either unity*,gnome 3*, or internet explorer* (all versions ok). Windows 8* accepted/encouraged.

*all relation to actual names, claimed trademarks, registered trademarks, physical and/or legal entities, is purely coincidental. Nope, no relation at all to the real world. Nothing to see here, move along.

BBcan177

@bmeeks:

Trying to support, for example, three different OS environments is a bit much for a one-man package maintainer.  For instance, the installation paths differ between pfSense 2.0 and 2.1 and 2.2; plus the variety of system calls differs.  For example, support for IPv6 varies between the versions.  So this makes the code in a package sometimes quite complex as it tries to deal with all the subtle differences in pfSense versions.  The more complex a package's code becomes, the higher the potential for bugs.

I agree, keeping up with the updates is important, especially if we have the support of the Maintainer to fix issues that arise…. If it wasn't for Bill maintaining these packages, I am sure we would be more hesitant to upgrade.  ;) :o

Double K

@BBcan177:

Could you please shed some more light on the max, dmax, and pmax variables?

1. Using a "max" variable, if it finds over the Max variable it will perform a Maxmind Geoip Database lookup and will process a /24 block for configured Foreign Countries on an individual Blocklist Basis.

2. Using a "dmax" variable  if it finds over the dmax variable it will perform a Maxmind Geoip Database lookup and will process a /24 block for configured Foreign Countries at the end of the download process on all of the Blocklists together.

3. Using a "pmax" variable, if it finds over the dmax variable it will process a /24 Block excluding Country Code whitelist at the end of the download process on all of the Blocklists together.

I had 7 unique addresses in the 104.28.7.x range in the IR_Match alias file.  This also created a 104.28.7.0/24 entry as well.  I tried accessing a site that was not one of the unique addresses (ie. not blocked by the lists), but it was blocked by the /24 range.

You are referencing "Match" aliases here.

Here is a snipet from the pfiprep script-

# country Code p24 Process (pass/match)
ccwhite=match
# Define what to do with IP Ranges found that are in the
# Country Code p24 Process (block/match)
ccblack=block
# For pfSense, the "Match" IPs can be "Monitored" with
# "Floating Rules" which can log packets from these IP Ranges,
# but still allow the Blocking of the Individual IPs found in the
# same /24 Range.

So the script will Block a whole /24 range depending if you select ccblack=block.
ccwhite=match will put the IP ranges that are in the Safe Country list into a match alias.

So the match file has all of the IPs that are being blocked with a "!" at the start of the IP to tell pfSense not to match the "!" excluded IPs, and match on anything else in the /24 range.

I would suggest leaving the "match" alone until you get everything else working. Change the ccwhite=match  to  ccwhite=pass

So at a high level, the max,dmax and pmax variables look at how many IPs are repeat offenders in all of the blocklists. And then depending on these settings block/match as required.

Thanks BBCan177, I've read & re-read this about 15 times, drawn it out on paper, changed the floating rule for IR_Match to "Match" instead of Block, and still can't figure it out.
Unfortunately, all I seem to be doing now is adding individual IP addresses to the Floating rules to allow them to pass through these Blocks - because legitimate IP addresses such as bing.com's IP address are being blocked by these Blocking Lists.