Suricata true inline IPS mode coming with pfSense 2.3 – here is a preview
-
I installed suricata, and the installer complained about some mysql client vulnerability that will not be patched. Something to be worried about?
-
@[deleted]:
Suricata package has been updated today from 3.0_7 to 3.0_8.
From the changelogs I see only a fix for "Suricata, a broken download should not wait forever.", and some changes in licenses.
@bmeeks I don't understand, why not jump to the latest version, with the latest fixes, because there are a lot?
10x
I have been very busy with other work outside of my volunteer package maintainer duties for Suricata and Snort. The other work pays me, the volunteer maintainer duties do not … ;).
I am testing the latest 3.1.1 binary this weekend and hope to have a pull request posted very soon.
Bill
-
Will inline IDS be working with the latest Suricata update?
-
Will inline IDS be working with the latest Suricata update?
Hopefully better than it currently does. The issues are pretty much all netmap related as netmap is a relatively new technology. Suricata has had some upstream bugs reported around the netmap interface used for inline mode. A lot of those reported issues are fixed in the 3.1.1 release.
Bill
-
Thank you @BMeeks!
Looks like there's an updated Suricata in Package Manager with the latest 3.1.1_1 version. Trying it out now!
-
Does latest suricata 3.1.1_1 support hyperscan pattern match ?
-
2.3.3_dev
-
Does latest suricata 3.1.1_1 support hyperscan pattern match ?
It's not turned on yet. That is next on my list to test. Not sure what kinds of tweaking may be required in FreeBSD ports to get that enabled and compiling successfully.
Bill
-
I will give inline mode a go again when Suricata 3.1.1 becomes available.
-
Available now… for pfSense 2.3.3x and 2.4 development versions. Not the pfSense stable, yet.
Version 3.0.8 of Suricata for pfSense contains the Suricata 3.1.1_1 update - the pfSense implementation hasn't been up-rev'd.
-
2.3.2-p1 is the latest version according to my dashboard. I do not risk using development versions. Pfsense is in a production environment.
-
Lately, when I ask for status on Inline Suricata, the thread gets deleted. What's up with that? I thought this was a community forum.
I will attempt more questions
Is it in testing?
How is the testing going?
What are the issues?
Why is PFsense so far behind in Suricata updates?
How many people are working on it?
Do you need testers, or help?
Is there an ETA?
Should I move on?
I guess the last question depends on if this post also gets deleted, or I get banned for asking questions.
-
You should probably move on and do IPS on a dedicated machine running a hardened version of your favorite OS.
It's not a priority on pfSense (for now) and if you haven't set up a full blown SIEM solution it's anyway a toy ;-).
Regarding your questions, just search through the forum and you'll find your answers.
Regards,
Emanuel
-
Not the first time I have seen that reply about a SIEM… one has nothing to do with the other. Wanting Suricata working in inline mode on my firewall is completely unrelated to a SIEM and is definitely not relegated to "toy" status in the absence of a SIEM. I'd love to have a serious discussion (off of the forum if necessary to reduce clutter) about this as I am not trying to throw rocks or start a flame war. I just don't grok the relationship between running Suricata in inline mode and having or not having a SIEM.
-
Lately, when I ask for status on Inline Suricata, the thread gets deleted. What's up with that? I thought this was a community forum.
I will attempt more questions
Is it in testing?
Yes, of course. https://forum.pfsense.org/index.php?topic=118541.msg656395#msg656395
How is the testing going?
Are you helping?
What are the issues?
Take a look in that thread, or the FreeBSD bug tracker, below. There are a number of reasons why this software hasn't merged into FreeBSD as yet.
Why is PFsense so far behind in Suricata updates?
So far behind what?
Suricata 3.1.2 was released on 7 September: https://suricata-ids.org/2016/09/07/suricata-3-1-2-released/
At the moment 3.1.1 and Hyperscan are still pending in the FreeBSD bug tracker.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210490
As is Suricata 3.1.2
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212815
As you can see by looking at that, Herr Fitchitis is hard at work to make both happen. Given this, I don't see how any additional effort on our part would make it happen any sooner.
How many people are working on it?
Which part?
Are you helping?
Do you need testers, or help?
We always need testers. Thank you.
Is there an ETA?
No.
Should I move on?
You're welcome to stay and you're welcome to contribute.
As with most things, this is your choice, not mine.
-
Not the first time I have seen that reply about a SIEM… one has nothing to do with the other. Wanting Suricata working in inline mode on my firewall is completely unrelated to a SIEM and is definitely not relegated to "toy" status in the absence of a SIEM. I'd love to have a serious discussion (off of the forum if necessary to reduce clutter) about this as I am not trying to throw rocks or start a flame war. I just don't grok the relationship between running Suricata in inline mode and having or not having a SIEM.
An IPS responds to known threats. IDS has a different task set. It must identify a large number of threats, including:
Security policy violations, such as systems or users who are running applications against policy.
Infections, such as viruses or Trojan horses that have partial or full control of internal systems, using them to spread infection and attack other systems.
Information leakage, such as systems running spyware and key loggers, as well as accidental information leakage by valid users.
Configuration errors, such as applications or systems with incorrect security settings or performance-killing network misconfiguration, as well as misconfigured firewalls where the rule set does not match policy.
Unauthorized clients and servers including network-threatening server applications such as DHCP or DNS service, along with unauthorized applications such as network scanning tools or unsecured remote desktop.
Doing these without a SIEM is nearly impossible.
-
Right! These are two different tasks. I'm not interested in my firewall telling me all this stuff, at least not my Internet facing firewall. I want it to guard my perimeter and drop bad traffic, but not interfere with my users' legitimate connectivity. Hence, I want Suricata to run as an IPS on my external firewall, preferably without the pain of unintentionally blocking valid sites and traffic because of a mangled packet somewhere.
I am exploring internal sensors and SIEM solutions, potentially using Suricata, wherein I will look for all those other things, but the lack of this capability does not lessen the effectiveness of my perimeter firewall.
They perform two distinct tasks.
Any further debate can move to another thread or offline, I don't want to take this thread off the rails.
Thanks for the input, I do like it whether I agree with all of it or not! :)
-
Thanks jwt, glad to see some activity here. That's all I asked for.
As for helping, I am willing to do what I can but not sure how to go about it. I am not a coder so I can't help there, but I have many different platforms here to test on. Every time I test inline IPS, I do post my results. Maybe I am doing that in the wrong place.
OK 3.1.2 Suricata is in FreeBSD bug tracking phase. Just noticed a new release to 3.0.9. Will try that one soon. I am not even sure Suricata is the reason for inline IPS not working, may be netmap, or something else.
But one question remains. Where can I look at testing results from using Inline IPS. I saw one report and it froze their system. That's essentially what happened every time I tried it. Does anyone have it working, even partially?
I agree with dhboyd26, a SIEM is just another device that collects security data. Not sure how that applies here. I already know where my problems are.
In my opinion true inline IPS turns PFsense from a 'toy' to a full blown security appliance. That's why I am surprised as to its priority. It seems to be working with other firewall software using FreeBSD and Suricata.
Here is the #1 reason I need this, there are others. I run multiple mail servers and receive constant hits from spammers that change their IP with every hit. Snort catches these but the first one always passes, then the spammer sends the same email with a different IP seconds after the previous one and snort sees it as a new hit. This happens thousands of times a day filling logs and using bandwidth. My spam detection system is almost constantly checking and blocking these, but in doing so takes much time going through all the checks. I need a way to block these before they get to the spam engine. Inline IPS would do this using my custom rules. You would think these spammers would run out of IPs, but apparently not. If anyone has any ideas or other ways to prevent these multiple IP spams, please let me know. Pfblocker is not a solution because these all come from within allowed countries.
I had a thread which stated this problem before and the answer was to use Inline IPS. I have been waiting for it ever since. That was over six months ago when this thread started.
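The post above describes why the "first one always passes" in legacy (IDS) mode: the packet has already been forwarded when the alert fires, and pfSense only adds the source address to the pf block table afterwards, so a sender that changes IP on every attempt is never caught in time. Below is an added example of what the custom rules for that case could look like; it is not the poster's rule set or anything shipped with the pfSense package. The `$SMTP_SERVERS` variable is a standard Suricata address group, the `203.0.113.0/24` relay range, the matched subject text and the sid numbers are assumptions. The `drop` action only discards traffic when Suricata runs inline (netmap IPS mode); in IDS mode Suricata downgrades `drop` rules to alerts, which is exactly the behaviour the post complains about.

```suricata
# Added example rules, not from the original thread. Assumed values:
#   $SMTP_SERVERS     - standard Suricata address-group variable for the mail hosts
#   203.0.113.0/24    - a made-up range standing in for known, trusted relays
#   subject text/sids - placeholders for the poster's own custom signatures

# IDS (legacy) behaviour: this fires after the SYN/data has already been forwarded.
# pfSense then blocks the source in pf, so only the *next* connection from that IP
# is stopped. A sender that rotates IPs per message is never blocked in time.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE repeated spam template seen (alert only)"; flow:to_server,established; content:"Subject|3a 20|"; nocase; content:"Your account has been suspended"; nocase; distance:0; within:120; classtype:policy-violation; sid:9000001; rev:1;)

# Inline (netmap IPS) behaviour: identical match, but the packet carrying the
# matching data is discarded before it reaches the MTA, regardless of source IP.
# In IDS mode this rule is treated exactly like the alert above.
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE repeated spam template (drop)"; flow:to_server,established; content:"Subject|3a 20|"; nocase; content:"Your account has been suspended"; nocase; distance:0; within:120; classtype:policy-violation; sid:9000002; rev:1;)

# Safety valve: mail from the assumed trusted relays is never dropped, whatever
# else matches. Suricata evaluates pass before drop by default (action-order).
pass tcp 203.0.113.0/24 any -> $SMTP_SERVERS 25 (msg:"EXAMPLE trusted relay, never drop"; flow:to_server,established; sid:9000003; rev:1;)
```

Before enabling such rules on a production box, run `suricata -T -c <that interface's suricata.yaml> -S custom.rules` to confirm they parse, and keep the `alert` variant of a new signature in place for a while so the logs show what a `drop` would have taken out (legitimate mail matching an overly broad content match is the usual way an inline rule turns into the "blocking valid traffic" problem mentioned earlier in the thread).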