Snort and Suricata on pfSense 2.3?



  • I am looking at switching from Snort in the current blocking mode to Suricata inline mode when pfSense 2.3 reaches stable. But I don't want to lose the coverage of the Snort VRT rules that aren't supported in Suricata.

    Assuming my pfSense has enough CPU and RAM, would it be possible to run Snort with the VRT rules in the traditional blocking mode and Suricata with ET rules in the new inline mode?

    I know this might be overkill, but just want to see if it's possible, and then evaluate further from there.


  • Moderator

    You don't want to run them both at the same time in the same box…

    The ~700 Snort Rules are shared-object type rules... Most of those, I would assume are already covered by the ET Rules... I wouldn't be too concerned about that... If you are really concerned about coverage, then get the Paid versions of the Rules where there are Fresh Rules generated more frequently.



  • @BBcan177:

    You don't want to run them both at the same time in the same box…

    The ~700 Snort Rules are shared-object type rules... Most of those, I would assume are already covered by the ET Rules... I wouldn't be too concerned about that... If you are really concerned about coverage, then get the Paid versions of the Rules where there are Fresh Rules generated more frequently.

    I realize it might not be the best idea to run that both at the same time on the same box, but I'm wondering if they can run simultaneously, or if something will conflict and they won't work properly.

    One of the reasons I am concerned about moving from Snort to Suricata is losing access to the SO rules. I'm sure some are covered by ET rules, especially ET Pro, but there have been instances in the past where Snort VRT has released SO rules for unpatched vulnerabilities, providing some detection/blocking before the vendor released a patch (and/or before the vuln was public). The last case I can think of off the top of my head where this happened was the Cisco ASA IPSEC vulnerability. Snort VRT had SO rules a couple months before the vuln was announced and the patch was released.

    I'm just trying to weigh the pros and cons of moving from Snort to Suricata. Under pfSense 2.3 and Suricata 3.0 there are a lot of reasons to move to Suricata for inline IPS. But the downside is losing all the Snort VRT SO rules and any others that aren't supported under Suricata. Thus I want to see if running both in tandem on the same system would be a possibility that should be evaluated.


  • Moderator

    Snort and Suricata both use the Snort2c table but with Suricata now having the inline option, that might resolve the conflict with having both packages use the same table… However, I am not the Dev of the package, but it should work if Suricata is in Inline mode.

    There are pros and cons to both packages... Just have to pick your poison... :)  Expect Snort to have inline also at some near future...



  • @BBcan177:

    Snort and Suricata both use the Snort2c table but with Suricata now having the inline option, that might resolve the conflict with having both packages use the same table… However, I am not the Dev of the package, but it should work if Suricata is in Inline mode.

    There are pros and cons to both packages... Just have to pick your poison... :)  Expect Snort to have inline also at some near future...

    I want my cake and I want to eat it too!  ;D

    Bill's comment about Snort not working as well with Netmap is what got me thinking of switching to Suricata. Then I started wondering if I could run both. Just trying to determine what changes to make now that there are more options and making sure I evaluate all available choices.

    @bmeeks:

    No, this is not currently available for Snort.  It might be in the future, but that is currently uncertain.  Snort's DAQ module is not as Netmap friendly as Suricata is.  If this is ever available for Snort, it would also only be on the pfSense 2.3 and higher platform.



  • @BBcan177:

    Snort and Suricata both use the Snort2c table but with Suricata now having the inline option, that might resolve the conflict with having both packages use the same table… However, I am not the Dev of the package, but it should work if Suricata is in Inline mode.

    There are pros and cons to both packages... Just have to pick your poison... :)  Expect Snort to have inline also at some near future...

    OK, so I decided to run both just because it seemed like a good way to test your theory.  Mind you this is an (all Linux) home setup and not a large network. Motherboard GA-C1007UN, memory 4GB, dual-core Celeron (1.5 GHz), running 2.3 latest build x64 using re1 drivers.
    I have been running it since this post was put up, with the only error log showing the rules that Suricata does not like, which have already been discussed and were expected. Running Suricata with inline mode and basically default settings with SNORT rules and ET community.
    They both seem not to clash yet, with SNORT watching the WAN and Suricata my main LAN. Both have had upgrades from pfSense and still no problems as far as the logs show.  The number of processes used has bumped up some 17 or so, but the little processor seems fine, and the memory usage has also climbed up some, but overall nothing to concern myself with. Runs just as cool and the speed hit is not noticeable. Maybe Bill can jump in and tell me I am an idiot.. 0_o , but till then it seems to work out. Hope this puppy does not blow up.



  • So long as Suricata is run with inline IPS mode enabled, there will be no conflict as inline mode does use the snort2c pf table.  Snort does use that table, so if you try to switch Suricata over to legacy mode and still have Snort running, then they will conflict with that single pf table and unpredictable results can occur.

    Bill



  • @bmeeks:

    So long as Suricata is run with inline IPS mode enabled, there will be no conflict as inline mode does use the snort2c pf table.  Snort does use that table, so if you try to switch Suricata over to legacy mode and still have Snort running, then they will conflict with that single pf table and unpredictable results can occur.

    Bill

    "So long as Suricata is run with inline IPS mode enabled, there will be no conflict as inline mode does use the snort2c pf table."
    Just to make it clear here, I am assuming a typo at "inline mode does use the snort2c" to be "inline mode does not use the snort2c".
    So to sum up for anyone if I run Suricata with inline mode and Snort then they will not conflict at snort2c pf table.
    If I run Suricata in legacy mode and Snort together then they will indeed conflict with snort2c pf table and then I am an idiot.  :o
    Got it.
    Thanks bmeeks. Appreciate the work involved to keep these two monsters running.



  • @webtyro:

    @bmeeks:

    So long as Suricata is run with inline IPS mode enabled, there will be no conflict as inline mode does use the snort2c pf table.  Snort does use that table, so if you try to switch Suricata over to legacy mode and still have Snort running, then they will conflict with that single pf table and unpredictable results can occur.

    Bill

    "So long as Suricata is run with inline IPS mode enabled, there will be no conflict as inline mode does use the snort2c pf table."
    Just to make it clear here, I am assuming a typo at "inline mode does use the snort2c" to be "inline mode does not use the snort2c".
    So to sum up for anyone if I run Suricata with inline mode and Snort then they will not conflict at snort2c pf table.
    If I run Suricata in legacy mode and Snort together then they will indeed conflict with snort2c pf table and then I am an idiot.  :o
    Got it.
    Thanks bmeeks. Appreciate the work involved to keep these two monsters running.

    Yep…typo.  Should have said "inline mode does not use the snort2c" table.

    Bill



  • I had been running Snort (VRT rules in blocking mode) and Suricata (ET rules in inline mode) both on my WAN interface since 2.3 came out, seemingly without problems.

    Recently I noticed my WAN speeds were slow. Doing some troubleshooting, I can see that my CPU is often getting maxed out when doing a speedtest, downloading large files, etc.

    Currently my pfSense is a VM (I may switch to hardware one of these days when I get around to it…) with 2 cores. I'm going to try adding 2 more cores to see if that improves things.

    But what I'm trying to figure out is if anything changed recently that would cause it to slow down. I don't remember specifically testing it, but I'm sure I would have noticed previously if it had got as slow as it did recently.

    The only change I have made is upgrading to 2.3.1, but I'm not sure that these slow speeds coincided with that upgrade.


  • Moderator

    Depending on what rules you're using, probably going to eat memory like crazy… Is snort set to AC-BNFA-NQ?

    Run the following from the shell:

    ps auxww | grep "snort\|suricata"
    

    There should be only one PID per each IDS interface setting… Maybe you have some zombie PIDs that are eating away at your memory...
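A small POSIX sh helper, added here as an example and not part of this thread or of the pfSense Snort/Suricata packages, that turns the moderator's "one PID per IDS interface" rule into a check: it reads `ps auxww` output, groups snort and suricata processes by engine and capture interface, and prints any pair with more than one PID (a candidate zombie or duplicate instance). The `ps` lines below are constructed sample data; the only thing the parser relies on is the `-i <iface>` argument, which both snort and suricata accept, and the config paths in the sample are placeholders, not the real paths the packages generate.

```shell
#!/bin/sh
# Detect duplicate IDS instances per interface from "ps auxww" output.
# Added example; assumes each engine is launched with "-i <iface>".

# Constructed sample of what "ps auxww | grep 'snort\|suricata'" might print
# (placeholder PIDs and config paths; em1 deliberately has two suricata PIDs).
SAMPLE_PS='root 12345 0.0 5.1 123456 78901 - Ss 10:00 0:05.00 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_00000_em0/snort.conf -i em0
root 12400 0.0 8.2 234567 89012 - Ss 10:00 0:09.00 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/suricata_00000_em1/suricata.yaml
root 12410 0.0 8.1 234567 89010 - Ss 09:12 0:03.00 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/suricata_00000_em1/suricata.yaml
root 12500 0.0 0.0 1234 567 0 S+ 10:05 0:00.00 grep snort\|suricata'

# Read ps lines on stdin; print "<engine> <iface> <pid-count>" per pair, sorted.
count_per_iface() {
    awk '
        # Only real engine processes (binary ends in /snort or /suricata),
        # never the grep that produced the listing.
        /\/snort |\/suricata / && !/grep/ {
            engine = ""; iface = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /\/(snort|suricata)$/) { n = split($i, p, "/"); engine = p[n] }
                if ($i == "-i" && i < NF) iface = $(i + 1)
            }
            if (engine != "" && iface != "") c[engine " " iface]++
        }
        END { for (k in c) print k, c[k] }
    ' | sort
}

# Print only the engine/interface pairs that have more than one PID.
find_duplicates() {
    count_per_iface | awk '$3 > 1'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | count_per_iface
echo "--- pairs with more than one PID ---"
printf '%s\n' "$SAMPLE_PS" | find_duplicates
```

On the firewall itself, feed the helper live data with `ps auxww | grep "snort\|suricata" | find_duplicates`; an empty result means every configured interface has exactly one engine process, which is the state the moderator describes as expected.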



  • @BBcan177:

    Depending on what rules you're using, probably going to eat memory like crazy… Is snort set to AC-BNFA-NQ?

    It doesn't seem to be a memory issue, I can't test right now, but will do so later, but reported memory use is around 2GB when running both. (50% of 4GB total RAM). It seems to be CPU related based on my troubleshooting.



  • After doing some more testing it seems like I am never reaching my max internet speeds with Suricata inline mode, even with Snort stopped.

    I also started another thread (https://forum.pfsense.org/index.php?topic=113195.0) about slow speeds with Suricata inline mode in general. This other thread is on different hardware, different network and not running Snort concurrently.

