Notes: DO NOT simply pull out the RAM on a TBS-453DX. If you check the manual, it mentions that you press both sides of the RAM; there is a metal clip that will pop the RAM out. So DO NOT simply yank your RAM out from the get-go.
now testing suricata :}
Suricata is a free, open-source Intrusion Detection System (IDS) that can also act as an Intrusion Prevention System (IPS). It works by matching signatures and heuristics against network traffic. When configured only to warn about suspicious activity it is acting as an IDS; when it also blocks the traffic because of the malicious activity it is acting as an IPS. Here it is installed as a package on pfSense, a complete, enterprise-grade, open-source firewall and networking distribution based on FreeBSD.
https://www.youtube.com/watch?v=KRlbkG9Bh6I
What are the differences in the rule sets?
Community Ruleset program
The Community Ruleset is a GPLv2 Talos certified ruleset that is distributed free of charge without any Snort Subscriber Rule Set License restrictions. If you are a Snort Subscriber Rule Set Subscriber, the community ruleset is already built into your download. If you are a registered user (under the 30-day delay) you may also include this ruleset in your Snort installation to stay current. The authors of the rules in the community ruleset are listed in the AUTHORS file inside the tarball. This ruleset is updated daily and is a subset of the subscriber ruleset.
Registered
This ruleset is also free for use for individuals and businesses (however, Integrators may not use this ruleset). This ruleset is 30 days behind the Snort Subscriber Rule Set and does not contain zero-day threats under the "limited" provision of the Snort Subscriber Rule Set License. This ruleset does contain the Community ruleset. It is recommended that you use both the Registered Ruleset and the Community ruleset if you are not going to become a subscriber. This ruleset is generally updated on Tuesdays and Thursdays.
Subscriber
This is the full Snort Subscriber Ruleset, without delay. For more information on the Snort Subscriber Rule Set, please read our FAQ. This ruleset is also referred to as the "VRT Ruleset" or the "Talos Ruleset". This ruleset is generally updated on Tuesdays and Thursdays, but may be updated at any time to stay current with emerging threats.
https://www.youtube.com/watch?v=9QaM3b0Kd6M
*update
OK, got Suricata up and running. CPU and RAM usage seem OK so far, but I'll have to leave this running for a while to know for sure.
Did my config as suggested by Lawrence, but I couldn't get "IP Reputation Configuration" set up. It seems there is a separate requirement to get that to work for free users:
Assignment of a 'Categories File' is required when IP Reputation is enabled!
https://forum.netgate.com/topic/149946/ ... ion-help/5
bmeeks - Jan 27, 2020,
Suricata's IP reputation engine works nothing like Snort's. To use IP Reputation in Suricata you either need to manually build your own configuration files (it takes at least two) or subscribe to the very expensive IQRisk package from Proofpoint (formerly Emerging Threats).
You can find configuration information for IP Reputation in Suricata here: https://suricata.readthedocs.io/en/late ... ation.html. The link is to version 5.0.1, but 4.1.x works the same way.
The IP REP tab was originally put in place to support users with an IQRisk subscription from Emerging Threats.
There is a guide here to set that up for free users:
https://forum.netgate.com/topic/70170/t ... ueprint/12
A forum member, BBcan177, was kind enough to create a script containing the missing functions that are needed. The script was designed to keep Snort IP reputation lists up to date, but we'll adapt it to our needs.
We'll use aliases to keep a large number of IPs in a rule. This allows us to set up quick floating rules for a number of interfaces, keeping our per-interface ruleset to a minimum. Remember, incoming should always be blocked, outgoing should always be rejected. In the future, when you add an interface, instead of copying existing rules to that interface, you just edit the existing quick floating rules and CTRL+click the new interface and you are done.
If BBcan177 passes by this thread, please provide the script for public downloading. I do understand that the script is released under GPL, but I'm not willing to take credit for the script by providing the download.
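As an added example (this is not BBcan177's script and not part of any of the quoted posts), here is a small bash script that does the manual part bmeeks describes: it builds the two files Suricata's IP reputation engine needs, a categories file ("<id>,<short name>,<description>") and a reputation list ("<ip or cidr>,<category id>,<score 1-127>"), from a plain-text feed of IPv4 addresses/CIDRs, and prints the suricata.yaml keys and one iprep rule that use them. The category id and name (1, BlockList), the score of 100, the sample feed and the sid 9000001 are all assumptions; the directory is whatever path your pfSense Suricata package keeps its configuration in.

```shell
#!/usr/bin/env bash
# Added example: build Suricata IP reputation files from a plain IP/CIDR feed.
# Suricata needs (1) a categories file "<id>,<short name>,<description>" and
# (2) one or more reputation files "<ip or cidr>,<category id>,<score 1-127>".
# Category id/name, score and the sample feed below are assumptions, not taken
# from any real list.
set -euo pipefail

CATEGORY_ID=1
CATEGORY_NAME=BlockList

# write_categories <path>: one category line; add a line per feed you track.
write_categories() {
  printf '%s,%s,%s\n' "$CATEGORY_ID" "$CATEGORY_NAME" "Hosts from our blocklist feed" > "$1"
}

# build_reputation <feed> <out> [score]: keep only IPv4 addresses/CIDRs,
# drop blank and '#' lines, strip CRLF, de-duplicate, tag with category+score.
build_reputation() {
  local infile=$1 outfile=$2 score=${3:-100}
  tr -d '\r' < "$infile" \
    | awk -v cat="$CATEGORY_ID" -v sc="$score" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 "," cat "," sc }' \
    | sort -u > "$outfile"
}

# print_yaml <dir>: the suricata.yaml keys that point at the two files.
print_yaml() {
  cat <<EOF
reputation-categories-file: $1/categories.txt
default-reputation-path: $1
reputation-files:
 - reputation.list
EOF
}

# print_rule: an iprep rule. "any" checks src and dst, the category is given
# by its short name, and the rule fires when the score is above 90.
# sid 9000001 is a made-up local sid.
print_rule() {
  printf 'alert ip any any -> any any (msg:"IPREP %s hit"; iprep:any,%s,>,90; sid:9000001; rev:1;)\n' \
    "$CATEGORY_NAME" "$CATEGORY_NAME"
}

# Demo with a constructed feed (a CRLF line, a comment, a duplicate, junk).
demo_dir=$(mktemp -d)
printf '# constructed feed\n198.51.100.7\r\n203.0.113.0/24\nnot-an-address\n198.51.100.7\n' > "$demo_dir/feed.txt"
write_categories "$demo_dir/categories.txt"
build_reputation "$demo_dir/feed.txt" "$demo_dir/reputation.list"
cat "$demo_dir/categories.txt" "$demo_dir/reputation.list"
print_yaml "$demo_dir"
print_rule
rm -rf "$demo_dir"
```

Run it once from cron to refresh reputation.list, then restart Suricata so the new list is loaded; entries that are not IPv4 are dropped on purpose, so extend the awk pattern if your feed carries IPv6.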
https://forum.netgate.com/topic/110325/ ... -updated/2
Using Snort VRT Rules With Suricata and Keeping Them Updated
bmeeks Jan 17, 2017,
Suricata is compatible with most of the Snort VRT rules, and thus many users like to include the Snort VRT rules in their collection of rule signatures used with Suricata. However, using Snort VRT rules with Suricata requires understanding and working with two key points. First, obviously Suricata is not Snort; and thus while it is compatible with most legacy Snort rule options, there are some newer Snort rule keywords/options that Suricata will not recognize. Suricata will print errors in the suricata.log file when encountering rules like this. Luckily, unlike Snort which will quit when encountering a rule syntax error, Suricata will skip the offending rule and keep on loading the next one.

The second major point to understand is that Snort VRT rules are versioned and tied to a specific Snort binary version. So you must run 2.9.8.3 rules with the 2.9.8.3 Snort binary. For instance, the only rules package that will work with Snort version 2.9.8.3 is snortrules-snapshot-2983.tar.gz. If you manually download a different rules snapshot version and attempt to use it with Snort 2.9.8.3, the rules load will fail.

Warning: do not attempt to use the Snort3 rules with Suricata! If you enable the Snort 3.0 rules download, you will break your Suricata package install completely and the only way to recover will be to delete the package and install it again. You've been warned ...
The Snort package on pfSense automatically determines the correct Snort VRT rules snapshot update to use because it knows what version of the Snort binary is running. Suricata can't know that. Nor does Suricata have any way of determining what the "latest" version of Snort might be. The Suricata package depends on you to tell it what Snort VRT rules snapshot file to download. You do this on the GLOBAL SETTINGS tab when you enable use of the Snort VRT rules. There is an input box where you should type in the Snort VRT rules snapshot filename. Enter just the filename. Do not enter a URL and do not enter your Oinkcode here! This filename parameter tells Suricata which snapshot file to download for the daily rule updates.
It follows from the above that it is also incumbent upon the admin user to keep up with changes in the Snort binary and resulting rules snapshots so the rules snapshot filename Suricata uses is updated when necessary. For instance, recently Snort has posted a new 2.9.15.1 binary version and associated rules snapshot. Suricata can use the updated rules in the new 2.9.15.1 rules snapshot file (snortrules-snapshot-29151.tar.gz for the 2.9.15.1 Snort binary), but it won't download that file until you tell it the name on the GLOBAL SETTINGS tab. Also, if you forget to change the value on the GLOBAL SETTINGS tab, then when the file version specified there goes end-of-life and is pulled by the Snort team, Suricata's Snort Subscriber Rules updates will start failing. So if you are using Snort Subscriber Rules with Suricata, set some kind of external reminder in your email or on your smartphone to prompt you to check the www.snort.org site once a month to see if updated versions of the Snort Subscriber Rules snapshot files have been posted, and update the Snort Subscriber Rules snapshot filename on the GLOBAL SETTINGS tab in Suricata.
Bill
Other than Lawrence's and Wendell's Suricata guides, I couldn't find any other good Suricata setup guide. I had to resort to non-English guides, but it's manageable with auto-translate.
In this video he highlights exactly the problem with using Snort v3 rule sets with Suricata. Make sure you DO NOT use Snort v3, or you will have BIG problems. In all fairness, even the pfSense GUI has notes pointing this out (more reason to pay careful attention to the pfSense notes in the settings UI). He has some very good info and details that were hard to find elsewhere, explained simply (step-by-step process).
https://www.youtube.com/watch?v=SobzXrDOnm8
https://forum.netgate.com/topic/121082/ ... rop-only/3
Enabling the new option for "Block on DROP Only" is only 50% of what is required. You must individually modify the rule action keyword from ALERT to DROP for those rules which you want to now "block" in the new mode. This is the way things work with the Inline IPS Mode. This new mode of operation is actually how all major IPS hardware operates – namely only selected rules drop or block traffic, and all the other rules just produce alerts with no blocks.
I don't mean to sound harsh with this reply, but if you can't answer this question then using the new mode may not be suitable for you yet. Read up on rule signatures and various attack traffic types and methods to gain some knowledge about the blackhat hacking craft. As you gain experience in that arena, the answer to your question will become more obvious.
One easy shortcut for beginners is to subscribe to the Snort VRT ruleset. Next, on the CATEGORIES tab in Suricata, check the box to use IPS Policy and select a policy. For beginners, I strongly recommend starting with "Connectivity". This provides basic protection from most really bad stuff while at the same time not being overly aggressive with false positives. Underneath the drop-down where you choose the IPS policy is another option for choosing the Policy Mode. Set that to "Policy" in order to use the suggested rule action contained in the IPS Policy metadata provided by the Snort VRT folks. When set to "Policy" mode, Suricata will automatically change the rule action to match that suggested by the rule metadata. There is some help text on the screen to explain the options. To gain a better understanding of IPS Policies inside the Snort rules, try a few searches on Google.
Bill
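As an added example (not from the quoted post and not the pfSense package's own code), here is what "Policy" mode does under the hood, as a bash/awk script: it rewrites the action of an alert rule to drop when the rule's Snort metadata carries "policy <name>-ips drop" for the chosen policy (connectivity, balanced, security or max-detect) and leaves every other rule as alert, which is the "only selected rules block" behaviour described above. The four rules below are constructed (local sids 1000001-1000004) but follow the real metadata format; the function reads rules on stdin so it can be pointed at a real .rules file.

```shell
#!/usr/bin/env bash
# Added example: apply a Snort IPS policy to a rules file by changing the
# action of rules the policy marks as "drop". Rules not marked for this
# policy keep "alert" and only generate alerts. Sample rules are constructed.
set -euo pipefail

# apply_ips_policy <policy>  (rules on stdin, rewritten rules on stdout)
# Only enabled rules (line starts with "alert") are touched; commented-out
# rules ("# alert ...") are left alone.
apply_ips_policy() {
  local policy=$1
  awk -v pol="$policy" '
    /^[[:space:]]*alert[[:space:]]/ && index($0, "policy " pol "-ips drop") {
      sub(/^[[:space:]]*alert/, "drop")
    }
    { print }'
}

# count_drop_rules <policy>  (rules on stdin): how many rules would block.
count_drop_rules() {
  apply_ips_policy "$1" | grep -c '^drop ' || true
}

# Constructed rules (not real Talos signatures; sids are in the local range).
# Rule A drops under all three policies, B under balanced/security only,
# C under security only, and the fourth is commented out so it never changes.
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED example rule A"; flow:to_server,established; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED example rule B"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED example rule C"; metadata:policy security-ips drop; sid:1000003; rev:1;)
# alert udp any any -> any 53 (msg:"CONSTRUCTED disabled rule"; metadata:policy connectivity-ips drop; sid:1000004; rev:1;)'

# Demo: show what the Connectivity policy would block from the sample rules.
printf '%s\n' "$SAMPLE_RULES" | apply_ips_policy connectivity
```

Running the same input through connectivity, balanced and security gives 1, 2 and 3 dropping rules respectively, which is the practical meaning of bmeeks's advice to start with Connectivity: it converts the fewest rules to drop, so a false positive is far less likely to block traffic.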
https://forum.netgate.com/topic/141743/ ... nterface/3
bmeeks Mar 20, 2019,
For someone new to an IDS/IPS, here is my recommendation.
Configure Snort on your LAN interface only. There is generally no extra security obtained by putting an instance on your WAN as the WAN, by default in pfSense, drops all unsolicited inbound traffic anyway.
Do NOT configure blocking at first. Just use the default IDS (detection-only) mode for at least two weeks and potentially a month so you can see what alerts happen on your network. This lets you investigate and weed out false positives without getting frustrated because things get blocked.
Register for either a free or paid ($29.99/year for paid) Snort Subscriber Rules Oinkcode. There is a link for that on the GLOBAL SETTINGS tab when you click the checkbox to enable the Snort Subscriber Rules. For convenience, here is another copy of the link: https://www.snort.org/products#rule_subscriptions. Once you have done this, go to the UPDATES tab and force a rules update so your Snort Subscriber Rules will download.
Edit the LAN interface in Snort and go to the CATEGORIES tab. Check the box to use an IPS Policy and then choose IPS-Connectivity in the drop-down selector. This is an excellent starter policy that offers very good protection with hardly any false positives. Save the change then start Snort on the LAN interface (or restart it if it was already running).
Sit back and study the alerts you receive by periodically reviewing the ALERTS tab. It is likely you will get some false positive alerts from the HTTP_INSPECT preprocessor rules. Here is a link to an older thread about Suppression Lists and using the SID MGMT tab to control false positives: https://forum.netgate.com/topic/50708/s ... lesid-conf. Remember that with Snort, once blocking is enabled, every alert you see could have resulted in a block of host traffic. This is why you examine the alerts and suppress or disable those rules which are firing on benign traffic in your environment.
After you get the rule set tuned up, you can go back and enable blocking mode. If things are smooth, then you can bump up your IPS Policy to IPS-Balanced and see how that works for you. I do not recommend folks use the IPS-Security policy as that one enables a bunch of extra rules that are highly prone to false positives (especially in home networks). You can also choose to start using some of the free Emerging Threats rule categories by going back to the GLOBAL SETTINGS tab and enabling the Emerging Threats Open rules. You would then add those rule categories to your ruleset back on the CATEGORIES tab for your LAN interface.
https://www.reddit.com/r/Ubiquiti/comme ... ps_alerts/
https://www.reddit.com/r/PFSENSE/commen ... ta_alerts/
So yeah.... as a pfSense newbie, I think I'll stick to basic settings for now.
Most of the default rules update automatically, but for Snort it seems I have to check each month whether to change to a new Snort snapshot filename as basic maintenance. I don't mind that too much.
In troubleshooting Suricata, I identified something I was blocking which shouldn't have been. You have to go to Alerts, then whitelist the host IP, or disable a rule. When you do that, it takes 15-20 seconds for the rule to apply, so you can't browse away from that page until 15-20 seconds have passed, AFAIK. I tried clicking Save but that didn't seem to do jack if I refreshed too soon.
*update
After further testing, I'm not sure the Intel Celeron is cutting it for Suricata. During regular browsing and Netflix streaming, everything is fine. CPU is under 50-60%.
But when I begin maxing out my allotted ISP bandwidth (DL/UL), that is when the CPU pegs at 100%.
Not happy with that, because it feels like my speed is being throttled somewhat, I suspect under that kind of max load on the CPU. At least from what I read, if it hits 100% that's not good.
https://forum.netgate.com/topic/70170/t ... eprint/205
So for now I'll just leave it running a few days to see what it does, then roll back to just using pfBlocker, which seems to be enough for me.
I don't port forward, so I don't reckon I need this, do I?
*update
Further testing.
To simulate max load, I downloaded a bunch of torrents at the same time.
Broadband package is 100 Mbps = 12.5 MB/s for DL, and 50 Mbps UL.
I only managed to get 10 MB/s on VPN.
It does fine for a bit, but later it hits 100% and then the router acted funny. The torrent connections got cut, and the router's WAN connection seemed to have died or something, not sure. But it's apparent that on the Intel Celeron, 3 cores allocated for Suricata wasn't sufficient.
With casual browsing and not maxing out my connection, it's usable. But I'd rather be able to max out my paid-for speed without worrying about the router dying on me.
Without Suricata (I reverted to an older snapshot prior to installing Suricata), using only pfBlocker, I get similar speeds. But equally importantly, it remains stable without the router crashing or any weird connection drops. CPU usage is also below 20% load.