Re: [pfSense] Snort or Suricata

2016-06-13 Thread Daniel Eschner
I am running it now like this.
I will push all alerts to my Kibana now and check that for a couple of 
weeks to get a good overview.


> On 13.06.2016 at 21:48, compdoc wrote:

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Snort or Suricata

2016-06-13 Thread compdoc
> How do you have Snort configured to differentiate between incoming and 
> outgoing traffic?

I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the 
problem. It watches any HTTP traffic, which is mainly outgoing in our case. 

On the Services / Snort / Interfaces page, edit your interface. And then click 
the 'WAN Preprocs' tab. 

I used to just disable HTTP Inspect, but at some point in time snort in pfSense 
started displaying a large warning. 

So, in that section there's a 'Server Configurations' option. I have one 
configuration named 'default', and you might have the same. 

Edit default, and there's a Ports area where you specify an alias which 
contains the ports snort should watch for HTTP traffic. I use port 10, but it 
can be any unused port. Now snort listens on port 10 for HTTP traffic and never 
hears any. 

Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I 
enable. I think I leave most of the other options on defaults.

Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats 
(ET) Rules, and a list named 'emerging-compromised-ips.txt' on the IP Lists tab. 

However, I edit the snort interface and check 'Use IPS Policy' and then choose 
'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides 
which one of the rulesets it will use.

Occasionally, as rules get updated snort will start blocking something that it 
wasn't blocking before, and you have to add those rules to the suppress list. 
This doesn't happen too often, though. 

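Daniel's plan to review alerts in Kibana for a few weeks and compdoc's habit of adding noisy rules to the suppress list come down to the same triage step: rank the signatures that fire, tell inbound from outbound, and suppress the noisy ones as narrowly as possible. The Python below is an added example for this thread, not code from the pfSense Snort package or from anyone posting here. It parses Snort's alert_fast log format, tags each alert as inbound or outbound relative to an assumed LAN (192.168.1.0/24), and drafts threshold.conf-style suppress entries scoped with `track by_src` to that LAN, so a signature that is noisy on outgoing traffic still alerts when it matches incoming traffic. The sample alert lines, addresses and SIDs embedded in it are constructed for illustration.

```python
"""Rank Snort alert_fast alerts by signature and direction, then draft narrowly
scoped suppress entries. Added example for this thread; not pfSense package code.
The alert lines, addresses and SIDs below are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# alert_fast line: TS  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # preprocessor alerts may omit this
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not captured data). 192.168.1.0/24 is the assumed LAN.
SAMPLE_ALERTS = """\
06/13-21:48:01.101234  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
06/13-21:48:02.201234  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51240 -> 203.0.113.10:80
06/13-21:48:03.301234  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.21:51241 -> 203.0.113.11:80
06/13-21:48:04.401234  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51242 -> 203.0.113.12:80
06/13-21:48:05.501234  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.168.1.20
06/13-21:48:06.601234  [**] [1:2008578:3] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.8:5060 -> 192.168.1.20:5060
"""

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the protected LAN


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "priority": int(g["pri"]), "proto": g["proto"],
        "src": g["src"], "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"], "dport": int(g["dport"]) if g["dport"] else None,
    }


def parse_alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]


def direction(alert, local_nets=LOCAL_NETS):
    """Classify an alert relative to the local nets (inbound/outbound/internal/external)."""
    src_local = any(ipaddress.ip_address(alert["src"]) in n for n in local_nets)
    dst_local = any(ipaddress.ip_address(alert["dst"]) in n for n in local_nets)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "internal" if src_local else "external"


def summarize(alerts, local_nets=LOCAL_NETS):
    """Count alerts per (gid, sid, msg, direction): the view to review before suppressing."""
    counts = Counter()
    for a in alerts:
        counts[(a["gid"], a["sid"], a["msg"], direction(a, local_nets))] += 1
    return counts


def draft_suppressions(alerts, local_nets=LOCAL_NETS, min_hits=3):
    """Draft 'suppress' entries (Snort threshold.conf syntax) for signatures that
    fire repeatedly on outbound traffic. 'track by_src, ip <lan>' limits the
    suppression to local sources, so the signature still alerts on inbound hits."""
    lines = []
    for (gid, sid, msg, dirn), n in sorted(summarize(alerts, local_nets).items()):
        if dirn != "outbound" or n < min_hits:
            continue
        lines.append(f"# {msg}: {n} outbound hits")
        for net in local_nets:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {net}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg, dirn), n in summarize(alerts).most_common():
        print(f"{n:4d}  {gid}:{sid}  {dirn:8s}  {msg}")
    print("\n".join(draft_suppressions(alerts)))
```

Point it at the alert file the Snort package writes for the interface and the drafted lines can be pasted into that interface's suppress list, which takes Snort's own suppress syntax. Scoping by source network is deliberate: it keeps a preprocessor signature such as an http_inspect event live for inbound traffic instead of silencing it everywhere, and a suppress entry only drops the alert, so the rule still costs CPU to evaluate.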

Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
When we first started experimenting with Suricata we had pfSense running on a 
very old PC...XP era probably, and I'd guess 10-15 years old.  When running, 
Suricata did seem OK and not too CPU or RAM intensive but Suricata did simply 
stop working now and again.  That hasn't happened since using newer hardware 
with a faster CPU, though we've also upgraded pfSense since then.  We haven't 
had any such issue elsewhere.

I would expect that higher traffic would definitely benefit from 
multithreading, hence our choice of Suricata over Snort.

The one issue we had with Suricata is on a CARP setup, where the sync would 
fail and crash the web service and/or PHP on the second router.  I had tried to 
disable a lot of rules (some of the rulesets have hundreds) that didn't apply, 
and that took forever since it tried to sync each time.  Later I found all 
those rules were enabled again, and we haven't had the problem lately.  My 
guess is the more individual rules that one disables, the longer it takes to 
sync, and the larger sync info is.  Then at some point something crashed and 
reset the rules to not have any disabled, after which the sync is smaller.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Snort or Suricata

2016-06-13 Thread Karl Fife
With as many rules as an IDS/IPS would evaluate for each packet, it 
seems that a multi-threaded option would be an obvious choice, 
especially on modern multi-core quasi-embedded systems (e.g. 
Rangeley/Atom) with lower absolute clock speeds.  Otherwise it seems you 
might become effectively CPU bound given modern uplinks and applications 
(e.g. captive portal, multi-lan etc), thus introducing jitter and 
reduced throughput.


Is this consistent with anyone's real-world observation/testing?






Re: [pfSense] Snort or Suricata

2016-06-13 Thread Daniel Eschner
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?

Mhh, I didn't configure anything. I just put the rules on my WAN interface. Maybe I 
have to spend more time and read more documentation on it.



Re: [pfSense] Snort or Suricata

2016-06-13 Thread Jeff H
On Sun, Jun 12, 2016 at 7:32 PM, compdoc wrote:

> I've never tried suricata so I can't say if it's better, but snort works
> pretty well. There is one problem with snort, however. It can watch
> incoming traffic as well as outgoing traffic.
>
> But when snort watches outgoing traffic, it flags and blocks almost
> everything. That's too much trouble for me, so I have snort set up to only
> watch incoming traffic.
>
> Even then, you will have to watch the alert and blocked lists to make sure
> it doesn't block sites you need. That doesn't happen too often, though.
>
> When it does happen, you just click to add those rules to the suppress list
> and remove the IP addresses from the blocked list.

How do you have Snort configured to differentiate between incoming and
outgoing traffic?


Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
See if disabling the stream-events.rules ruleset helps.  The web forum had some 
references about that being incompatible with the pfSense implementation.  If 
memory serves, it's because Snort/Suricata see copies of packets not the actual 
stream so they are often processed out of order.

When I looked a while back it seemed like Snort and Suricata were similar but 
Snort was single thread and Suricata could multi-thread.

https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
http://wiki.aanval.com/wiki/Snort_vs_Suricata

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Sunday, June 12, 2016 1:57 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] Snort or Suricata

Hi there,

I installed Snort and let it run with the Snort Community Rules and ET Rules.
I get tons of false positive alerts.

Maybe Suricata is better? What are the differences?

It seems that only the ET rules have no or very few false positives.

Cheers

Daniel