How To Secure pfsense with Snort: From Tuning Rules To Understanding CPU Performance

  • Published: 12 Jun 2024
  • lawrence.video/pfsense
    Suricata VS Snort
    www.netgate.com/blog/suricata...
    Cisco Small Business Switch Review
    • Cisco Small Business R...
    Connecting With Us
    ---------------------------------------------------
    + Hire Us For A Project: lawrencesystems.com/hire-us/
    + Tom Twitter 🐦 / tomlawrencetech
    + Our Web Site www.lawrencesystems.com/
    + Our Forums forums.lawrencesystems.com/
    + Instagram / lawrencesystems
    + Facebook / lawrencesystems
    + GitHub github.com/lawrencesystems/
    + Discord / discord
    Lawrence Systems Shirts and Swag
    ---------------------------------------------------
    ►👕 lawrence.video/swag/
    AFFILIATES & REFERRAL LINKS
    ---------------------------------------------------
    Amazon Affiliate Store
    🛒 www.amazon.com/shop/lawrences...
    UniFi Affiliate Link
    🛒 store.ui.com?a_aid=LTS
    All Of Our Affiliates that help us out and can get you discounts!
    🛒 lawrencesystems.com/partners-...
    Gear we use on Kit
    🛒 kit.co/lawrencesystems
    Use OfferCode LTSERVICES to get 10% off your order at
    🛒 www.techsupplydirect.com?aff=2
    Digital Ocean Offer Code
    🛒 m.do.co/c/85de8d181725
    HostiFi UniFi Cloud Hosting Service
    🛒 hostifi.net/?via=lawrencesystems
    Protect your privacy with a VPN from Private Internet Access
    🛒 www.privateinternetaccess.com...
    Patreon
    💰 / lawrencesystems
    Time Stamps
    00:00 - How To Setup Snort on pfsense
    00:37 - Install and basic setup
    03:32 - Snort on WAN interface
    04:47 - Creating Interfaces to Snort
    06:24 - Examining Alerts and How They Are Triggered
    09:36 - How Encryption Blinds Intrusion Detection
    10:53 - Security Investigations and Tuning Rules
    12:46 - Rule Suppression
    15:53 - Snort CPU Requirements and Performance
    19:55 - Some final notes on processors and rules
  • Science

Comments • 79

  • @brett-m
    @brett-m 7 months ago +36

    Tom, the quality of your content is just simply amazing; the explanations of what, when, why & how are extremely helpful. You really are a credit to this community. Thank you. 👍

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +4

      Wow, thank you!

    • @dabneyoffermein595
      @dabneyoffermein595 6 months ago +1

      @@LAWRENCESYSTEMS Hi Tom! Do you think pfSense on an old Dell Precision quad core would run OK? It's got 24GB RAM; here's what BSD (pfSense) says about my CPU: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: No
      QAT Crypto: No

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 6 months ago +1

      @@dabneyoffermein595 yes

    • @dabneyoffermein595
      @dabneyoffermein595 6 months ago +1

      @@LAWRENCESYSTEMS Thank you, sir. It means a lot that you get back to people (forever subscriber!)

  • @dastpaster
    @dastpaster 7 months ago +7

    The most comprehensive tutorial on pfSense on YouTube. Thank you very much for your hard work.

  • @FDVFPV
    @FDVFPV 7 months ago +3

    As always, an excellent video. Thanks to your videos, I can now handle our small IT department with as much understanding and testing as possible.

  • @XSTAYUPX
    @XSTAYUPX 7 months ago

    Amazing Video! The Content just gets better and better!

  • @dstdg18
    @dstdg18 7 months ago +1

    This video could not be better timed; I just had the itch to work on IT security at home again. Much appreciated for the work you do, Tom!

  • @itszachcarter8370
    @itszachcarter8370 7 months ago

    Hi Tom! Thanks for the great video!

  • @michaelsims7728
    @michaelsims7728 7 months ago

    Thank you for this video! I tried Snort, but it blocked a lot of stuff I didn't want it to... This video helped out a ton!

  • @FerdinandUribe
    @FerdinandUribe 7 months ago +1

    Great vid as always.
    I set up Suricata on my HP T620 Plus box I built. It was constantly at 100% CPU. Building a new router now to handle it. But then again, I do run a lot of other stuff on that router.

  • @BeardyAllen
    @BeardyAllen 7 months ago

    Hey Tom,
    Great Tutorial as always :)

  • @Shadoweee
    @Shadoweee 7 months ago

    Great as always! Thanks Tom!

  • @robmead3130
    @robmead3130 7 months ago

    You're my hero, Tom, thanks for the great video!

  • @chrisslaunwhite9097
    @chrisslaunwhite9097 7 months ago

    Amazing Video Tom, thanks!

  • @drreality1
    @drreality1 7 months ago

    Great tutorial as always 😃

  • @TheJensss
    @TheJensss 7 months ago

    Great video!
    It would be helpful to have a video explaining best practices to secure a small business environment or a home lab that has publicly accessible self-hosted services like web servers, mail servers, game servers, media servers, etc., and how Snort or Suricata can be used to detect and stop intrusion and hacking attempts and block generally “bad” traffic towards your services.

  • @WebbedPete
    @WebbedPete 7 months ago +2

    Tom, a reality check on the "slow" Celeron processor you're using there: it may not be all that quick for general-purpose work, but in my experience it has key capabilities that are far more important for good performance in modern data flow and packet analysis: the CPU has all of the latest *hardware* instructions enabling high performance. No need for software-based encryption, etc. This can be seen in two ways:
    1) Scroll down on the Passmark page you showed. This CPU can encrypt/decrypt at 1.7GB/sec. That's a one-number summary telling me it will be Just Fine. :-D
    2) I always search online for ark + CPU name. The Ark link for this Celeron CPU is given below. Scroll to the end of the page. It has AES-NI (most crucial), plus all of the VT-* instructions, which enable rapid context switching (yes, and VMs ;) ), and scrolling up a bit, SSE4.2, a rather advanced/modern set of instructions.
    Compare this, for example, to the Core i7-860. Also Passmark 2974 (same as the J4125). It even is 4 core, 8 thread! BUT: no AES-NI. Data encryption speed: 551MB/sec, about 1/4 of the J4125. Most likely it would be inadequate for gigabit. (This is why no Raspberry Pi can come close...)
    J4125 on Ark: ark.intel.com/content/www/us/en/ark/products/197305/intel-celeron-processor-j4125-4m-cache-up-to-2-70-ghz.html

  • @mikescott4008
    @mikescott4008 7 months ago

    Thank you, Tom, for the informative video as ever. At the beginning you mentioned you don't enable it for the WAN interface, which makes sense if you've not got ports open, etc. However, if you are hosting things with ports open, you enable it but have to spend the extra time refining and tuning the rules, etc.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago

      It will examine the interface that the things you are hosting are on.

  • @_R_o_n_a_l_d_
    @_R_o_n_a_l_d_ 7 months ago

    Tom is THE pfSense authority on the web/YouTube.

  • @fredresource2661
    @fredresource2661 28 days ago

    Great video!

  • @rogerjenson5689
    @rogerjenson5689 2 months ago

    Excellent explanation! I wish I had this when I was a new Information Security analyst. Oops, that was before YouTube. I learned it anyway, so I know that this video is spot on.

  • @avoavoavo
    @avoavoavo 1 month ago

    My hero, thank you so much!

  • @michaelcarson8375
    @michaelcarson8375 7 months ago +6

    YouTube has annoying popups about ad blockers now, so since that pause STOPs the video altogether, expect views to go down at some point. I was the first upvote, and that's a first for me. Thank you for this video about Snort, I needed that.

  • @Mrtom40
    @Mrtom40 7 months ago

    Mate, good vid as always. Do you have a vid on QoS?

  • @shawndamon3055
    @shawndamon3055 4 months ago

    Again very informative! Just wondering what sort of tips you have if I were to have multiple VLANs against this interface? I am using the UniFi switches. Ideally I want to be as tight on rules with my IoT devices and guest networks as possible and allow my main LAN servers that would constantly be doing stuff, but for my main LAN I would force-disable the lesser of these rules?

  • @boneappletee6416
    @boneappletee6416 7 months ago +1

    Fantastic video! :)
    You mention that several services are self-hosted at your offices. Do you also self-host an open-source remote desktop service for internal use, and if so, which? Would love a video from you showing the service and suggested setup. :D

    • @lcplPoop
      @lcplPoop 6 months ago

      Do you mean remote management (and access) like TeamViewer, or simply RDP? RDP would work in your OS when connected to the VPN.
      I'd recommend looking up RustDesk for the former, and I also wouldn't mind a video about it, even though I'm already using it.

  • @PowerUsr1
    @PowerUsr1 7 months ago +2

    Interesting video again, Tom. Thank you. Question:
    How does one decide which interface should have Snort/Suricata enabled? Do I want it watching on my guest network? Surely my DMZ. What's the checklist one should go through to decide?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +3

      Do you care about or want to manage the alerts on the guest networks?

    • @PowerUsr1
      @PowerUsr1 7 months ago +3

      @@LAWRENCESYSTEMS lol I don’t

  • @rommeljjimenez
    @rommeljjimenez 7 months ago

    Hello Tom, you should have done one for Suricata, since you already have done a couple with Snort. Great content. Congrats. Thank you.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +3

      My old videos were on Suricata, not Snort.

    • @rommeljjimenez
      @rommeljjimenez 7 months ago

      Oh, good to know, Tom. I will take a look at your videos... @@LAWRENCESYSTEMS

  • @dh-no2ke
    @dh-no2ke 6 months ago +1

    This was interesting, but what I would like to know is what kind/size of network needs this. I have just a small home network; it's basically only myself on it, both wired and wireless connections, and a bunch of IoT devices. Are IoT devices a trigger for using this kind of security? Is this even necessary for this type of network? What threats should a small home network be concerned about vs. a larger business network? Maybe you have this, but a higher-level discussion on the type of threats and security technology a home network should deploy, particularly concerning IoT devices, would be welcome.

  • @be-kind00
    @be-kind00 7 months ago

    Do you have videos on protecting endpoints?

  • @aperson1181
    @aperson1181 3 months ago

    Hello, I am new to this thread and was not sure where to post. I used an EdgeRouter ER-X, but it's now not working. Any all-wired modem recommendations, please?

  • @friendlyinetuser5023
    @friendlyinetuser5023 7 months ago

    Tom, I'm interested to know your opinion on OPNsense vs. pfSense. Which would you recommend? Thanks!

  • @philippemiller4740
    @philippemiller4740 7 months ago +1

    Thanks Tom! What about Snort vs. Suricata? 🤔

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +1

      Suricata VS Snort
      www.netgate.com/blog/suricata-vs-snort

  • @ignasnarbutas5645
    @ignasnarbutas5645 5 months ago

    I was hoping you would mention that Snort on pfSense is only single-threaded, because it is still v2. So the CPU load that you monitored would not show all threads loaded by Snort. With the J4125's 4 cores/threads, Snort would only use 1 thread, or 25%.

  • @FCB19873
    @FCB19873 7 months ago

    So having pfSense/Snort on a VM with 4 vCPUs and 8 GB RAM will fly like a jet.

  • @dtumrgaming3092
    @dtumrgaming3092 7 months ago

    Hello sir. I want to ask about pfSense and Snort. I am studying attacks on the LAN port on pfSense. I have a PC with 2 NICs (LAN and WAN) that has pfSense installed, and I installed the Snort package. After that, I connected the LAN port to the hAP lite (ID: RB941-2n0-TC) on port 1; on ports 2 and 3 I connected the laptop and the PC. I tested the attack from the laptop to the PC, but it couldn't be read. But from the laptop to the PC, pfSense is read. How do I get Snort to read attacks from my laptop to my PC? I ask for your help. Thank you.

  • @wadecayton1049
    @wadecayton1049 7 months ago

    Would you still run these if you have EDR running? Seems like a lot of tweaking if they are performing similar functions. Do you enable these for your clients or only for specific reasons?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago

      We run SentinelOne, Huntress, and Blumira for our clients.

  • @collectorguy3919
    @collectorguy3919 7 months ago

    It's hard to understand the value of something when it starts off with many false alarms, and your first actions are to suppress most of them. This is not a criticism of Snort; it's a limitation of human nature and the reality of calibrating detection of rare events that can vary a lot. I'm left wondering if there will be much left to detect anomalies after the tuning phase, even without considering the effect of TLS. Is there a special test, similar in principle to the EICAR anti-virus test file?

  • @RK-ly5qj
    @RK-ly5qj 7 months ago +3

    Tom, TLS 1.3 can be intercepted on L7 NGFWs :)

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +2

      They can only if they have a trusted certificate installed in each device that is connected and break the TLS 1.3 perfect forward secrecy.

    • @RK-ly5qj
      @RK-ly5qj 7 months ago

      @LAWRENCESYSTEMS Yes, that is completely true. This is a must-have if you want to do SSL inspection.
      This gives you a 100% look into the payloads. With that being said, you are much more aware of what's happening. DPI is done by good endpoint protection software ;)

    • @hescominsoon
      @hescominsoon 7 months ago

      The problem with TLS inspection is that many sites can detect it and will break. Then you start having to build an exceptionally long list of exceptions to TLS inspection. By the time you get done building that list, you are allowing about 80 to 90% of encrypted traffic to pass through. So the trouble you have to go through to break the encryption to inspect the traffic really isn't worth it. The best way to do traffic inspection is at the client side. The days of unified threat management at the edge are long since gone.

    • @RK-ly5qj
      @RK-ly5qj 7 months ago

      @hescominsoon It's not true what you said about exceptions, etc. Licensed devices have all the DPI things very well implemented, and yes, there are some sites that will tell you "hey, you can't see what's inside" (gov and banks), but all the rest is barely noticeable, so definitely not 50% or even 80%. Have a licensed device; this is what you are paying for. Someone spent time and resources to make it work as expected.
      Doing DPI on endpoints is exactly the same situation ;)

    • @hescominsoon
      @hescominsoon 7 months ago

      @@RK-ly5qj Unless you're breaking the encryption, you're not going to see anything. And in my experience, from when TLS was first started until today, even with you running trusted certificates, banks and many financial sites can still detect the interception and will break and stop you from accessing them. So that's the main reason I don't worry about Suricata or Snort at the edge. It's not worth it to intercept TLS for the problems that it's going to cause. Now, if your experience is different, that's great, but mine continues to be the same over a decade later, since encrypting everything first began to be a thing 🙂

  • @impactsoft2928
    @impactsoft2928 7 months ago +3

    But if you can install such a great firewall and still get attacked by ransomware, don't you think that's such a waste? Can such a pfSense firewall be topped up with some anti-ransomware at the endpoint? Since you are an expert in this field, I would appreciate it if you came out with a video on full firewall protection and ransomware protection. Thank you.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +5

      Firewalls are not the right tool to stop ransomware.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +1

      @@impactsoft2928 As I stated above, firewalls are not the right tool to stop ransomware. Endpoint protection tools are the way to do that here in 2023.

  • @Myst876
    @Myst876 3 months ago

    Can I use both LAN and WAN for Snort, sir?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago

      Yes

    • @Myst876
      @Myst876 3 months ago

      @@LAWRENCESYSTEMS How can I do it, sir? Is it the same config as for WAN?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago

      @@Myst876 Yes, just choose that interface

    • @Myst876
      @Myst876 3 months ago

      @@LAWRENCESYSTEMS Thank you, sir, I appreciate your help.

  • @MladenMarinov
    @MladenMarinov 7 months ago +1

    Cool... played with that a few years back. Unfortunately, if there's not much to protect (my case), it's not worth the resources... but in a middle-sized network and small business, it works fine. However, this has never been a solution for a guy who is not a network or Linux admin (or at least a geek/enthusiast).
    If you want it set up properly, catch someone who knows what he is doing.
    (Well, we can exclude most of the people here :-) IMHO)

    • @graysonpeddie
      @graysonpeddie 7 months ago

      I don't have much to protect in my network either, and I have no use case for IDS/IPS. Currently I have Pi-hole set up in my network in order to avoid any kind of malicious advertisements, and I use NoScript in Firefox to prevent bad code from getting into my web browser of choice. This may not be related to IDS/IPS, but when it comes to email, especially phishing emails, I have about 250 email addresses, and my email provider, StartMail, allows me to create as many aliases as I want that forward to my main inbox. I'm not taking any chances when it comes to protecting the devices in my network, and that is the reason why I do not need an IDS/IPS.

  • @matldn2697
    @matldn2697 7 months ago

    Great video; can you do one for Suricata?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago

      ruclips.net/video/S0-vsjhPDN0/видео.html

  • @micturatedupon
    @micturatedupon 7 months ago +1

    Isn't it ironic that Tom has a video about Snort while he sounds terribly congested?

    • @XSTAYUPX
      @XSTAYUPX 7 months ago

      *APPLAUSE*

  • @jacksoncremean1664
    @jacksoncremean1664 7 months ago +1

    Coming from the ModSecurity world, it's considered bad practice to outright disable the rules; you're supposed to disable a rule with another rule only under certain conditions. Outright disabling rules seems like a bad idea; after all, those rules were created for a reason and not just for the sake of annoying you. Is this not common for NIPS solutions?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 7 months ago +3

      Some rules will consistently match good traffic so the only solution is to disable the rule and ideally submit a bug report.

    • @jacksoncremean1664
      @jacksoncremean1664 7 months ago

      @@LAWRENCESYSTEMS So there's no way to disable other rules by creating another rule, like in ModSecurity, for example
      ctl:ruleRemoveTargetById=1000;ARGS:foo
      That's a shame; not a good solution, but what can you do if that's your only option.
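
Snort does offer a middle ground between disabling a rule outright and living with its alerts: a suppress entry can be limited to specific source or destination addresses, and the pfSense Snort package exposes that suppress list per interface (the "Rule Suppression" chapter of the video). The script below is an added example, not code from the video, the Snort project, or the pfSense package. It parses constructed suppress entries in Snort's threshold.conf `suppress` syntax (the SIDs and addresses are placeholders chosen for the example, not real rule IDs) and applies them to constructed alerts, so the difference between "suppress for one known-good host" and "suppress everywhere, which is equivalent to disabling" can be seen on sample data.

```python
"""Apply Snort-style suppress entries to sample alerts (added example).

Matching semantics follow Snort's threshold.conf `suppress` directive:
  suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip or [list]>]
Without a track clause the event is suppressed for every address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None      # None = suppress everywhere; "by_src" / "by_dst"
    networks: tuple = ()             # ip_network objects the tracked address is checked against


# Constructed suppress list; SIDs 1000001-1000003 are placeholders, not real rules.
SUPPRESS_LIST = """
# Rule 1000001 fires on every poll from our monitoring host: suppress only that source.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.10.0.5
# Rule 1000002 is noisy whenever the lab subnets are the destination.
suppress gen_id 1, sig_id 1000002, track by_dst, ip [192.168.50.0/24, 192.168.51.0/24]
# Rule 1000003 matches good traffic from everywhere: suppress it entirely (same effect as disabling).
suppress gen_id 1, sig_id 1000003
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+))?\s*$"
)


def parse_suppress_list(text: str) -> list:
    """Parse suppress lines; '#' starts a comment, blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {raw!r}")
        gid, sid, track, ips = m.groups()
        nets = ()
        if ips:
            # Accept a single address/CIDR or a bracketed, comma-separated list.
            parts = ips.strip().strip("[]").split(",")
            nets = tuple(ipaddress.ip_network(p.strip(), strict=False) for p in parts)
        entries.append(Suppress(int(gid), int(sid), track, nets))
    return entries


def is_suppressed(alert: dict, entries: list) -> bool:
    """True if any entry matches the alert's gid/sid and (if tracked) its address."""
    for e in entries:
        if (alert["gid"], alert["sid"]) != (e.gid, e.sid):
            continue
        if e.track is None:
            return True
        addr = ipaddress.ip_address(alert["src"] if e.track == "by_src" else alert["dst"])
        if any(addr in n for n in e.networks):
            return True
    return False


# Constructed alerts (gid/sid/src/dst only; real Snort alerts carry more fields).
SAMPLE_ALERTS = [
    {"gid": 1, "sid": 1000001, "src": "10.10.0.5",   "dst": "192.168.50.20"},  # monitoring host: suppressed
    {"gid": 1, "sid": 1000001, "src": "203.0.113.9", "dst": "192.168.50.20"},  # same rule, unknown source: kept
    {"gid": 1, "sid": 1000002, "src": "203.0.113.9", "dst": "192.168.51.7"},   # lab subnet destination: suppressed
    {"gid": 1, "sid": 1000002, "src": "203.0.113.9", "dst": "192.168.60.7"},   # other destination: kept
    {"gid": 1, "sid": 1000003, "src": "198.51.100.4", "dst": "192.168.50.20"}, # suppressed everywhere
    {"gid": 1, "sid": 1000004, "src": "198.51.100.4", "dst": "192.168.50.20"}, # no entry: kept
]


def filter_alerts(alerts: list, text: str = SUPPRESS_LIST) -> list:
    """Return the alerts that survive the suppress list, in original order."""
    entries = parse_suppress_list(text)
    return [a for a in alerts if not is_suppressed(a, entries)]


if __name__ == "__main__":
    for a in filter_alerts(SAMPLE_ALERTS):
        print(f"ALERT gid={a['gid']} sid={a['sid']} {a['src']} -> {a['dst']}")
```

The by_src entry keeps rule 1000001 alive for every source except the monitoring host, which is the targeted behaviour the ModSecurity question was after; the untracked entry for 1000003 is the case Tom describes, where the rule matches good traffic from everywhere and only a full suppress or disable helps.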

  • @naifaltamimi2885
    @naifaltamimi2885 7 months ago +1

    It's a waste of CPU cycles unless you install SSL certificates.

  • @DanMcGrath77
    @DanMcGrath77 7 months ago +1

    It's a shame that pfSense bolted Snort 2 on to the side. Having TLS interception, Snort 3, and the Cisco Firepower approach to Snort rule management would make it much more useful.
    Currently, with a HAProxy pfSense install, at best you would have to terminate the TLS on HAProxy and then feed it out an interface to a backend, but sadly Snort is before this instead of after the scan.
    Even if you could scan it, Snort wouldn't have the correct IP address unless it could be patched to look at the X-Forwarded-For header. Tbh, it's a depressing product, but so are "enterprise" NGFW prices. Can't win!

  • @HENRYFORD5
    @HENRYFORD5 3 months ago

    to seed... linux iso

  • @revplok2688
    @revplok2688 7 months ago

    Slows my pfSense 😅

  • @mrwonk
    @mrwonk 7 months ago

    I'm likely to get told by someone who doesn't understand actual security that I need to install an IDS or IPS system ($10 says they don't even know the difference). As useless as it is going to be, I'm thinking I may go with Snort on my pfSense edge firewalls running on some surplus hardware. Long live the 8350!