Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules & Alerts on pfSense 2020
- Published: 2 Jun 2024
- Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 5% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
Forums post about this topic:
forums.lawrencesystems.com/t/...
#pfsense #Firewalls - Science
This is crazy, installed pfsense 2 days ago, installed suricata yesterday and watched your old video this morning... And here we are with a fresh take on that old video :-D Nice job :-)
Well done and great tips. Glad you explained the value of subscription services, the realities of encrypted traffic, etc. Thanks for the video.
Just the video I need. Was thinking of changing from snort just to, because. Your last suricata video was a bit old. Perfect timing! 👍
Another perfect video to get my PFSense Firewall even better! Thank you.
Wow that was fast. I believe you mentioned you were going to make some videos around this on your podcast/ stream last week! Didn’t expect them so quickly! Interested in these next few videos!
Thank you Tom. A complete security video would be great.
Yeah definitely. Specifically something that runs down the things to consider when setting up your network. Firewall and vlan rules for things like iotcrap (well we get that one now lol), management networks, your web facing services or internal ones.
Suricata and Snort are both great products. I visit my log files once a month to retune, or if my new soft phone doesn't work as expected. Oh, the joys of home working. 🤣
Omg thank you!! I wanted an updated video lol.
Thanks! Very helpful. Took me a min to realize that blocks on one interface block everywhere. Thought it was a glitch.
Hey, thanks for this video. It reminded me to look at this. I set it up from your previous videos, but I haven't been tuning it in a while. A revisit was indeed due. (Unrelated: I love my new T-shirt, cheers.)
Good video and quality content! You should have way more subscribers.
Always good videos! Thanks Tom.
Thanks for the demo and info, have a great day
Nothing about security is ever set it and forget it. Security is a process, not a destination.
The real security was the friends we made along the way
Great video, would love to see how I could setup kubernetes behind my pfsense firewall! Thanks Lawrence.
Thank you, Tom!
Would you recommend running Suricata on a home network or is that a complete overkill?
Tom, again, thank you for this updated video on installing and setting up Suricata! I have a question: does it make sense to install ClamAV (package in Squid) as an antivirus in pfSense?
The “I AM ROOT” t-shirt made me laugh pretty hard
Thanks for this video, very helpful. Question: If you're not running any type of web services and no server at the office, do you still need any IDS/IPS? Is a firewall enough since there is no server to protect?
Awesome, thanks Tom!
How do we disable rules on a per IP address basis? You may want to allow certain IP addresses but block others for the same rule.
Thank you for your videos!
Thanks awesome video, I would like to see a video about Suricata in Selks.
Hi Tom, it seems you want to enable blocking on the WAN interface. If for example someone runs an aggressive NMAP scan against your public address, and you have NAT'd VLANs configured in your network, the corresponding VLAN interface within Suricata will show the source IP of the attack as the private VLAN gateway address and the destination address will be that of the machine with the open port. If you are set to block only on the VLAN interface, then the attacker never gets blocked since the original public source address isn't captured (assuming default pass lists are enabled). Help me understand if I am mistaken here. Love your videos, keep up the great work!
you can use it on both interfaces at the same time.
Total (Dutch-speaking) noob here, but planning to go pfSense with UniFi switches/APs. Both (pfSense and UniFi) have these IDS/IPS options. Should I enable them both or not? Will they conflict/double negative? Or if enabled on pfSense, will it pass it to UniFi? Or...??? 😀 Thx... greetings from Belgium!
Wooooo! Suricata baby!
Thanks for the video. This helped me get up and running with Suricata on my OPNsense firewall. I can log in to the dashboard and see the alerts, but I wonder if you have a recommendation for gathering logs from multiple devices for monitoring and alerting? This is on my home network with two LANs (one for devices and one for IOT). I'm not looking for a commercial/expensive solution. Just something to alert me when one of my devices gets hacked. Thanks!
Graylog
Can you make rules based on AD users or AD groups? I don't think there is such an option but I will ask just in case.
Hi Lawrence, what tool do you use to make RUclips vids?
Many thanks for the great videos, particularly on pfSense. Can you tell me how quickly the Suricata plugins for pfSense tend to get updated, after they are released. Many thanks
Hey Lawrence, can you please make a video how to configure SID Management and Inline mode in Suricata or Snort ?
How did you get version 5.x.x? I can't see anything over 4.x.x?
Hello, what is this: "SURICATA UDPv4 invalid checksum"
I have installed Suricata as in this video. But get this in my alerts. How can I fix this?
also I have a Snort (Oink) code. Is it worth using this in Suricata?
Hi Lawrence, do you have a video, or maybe you could make a video that goes into depth on identifying false positives and how to exclude them. I ask because I have followed your videos on setting this up, and I got all that working. But I get false positives that I cannot figure out and help to learn how to identify ones that start blocking resources after weeks or months would help a lot. Because I can enable block, and it works for weeks, then suddenly it stops something, and I simply cannot figure out how to ID the rule that is the cause.
Anyway, I thought it would be a good supplement since you have helped us with the initial setup. Thank you!
I covered the tuning in that video.
WONDERFUL!
Do you take that much time to tune all your new clients firewalls? Do you have a pre-tuned config that you use for all your clients as a starting point?
Tuning each.
@Lawrence Systems. What type of light background you used. Cool video. thank you
I don't understand the question.
The developer porting Snort 3.0 has given up, based on the Netgate forum threads … looks like Suricata is more ported and updated for pfSense. However, no news on Suricata v6 yet.
I use it mostly for custom tripwire rules. i.e. touch this port get blocked. I turn off 98% of the built in rules. Right or Wrong, just how I like to use it.
how many hard drives does freenas support
Hello Tom 👍👋
Hey Tom, Would you still recommend Suricata over Snort for pfsense?
Yes
Is this a firewall, or is it for inspection? I want to install it, but I'm not clear on how it would connect at the physical level.
It's a package installed on pfSense so you can monitor your packets on the network. There is no physical level, since it is based on the side or interface. In his case, he explains that if you use it on the LAN side you can see what is happening inside your network.
Is this necessary for home networks where you aren't hosting sites or anything external facing?
not really
How do you upload custom .xml rules to Suricata through OPNsense?
Great,
Would pfsense be a suitable tool to manage multiple suricata instances ?
no
Over the past year 90% of my false positives have been on the 'Generic Protocol Command Decode' class. It has gotten to the point where I just whitelist them as I see them. From what I can find, you can't whitelist an entire class, which has been very annoying.
On a side note, anyone notice the feeds for pfBlocker no longer seem to update? I get failed to download message for the last few months for pretty much all my feeds.
Many of the feeds are old and no longer relevant
Do you run Suricata just on the LAN at your office?
Yes
You were not lying about tuning! I've been at it for 3 days now@@LAWRENCESYSTEMS
2022 update video? Looks like some new rule sets
Excuse my ignorance (I just stumbled across Suricata), but this video gave me the impression it has a built-in web server. AFAICS, it has not. But your setup seems to depend on some (for me) strange pfSense firewall. So it doesn't seem to be an option on Windows 10 to have this really nice web-based user interface for the Suricata analysis etc. So are there other "web backends" for Suricata?
What are the minimum hardware requirements to use Suricata?
There are not really any, but performance will be limited based on hardware and the number of packet streams it has to process.
@@LAWRENCESYSTEMS Thank you for the reply. For a home network, with around 8-10 devices and a 250Mbps down and 25Mbps up connection, I suppose something basic will suffice. At the same time I wonder if a home user needs IDS/IPS at all. Is it something a home user should think about implementing?
Can we run snort and suricata together on pfsense?
No
Not enabling IPS on the WAN is not smart.
You can set it to not block, so you can still keep an eye, or better yet, do blocking for the Emerging Threats, on the SOURCES only!
When I click on Alerts, I don't get any entries showing there. Why is this happening?
Maybe because you don't have any alerts
@@LAWRENCESYSTEMS But please tell me how to show alerts?
If people / users only really knew what we did and what is happening in the Internet 24/7
16:05 So I'm watching this as I'm setting up my new box. It's an R5 3400G on a Gigabyte A520I AC with 8GB and a 250GB Samsung 960 Evo NVMe M.2 drive. LOL @ extra CPU cycles. It's still reporting 0% usage and I've also set up Squid, ClamAV, ntopng and a bunch of other stuff. I think I have possibly built the most awesome DIY home firewall ever 🤣🤣🤣
Snort or Suricata?? As Snort blocks Speed test sites.
Suricata
@@LAWRENCESYSTEMS Can I ask why? Also, you said that a Snort code could also be put in. So can this be used as well as (i.e. side by side with) the Emerging Threats URL?
Been using Suricata for a while so I am more familiar with it.
@@LAWRENCESYSTEMS OK, thanks a lot. Was using Snort, but it blocked far too much. So in your video, you said that I can use a Snort code. As far as I know it is called an Oink code. I have one. Is it worth using it in the Suricata setup?
Blocking too much means you need a rule adjustment
Isn't this what Ubiquiti uses?
Can it be listened to in Spanish?
I don't speak Spanish.
@@LAWRENCESYSTEMS, thanks.
I can't do anything. Result: failed. Snort GPLv2 Community Rules: Not Downloaded.
LOG:
Downloading Emerging Threats Open rules md5 file...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
Downloading Snort GPLv2 Community Rules md5 file...
Snort GPLv2 Community Rules md5 download failed.
Server returned error code 403.
Server error message was: 403 Forbidden
Snort GPLv2 Community Rules will not be updated.
Some update video please =)
Why? Not much has changed. Also I do have one on Snort which mostly uses the same interface ruclips.net/video/2q_g9GgkvWA/видео.htmlsi=nLClOsoipV-sFD2-
Hello
This is not a good guide. Why not just put Suricata in inline mode, use SID management to set rules to drop, or set the Snort rules policy to security and set action to policy? You won't need to tune anything after that, because setting it to policy bases it on the developer's drop recommendation. Also, Suricata can detect encrypted malware using JA3 hashes of TLS signatures. ET Open has JA3 rules, and you can add custom JA3 rules from abuse.ch sources. Encrypted Traffic Analytics from Cisco uses this tech, and it's now trickled down to open source tools like Suricata. Lawrence, you need to brush up on your Suricata knowledge, because Suricata and its compatible rulesets have evolved with the proliferation of ubiquitous HTTPS.
Is there a video guide or article out there on how to do this?
20 hackers hit the dislike button
It rather bothers me that Netgate's least powerful system isn't easily capable of handling Snort/Suricata. If you care enough about security that you're buying a dedicated firewall box, it seems to me unreasonable to think the purchaser wouldn't care enough to use an IDS/IPS.
Edit: That said, I just noticed you said you don't use Suricata at home. Given your expertise, why not? I'm not judging, rather, genuinely curious.
I don't have any open ports at home so I am more likely to have false positives than any real meaningful threat intelligence.
Lawrence Systems / PC Pickup I only have port 443 open from external IP forwarding in my home network for UNMS, with two-factor authentication, so I hope I am fine? ;) I host it on a VM on a bare-metal server with the UFW firewall on.
Lawrence Systems / PC Pickup Tom, does this also mean that it has no function to protect outbound connections? No blocking of intrusion by downloading specific malware or other crap that can be installed from a website?
@@michnl1772 if the site is encrypted, Suricata does not see into it.
In case you have a beefy pfSense server with more than 4GB of RAM, there might be some more config needed for the interface:
www.reddit.com/r/PFSENSE/comments/7d8y1o/suricata_will_not_start/dpw1i58/ goes into more detail and worked for me.
Doesn't start... gah.
Reinstalled, started from scratch. Boom, shows it started on the interface and then the Suricata service explodes.
12/10/2020 -- 14:26:47 - -- HTTP memcap: 67108864
Even though I was monitoring memory usage, maybe it's exploding due to memory?
Installed Snort, hasn't crashed yet.
If you don't have a NIC that supports netmap, your interface will flap... Snort is an alternative if you'd like an IDS/IPS.
Nope. Use LEGACY MODE for NICs without netmap. Presto!
@@pepeshopping Mine keeps flapping, even when I don't have blocking enabled. Enabling it and setting it to legacy, still flaps... no idea why, but when I moved to Snort, no issues.