PFSense Suricata Intrusion Detection and Prevention, Installation Guide

  • Published: 4 Oct 2024
  • Category: Science

Comments • 30

  • @Ian-S.
    @Ian-S. 3 months ago +2

    This video answered questions that the Lawrence Systems (multiple) videos didn't do! Great work.

  • @robertochieng1705
    @robertochieng1705 1 year ago +6

    This is by far the best pfSense Suricata tutorial on YouTube. It made me an expert from a novice. Kindly show us how to add custom rules or rules posted in security alerts and not yet updated by Talos. Thanks a million

  • @johndee7326
    @johndee7326 8 months ago +1

    Great video! Have been running Snort for 10 years now. Thinking of moving to Suricata, as it's programmed for multi-core CPUs. P.S. - Disabling hardware offload can be done through the GUI under System, Advanced, Networking. Scroll down, and you have all the options you need. Reboot once to take effect. Set and forget. Cheers!

  • @esra_erimez
    @esra_erimez 8 months ago +2

    Wow, this video is by far the best in class on pfSense/Suricata.

  • @oyewolaolaleye8281
    @oyewolaolaleye8281 10 months ago +2

    By far the best tutorial on Suricata, with a clear explanation. Well done

  • @semirauthsala6001
    @semirauthsala6001 1 year ago +2

    Happy to see these videos while one of my pfSense boxes is running off-grid from an LFP battery bank powered by solar. Thank you for your videos. Both solar/sysadmin

    • @HomeSysAdmin
      @HomeSysAdmin  1 year ago +1

      HA is definitely something I need to add to the list to try!

    • @semirauthsala6001
      @semirauthsala6001 1 year ago

      @@a-litte-catnoreplay4316 I have 4x Pylontech US3000C batteries, which are connected to Victron SmartSolar MPPT controllers. And I use Mean Well DC-to-DC DIN rail converters to step down from 48 V to 12 V to feed directly into my mini PCs, which run Proxmox, pfSense and a few other things.
      My solar panels charge the battery bank within 3 hours of full sun, and I'm using the battery at night time. The solar charge controllers maintain the batteries in the daytime and feed power to the other systems after the battery is full.

  • @ifscale3
    @ifscale3 11 months ago

    This is a fantastic explanation of Suricata on pfSense, clear and comprehensive. This is the best Suricata video I have seen so far.

  • @Roll2Videos
    @Roll2Videos 1 year ago

    I smashed the like button and jumped in the Pool. This topic is over my head, but I still like watching your videos. Thank you.

  • @braindamagemuch
    @braindamagemuch 9 months ago

    This is very handy, now I can bring my security knowledge to the next level.

  • @eric-seastrand
    @eric-seastrand 11 months ago

    This channel should have more subscribers. Great explainer!

  • @Baku-oc5fc
    @Baku-oc5fc 1 year ago +1

    Excellent, well done!
    After about 1.5 months of monitoring/researching alerts, I pulled the trigger on inline blocking mode. All 12 of my VLANs went down. I have pfSense on a Dell R410 with dual CPUs/72GB of RAM, igb interfaces, etc. I activated seven of the same Emerging Threats rules you did in the SID management. I also disabled all three hardware offloading options under System/Advanced/Networking. But you gave me some additional ideas of what I should try to see if the VLANs return.

    • @HomeSysAdmin
      @HomeSysAdmin  1 year ago +1

      Thanks! Make sure to check for hardware offloading with ifconfig. Not all options are present under system/advance/networking. The three items I mentioned are not options in the GUI; however, I completely forgot to mention those checkboxes as well in the video.

    • @Baku-oc5fc
      @Baku-oc5fc 1 year ago

      @@HomeSysAdmin Hi, yes went through your entire process, and in the end, VLANs and NETMAP don't play well together. So I'm abandoning the IPS piece for now. Let me know if you create content that addresses some of the bypassing you mentioned at the start of your video. Thanks.
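The thread above ends with two pieces of advice: turn hardware offloading off before trying inline mode, and confirm with ifconfig rather than trusting the System > Advanced > Networking checkboxes alone, since the two replies disagree on whether the GUI covers every option the driver exposes. The script below is an added example, not from the video or from pfSense: it pulls the options=<...> list out of FreeBSD-style ifconfig output and reports which checksum, TSO, LRO and VLAN hardware options are still enabled. VLAN_HWFILTER is included as a conservative check because the failure described above involved VLAN interfaces, not because the page says it is required. Both ifconfig outputs are constructed; igb0, the MAC and the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the video or pfSense). Reads FreeBSD-style ifconfig
# output and lists the hardware offload options still enabled on an interface.

# Constructed sample of `ifconfig igb0` before anything was disabled;
# interface name and addresses are placeholders.
SAMPLE_BEFORE='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:11:22:33:44:55
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Constructed sample after the checksum/TSO/LRO/VLAN hardware options were
# turned off; only software-side VLAN tagging, jumbo frames and stats remain.
SAMPLE_AFTER='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4802038<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:11:22:33:44:55
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Options to check before inline (netmap) mode: checksum offload, TSO, LRO,
# their VLAN hardware variants, and (conservatively) VLAN hardware filtering.
OFFLOAD_RE='^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO|VLAN_HWCSUM|VLAN_HWTSO|VLAN_HWFILTER)$'

# Print the offload options still enabled in the given ifconfig text, one per
# line, in the order the driver lists them. Prints nothing when all are off.
offload_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E "$OFFLOAD_RE" || :
}

# Exit 0 when no offload option is enabled, 1 otherwise.
offload_clean() {
    [ -z "$(offload_flags "$1")" ]
}

# Stand-alone usage: report on both constructed samples.
for name in SAMPLE_BEFORE SAMPLE_AFTER; do
    eval "text=\$$name"
    if offload_clean "$text"; then
        echo "$name: no hardware offload options enabled"
    else
        echo "$name: still enabled:"
        offload_flags "$text" | sed 's/^/    /'
    fi
done
```

On the firewall itself, feed it live output, for example offload_flags "$(ifconfig igb0)", and run it for every physical interface Suricata binds to, not just the VLAN children. Options can be cleared at runtime with ifconfig igb0 -rxcsum -txcsum -tso -lro, but that does not survive a reboot; use the pfSense checkboxes for everything they cover and only fall back to ifconfig for options the GUI does not expose.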

  • @carlosgarcia1165
    @carlosgarcia1165 7 months ago

    1 million thank you!!!!

  • @sergioviasus100
    @sergioviasus100 11 months ago

    Excellent video!

  • @chuckrann9784
    @chuckrann9784 5 months ago

    Very good

  • @jasonme3557
    @jasonme3557 10 months ago +1

    Kick ass dude.

  • @idscomm
    @idscomm 9 months ago

    Thanks for the detailed video, quick question for you. When I click to disable a rule choosing either source or destination (which is added in the suppress list) ... can we manage this type of option with the SID Mgmt lists?
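The question above concerns the suppress list, which in the pfSense Suricata package is a fragment in Suricata's threshold.config grammar: suppress gen_id GID, sig_id SID, optionally followed by track by_src|by_dst|by_either, ip ADDR. A line without track/ip silences the signature everywhere; a line with them silences it only for alerts matching that address. The helper below is an added example, not code from the video or the pfSense package: it parses a suppress list, adds a new suppression for an alert, validates the address with Python's ipaddress module, and drops address-scoped entries that a global suppress for the same gid:sid already covers. The sample list, the SIDs and the 192.0.2.x/198.51.100.x addresses are constructed placeholders.

```python
"""Parse and edit a pfSense Suricata suppress list.

Added example, not code from the video or the pfSense Suricata package. The
line syntax is Suricata's own threshold.config grammar:
    suppress gen_id GID, sig_id SID[, track by_src|by_dst|by_either, ip ADDR]
The sample list, SIDs and addresses below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a suppress list (not captured from a real firewall).
SAMPLE_SUPPRESS = """\
# rule is noise everywhere: suppress it outright
suppress gen_id 1, sig_id 2210000
# rule is only noise for one host, scoped by source address
suppress gen_id 1, sig_id 2013028, track by_src, ip 192.0.2.10
# same rule, scoped by destination subnet
suppress gen_id 1, sig_id 2013028, track by_dst, ip 198.51.100.0/24
"""

_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None  # None means the whole signature is suppressed
    ip: Optional[str] = None     # host or CIDR; present only when track is set

    def render(self) -> str:
        line = f"suppress gen_id {self.gid}, sig_id {self.sid}"
        if self.track is not None:
            line += f", track {self.track}, ip {self.ip}"
        return line


def _check_ip(ip: str) -> None:
    """Reject anything that is not a host address or CIDR; a bad entry would
    otherwise stop Suricata loading the whole file on its next restart."""
    ipaddress.ip_network(ip, strict=False)


def parse_suppress(text: str) -> List[Suppress]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a suppress entry: {raw!r}")
        ip = m.group("ip")
        if ip is not None:
            _check_ip(ip)
        entries.append(Suppress(int(m.group("gid")), int(m.group("sid")),
                                m.group("track"), ip))
    return entries


def add_suppress(entries: List[Suppress], sid: int, track: Optional[str] = None,
                 ip: Optional[str] = None, gid: int = 1) -> List[Suppress]:
    """Return a new list with the suppression added. Exact duplicates are
    dropped, and address-scoped entries for a gid:sid that is also suppressed
    globally are removed, since the global line already covers them."""
    if (track is None) != (ip is None):
        raise ValueError("track and ip must be given together")
    if track is not None and track not in ("by_src", "by_dst", "by_either"):
        raise ValueError(f"bad track: {track}")
    if ip is not None:
        _check_ip(ip)
    new = Suppress(gid, sid, track, ip)
    merged = [e for e in entries if e != new] + [new]
    global_ids = {(e.gid, e.sid) for e in merged if e.track is None}
    return [e for e in merged
            if e.track is None or (e.gid, e.sid) not in global_ids]


def render_suppress(entries: List[Suppress]) -> str:
    return "".join(e.render() + "\n" for e in entries)


if __name__ == "__main__":
    current = parse_suppress(SAMPLE_SUPPRESS)
    # Adding a global suppress for 2013028 retires both scoped entries for it.
    print(render_suppress(add_suppress(current, 2013028)), end="")
```

Running it prints the two-line list that results once 2013028 is suppressed globally. The rendering keeps the exact spacing Suricata documents, so the output can be pasted back into the interface's suppress list unchanged.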

  • @OscarDavidPulgarínCarrasquilla
    @OscarDavidPulgarínCarrasquilla 4 months ago +1

    I have a little "problem".
    I don't know which of the options I enabled, because through the command line all the alerts that are being generated are appearing, similar to when a tcpdump is run.
    How do I fix it?

    • @HomeSysAdmin
      @HomeSysAdmin  4 months ago

      There's an option on the console to revert recent configuration changes. Maybe give that a try and see if it helps.

  • @clarencewiles963
    @clarencewiles963 1 year ago

    Good IP change 😊 I'm thinking of using an old Android phone for banking, having only the bank login on it. What do you think 😅 (on WiFi)
    Or is it safe to do banking under the bed 🛌? At this point we don't know if in-person banking is safe 😊

    • @clarencewiles963
      @clarencewiles963 1 year ago

      I could see everyone needing an IT pro before going online 😂

  • @paradownload2051
    @paradownload2051 11 months ago

    Snort or Suricata?

  • @ryanjay6241
    @ryanjay6241 1 year ago +1

    Haha "won't be implemented on your typical home network usage".
    Not sure the typical home user will be trying to set up Suricata :)
    I just finished rebuilding my home network with a 10GbE managed L3 switch doing ACL'd routing on the switch, with pfSense connected through a transit. I didn't expect so many headaches. I thought pfSense would be able to handle routing at 10Gbps no problem with a big powerful enterprise server pulling 300 watts - but nope, not even just running the firewall. Running Suricata will decrease the performance by another 20% in legacy mode and by about 80% in inline mode. Trying to run Suricata in inline mode, I was getting just a little over 1Gbps with a dual 3GHz Xeon server with 5 cores pegged at 100% trying to route 10GbE (I was first experimenting with running it in a "router on a stick" configuration).
    I instead downgraded the CPUs from some of the highest to some of the lowest wattage and pulled half the RAM - in legacy mode it can still route at around 4Gbps, which is fine. If you have a capable switch and want to push huge data streams, let the switch do the routing. With ACLs and policy-based routing you can allow what can be routed via the switch at line speed to and from which VLANs, and force anything else through pfSense/Suricata to be inspected. This way you can still get 600 MB/s NAS transfers across your network while forcing other traffic to be inspected.
    I might run Suricata in inline mode inside my VM network, as a front end for my web servers, as they need HAProxy to route between domains anyway. To me that makes more sense (inline inspection on incoming traffic), as you don't want any potential exploits reaching your servers - plus, for a "home user", it's only going to have to deal with 50Mbps of traffic or whatever small limit your ISP gives you :)
    I didn't think things would be this complicated, but a good learning experience! Also great video, I haven't seen any other tutorials explaining what the SID management section even does.

    • @HomeSysAdmin
      @HomeSysAdmin  1 year ago

      I'm not sure what throughput I can realistically expect either. It handles my 250Mbps just fine, though CPU gets pretty high. By the time I need 10Gbps through the pfSense, I'm sure I'll be well on to new hardware. Also, fully agree with offloading routing w/ ACLs to the L3 switch. I'm very close to having a video on that put together, but one very unfortunate downside to pfSense is that its DHCP service can only operate on VLANs which it has an interface on. It won't work across a transit network with a helper address on the switch. How are you handling DHCP with your L3 switch? Or did you just tag all of the VLANs back to the pfSense anyway?

    • @ryanjay6241
      @ryanjay6241 1 year ago

      @@HomeSysAdmin Pretty much the only reason I needed it was for my NAS. Well, I think technically pfSense could have still handled it (my NAS can only hit ~500 MB/s, which is only 4Gbit? with HDDs in RAID; would have to go to SSD for higher) but it would have been pushing the limit. Certainly not running Suricata.
      The funny thing is total throughput isn't an issue - if you split 10GbE over 4 streams pfSense will handle it over 4 cores (iperf3 is great for testing). It can push a lot more than 10GbE if it's from many different sources. It's just that no single stream will get much over ~5Gbps (well, it seems to highly depend on clock speed; maybe if you stuck a 5GHz chip in it you could hit 8). Guess it depends what you need from it.
      As for DHCP, that is correct, pfSense can't handle it over a transit. A lot of people on STH recommend running a DHCP server somewhere else, but I didn't want to allocate another machine for it, and a VM might not be a great idea for something that critical - but you always could take that approach (for me, in a power failure I'd probably want to shut those off first to conserve UPS to keep internet longer). I have an ICX7250, so I just turned the DHCP server in the switch on. It's not exactly fun to manage ... and static assignments are really bad (might as well just use static IPs on the machine), but other than that, it works. Some people say some IoT devices have problems with ICX DHCP servers, but I just put FastIron 9 on the switch and hoped. So far, I've had no issues with it. But like I said ... you have to manage it over the console and it's not fun. I guess once it's "set up" it rarely changes though.

  • @abdalrhmnzero5929
    @abdalrhmnzero5929 6 months ago

    ..