Return to Level1Techs.com

IDS/IPS other than pfSense w/Suricata?

#1

I am new to the world of IDS and IPS. I’ve seen the L1T video about using pfSense with Suricata, but I was wondering what other maybe “out-of-the-box” solutions are popular, or maybe an inline appliance solution for situations where you may not want to replace the existing firewall. I’ve tried searching but can’t seem to find anyone trying to sell me one!

Other than pfSense, the only other kind of firewall I know of are from Fortinet, and probably Cisco though I’m not aware of it.

Edit: re-watched the video and heard Wendell mention that this kind of software from Cisco being $10k, fuck that! Not practical with the type of work I’m doing

0 Likes

#2

You could look at untangle, the free version is okay but you have to pay for the good stuff.

0 Likes

#3

I think Snort is generally considered the primary alternative to Suricata for IDS. I’ve never used it though.

2 Likes

#4

How long has this stuff been around? Seems like there would be more options out there

0 Likes

#5

Snort is very good. Bro is also worth digging into.

Snort’s been around for a long time, and can be used on multiple platforms. Have only used Bro on Linux.

0 Likes

#6

Snort has been around for a long time. Version 3 just dropped.

There are a ton of options out there, but for small business, open source, and cheap to free there are very few. Cisco, Watch Guard, software solutions are out there. But you will sub monthly or pay a few benji’s to get it.

0 Likes

#7

So supposedly the UniFi Security Gateway has an IPS feature which is great since I already am a big fan of their wireless products and a heavy user of the EdgeMAX line. Now I just need to find out if the USG can be used in line with my existing EdgeRouters. Would be a steal at $100 per unit!

0 Likes

#8

Unifi uses a custom Suricata config, and it’s still in beta. There is a considerable bandwidth penalty to enabling it (you lose hardware offloading).

Don’t get a USG just for IPS. You can install Suricata (or Snort I’d imagine) on an EdgeRouter and configure it yourself.

If you want a separate firewall to handle IPS between WAN and your EdgeRouter(s), then I would just add in a Linux or BSD box and configure whatever IPS solution you prefer.

I am actually in the midst of configuring this at home. I have an OPNsense box that will act as firewall/gateway and a USG that will just be a router for the LAN. The only gotcha is that disabling NAT in Unifi isn’t really supported (you can hack it, but meh), so I had to get a /29 set of public IP addresses to implement the gateway and router without double NAT.

0 Likes

#9

Interesting. Sounds like I need to build a pfSense box to test out in my office

1 Like

#10

I went with this and it has been good so far. You might want something more robust eventually, but this an inexpensive way to try it out without committing hundreds of $$.

0 Likes

#11

used linux
iptables + suricata …
suricata is good for me at this moment features such as
-file extraction
-ja3
-tls.event
-as similar rule syntax to snort

0 Likes