IDS/IPS other than pfSense w/Suricata?

anon45066586 · September 11, 2018, 2:17am

I am new to the world of IDS and IPS. I’ve seen the L1T video about using pfSense with Suricata, but I was wondering what other maybe “out-of-the-box” solutions are popular, or maybe an inline appliance solution for situations where you may not want to replace the existing firewall. I’ve tried searching but can’t seem to find anyone trying to sell me one!

Other than pfSense, the only other kind of firewall I know of are from Fortinet, and probably Cisco though I’m not aware of it.

Edit: re-watched the video and heard Wendell mention that this kind of software from Cisco being $10k, fuck that! Not practical with the type of work I’m doing

Dexter_Kane · September 11, 2018, 3:53am

You could look at untangle, the free version is okay but you have to pay for the good stuff.

oO.o · September 11, 2018, 4:06am

I think Snort is generally considered the primary alternative to Suricata for IDS. I’ve never used it though.

anon45066586 · September 11, 2018, 5:36pm

How long has this stuff been around? Seems like there would be more options out there

anon79053375 · September 11, 2018, 5:54pm

Snort is very good. Bro is also worth digging into.

Snort’s been around for a long time, and can be used on multiple platforms. Have only used Bro on Linux.

anon79053375 · September 11, 2018, 5:55pm

Snort has been around for a long time. Version 3 just dropped.

There are a ton of options out there, but for small business, open source, and cheap to free there are very few. Cisco, Watch Guard, software solutions are out there. But you will sub monthly or pay a few benji’s to get it.

anon45066586 · September 11, 2018, 7:45pm

So supposedly the UniFi Security Gateway has an IPS feature which is great since I already am a big fan of their wireless products and a heavy user of the EdgeMAX line. Now I just need to find out if the USG can be used in line with my existing EdgeRouters. Would be a steal at $100 per unit!

oO.o · September 11, 2018, 8:40pm

Unifi uses a custom Suricata config, and it’s still in beta. There is a considerable bandwidth penalty to enabling it (you lose hardware offloading).

Don’t get a USG just for IPS. You can install Suricata (or Snort I’d imagine) on an EdgeRouter and configure it yourself.

If you want a separate firewall to handle IPS between WAN and your EdgeRouter(s), then I would just add in a Linux or BSD box and configure whatever IPS solution you prefer.

I am actually in the midst of configuring this at home. I have an OPNsense box that will act as firewall/gateway and a USG that will just be a router for the LAN. The only gotcha is that disabling NAT in Unifi isn’t really supported (you can hack it, but meh), so I had to get a /29 set of public IP addresses to implement the gateway and router without double NAT.

anon45066586 · September 12, 2018, 4:31pm

Interesting. Sounds like I need to build a pfSense box to test out in my office

oO.o · September 12, 2018, 4:56pm

I went with this and it has been good so far. You might want something more robust eventually, but this an inexpensive way to try it out without committing hundreds of $$.

arora_anne · September 2, 2019, 6:07am

used linux
iptables + suricata …
suricata is good for me at this moment features such as
-file extraction
-ja3
-tls.event
-as similar rule syntax to snort