pfSense: Network Intrusion Detection w/Suricata (pt4) | Level One Techs

pfSense Part 1: The Build and Initial Setup
https://youtu.be/ledv33t6SNE

pfSense Part 2: Secure Yourself with a VPN
https://youtu.be/8jYibgeAV0Y

pfSense part 3: Controlling Routes
https://youtu.be/ekRgAATnIsU



This is a companion discussion topic for the original entry at https://level1techs.com/video/pfsense-network-intrusion-detection-wsuricata-pt4

Could have used more detail, even a short recipe for getting a minimal installation with backed-up settings. It's very easy to get stuck resetting to factory defaults and reloading your last working configuration ;).

IDS/IPS is definitely the cool stuff of firewalls. Learning how to bypass IDS/IPS and WAF is what modern hacking is all about: 1=1 gets caught by the rule, but 42+27 = 60+9, no problem ;).

In many cases all the old bugs are still there right behind the rule sets.

Often the rules are focused on rooting while dumping data and reading files can be missed.

Understanding the open source ids/ips is a huge step in understanding how to defend networks.

All IMO of course, but there is some serious fun to be had here if mentors can be found. I would much rather be hacking my own networks than getting in trouble with others.

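The tautology evasion the post above alludes to, as an added example (constructed for this thread, not from Suricata's rule set or from any poster): a naive content match in the spirit of a Suricata `content:"or 1=1"` signature fires on the textbook injection payload but is blind to an arithmetically equivalent one, while a detector that evaluates constant integer expressions before comparing the two sides catches both. The payloads, the rule and the evaluator are all assumptions made up for illustration.

```python
import ast
import operator
import re

# Constructed sample payloads (not captured traffic). The first is the textbook
# tautology; the second has the same truth value but never contains the literal
# bytes "1=1", so a content match on that string never sees it.
PAYLOADS = {
    "textbook": "id=5 OR 1=1",
    "arithmetic": "id=5 OR 42+27=60+9",
    "benign": "id=5 AND name=bob",
}


def naive_match(payload: str) -> bool:
    """Naive signature: the literal "or1=1" after stripping whitespace and case."""
    collapsed = re.sub(r"\s+", "", payload).lower()
    return "or1=1" in collapsed


# Whitelist of arithmetic operators the evaluator is allowed to apply.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_const(expr: str):
    """Evaluate an integer constant expression (+, -, * only) via the AST.

    Anything else (names, calls, attribute access, division) is rejected and
    returns None, so attacker-controlled text is never handed to eval().
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("not a constant integer expression")

    try:
        return walk(tree)
    except ValueError:
        return None


# "OR <lhs> = <rhs>" where both sides consist only of digits, +, -, *, ( ) and spaces.
_OR_CMP = re.compile(r"\bor\s+([0-9+\-*\s()]+?)\s*=\s*([0-9+\-*\s()]+)", re.IGNORECASE)


def normalised_match(payload: str) -> bool:
    """Tautology detector: flag OR-ed comparisons whose constant sides are equal."""
    for lhs, rhs in _OR_CMP.findall(payload):
        left, right = eval_const(lhs.strip()), eval_const(rhs.strip())
        if left is not None and left == right:
            return True
    return False


def run_detectors(payloads=PAYLOADS):
    """Return {name: (naive_result, normalised_result)} for every payload."""
    return {name: (naive_match(p), normalised_match(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (naive, norm) in run_detectors().items():
        print(f"{name:10s} naive={naive!s:5s} normalised={norm}")
```

The point is not that the arithmetic detector is a finished rule (a real attacker has many more encodings than integer arithmetic) but that a signature matching bytes detects a spelling, not the condition, which is exactly why the poster's "old bugs are still there behind the rule sets" holds.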

Yeah, unfortunately for me this wasn't a tutorial. Does anyone have any recommended settings or tutorial to get me started on this?

This is obviously a powerful tool, but I feel I grasp so little of the terms and options presented to me, and I don't want to bite off more than I can chew just messing around.

Did you watch the previous videos in this series??

Let's see.... Yes.

Are you suggesting that the previous videos would provide you with any understanding of Suricata at all? I've been reading most nights for the last few weeks on IDS and just getting to a basic working config is not something that the previous videos are going to provide much insight into.

This video scanned fast over the settings they used but didn't give a steady shot of the base configs for WAN/LAN or core rule sets that won't actually lock you out of your router. It also forgot to point at the nice spot where you can back up all your settings so that when you do get hosed, and you will, you can start back up from your last known good state. There are many settings in Suricata that are completely obscure. Maybe the developers know what they mean, but unless you can read the source code and understand it you are not going to know what happens when you flip the switch. In many cases you will not know what happened after you flip the switch either.

I totally appreciate the video but feel like they could have held off a couple of days to accumulate content before publishing because of schedule.

Misunderstood... the previous person was asking about a minimal installation. I thought of installation/setup of the pfSense server.

I've been running pfSense for over a year now, but I'm new to Suricata. Hoping to learn more about using it and configuring it correctly.

I wouldn't think there would be any advantage to running on both LAN and WAN; running on WAN should be fine as it looks at the inbound and outbound traffic. Unless it works differently from Snort.

So I'm one of those guys that went all out on this router/firewall. I'm new to the game, so forgive the happiness that this has brought me. My setup is like so: I have a pfSense router running on a 4-core Xeon with 10 GB RAM and a 500 GB HDD. I have an OpenVPN server running so I can connect my phone. I also have 2 NordVPN interfaces running for my traffic leaving the router. I have my traffic set up in such a way (as in my rules) that my traffic goes to specific hardware to filter my traffic through the NordVPN interfaces or WAN.

Of course, I have my phone that uses OpenVPN to tunnel through to my NordVPN service at my router to get my VPN service.
That doesn't make sense though, right? Hahah, well my friends, I also have the Quidsup NoTrack DNS/web server blocking any ads or bad sites. This helps with traffic on my network and also works like AdAway, if you are familiar with that. So I get my phone to have traffic blocking ads through my web server, and then it tunnels through to not being tracked with my VPN service running through NordVPN. Works like a champ.

Freaking love it. I also put in the firewall rules posted from level1tech for Microsoft tracking, and that flared my firewall up, but this Suricata thing basically shut it all down. It sucked. But that's okay. If people have got questions, I'm willing to help with how I got to my point. However, if you can help with my Suricata problem on my network with all the above configurations, I would greatly appreciate it. I want this thing to be a monster.

Peace

PS: If you do ask why I didn't just root my phone or jailbreak it: well, I'm stuck with Verizon and their version of the Samsung Galaxy 7, and that thing doesn't have a good root. So I needed another way out before I broke my phone for good. And this tends to be the safest way, unless you have a rooted Verizon phone that I can go and try doing myself.

You have so many interfaces, you might start with Suricata on the LAN and go from there?

If you don't enable blocking, then it should just report the things it WOULD block (but won't).

Also, pfBlockerNG might be a better choice for the Microsoft thing and the Netflix thing. I have been playing around with that since the video; you can set up an alias that updates automatically from a URL, which seems to be working better.

I like manually doing that myself but I can see why people might want to do it this way.

Yea, I'll just trigger the logging instead and watch it for the next couple of days. And yeaaaa, I started with one interface, and then that NordVPN server migrated from Atlanta to Phoenix. Soooo I needed a server closer by. So I pinged a new NordVPN server with their app and found one in Dallas. Followed the setup and I had a 2nd VPN interface. AKA it's going to get busy quick.

And then the whole OpenVPN thing was a trip of its own to get it to work with my phone. I ended up having to turn off the DNS Resolver and switch to the DNS Forwarder. Instead of a funnelling DNS, I needed a punching DNS that told it "better go my way". And I just let that Quidsup NoTrack DNS server do the work. Haha.

I'll definitely check out pfBlocker. I'm just glad my router is doing such a good job. I saw a YouTube video of a dude setting it up that way where it controlled every port so only certain traffic makes it through certain ports, 1 through 65000. It was a good walkthrough.

Props on your weekly videos, by the way. Me and my friend enjoy your content and get educated daily. Helps get us in the mood to do work. You have helped me a lot to get savvy on my security.

Thanks for your quick responses.

No worries, thanks for watching.

Keep us posted on stuff.

Did you install the optional but super handy OpenVPN client creator? I forget if we covered that yet. The pfSense content was sliced into many easily digestible tiny pieces.

Yea, of course. Don't underplay super handy. That thing makes it a breeze to push and install.
That made the whole thing super easy. You covered it. I used the separate OpenVPN for Android by Arne Schwabe that allows you to configure the settings from the phone, which makes it easy to adjust DNS settings if need be, or adjust the settings from the installation file easily.


Do you have a setup tutorial or a forum to point to that told you how to set up your pfBlocker like you did?


Soon. lol

Some folks here may post too.

The advantage of LAN is that if you have been compromised you might see pivoting traffic that you might not see just by looking out. Much of the time, skilled black hats won't set off the IDS rules on the way in, but you could catch them getting lazy dragging their bags of tricks around looking for admin workstations, jump boxes, VoIP, etc.

That kind of traffic won't go through the LAN interface on pfSense, not unless you have multiple local networks anyway. In the case of a simple LAN and WAN configuration, running it on both interfaces is just doing double the work, although the LAN interface will see less traffic as most of the malicious internet traffic will be blocked by the firewall.

I suppose running it on the LAN interface as well would allow you to see which computer the traffic came from, but in terms of just blocking (potentially) malicious hosts, just running on WAN (or any other external interfaces) would catch everything coming in or out of your internet connection.
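The placement trade-off argued in the last two posts, as an added example (a constructed model, not from the thread or from pfSense's code): a pfSense box with a LAN and a second local segment (OPT1) behind one WAN address, with outbound NAT. For each sample flow the code reports what a Suricata sensor on the WAN interface would attribute the flow to versus one on the LAN interface. The WAN sensor sees every flow that crosses the internet link but, because it sits after outbound NAT, attributes all of them to the firewall's own WAN address; the LAN sensor sees the real internal source and is the only one that sees the LAN-to-OPT1 pivot, while neither sees two hosts talking on the same switch. Addresses, segments and flows are assumptions made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): two local segments routed by pfSense,
# one public WAN address, all outbound traffic source-NAT'd to WAN_ADDR.
LAN = ip_network("192.168.1.0/24")
OPT1 = ip_network("192.168.2.0/24")
WAN_ADDR = ip_address("203.0.113.5")
LOCAL_NETS = (LAN, OPT1)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_local(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def seen_on_wan(flow: Flow):
    """Sensor on the WAN NIC: sees only flows that cross the internet link.

    Outbound flows are seen after outbound NAT, so the internal source is
    already rewritten to the WAN address. Returns None for flows that never
    touch WAN (traffic routed between local segments).
    """
    if is_local(flow.src) and is_local(flow.dst):
        return None
    if is_local(flow.src):
        return Flow(str(WAN_ADDR), flow.dst, flow.dport, flow.proto)
    return flow  # inbound from the Internet: real external source


def seen_on_lan(flow: Flow):
    """Sensor on the LAN NIC: sees only flows with a LAN endpoint, pre-NAT.

    Two hosts on the same LAN segment talk through the switch and never reach
    pfSense, so that traffic is invisible to either sensor.
    """
    src_lan = ip_address(flow.src) in LAN
    dst_lan = ip_address(flow.dst) in LAN
    if src_lan and dst_lan:
        return None
    if src_lan or dst_lan:
        return flow
    return None


# Constructed sample flows, including the pivot the post describes: a
# compromised LAN host probing RDP on an admin box in the other segment.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "198.51.100.20", 443),  # normal outbound web
    Flow("192.168.1.10", "192.168.2.5", 3389),   # pivot from LAN to OPT1
    Flow("192.168.1.10", "192.168.1.11", 445),   # SMB to a LAN neighbour
    Flow("198.51.100.99", "203.0.113.5", 22),    # Internet scan hitting WAN
]


def attribute(flows=SAMPLE_FLOWS):
    """Per sensor, the source each flow would be attributed to (None = not seen)."""
    out = {"wan": [], "lan": []}
    for f in flows:
        on_wan, on_lan = seen_on_wan(f), seen_on_lan(f)
        out["wan"].append(on_wan.src if on_wan else None)
        out["lan"].append(on_lan.src if on_lan else None)
    return out


if __name__ == "__main__":
    for sensor, sources in attribute().items():
        print(f"{sensor}: {sources}")
```

Read the two lists side by side: the WAN sensor is the right place to block hostile internet hosts, but every outbound alert it raises names 203.0.113.5, so it cannot tell you which internal machine is infected; the LAN sensor can, and also catches the cross-segment pivot, which is the case the earlier post had in mind.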

Okay so I think I got it set up except nothing seems to be getting blocked. It just seems to be dumped to the alerts section.

Edit: nvm, I fixed it. You guys glossed over the entire setup process too quickly, so I didn't realise you enabled "Block Offenders" in "Alert and Block Settings" within the interfaces. It works now (I think).


Can I ask you to post some screenshots of your config screens with the personal items obscured?

CAUTION: If you suffer from paranoia, installing an IDS may not be the best decision that you've ever made! In other words, I wasn't paranoid until I installed Snort, but it promptly pushed me over the edge!!!

I have been tinkering with Snort for a little over a year and I have a few questions:
a) @wendell talked smack on the vid about Snort being ruined by its new owner. What does Suricata do better, or differently than Snort, that would persuade me to make the switch?
b) It seems to me that I read that Snort is a single-threaded app. Is Suricata multi-threaded, and can I expect better performance from it on a low-performance D525 Atom CPU?
c) Is there an easy way to import my existing Snort suppression list into Suricata? PLEASE say that there is!!!
d) I still find Snort's operation to be a little murky. I understand it conceptually, but still don't feel confident that I could sit down and bang out my own custom rules. Would you consider Suricata's documentation to be any better? If so, where is a good source for said documentation?