pfSense: Network Intrusion Detection w/Suricata (pt4) | Level One Techs

Good questions. Will try to address these if the community doesn't beat me to it (which hopefully they do, as I've got my hands full today with random stuff).

Cisco is currently supporting Ajit Pai. Need I say more?


Cisco on people's **** lists for sure with that said.

My most immediate concern was that Cisco is going to close it down, put it behind a paywall and charge a huge subscription fee.

On reflection, knowing how much those infamous 3-letter agencies like to appropriate Cisco gear, it wouldn't surprise me if they haven't already demanded and received a back door into Snort's inner workings. See ... I told you that Snort had pushed me over the edge! Just because I'm paranoid, doesn't mean that the NSA doesn't want to give my network an endoscopy!!!

You beat me to the punch 😀 I agree Cisco isn't very secure. Can anyone else suggest a different company for network products and services? I am really a nut for security, and I need suggestions for switches for the Ethernet network I will be installing into my home.

I'm probably already on double secret probation for mentioning the politics that drives so much of the ridiculousness that we observe in the world around us. When it comes to Ajit Pai, I also agree with his stated goals of competition, but that horse has already left the barn. To cut to the chase, the ISPs need to lose their monopoly (and their cozy government relationships), or be regulated as a utility. There is no middle ground here.

My unscientific method is this: I look at what the WISPs are currently using. These small operations are necessarily very cost conscious, yet they need good performance, with 99.999% uptime. You'll frequently hear them discussing products from MikroTik, Ubiquiti and a host of other manufacturers which are not typically household names.

These guys are typically very compelling.

Like many things, security is a verb not a noun. And similarly, good people are still required. IDS/IPS and WAFs (rule-based solutions) keep the script kiddies at bay, but any patient, skilled attacker can exercise cross-site scripting, SQL and file access misconfigurations without ringing the bells very loud. They are good at blocking automated carpet-bomb type attacks, but keeping out thugs with skills requires having real people reading logs, exercising their own security, and teaching users. Old-fashioned spear phishing is still brutally easy if the attacker is trying to own the network. SQL injection is often still sitting right behind the firewall and only takes a little bit of creativity to bypass the rules.

There are going to be times on any network where one patch or misconfiguration is going to open a door. This is why you need belt and suspenders, but it also requires people to be actively doing security to close that door before the next one opens. If you set it and forget it, then all of these hardware/software solutions are just a good way to get your PCI compliance checklist complete or provide a line on a board report.


I know the best way to protect yourself is don't play at all, but why make it easy for them? That is the reason I ask my question. I guess there isn't an easy answer to my question except don't connect your computer to the internet, if you are really concerned about your network being hacked.

Anyone having stability issues? Since installing Suricata my router crashes at intermittent times.

Also now the router is giving my static IPv4 IP addressed machines IPv6 addresses.

Digging in a little more, Suricata blew the every living sh*t out of my Splunk license, over 7 gigs in less than one day!!! (Usually syslog from my pfSense box puts out about .001 a day)- and my download, upload, ping graph which is usually pretty steady is all over the place. Suricata basically DOSed (granted somewhat my fault with the log output setup) me with some kind of checksum error.

Even with Suricata set to 'stop', it's still blowing up my Splunk with some kind of invalid checksum event so aggressively I can see CPU and RAM usage on the pfSense box increase from it. My WAN and LAN output in the graphs was crazy, the thing was generating logs like a beast! Welp, uninstalled for now.

Yeah, suricata is multithreaded and probably does perform better. HOWEVER this does not affect your network performance at all. Suricata and snort do not run inline; they run on a copy of the traffic, and anything which is blocked by it, no matter how fast it is, has already hit the firewall and either passed or not. Malicious traffic will be blocked a few milliseconds later, which will end the connection, but at the very least the first packet will make it. So the only difference that comes from improving the performance of the IPS is that it will block traffic a few milliseconds faster.

Basically whatever performance difference there is between snort and suricata won't make any difference to security or network speed, and the same goes for changing the search method to a higher performance (way more resource intensive) one.

I appreciate the thoughtful response. My question regarding better performance was triggered more by the fact that I am using a relatively low power Atom CPU. I should have been more specific. Perhaps by asking if Suricata was a more "lightweight," or a more "efficient" application than Snort, I could have made myself more clear? Sorry for the confusion.

I use snort but I've tried suricata a few times and in my experience it is probably more resource intensive than snort. You can try it out for yourself, the configuration is virtually identical to snort.

In snort you could try using the AC-BNFA-NQ search method rather than the default AC-BNFA as I'm pretty sure NQ uses less CPU but more RAM, or it could be the other way around. But those are the only two search methods you should use as the others will just waste your RAM and CPU and give you nothing in return.

I have 8GB of RAM, so I'll twiddle the knobs to see what happens.

Great input - thanks a bunch!


I just noticed that suricata does have an option for running it inline. In that case the performance of suricata would affect the network performance, so if you were running it inline you would want a pretty fast system so you're either not limiting your network speed or adding too much latency. I would say that if keeping the latency low is important, then don't run it inline. The difference in terms of security is that when running it in legacy mode any packets which trigger an alert will still reach their destination until suricata has sent the alert and blocked the traffic on the firewall, whereas inline it will drop the connection so it is never passed to the firewall. So inline is more secure but will add latency, and if the system isn't fast enough it will limit the connection speed.


I was running it inline on 2 cores of a C2750 in a VM, and "heavy" residential traffic added up to ~1000ms latency, packets got delayed, and suricata would show alerts for excessive retransmission of packets. I added 2 more cores for a total of 4, and the latency went down to ~300ms, but it's still noticeable that the network is running in a degraded state.

I've been looking at possible upgrades, but have yet to find hardware recommendations for suricata on something like 500k-1m pps.


Thanks for clearing the Snort / Suricata decision -- with facts.
Uh false positives hurt me plenty.

I attempted to make the switch from Snort to Suricata, but it just completely hosed my entire configuration even when the interface was disabled. I probably did something wrong, but until I see a more detailed setup guide, I think I'm going to stick with my Snort configuration, which was working just fine.


The default configuration should work fine, just check all the boxes it says should be checked. I had to restart the wan interface after setting it up but after that it worked fine. I would keep it on legacy mode (rather than inline) unless you know what you're doing as that can tank your performance.

I had to disable 1:2200075 SURICATA UDPv4 invalid checksum. It was blocking all DNS resolution, as far as I could tell.

This post on the pfsense forum has a great sample disablesid.conf file with some good notation explaining why rules were disabled.
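As an added example (not from this post, the linked pfSense forum thread, or the pfSense package itself): a small Python script that parses the pulledpork-style disablesid.conf syntax the pfSense Suricata SID Mgmt tab accepts and comments out the matching rules, so the invalid-checksum rule above ends up disabled. The conf body and rule lines are constructed, and the comma-list and gid:sid-gid:sid range forms are assumed here to follow pulledpork's conventions.

```python
import re

# Constructed disablesid.conf (syntax assumed to match pulledpork / the pfSense SID
# Mgmt tab): '#' comments, single gid:sid entries, comma lists, gid:sid-gid:sid ranges.
DISABLESID_CONF = """\
# 1:2200075 SURICATA UDPv4 invalid checksum - it was blocking DNS resolution
1:2200075
# a contiguous block of decoder events as a range, then a comma-separated list
1:2200073-1:2200074
1:2210000,1:2210001
"""
# Constructed rule lines; only the sid (and optional gid) option matters here.
RULES = """\
alert pkthdr any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; sid:2200075; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid checksum"; sid:2200073; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; sid:2200076; rev:1;)
alert tcp any any -> any any (msg:"constructed stream event"; sid:2210000; rev:1;)
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_disablesid(text):
    """Return the set of (gid, sid) pairs a disablesid.conf body selects."""
    selected = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        for item in line.split(","):
            item = item.strip()
            if "-" in item:                      # range lo_gid:lo_sid-hi_gid:hi_sid
                lo, hi = item.split("-", 1)
                lo_gid, lo_sid = map(int, lo.split(":"))
                hi_gid, hi_sid = map(int, hi.split(":"))
                if lo_gid != hi_gid or lo_sid > hi_sid:
                    raise ValueError(f"bad range: {item!r}")
                selected.update((lo_gid, s) for s in range(lo_sid, hi_sid + 1))
            else:
                gid, sid = map(int, item.split(":"))
                selected.add((gid, sid))
    return selected

def apply_disablesid(rules_text, selected):
    """Comment out each active rule whose (gid, sid) is selected; gid defaults to 1."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            g = GID_RE.search(line)
            gid = int(g.group(1)) if g else 1
            if (gid, int(m.group(1))) in selected:
                line = "# " + line                # a disabled rule is a commented-out rule
        out.append(line)
    return "\n".join(out)
```

Run it with `print(apply_disablesid(RULES, parse_disablesid(DISABLESID_CONF)))` to see which of the constructed rules survive; a SID listed in the conf but absent from the rule set is simply ignored, the same way an unused disablesid entry does nothing on the box.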


Great find, that will save people a ton of time, especially if you have multiple interfaces and have to disable the same rule multiple times.