Hey guys,
I did the openvpn thing yesterday and my bandwidth is still medium ok.
Set up pfBlockerNG and enabled DNSBL for some ad lists, spammers, and malware. Still undecided about blocking GeoIP as I tend to Skype with folk all over the world.
Can someone point me at a good explanation of all the various features?
I also started reading up on Suricata last night.... IPS/IDS. I felt like I was in the deep end of the pool very quickly. This seems like a very powerful tool for stateful and deep packet analysis both on the LAN and the WAN. Real spy-vs-spy stuff BUT most of the words didn't make sense to me....
Can someone recommend good reading on stateful and deep packet inspection firewall type stuff? I feel like if I had more context then configuring Suricata would make more sense.
The other challenge might be that I haven't created the use cases in my home lab where this super cool tool would be used.
Thanks
T
I can't recommend anything as far as reading material goes, but Suricata and Snort are functionally very similar, so you may have better luck finding info on Snort and just adapting it to Suricata.
If you want to try it out, the default settings are pretty good. Make sure you set it to block both source and destination IP, kill states when blocking, and set the block period to 1 hour (doesn't need to be huge and helps with sorting out false positives or accidentally locking yourself out). Leave the search method on the default. I know Snort uses bnfa and bnfa-nq; I'm not sure what options Suricata has, but there is no performance advantage to changing it, just more resource usage.
I'd suggest for the rules just using the Snort VRT IPS policy, which selects rules automatically. I'd suggest setting it to connectivity or balanced (I can't remember if Suricata has this or not) so you don't get too many false positives, but you will have to spend quite a bit of time disabling rules that throw false positives until you get to a point where it works without you having to clear the block list all the time.
Also, you only want to set it to run on the WAN interface. There's no advantage to running it on both interfaces, as it's just looking at the same traffic twice, except on the LAN interface it's already gone through the firewall, so Suricata won't see a lot of the traffic it would otherwise block.
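As an added example (not from this thread or from the pfSense packages), a small Python script that reads Suricata EVE JSON alerts, ranks rules by how often they fire so the noisy ones can be reviewed for false positives, and models which hosts are still blocked under the "block both source and destination, 1-hour block period" settings recommended above. It assumes Suricata's default EVE timestamp layout, emits gid:sid lines in disablesid.conf style for the SID management file, and uses constructed sample alerts with local-range SIDs; the exact one-hour expiry is a simplified model of how pfSense clears blocked hosts.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed EVE JSON sample (not from the thread): three hits from one chatty local rule, two from another, plus a non-alert flow record that must be skipped.
SAMPLE_EVE = """
{"timestamp":"2024-01-15T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL chatty policy rule (constructed)"}}
{"timestamp":"2024-01-15T10:05:00.000000+0000","event_type":"alert","src_ip":"203.0.113.11","dest_ip":"192.0.2.20","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL chatty policy rule (constructed)"}}
{"timestamp":"2024-01-15T10:10:00.000000+0000","event_type":"alert","src_ip":"203.0.113.12","dest_ip":"192.0.2.20","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL chatty policy rule (constructed)"}}
{"timestamp":"2024-01-15T10:20:00.000000+0000","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.21","alert":{"gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL rare scan rule (constructed)"}}
{"timestamp":"2024-01-15T11:30:00.000000+0000","event_type":"flow","src_ip":"198.51.100.9","dest_ip":"192.0.2.21"}
{"timestamp":"2024-01-15T11:40:00.000000+0000","event_type":"alert","src_ip":"198.51.100.6","dest_ip":"192.0.2.21","alert":{"gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL rare scan rule (constructed)"}}
"""

BLOCK_PERIOD = timedelta(hours=1)        # the 1-hour block period recommended in the reply
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"     # Suricata's default EVE timestamp layout

def parse_ts(s):
    return datetime.strptime(s, TS_FORMAT)

def parse_alerts(text):
    """Keep only event_type == "alert" records from EVE JSON lines."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if ev.get("event_type") == "alert"]

def alert_counts(alerts):
    """Alerts per rule, keyed by (gid, sid, signature name)."""
    return Counter((ev["alert"]["gid"], ev["alert"]["signature_id"], ev["alert"]["signature"]) for ev in alerts)

def disablesid_candidates(alerts, threshold):
    """gid:sid lines (disablesid.conf style, assumed format) for rules firing at least
    `threshold` times: candidates to review as false positives, not to disable blindly."""
    return sorted(f"{gid}:{sid}" for (gid, sid, _), n in alert_counts(alerts).items() if n >= threshold)

def active_blocks(alerts, now):
    """Hosts still blocked at `now` when every alert blocks both src and dest IP for
    BLOCK_PERIOD (simplified model: each block expires exactly one period after its alert)."""
    blocked = set()
    for ev in alerts:
        if timedelta(0) <= now - parse_ts(ev["timestamp"]) < BLOCK_PERIOD:
            blocked.update((ev["src_ip"], ev["dest_ip"]))
    return blocked

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for (gid, sid, name), n in alert_counts(alerts).most_common():
        print(f"{n:3d}  {gid}:{sid}  {name}")
    print("review as false-positive candidates:", disablesid_candidates(alerts, 3))
    print("still blocked at 11:45:", sorted(active_blocks(alerts, parse_ts("2024-01-15T11:45:00.000000+0000"))))
```

Point it at a real eve.json and a sensible threshold to get a short list of the rules worth disabling on the SID management tab instead of clearing the block list by hand.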