Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules & Alerts on pfSense 2020

Рет қаралды 182,591

Күн бұрын

Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 5% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
Forums post about this topic:
forums.lawrencesystems.com/t/...
#pfsense #Firewalls

Пікірлер: 111

@Kieeps 4 жыл бұрын

This is crazy, installed pfsense 2 days ago, installed suricata yesterday and watched your old video this morning... And here we are with a fresh take on that old video :-D Nice job :-)

@greggcollins1821 3 жыл бұрын

Well done and great tips. Glad you explained the value of subscription services, the realities of encrypted traffic, etc. Thanks for the video.

@mattcero1 2 жыл бұрын

Another perfect video to get my PFSense Firewall even better! Thank you.

@michaeljaques77 4 жыл бұрын

Just the video I need. Was thinking of changing from snort just to, because. Your last suricata video was a bit old. Perfect timing! 👍

@mmobini1803 4 жыл бұрын

Thank you Tom. A complete security video would be great.

@hugevibez 4 жыл бұрын

Yeah definitely. Specifically something that runs down the things to consider when setting up your network. Firewall and vlan rules for things like iotcrap (well we get that one now lol), management networks, your web facing services or internal ones.

@charlescc1000 4 жыл бұрын

Wow that was fast. I believe you mentioned you were going to make some videos around this on your podcast/ stream last week! Didn’t expect them so quickly! Interested in these next few videos!

@BillyDickson 4 жыл бұрын

Serracada and Snort are both great products, I visit my logs files once a month to retune, or if my new soft phone doesn’t work as expected, ohh the joys of home working. 🤣

@notpublic7149 4 жыл бұрын

Hey, thanks for this video. It reminded me to look at this. I set it up from your previous videos but, I haven't been tuning it in a while. A revisit was indeed due. (Unrelated, I loves me new T shirt cheers.)

@chromefinch 4 жыл бұрын

Thanks! Very helpful. Took me a min to realize that blocks on one interface block everywhere. Thought it was a glitch.

@sammo7877 3 жыл бұрын

Good video and quality content! you should have way more subscribers

@colt1596 4 жыл бұрын

Omg thank you!! I wanted an updated video lol.

@chrisumali9841 3 жыл бұрын

Thanks for the demo and info, have a great day

@jdizzle6911 4 жыл бұрын

Great video, would love to see how I could setup kubernetes behind my pfsense firewall! Thanks Lawrence.

@Motomurphy 4 жыл бұрын

Always good videos! Thanks Tom.

@esra_erimez 4 жыл бұрын

Nothing about security is ever set it and forget it. Security is a process, not a destination.

@pagefault404 Ай бұрын

The real security was the friends we made along the way

@michnl1772 3 жыл бұрын

Tom again Thank you for this updated video of installing en setup Suricata! I have a question, make it sense to install Clam AV (package in Squid) as an antivirus in PfSense ?

@fredyyessielmoranfrias6689 4 жыл бұрын

Thanks awesome video, I would like to see a video about Suricata in Selks.

@dr573v3 4 жыл бұрын

Awesome, thanks Tom!

@vitran2548 3 жыл бұрын

Thank you for your videos!

@seth2592 2 жыл бұрын

Hi Tom, it seems you want to enable blocking on the WAN interface. If for example someone runs an aggressive NMAP scan against your public address, and you have NAT'd VLANs configured in your network, the corresponding VLAN interface within Suricata will show the source IP of the attack as the private VLAN gateway address and the destination address will be that of the machine with the open port. If you are set to block only on the VLAN interface, then the attacker never gets blocked since the original public source address isn't captured (assuming default pass lists are enabled). Help me understand if I am mistaken here. Love your videos, keep up the great work!

@LAWRENCESYSTEMS 2 жыл бұрын

you can use it on both interfaces at the same time.

@dimaj1 2 жыл бұрын

Thank you, Tom! Would you recommend running Suricata on a home network or is that a complete overkill?

@mmobini1803 4 жыл бұрын

How do we disable rules on a per IP address basis? You may want to allow certain IP addresses but block others for the same rule.

@bullittstarter4408 2 жыл бұрын

The “I AM ROOT” t-shirt made me laugh pretty hard

@troyv808 Жыл бұрын

Thanks for this video, very helpful. Question: If you're not running any type of web services and no server at the office, do you still need any IDS/IPS? Is firewall enough since there is not server to protect?

@brianmccullough4578 4 жыл бұрын

Wooooo! Suricata baby!

@vartanshakhoian9606 2 жыл бұрын

Hey Lawrence, can you please make a video how to configure SID Management and Inline mode in Suricata or Snort ?

@JohnForTheWin Жыл бұрын

Thanks for the video. This helped me get up and running with Suricata on my OPNsense firewall. I can log in to the dashboard and see the alerts, but I wonder if you have a recommendation for gathering logs from multiple devices for monitoring and alerting? This is on my home network with two LANs (one for devices and one for IOT). I'm not looking for a commercial/expensive solution. Just something to alert me when one of my devices gets hacked. Thanks!

@LAWRENCESYSTEMS Жыл бұрын

Graylog

@Nikoolayy1 3 жыл бұрын

Can you make rules based on AD users or AD groups? I don't think there is such an option but I will ask just in case.

@JuanLopez-db4cc 4 жыл бұрын

WONDERFUL!

@ASUSfreak 3 жыл бұрын

Total (Dutch speaking) noob here, but planning to go pfSense with unifi switch/AP's. So both (pfSense and Unifi) have this IDS/IPS options. Should I enable them both or not? Will they conflict/double negative like? Or if enabled at pfSense it will pass it to unifi? Or...??? 😀 Thx... greetings from Belgium!

@MitchellTuckness 2 жыл бұрын

Hi Lawrence, do you have a video, or maybe you could make a video that goes into depth on identifying false positives and how to exclude them. I ask because I have followed your videos on setting this up, and I got all that working. But I get false positives that I cannot figure out and help to learn how to identify ones that start blocking resources after weeks or months would help a lot. Because I can enable block, and it works for weeks, then suddenly it stops something, and I simply cannot figure out how to ID the rule that is the cause. Anyway, I thought it would be a good supplement since you have helped us with the initial setup. Thank you!

@LAWRENCESYSTEMS 2 жыл бұрын

I covered the tuning in that video.

@killickr 3 жыл бұрын

Many thanks for the great videos, particularly on pfSense. Can you tell me how quickly the Suricata plugins for pfSense tend to get updated, after they are released. Many thanks

@matldn2697 3 жыл бұрын

Hello, what is this: "SURICATA UDPv4 invalid checksum" I have installed Suricata as in this video. But get this in my alerts. How can I fix this? also I have a Snort (Oink) code. Is it worth using this in Suricata?

@maninthemiddleground2316 2 жыл бұрын

The developer porting Snort 3.0 has given up based on the netgate forum threads … looks like Suricata is more ported and update for pfSense. However no news on Suricata v6 yet.

@bassjunk3 4 жыл бұрын

Hi Lawrence, what tool do you use to make KZbin vids?

@jeffm2787 2 жыл бұрын

I use it mostly for custom tripwire rules. i.e. touch this port get blocked. I turn off 98% of the built in rules. Right or Wrong, just how I like to use it.

@corycigas4094 4 жыл бұрын

How did you get version 5.x.x? I cant see anything over 4.x.x ?

@RobloxRoblox145 4 жыл бұрын

how many hard drives does freenas support

@lencazero4712 11 ай бұрын

@Lawrence Systems. What type of light background you used. Cool video. thank you

@LAWRENCESYSTEMS 11 ай бұрын

I don't understand the question.

@ivalinapasse2469 3 жыл бұрын

Great,

@TheTF01 2 жыл бұрын

Do you take that much time to tune all your new clients firewalls? Do you have a pre-tuned config that you use for all your clients as a starting point?

@LAWRENCESYSTEMS 2 жыл бұрын

Tuning each.

@xephael3485 4 жыл бұрын

Hello Tom 👍👋

@cbremer83 4 жыл бұрын

On a side note, anyone notice the feeds for pfBlocker no longer seem to update? I get failed to download message for the last few months for pretty much all my feeds.

@LAWRENCESYSTEMS 4 жыл бұрын

Many of the feeds are old and no longer relevant

@yusky03 4 жыл бұрын

Over the past year 90% of my false positives have been on the 'Generic Protocol Command Decode' class. It has gotten to the point where i just white list them as I see them. From what I can find you can't whitelist an entire class which has been very annoying.

@securetechnologyservices3654 Жыл бұрын

Hey Tom, Would you still recommend Suricata over Snort for pfsense?

@LAWRENCESYSTEMS Жыл бұрын

Yes

@pctechjustin Жыл бұрын

2022 update video? Looks like some new rule sets

@pierrepaniagua 2 жыл бұрын

is this necessary for home networks where you arent hosting sites or anything external facing?

@LAWRENCESYSTEMS 2 жыл бұрын

not really

@wipodj 3 жыл бұрын

Eso es un firewall o es para inspeccionar? Quiero instarlo pero no tengo claro como se conectaría a nivel físico.

@FDVFPV 3 жыл бұрын

Es un paquete instalado en PFsense para poder monitorial tus paquete en la red. No hay nivel fisico ya que es basado en la cara o interface. En el caso de el te esplica que si lo usas en la parte de LAN puedes ver lo que pasa dentro de tu red.

@paulg5780 3 жыл бұрын

Would pfsense be a suitable tool to manage multiple suricata instances ?

@LAWRENCESYSTEMS 3 жыл бұрын

@pepeshopping 4 жыл бұрын

Not enabling IPS on the WAN is not smart. You can set it to not block, so you can still keep an eye, or better yet, do blocking for the Emerging Threats, on the SOURCES only!

@GizaDog 4 жыл бұрын

If people / users only really knew what we did and what is happening in the Internet 24/7

@faizmustofa6369 2 жыл бұрын

Can we run snort and suricata together on pfsense?

@LAWRENCESYSTEMS 2 жыл бұрын

@Tiwo1991 3 жыл бұрын

What are the minimum hardware requirements to use Suricata?

@LAWRENCESYSTEMS 3 жыл бұрын

There are not really any but performance will be limited based on hardware and number of packet streams it has process.

@Tiwo1991 3 жыл бұрын

@@LAWRENCESYSTEMS Thank you for the reply. For a home network, with around 8-10 devices and a 250Mbps down and 25Mbps up connection, I suppose something basic will suffice. At the same time I wonder if a home user needs IDS/IPS at all. Is it something a home user should think about implementing?

@M3PH11 2 жыл бұрын

16:05 So i'm watching this as i'm setting up my new box. It's an r5 3400G on a gigabyte A520i AC with 8GB and 250GB Samsung 960 Evo NVME m.2 drive. LOL @ extra cpu cycles. it's still reporting 0% usage and i've also setup squid, clamav, ntopng and a bunch of other stuff. I think i have possibly built the most awesome diy home firewall ever 🤣🤣🤣

@pctechjustin 4 ай бұрын

Do you run Suricata just on the LAN at your office?

@LAWRENCESYSTEMS 4 ай бұрын

Yes

@pctechjustin 4 ай бұрын

You were not lying about tuning! I've been at it for 3 days now@@LAWRENCESYSTEMS

@GisleVanem00 3 жыл бұрын

Excuse my ignorance (I just stumbled across Suricata), but this video gave me the impression it has a built-in Web-server. AFAICS, it has not. But you're setup seems to depend on some (for me) strange pfSense firewall. So it doesn't seems to be an option on Windows-10 to have this really nice web-based user-interface of the Suricata analysis etc. So are there other "web-backends" for Suricata?

@loveneeshkumar8224 3 жыл бұрын

when I click on alerts..I don't get any entries showing there..why this is happening?

@LAWRENCESYSTEMS 3 жыл бұрын

Maybe because you don't have any alerts

@loveneeshkumar8224 3 жыл бұрын

@@LAWRENCESYSTEMS but please tell me how to show alerts ?

@visghost Жыл бұрын

.I can't do anything, Result: failed. Snort GPLv2 Community Rules Not Downloaded Not Downloaded LOG Downloading Emerging Threats Open rules md5 file... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules md5 download failed. Server returned error code 403. Server error message was: 403 Forbidden Snort GPLv2 Community Rules will not be updated.

@Crazy--Clown 3 жыл бұрын

Isnt this was Ubiquiti use

@monicavillao4500 2 жыл бұрын

En español se puede escuchar?

@LAWRENCESYSTEMS 2 жыл бұрын

no hablo español

@monicavillao4500 2 жыл бұрын

@@LAWRENCESYSTEMS , Gracias

@nephets2878 4 жыл бұрын

Hello

@piterbrown1503 3 ай бұрын

Some update video pls =)

@LAWRENCESYSTEMS 3 ай бұрын

Why? Not much has changed. Also I do have one on Snort which mostly uses the same interface kzbin.info/www/bejne/aKLCmGx9nNCpjaMsi=nLClOsoipV-sFD2-

@matldn2697 3 жыл бұрын

Snort or Suricata?? As Snort blocks Speed test sites.

@LAWRENCESYSTEMS 3 жыл бұрын

Suricata

@matldn2697 3 жыл бұрын

@@LAWRENCESYSTEMS Can I ask why? also you said that a Snort code could also be put in. So can this be used as well as (i.e. side by side) the emerging threats URL?

@LAWRENCESYSTEMS 3 жыл бұрын

Been using Suricata for a while so I am more familiar with it.

@matldn2697 3 жыл бұрын

@@LAWRENCESYSTEMS OK, thanks a lot. Was using Snort, but it blocked far too much. So in your video, you said that I can you a Snort code. As far as I know it is called an Oink code. I have one. Is it worth using it in Suricata setup?

@LAWRENCESYSTEMS 3 жыл бұрын

Blocking too much means you need a rule adjustment

@kittysreview9055 3 жыл бұрын

This is not a good guide. Why not just put Suricata in inline mode, use SID management to set rules to drop or set Snort rules policy to security and set action to policy? You won’t need to tune anything after that because setting it to policy bases it on the developer’s drop recoomendation. Also, Suricata can detect encrypted malware using JA3 hashes of TLS signatures. ET open has JA3 rules and you can add custom JA3 rules from abuse.ch sources. Encrypted traffic analytics from Cisco uses this tech and it’s now trickled down to open source tools like suricata. Lawrence, you need to brush up on your Suricata knowledge because Suricata and it’s compatible rulesets have evolved with the proliferation of ubiquitous https.

@MassaKingWOfficial 2 жыл бұрын

Is there a video guide or article out there on how to do this ?

@starfusionmz 3 жыл бұрын

in case you have beefy pfsense server with more than 4GB of ram there might be some more config for the interface: www.reddit.com/r/PFSENSE/comments/7d8y1o/suricata_will_not_start/dpw1i58/ goes into more detail and worked for me.

@RicardoQueirozmyself 3 жыл бұрын

20 hackers hit the dislike button

@AdamPoniatowski 4 жыл бұрын

if you don't have a NIC that supports netmap, your interface will flap... snort is an alternative, if you'd like an IDS/IPS

@pepeshopping 4 жыл бұрын

Nop. Use LEGACY MODE for NICs without NetMap. Presto!

@AdamPoniatowski 4 жыл бұрын

@@pepeshopping Mine keeps flapping, even when I don't have blocking enabled. Enabling it and setting it to legacy, still flaps... no idea why, but when I moved to snort, no issues.

@ruellerz 3 жыл бұрын

Doesnt start...gah

@ruellerz 3 жыл бұрын

Reinstalled..started from scratch. Boom..shows it started on the interface and then the suricata service explodes.

@ruellerz 3 жыл бұрын

12/10/2020 -- 14:26:47 - -- HTTP memcap: 67108864 even though i was monitoring memory usage maybe its exploding do to memory?

@ruellerz 3 жыл бұрын

Installed snort..hasnt crashed yet

@scbtripwire 4 жыл бұрын

It rather bothers me that Netgate's least powerful system isn't easily capable of handling Snort/Suricata. If you care enough about security that you're buying a dedicated firewall box, it seems to me unreasonable to think the purchaser wouldn't care enough to use an IDS/IPS. Edit: That said, I just noticed you said you don't use Suricata at home. Given your expertise, why not? I'm not judging, rather, genuinely curious.

@LAWRENCESYSTEMS 4 жыл бұрын

I don't have any open ports at home so I am more likely to have false positives than any real meaningful threat intelligence.

@TomBabula 4 жыл бұрын

Lawrence Systems / PC Pickup I only have port 443 open from external IP forwarding in my home network for UNMS with 2 factor authentication so I hope I am fine? ;) I host it on VM on metal server with UFW firewall on.

@michnl1772 3 жыл бұрын

Lawrence Systems / PC Pickup Tom does this also mean that it have no function to protect the outbound connection? No blocking intrusion by downloading specific Malware or other crap that can be installed from a website?

@LAWRENCESYSTEMS 3 жыл бұрын

@@michnl1772 if the site is encrypted, Suricata does not see into it.