This is crazy, installed pfsense 2 days ago, installed suricata yesterday and watched your old video this morning... And here we are with a fresh take on that old video :-D Nice job :-)
@mmobini18034 жыл бұрын
Thank you Tom. A complete security video would be great.
@hugevibez4 жыл бұрын
Yeah definitely. Specifically something that runs down the things to consider when setting up your network. Firewall and vlan rules for things like iotcrap (well we get that one now lol), management networks, your web facing services or internal ones.
@esra_erimez4 жыл бұрын
Nothing about security is ever set it and forget it. Security is a process, not a destination.
@pagefault4045 ай бұрын
The real security was the friends we made along the way
@ASUSfreak3 жыл бұрын
Total (Dutch speaking) noob here, but planning to go pfSense with unifi switch/AP's. So both (pfSense and Unifi) have this IDS/IPS options. Should I enable them both or not? Will they conflict/double negative like? Or if enabled at pfSense it will pass it to unifi? Or...??? 😀 Thx... greetings from Belgium!
@greggcollins18214 жыл бұрын
Well done and great tips. Glad you explained the value of subscription services, the realities of encrypted traffic, etc. Thanks for the video.
@mattcero13 жыл бұрын
Another perfect video to get my PFSense Firewall even better! Thank you.
@aqilfikri-eq3bsКүн бұрын
such a great video.... but i have some question, can we test a any dataset to suricata or other ids tool to check the false positive rate? i want to do it as my final year project 🙂
@LAWRENCESYSTEMS14 сағат бұрын
Not that I am aware of.
@michaeljaques774 жыл бұрын
Just the video I need. Was thinking of changing from snort just to, because. Your last suricata video was a bit old. Perfect timing! 👍
@BillyDickson4 жыл бұрын
Serracada and Snort are both great products, I visit my logs files once a month to retune, or if my new soft phone doesn’t work as expected, ohh the joys of home working. 🤣
@seth25923 жыл бұрын
Hi Tom, it seems you want to enable blocking on the WAN interface. If for example someone runs an aggressive NMAP scan against your public address, and you have NAT'd VLANs configured in your network, the corresponding VLAN interface within Suricata will show the source IP of the attack as the private VLAN gateway address and the destination address will be that of the machine with the open port. If you are set to block only on the VLAN interface, then the attacker never gets blocked since the original public source address isn't captured (assuming default pass lists are enabled). Help me understand if I am mistaken here. Love your videos, keep up the great work!
@LAWRENCESYSTEMS3 жыл бұрын
you can use it on both interfaces at the same time.
@dimaj13 жыл бұрын
Thank you, Tom! Would you recommend running Suricata on a home network or is that a complete overkill?
@charlescc10004 жыл бұрын
Wow that was fast. I believe you mentioned you were going to make some videos around this on your podcast/ stream last week! Didn’t expect them so quickly! Interested in these next few videos!
@JohnForTheWin2 жыл бұрын
Thanks for the video. This helped me get up and running with Suricata on my OPNsense firewall. I can log in to the dashboard and see the alerts, but I wonder if you have a recommendation for gathering logs from multiple devices for monitoring and alerting? This is on my home network with two LANs (one for devices and one for IOT). I'm not looking for a commercial/expensive solution. Just something to alert me when one of my devices gets hacked. Thanks!
@LAWRENCESYSTEMS2 жыл бұрын
Graylog
@troyv808 Жыл бұрын
Thanks for this video, very helpful. Question: If you're not running any type of web services and no server at the office, do you still need any IDS/IPS? Is firewall enough since there is not server to protect?
@dabneyoffermein5953 ай бұрын
you do not need it
@mmobini18034 жыл бұрын
How do we disable rules on a per IP address basis? You may want to allow certain IP addresses but block others for the same rule.
@TheTF012 жыл бұрын
Do you take that much time to tune all your new clients firewalls? Do you have a pre-tuned config that you use for all your clients as a starting point?
@LAWRENCESYSTEMS2 жыл бұрын
Tuning each.
@MitchellTuckness2 жыл бұрын
Hi Lawrence, do you have a video, or maybe you could make a video that goes into depth on identifying false positives and how to exclude them. I ask because I have followed your videos on setting this up, and I got all that working. But I get false positives that I cannot figure out and help to learn how to identify ones that start blocking resources after weeks or months would help a lot. Because I can enable block, and it works for weeks, then suddenly it stops something, and I simply cannot figure out how to ID the rule that is the cause. Anyway, I thought it would be a good supplement since you have helped us with the initial setup. Thank you!
@LAWRENCESYSTEMS2 жыл бұрын
I covered the tuning in that video.
@securetechnologyservices36542 жыл бұрын
Hey Tom, Would you still recommend Suricata over Snort for pfsense?
@LAWRENCESYSTEMS2 жыл бұрын
Yes
@michnl17724 жыл бұрын
Tom again Thank you for this updated video of installing en setup Suricata! I have a question, make it sense to install Clam AV (package in Squid) as an antivirus in PfSense ?
@bullittstarter44082 жыл бұрын
The “I AM ROOT” t-shirt made me laugh pretty hard
@chromefinch4 жыл бұрын
Thanks! Very helpful. Took me a min to realize that blocks on one interface block everywhere. Thought it was a glitch.
@lencazero4712 Жыл бұрын
@Lawrence Systems. What type of light background you used. Cool video. thank you
@LAWRENCESYSTEMS Жыл бұрын
I don't understand the question.
@maninthemiddleground23163 жыл бұрын
The developer porting Snort 3.0 has given up based on the netgate forum threads … looks like Suricata is more ported and update for pfSense. However no news on Suricata v6 yet.
@sammo78773 жыл бұрын
Good video and quality content! you should have way more subscribers
@bassjunk34 жыл бұрын
Hi Lawrence, what tool do you use to make KZbin vids?
@paulg57803 жыл бұрын
Would pfsense be a suitable tool to manage multiple suricata instances ?
@LAWRENCESYSTEMS3 жыл бұрын
no
@jdizzle69114 жыл бұрын
Great video, would love to see how I could setup kubernetes behind my pfsense firewall! Thanks Lawrence.
@yusky034 жыл бұрын
Over the past year 90% of my false positives have been on the 'Generic Protocol Command Decode' class. It has gotten to the point where i just white list them as I see them. From what I can find you can't whitelist an entire class which has been very annoying.
@jeffm27873 жыл бұрын
I use it mostly for custom tripwire rules. i.e. touch this port get blocked. I turn off 98% of the built in rules. Right or Wrong, just how I like to use it.
@pctechjustin7 ай бұрын
Do you run Suricata just on the LAN at your office?
@LAWRENCESYSTEMS7 ай бұрын
Yes
@pctechjustin7 ай бұрын
You were not lying about tuning! I've been at it for 3 days now@@LAWRENCESYSTEMS
@Nikoolayy13 жыл бұрын
Can you make rules based on AD users or AD groups? I don't think there is such an option but I will ask just in case.
@wipodj4 жыл бұрын
Eso es un firewall o es para inspeccionar? Quiero instarlo pero no tengo claro como se conectaría a nivel físico.
@FDVFPV3 жыл бұрын
Es un paquete instalado en PFsense para poder monitorial tus paquete en la red. No hay nivel fisico ya que es basado en la cara o interface. En el caso de el te esplica que si lo usas en la parte de LAN puedes ver lo que pasa dentro de tu red.
@recon0x7f168 ай бұрын
How do u upload custom .xml rules to suricata through open sense
@pierrepaniagua2 жыл бұрын
is this necessary for home networks where you arent hosting sites or anything external facing?
@LAWRENCESYSTEMS2 жыл бұрын
not really
@vartanshakhoian96062 жыл бұрын
Hey Lawrence, can you please make a video how to configure SID Management and Inline mode in Suricata or Snort ?
@matldn26973 жыл бұрын
Hello, what is this: "SURICATA UDPv4 invalid checksum" I have installed Suricata as in this video. But get this in my alerts. How can I fix this? also I have a Snort (Oink) code. Is it worth using this in Suricata?
@notpublic71494 жыл бұрын
Hey, thanks for this video. It reminded me to look at this. I set it up from your previous videos but, I haven't been tuning it in a while. A revisit was indeed due. (Unrelated, I loves me new T shirt cheers.)
@colt15964 жыл бұрын
Omg thank you!! I wanted an updated video lol.
@over-there2 күн бұрын
What you call a false positive, I call operator error for not finding and adjusting rules depending on what they want to do, the rules work and are not false
@killickr4 жыл бұрын
Many thanks for the great videos, particularly on pfSense. Can you tell me how quickly the Suricata plugins for pfSense tend to get updated, after they are released. Many thanks
@GisleVanem003 жыл бұрын
Excuse my ignorance (I just stumbled across Suricata), but this video gave me the impression it has a built-in Web-server. AFAICS, it has not. But you're setup seems to depend on some (for me) strange pfSense firewall. So it doesn't seems to be an option on Windows-10 to have this really nice web-based user-interface of the Suricata analysis etc. So are there other "web-backends" for Suricata?
@RobloxRoblox1454 жыл бұрын
how many hard drives does freenas support
@chrisumali98413 жыл бұрын
Thanks for the demo and info, have a great day
@fredyyessielmoranfrias66894 жыл бұрын
Thanks awesome video, I would like to see a video about Suricata in Selks.
@faizmustofa63692 жыл бұрын
Can we run snort and suricata together on pfsense?
@LAWRENCESYSTEMS2 жыл бұрын
No
@corycigas40944 жыл бұрын
How did you get version 5.x.x? I cant see anything over 4.x.x ?
@pctechjustin2 жыл бұрын
2022 update video? Looks like some new rule sets
@Tiwo19913 жыл бұрын
What are the minimum hardware requirements to use Suricata?
@LAWRENCESYSTEMS3 жыл бұрын
There are not really any but performance will be limited based on hardware and number of packet streams it has process.
@Tiwo19913 жыл бұрын
@@LAWRENCESYSTEMS Thank you for the reply. For a home network, with around 8-10 devices and a 250Mbps down and 25Mbps up connection, I suppose something basic will suffice. At the same time I wonder if a home user needs IDS/IPS at all. Is it something a home user should think about implementing?
@dabneyoffermein5953 ай бұрын
@@Tiwo1991 No
@Motomurphy4 жыл бұрын
Always good videos! Thanks Tom.
@matldn26973 жыл бұрын
Snort or Suricata?? As Snort blocks Speed test sites.
@LAWRENCESYSTEMS3 жыл бұрын
Suricata
@matldn26973 жыл бұрын
@@LAWRENCESYSTEMS Can I ask why? also you said that a Snort code could also be put in. So can this be used as well as (i.e. side by side) the emerging threats URL?
@LAWRENCESYSTEMS3 жыл бұрын
Been using Suricata for a while so I am more familiar with it.
@matldn26973 жыл бұрын
@@LAWRENCESYSTEMS OK, thanks a lot. Was using Snort, but it blocked far too much. So in your video, you said that I can you a Snort code. As far as I know it is called an Oink code. I have one. Is it worth using it in Suricata setup?
@LAWRENCESYSTEMS3 жыл бұрын
Blocking too much means you need a rule adjustment
@kittysreview90554 жыл бұрын
This is not a good guide. Why not just put Suricata in inline mode, use SID management to set rules to drop or set Snort rules policy to security and set action to policy? You won’t need to tune anything after that because setting it to policy bases it on the developer’s drop recoomendation. Also, Suricata can detect encrypted malware using JA3 hashes of TLS signatures. ET open has JA3 rules and you can add custom JA3 rules from abuse.ch sources. Encrypted traffic analytics from Cisco uses this tech and it’s now trickled down to open source tools like suricata. Lawrence, you need to brush up on your Suricata knowledge because Suricata and it’s compatible rulesets have evolved with the proliferation of ubiquitous https.
@The_Waraba2 жыл бұрын
Is there a video guide or article out there on how to do this ?
@pepeshopping4 жыл бұрын
Not enabling IPS on the WAN is not smart. You can set it to not block, so you can still keep an eye, or better yet, do blocking for the Emerging Threats, on the SOURCES only!
@dabneyoffermein5953 ай бұрын
it should be on your LAN, not your WAN.
@cbremer834 жыл бұрын
On a side note, anyone notice the feeds for pfBlocker no longer seem to update? I get failed to download message for the last few months for pretty much all my feeds.
@LAWRENCESYSTEMS4 жыл бұрын
Many of the feeds are old and no longer relevant
@vitran25483 жыл бұрын
Thank you for your videos!
@loveneeshkumar82243 жыл бұрын
when I click on alerts..I don't get any entries showing there..why this is happening?
@LAWRENCESYSTEMS3 жыл бұрын
Maybe because you don't have any alerts
@loveneeshkumar82243 жыл бұрын
@@LAWRENCESYSTEMS but please tell me how to show alerts ?
@GizaDog4 жыл бұрын
If people / users only really knew what we did and what is happening in the Internet 24/7
@dr573v34 жыл бұрын
Awesome, thanks Tom!
@brianmccullough45784 жыл бұрын
Wooooo! Suricata baby!
@Crazy--Clown3 жыл бұрын
Isnt this was Ubiquiti use
@xephael34854 жыл бұрын
Hello Tom 👍👋
@monicavillao45002 жыл бұрын
En español se puede escuchar?
@LAWRENCESYSTEMS2 жыл бұрын
no hablo español
@monicavillao45002 жыл бұрын
@@LAWRENCESYSTEMS , Gracias
@ivalinapasse24693 жыл бұрын
Great,
@visghost2 жыл бұрын
.I can't do anything, Result: failed. Snort GPLv2 Community Rules Not Downloaded Not Downloaded LOG Downloading Emerging Threats Open rules md5 file... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules md5 download failed. Server returned error code 403. Server error message was: 403 Forbidden Snort GPLv2 Community Rules will not be updated.
@M3PH113 жыл бұрын
16:05 So i'm watching this as i'm setting up my new box. It's an r5 3400G on a gigabyte A520i AC with 8GB and 250GB Samsung 960 Evo NVME m.2 drive. LOL @ extra cpu cycles. it's still reporting 0% usage and i've also setup squid, clamav, ntopng and a bunch of other stuff. I think i have possibly built the most awesome diy home firewall ever 🤣🤣🤣
@piterbrown15037 ай бұрын
Some update video pls =)
@LAWRENCESYSTEMS7 ай бұрын
Why? Not much has changed. Also I do have one on Snort which mostly uses the same interface kzbin.info/www/bejne/aKLCmGx9nNCpjaMsi=nLClOsoipV-sFD2-
@JuanLopez-db4cc4 жыл бұрын
WONDERFUL!
@scbtripwire4 жыл бұрын
It rather bothers me that Netgate's least powerful system isn't easily capable of handling Snort/Suricata. If you care enough about security that you're buying a dedicated firewall box, it seems to me unreasonable to think the purchaser wouldn't care enough to use an IDS/IPS. Edit: That said, I just noticed you said you don't use Suricata at home. Given your expertise, why not? I'm not judging, rather, genuinely curious.
@LAWRENCESYSTEMS4 жыл бұрын
I don't have any open ports at home so I am more likely to have false positives than any real meaningful threat intelligence.
@TomBabula4 жыл бұрын
Lawrence Systems / PC Pickup I only have port 443 open from external IP forwarding in my home network for UNMS with 2 factor authentication so I hope I am fine? ;) I host it on VM on metal server with UFW firewall on.
@michnl17724 жыл бұрын
Lawrence Systems / PC Pickup Tom does this also mean that it have no function to protect the outbound connection? No blocking intrusion by downloading specific Malware or other crap that can be installed from a website?
@LAWRENCESYSTEMS4 жыл бұрын
@@michnl1772 if the site is encrypted, Suricata does not see into it.
@pizzle8082 ай бұрын
sarah catta :)
@nephets28784 жыл бұрын
Hello
@AdamPoniatowski4 жыл бұрын
if you don't have a NIC that supports netmap, your interface will flap... snort is an alternative, if you'd like an IDS/IPS
@pepeshopping4 жыл бұрын
Nop. Use LEGACY MODE for NICs without NetMap. Presto!
@AdamPoniatowski4 жыл бұрын
@@pepeshopping Mine keeps flapping, even when I don't have blocking enabled. Enabling it and setting it to legacy, still flaps... no idea why, but when I moved to snort, no issues.
@dabneyoffermein5953 ай бұрын
what's the easiest way to tell if the NIC supports netmap. I realize that everyone says use INTEL, but I'm not sure if pfSense tells me the exact chipset of the NIC
@RicardoQueirozmyself3 жыл бұрын
20 hackers hit the dislike button
@ruellerz4 жыл бұрын
Doesnt start...gah
@ruellerz4 жыл бұрын
Reinstalled..started from scratch. Boom..shows it started on the interface and then the suricata service explodes.
@ruellerz4 жыл бұрын
12/10/2020 -- 14:26:47 - -- HTTP memcap: 67108864 even though i was monitoring memory usage maybe its exploding do to memory?
@ruellerz4 жыл бұрын
Installed snort..hasnt crashed yet
@starfusionmz3 жыл бұрын
in case you have beefy pfsense server with more than 4GB of ram there might be some more config for the interface: www.reddit.com/r/PFSENSE/comments/7d8y1o/suricata_will_not_start/dpw1i58/ goes into more detail and worked for me.
@dabneyoffermein5953 ай бұрын
if you're going to use Suricata, you need a lot of RAM, this is a stateful firewall, that alone is taking tons of RAM