Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules & Alerts on pfSense 2020

Science and technology


Comments: 112

  • @Kieeps
    4 years ago

    This is crazy, installed pfsense 2 days ago, installed suricata yesterday and watched your old video this morning... And here we are with a fresh take on that old video :-D Nice job :-)

  • @mmobini1803
    4 years ago

    Thank you Tom. A complete security video would be great.

  • @hugevibez
    4 years ago

    Yeah definitely. Specifically something that runs down the things to consider when setting up your network. Firewall and vlan rules for things like iotcrap (well we get that one now lol), management networks, your web facing services or internal ones.

  • @michaeljaques77
    4 years ago

    Just the video I need. Was thinking of changing from snort just to, because. Your last suricata video was a bit old. Perfect timing! 👍

  • @mattcero1
    2 years ago

    Another perfect video to get my PFSense Firewall even better! Thank you.

  • @greggcollins1821
    4 years ago

    Well done and great tips. Glad you explained the value of subscription services, the realities of encrypted traffic, etc. Thanks for the video.

  • @charlescc1000
    4 years ago

    Wow that was fast. I believe you mentioned you were going to make some videos around this on your podcast/ stream last week! Didn’t expect them so quickly! Interested in these next few videos!

  • @colt1596
    4 years ago

    Omg thank you!! I wanted an updated video lol.

  • @chromefinch
    4 years ago

    Thanks! Very helpful. Took me a min to realize that blocks on one interface block everywhere. Thought it was a glitch.

  • @notpublic7149
    4 years ago

    Hey, thanks for this video. It reminded me to look at this. I set it up from your previous videos but, I haven't been tuning it in a while. A revisit was indeed due. (Unrelated, I loves me new T shirt cheers.)

  • @chrisumali9841
    3 years ago

    Thanks for the demo and info, have a great day

  • @Motomurphy
    4 years ago

    Always good videos! Thanks Tom.

  • @BillyDickson
    4 years ago

    Suricata and Snort are both great products. I visit my log files once a month to retune, or if my new softphone doesn't work as expected. Ohh, the joys of home working. 🤣

  • @bullittstarter4408
    2 years ago

    The “I AM ROOT” t-shirt made me laugh pretty hard

  • @sammo7877
    3 years ago

    Good video and quality content! You should have way more subscribers.

  • @dr573v3
    4 years ago

    Awesome, thanks Tom!

  • @jdizzle6911
    4 years ago

    Great video, would love to see how I could setup kubernetes behind my pfsense firewall! Thanks Lawrence.

  • @vitran2548
    3 years ago

    Thank you for your videos!

  • @fredyyessielmoranfrias6689
    4 years ago

    Thanks awesome video, I would like to see a video about Suricata in Selks.

  • @brianmccullough4578
    4 years ago

    Wooooo! Suricata baby!

  • @esra_erimez
    4 years ago

    Nothing about security is ever set it and forget it. Security is a process, not a destination.

  • @pagefault404
    2 months ago

    The real security was the friends we made along the way

  • @JuanLopez-db4cc
    4 years ago

    WONDERFUL!

  • @michnl1772
    4 years ago

    Tom, again thank you for this updated video on installing and setting up Suricata! I have a question: does it make sense to install ClamAV (package in Squid) as an antivirus in pfSense?

  • @mmobini1803
    4 years ago

    How do we disable rules on a per IP address basis? You may want to allow certain IP addresses but block others for the same rule.

  • @dimaj1
    2 years ago

    Thank you, Tom! Would you recommend running Suricata on a home network or is that a complete overkill?

  • @troyv808
    1 year ago

    Thanks for this video, very helpful. Question: If you're not running any type of web services and no server at the office, do you still need any IDS/IPS? Is a firewall enough since there is no server to protect?

  • @seth2592
    2 years ago

    Hi Tom, it seems you want to enable blocking on the WAN interface. If for example someone runs an aggressive NMAP scan against your public address, and you have NAT'd VLANs configured in your network, the corresponding VLAN interface within Suricata will show the source IP of the attack as the private VLAN gateway address and the destination address will be that of the machine with the open port. If you are set to block only on the VLAN interface, then the attacker never gets blocked since the original public source address isn't captured (assuming default pass lists are enabled). Help me understand if I am mistaken here. Love your videos, keep up the great work!

  • @LAWRENCESYSTEMS
    2 years ago

    You can use it on both interfaces at the same time.

  • @xephael3485
    4 years ago

    Hello Tom 👍👋

  • @ivalinapasse2469
    3 years ago

    Great,

  • @ASUSfreak
    3 years ago

    Total (Dutch speaking) noob here, but planning to go pfSense with UniFi switch/APs. So both (pfSense and UniFi) have these IDS/IPS options. Should I enable them both or not? Will they conflict/double negative like? Or if enabled at pfSense will it pass it to UniFi? Or...??? 😀 Thx... greetings from Belgium!

  • @bassjunk3
    4 years ago

    Hi Lawrence, what tool do you use to make KZread vids?

  • @vartanshakhoian9606
    2 years ago

    Hey Lawrence, can you please make a video on how to configure SID Management and Inline mode in Suricata or Snort?

  • @Nikoolayy1
    3 years ago

    Can you make rules based on AD users or AD groups? I don't think there is such an option but I will ask just in case.

  • @matldn2697
    3 years ago

    Hello, what is this: "SURICATA UDPv4 invalid checksum"? I have installed Suricata as in this video, but get this in my alerts. How can I fix this? Also I have a Snort (Oink) code. Is it worth using this in Suricata?

  • @corycigas4094
    4 years ago

    How did you get version 5.x.x? I can't see anything over 4.x.x?

  • @JohnForTheWin
    1 year ago

    Thanks for the video. This helped me get up and running with Suricata on my OPNsense firewall. I can log in to the dashboard and see the alerts, but I wonder if you have a recommendation for gathering logs from multiple devices for monitoring and alerting? This is on my home network with two LANs (one for devices and one for IOT). I'm not looking for a commercial/expensive solution. Just something to alert me when one of my devices gets hacked. Thanks!

  • @LAWRENCESYSTEMS
    1 year ago

    Graylog

  • @RobloxRoblox145
    4 years ago

    How many hard drives does FreeNAS support?

  • @killickr
    3 years ago

    Many thanks for the great videos, particularly on pfSense. Can you tell me how quickly the Suricata plugins for pfSense tend to get updated after they are released? Many thanks.

  • @jeffm2787
    2 years ago

    I use it mostly for custom tripwire rules, i.e. touch this port, get blocked. I turn off 98% of the built-in rules. Right or wrong, just how I like to use it.

  • @recon0x7f16
    5 months ago

    How do you upload custom .xml rules to Suricata through OPNsense?

  • @TheTF01
    2 years ago

    Do you take that much time to tune all your new clients' firewalls? Do you have a pre-tuned config that you use for all your clients as a starting point?

  • @LAWRENCESYSTEMS
    2 years ago

    Tuning each.

  • @MitchellTuckness
    2 years ago

    Hi Lawrence, do you have a video, or maybe you could make a video that goes into depth on identifying false positives and how to exclude them. I ask because I have followed your videos on setting this up, and I got all that working. But I get false positives that I cannot figure out and help to learn how to identify ones that start blocking resources after weeks or months would help a lot. Because I can enable block, and it works for weeks, then suddenly it stops something, and I simply cannot figure out how to ID the rule that is the cause. Anyway, I thought it would be a good supplement since you have helped us with the initial setup. Thank you!

  • @LAWRENCESYSTEMS
    2 years ago

    I covered the tuning in that video.

  • @maninthemiddleground2316
    2 years ago

    The developer porting Snort 3.0 has given up based on the Netgate forum threads … looks like Suricata is more ported and updated for pfSense. However, no news on Suricata v6 yet.

  • @lencazero4712
    11 months ago

    @Lawrence Systems What type of light background did you use? Cool video. Thank you.

  • @LAWRENCESYSTEMS
    11 months ago

    I don't understand the question.

  • @securetechnologyservices3654
    1 year ago

    Hey Tom, would you still recommend Suricata over Snort for pfSense?

  • @LAWRENCESYSTEMS
    1 year ago

    Yes

  • @pierrepaniagua
    2 years ago

    Is this necessary for home networks where you aren't hosting sites or anything external facing?

  • @LAWRENCESYSTEMS
    2 years ago

    Not really.

  • @paulg5780
    3 years ago

    Would pfSense be a suitable tool to manage multiple Suricata instances?

  • @LAWRENCESYSTEMS
    3 years ago

    No.

  • @wipodj
    3 years ago

    Is this a firewall or is it for inspection? I want to install it but I'm not clear on how it would connect at the physical level.

  • @FDVFPV
    3 years ago

    It is a package installed on pfSense so you can monitor your packets on the network. There is no physical level, since it is based on the face or interface. In his case he explains that if you use it on the LAN side you can see what happens inside your network.

  • @yusky03
    4 years ago

    Over the past year 90% of my false positives have been on the 'Generic Protocol Command Decode' class. It has gotten to the point where I just whitelist them as I see them. From what I can find you can't whitelist an entire class, which has been very annoying.

  • @cbremer83
    4 years ago

    On a side note, anyone notice the feeds for pfBlocker no longer seem to update? I get a "failed to download" message for the last few months for pretty much all my feeds.

  • @LAWRENCESYSTEMS
    4 years ago

    Many of the feeds are old and no longer relevant.

  • @GizaDog
    4 years ago

    If people / users only really knew what we did and what is happening on the Internet 24/7.

  • @pctechjustin
    1 year ago

    2022 update video? Looks like some new rule sets

  • @M3PH11
    2 years ago

    16:05 So I'm watching this as I'm setting up my new box. It's an R5 3400G on a Gigabyte A520I AC with 8GB and a 250GB Samsung 960 Evo NVMe M.2 drive. LOL @ extra CPU cycles. It's still reporting 0% usage and I've also set up Squid, ClamAV, ntopng and a bunch of other stuff. I think I have possibly built the most awesome DIY home firewall ever 🤣🤣🤣

  • @pctechjustin
    4 months ago

    Do you run Suricata just on the LAN at your office?

  • @LAWRENCESYSTEMS
    4 months ago

    Yes

  • @pctechjustin
    4 months ago

    @LAWRENCESYSTEMS You were not lying about tuning! I've been at it for 3 days now.

  • @faizmustofa6369
    2 years ago

    Can we run Snort and Suricata together on pfSense?

  • @LAWRENCESYSTEMS
    2 years ago

    No

  • @Tiwo1991
    3 years ago

    What are the minimum hardware requirements to use Suricata?

  • @LAWRENCESYSTEMS
    3 years ago

    There are not really any, but performance will be limited based on hardware and the number of packet streams it has to process.

  • @Tiwo1991
    3 years ago

    @LAWRENCESYSTEMS Thank you for the reply. For a home network, with around 8-10 devices and a 250Mbps down and 25Mbps up connection, I suppose something basic will suffice. At the same time I wonder if a home user needs IDS/IPS at all. Is it something a home user should think about implementing?

  • @piterbrown1503
    3 months ago

    Some update video pls =)

  • @LAWRENCESYSTEMS
    3 months ago

    Why? Not much has changed. Also I do have one on Snort, which mostly uses the same interface: kzread.info/dash/bejne/ZKWTyZuAl87ch6Q.htmlsi=nLClOsoipV-sFD2-

  • @pepeshopping
    4 years ago

    Not enabling IPS on the WAN is not smart. You can set it to not block, so you can still keep an eye, or better yet, do blocking for the Emerging Threats, on the SOURCES only!

  • @nephets2878
    4 years ago

    Hello

  • @loveneeshkumar8224
    3 years ago

    When I click on alerts I don't get any entries showing there. Why is this happening?

  • @LAWRENCESYSTEMS
    3 years ago

    Maybe because you don't have any alerts.

  • @loveneeshkumar8224
    3 years ago

    @LAWRENCESYSTEMS But please tell me how to show alerts?

  • @matldn2697
    3 years ago

    Snort or Suricata?? As Snort blocks speed test sites.

  • @LAWRENCESYSTEMS
    3 years ago

    Suricata

  • @matldn2697
    3 years ago

    @LAWRENCESYSTEMS Can I ask why? Also you said that a Snort code could also be put in. So can this be used as well as (i.e. side by side with) the Emerging Threats URL?

  • @LAWRENCESYSTEMS
    3 years ago

    I've been using Suricata for a while, so I am more familiar with it.

  • @matldn2697
    3 years ago

    @LAWRENCESYSTEMS OK, thanks a lot. I was using Snort, but it blocked far too much. So in your video, you said that I can use a Snort code. As far as I know it is called an Oink code. I have one. Is it worth using it in the Suricata setup?

  • @LAWRENCESYSTEMS
    3 years ago

    Blocking too much means you need a rule adjustment.

  • @GisleVanem00
    3 years ago

    Excuse my ignorance (I just stumbled across Suricata), but this video gave me the impression it has a built-in web server. AFAICS, it has not. But your setup seems to depend on some (for me) strange pfSense firewall. So it doesn't seem to be an option on Windows 10 to have this really nice web-based user interface for the Suricata analysis etc. So are there other "web backends" for Suricata?

  • @Crazy--Clown
    3 years ago

    Isn't this what Ubiquiti uses?

  • @visghost
    1 year ago

    I can't do anything. Result: failed. Snort GPLv2 Community Rules Not Downloaded Not Downloaded LOG Downloading Emerging Threats Open rules md5 file... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules md5 download failed. Server returned error code 403. Server error message was: 403 Forbidden Snort GPLv2 Community Rules will not be updated.

  • @monicavillao4500
    2 years ago

    Can it be listened to in Spanish?

  • @LAWRENCESYSTEMS
    2 years ago

    I don't speak Spanish.

  • @monicavillao4500
    2 years ago

    @LAWRENCESYSTEMS, thank you

  • @kittysreview9055
    3 years ago

    This is not a good guide. Why not just put Suricata in inline mode, use SID management to set rules to drop, or set the Snort rules policy to security and set the action to policy? You won't need to tune anything after that because setting it to policy bases it on the developer's drop recommendation. Also, Suricata can detect encrypted malware using JA3 hashes of TLS signatures. ET Open has JA3 rules and you can add custom JA3 rules from abuse.ch sources. Encrypted Traffic Analytics from Cisco uses this tech and it's now trickled down to open source tools like Suricata. Lawrence, you need to brush up on your Suricata knowledge because Suricata and its compatible rulesets have evolved with the proliferation of ubiquitous HTTPS.

  • @MassaKingWOfficial
    2 years ago

    Is there a video guide or article out there on how to do this?

  • @starfusionmz
    3 years ago

    In case you have a beefy pfSense server with more than 4GB of RAM there might be some more config needed for the interface: www.reddit.com/r/PFSENSE/comments/7d8y1o/suricata_will_not_start/dpw1i58/ goes into more detail and worked for me.

  • @RicardoQueirozmyself
    3 years ago

    20 hackers hit the dislike button

  • @ruellerz
    3 years ago

    Doesn't start... gah

  • @ruellerz
    3 years ago

    Reinstalled... started from scratch. Boom... shows it started on the interface and then the Suricata service explodes.

  • @ruellerz
    3 years ago

    12/10/2020 -- 14:26:47 - -- HTTP memcap: 67108864 even though I was monitoring memory usage. Maybe it's exploding due to memory?

  • @ruellerz
    3 years ago

    Installed Snort... hasn't crashed yet.

  • @scbtripwire
    4 years ago

    It rather bothers me that Netgate's least powerful system isn't easily capable of handling Snort/Suricata. If you care enough about security that you're buying a dedicated firewall box, it seems to me unreasonable to think the purchaser wouldn't care enough to use an IDS/IPS. Edit: That said, I just noticed you said you don't use Suricata at home. Given your expertise, why not? I'm not judging, rather, genuinely curious.

  • @LAWRENCESYSTEMS
    4 years ago

    I don't have any open ports at home, so I am more likely to have false positives than any real meaningful threat intelligence.

  • @TomBabula
    4 years ago

    Lawrence Systems / PC Pickup I only have port 443 open from external IP forwarding in my home network for UNMS with 2-factor authentication, so I hope I am fine? ;) I host it on a VM on a metal server with the UFW firewall on.

  • @michnl1772
    4 years ago

    Lawrence Systems / PC Pickup Tom, does this also mean that it has no function to protect the outbound connection? No blocking intrusion by downloading specific malware or other crap that can be installed from a website?

  • @LAWRENCESYSTEMS
    4 years ago

    @michnl1772 If the site is encrypted, Suricata does not see into it.

  • @AdamPoniatowski
    4 years ago

    If you don't have a NIC that supports netmap, your interface will flap... Snort is an alternative if you'd like an IDS/IPS.

  • @pepeshopping
    4 years ago

    Nope. Use LEGACY MODE for NICs without netmap. Presto!

  • @AdamPoniatowski
    4 years ago

    @pepeshopping Mine keeps flapping, even when I don't have blocking enabled. Enabling it and setting it to legacy, it still flaps... no idea why, but when I moved to Snort, no issues.
