
[CALL FOR TESTING] Suricata 3.0


aldocorleone:
Good afternoon everyone,

First off, I like the opnsense feel and while it still has a common feel to pfsense, I like the tweaks that have been done to it.

I have a couple of questions about it though.

I mistakenly thought that the suricata implementation provides intrusion prevention (IPS) services, but it does not. I saw a couple of forum hits saying that there is some work going on on this. I'm just wondering if there is a rough idea of when this will be made available?

Also, in pfSense there is pfblockerng; is this something that could be ported over to opnsense?

Thank you all.

AdSchellevis:
Hi,

We're currently working on a full inline IPS option using suricata and netmap, most of the code is already in GitHub and the 16.1 release will contain the final product.
If you want to test the development version, I can add some notes later today on how to install this (a dev package will be available later this week).

As for pfblockerng, pfSense packages are not compatible with OPNsense and we don't want to include any (new) code from pfSense into our codebase for both licensing issues and lack of code quality.
Is there any particular feature you're missing at the moment? You can add URLs in the alias feature as well; maybe extending that a bit would solve the missing part as well.

Regards,

Ad

AdSchellevis:
Hi,

We have been working on the Suricata integration further today and I wanted to give you a sneak preview for what is coming in 16.1 and will be available as beta in the next release (15.7.20).

Enabling this new feature will be very easy: just mark the IPS option in "Intrusion Detection":


(Enabling IPS automatically switches the system to use high performance netmap)

The new overview shows the behaviour per rule, enabled/disabled and alert or drop:


Finally, you can choose to change the defaults:


I tested it on one of our midrange machines today and have seen throughputs up to 500 Mbps using a standard MTU size of 1500 bytes.

** How to install (as of 15.7.20-devel, or using github) **

** SEE BELOW **

Regards,

Ad
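To make the "behaviour per rule" idea concrete, here is an added illustration (not code from the OPNsense project or this thread) of how a ruleset can be rewritten from a per-SID policy: each rule is enabled or disabled, and its action set to alert or drop, with a global default. The rule lines and SIDs below are constructed samples in Suricata rule syntax; the real OPNsense rule handling is assumed to differ in details.

```python
import re

# Constructed sample rules (placeholder SIDs, not from any real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:9000001; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE off by default"; sid:9000002; rev:1;)
alert ip [192.0.2.0/24] any -> $HOME_NET any (msg:"EXAMPLE blocklist hit"; sid:9000003; rev:1;)
"""

# A leading '#' marks a disabled rule; the action keyword comes first, the sid is inside the options.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*?sid:\s*(?P<sid>\d+)\s*;.*)$'
)

def parse_rule(line):
    """Return {sid, enabled, action, rest} for a rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {"sid": int(m["sid"]), "enabled": m["off"] is None,
            "action": m["action"], "rest": m["rest"]}

def apply_policy(rules_text, default_action="alert", overrides=None):
    """Rewrite rules: every rule gets default_action (alert or drop) unless a per-SID
    override changes its action and/or enabled state. Non-rule lines pass through."""
    overrides = overrides or {}
    out = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)
            continue
        o = overrides.get(r["sid"], {})
        enabled = o.get("enabled", r["enabled"])
        action = o.get("action", default_action)
        prefix = "" if enabled else "# "
        out.append(f"{prefix}{action} {r['rest']}")
    return "\n".join(out) + "\n"

def summarize(rules_text):
    """Per-rule overview, like the UI table: sid -> (enabled, action)."""
    return {r["sid"]: (r["enabled"], r["action"])
            for r in map(parse_rule, rules_text.splitlines()) if r}

if __name__ == "__main__":
    # IPS mode: drop by default, keep the ssh probe rule as alert-only, enable the disabled rule.
    policy = {9000001: {"action": "alert"}, 9000002: {"enabled": True}}
    print(apply_policy(SAMPLE_RULES, default_action="drop", overrides=policy))
```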

aldocorleone:
Thanks! I might give this a shot. How's the stability so far?

As for the pfblocker item: using those blacklists was handy, as it would cron-update the blacklists (spambots, malware, etc.).

It also does deduplication, which I find handy as well.  If this is something that could be added, or alternatives, that would be handy.

I think having Suricata in IPS mode would help alleviate these concerns a lot, as the default rules have dshield, and it will help a lot on the security end of things.

Thank you for your help!

AdSchellevis:
I spent a couple of days testing and so far it's looking great.

The url aliases also support updating (Update Freq. (days)), but probably no de-duplication (not sure though).
