Suricata IPS Mode

[nicholaswkc]

Dear All,

I had configure the suricata in ips mode using netmap Intel NIC igb driver but I can't seems to have drop/block tab on the Web UI.

I cannot download the ET Pro rules, it takes few hours but still cannot finished download the rules. What is the problem?

Hope someone can enlighten on this.

[nicholaswkc]

Anyone willing to pin point what is the problem?? Please help. Thanks.

[peterwkc]

Anyone please help? Thanks.

[Vilhonator]

Check the logs for any errors.

If there are no errors, then depending on your internet speed and hardware of your server or firewall, it can take literally hours to download all the rulesets.

You can also install plugins and go to surricatas website, follow instructions on how to fetch rulesets on BSD and manually do things via SSH which will display the progress in realtime, just locations differ in opnsense from the guide.

[peterwkc]

You can also install plugins and go to surricatas website, follow instructions on how to fetch rulesets on BSD and manually do things via SSH which will display the progress in realtime, just locations differ in opnsense from the guide.

What plugin? Is there any reference guide to fetch rules on BSD?

[Vilhonator]

You can also install plugins and go to surricatas website, follow instructions on how to fetch rulesets on BSD and manually do things via SSH which will display the progress in realtime, just locations differ in opnsense from the guide.

What plugin? Is there any reference guide to fetch rules on BSD?

For free version, first go to https://shop.opnsense.com/product/etpro-telemetry/, add product into cart (costs nothing, they just need your real e-mail where to send token key)

Then CAREFULLY read instructions at https://docs.opnsense.org/manual/etpro_telemetry.html

If you don't have much knowledge on how to handle these types of things, then I would recommend Zenarmor. Suricata IPS/IDS is enterprise level service, which also prevents you from accessing VPN services, torrents, speedtest and such, if you just enable all rules, without checking what types of connections to protect your network from

[rickygm]

but zenarmor does not  IPS

[Vilhonator]

but zenarmor does not  IPS

Zenarmor is IPS, though you have to buy at least home license to use all of it's features.

The features on the picture are what IPS does, kills connections on known malicious sources, it isn't as advanced and doesn't necessarilly have as wide database, but as private individual, you don't need more secure IPS than Zenarmor.

Without proper configuration, Suricata might block you from using VPN (sole purpose for people to use VPN is to bypass firewall and DNS blocks which allow them to watch netflix movies, released in other countries), it also can block traffic for some online games because some of their servers have been compromised and so on.

IPS (Intrusion prevention system) is what the name implies, system which blocks known threats and connections.

[Vilhonator]

Suricata and IPS in general is also quite heavy on resources.

For example Zenarmor hardware requirements (https://www.sunnyvalley.io/docs/introduction/hardware-requirements) state:

If you're running a 100 Mbps link (about 100 devices) which is quite active during the daytime and idle rest of the day, you may calculate the space needed as follows:

    5 MB x 12 hours x 100 Mbps = 6 GB per day.
    6 GB x 7 days a week = 42 GB per week.
    2 x 4 weeks a month = 164 GB per month

Other than that, hardware wise it's not that demanding for home use, though you do need to keep in mind, that storage and RAM required for it, doesn't count what opnsense uses, so you need to check how much RAM and storage your Opnsense is using on average, and add that to calculations.

Suricata is nice thing to work with, but it's not particulary beginner friendly and if you're not into such stuff, quite easilly will just annoy you.

[jorglodita]

Suricata and IPS in general is also quite heavy on resources.
...

Just one opinion about your last post. You are totally right in that point and would like to add something. At the beggining I was a bit fan of IPS but after months and months I realized its draining a lot of resources and...just for a very bit protection!

Right now IPS just watches for non encrypted traffic (please tell me if this has changed on OPNsense), with a very heavy resource cost. I think there is no official number but people on reddit usually are ok with the "90% encrypted, 10% non encrypted" idea.

What I always recommend is not using IPS but IP blocklists. Blocklists will just block all the unwanted traffic of the used IPs (remember to use good and updated lists). With IPS you will have to pray for two things: for that "bad traffic" to be non encrypted and to have an active rule for that kind of attack in case the traffic is non encrypted.

Blocklist resource cost is totally negligible.

[Vilhonator]

Suricata and IPS in general is also quite heavy on resources.
...

Just one opinion about your last post. You are totally right in that point and would like to add something. At the beggining I was a bit fan of IPS but after months and months I realized its draining a lot of resources and...just for a very bit protection!

Right now IPS just watches for non encrypted traffic (please tell me if this has changed on OPNsense), with a very heavy resource cost. I think there is no official number but people on reddit usually are ok with the "90% encrypted, 10% non encrypted" idea.

What I always recommend is not using IPS but IP blocklists. Blocklists will just block all the unwanted traffic of the used IPs (remember to use good and updated lists). With IPS you will have to pray for two things: for that "bad traffic" to be non encrypted and to have an active rule for that kind of attack in case the traffic is non encrypted.

Blocklist resource cost is totally negligible.

IPS does check HTTP and HTTPs traffic, but it is based on same general idea than for example IP blocks are. Only addition that IPS has, it can support TTLS inspection and Certificate blocking (you can block websites which certificate is signed for x domain and it's subdomains)

[rickygm]

but zenarmor does not  IPS

Zenarmor is IPS, though you have to buy at least home license to use all of it's features.

The features on the picture are what IPS does, kills connections on known malicious sources, it isn't as advanced and doesn't necessarilly have as wide database, but as private individual, you don't need more secure IPS than Zenarmor.

Without proper configuration, Suricata might block you from using VPN (sole purpose for people to use VPN is to bypass firewall and DNS blocks which allow them to watch netflix movies, released in other countries), it also can block traffic for some online games because some of their servers have been compromised and so on.

IPS (Intrusion prevention system) is what the name implies, system which blocks known threats and connections.

I am not yet a Zenarmor user, I have many years using pfSenSe , And opnsense very little , but I am in a situation when looking for the replacement of pfBlockerNG, I found AdGuard Home I have put it in my opnsense to filter pornography in my house for my daughters and some malware and Ads pages, but it does not work at all because I can not bypass some ip or a whitelist , so it does not apply those policies I have posted it here https://forum.opnsense.org/index.php?topic=22162.165 but without any result.

[rickygm]

Suricata and IPS in general is also quite heavy on resources.
...

Just one opinion about your last post. You are totally right in that point and would like to add something. At the beggining I was a bit fan of IPS but after months and months I realized its draining a lot of resources and...just for a very bit protection!

Right now IPS just watches for non encrypted traffic (please tell me if this has changed on OPNsense), with a very heavy resource cost. I think there is no official number but people on reddit usually are ok with the "90% encrypted, 10% non encrypted" idea.

What I always recommend is not using IPS but IP blocklists. Blocklists will just block all the unwanted traffic of the used IPs (remember to use good and updated lists). With IPS you will have to pray for two things: for that "bad traffic" to be non encrypted and to have an active rule for that kind of attack in case the traffic is non encrypted.

Blocklist resource cost is totally negligible.

I have worked with snort for many years, I think the first few months it is a bit difficult to manage, you will have to add many false positives and whitelists, but I think it is not easy to live without it, especially when you have many published services (wan).