Tom, the quality of your content is just simply amazing, the explanations of what, when, why & how are extremely helpful. You really are a credit to this community. Thank you. 👍
Wow, thank you!
@@LAWRENCESYSTEMS Hi Tom!! Do you think pfSense on an old Dell Precision quad core would run OK? It's got 24GB RAM. Here's what BSD (pfSense) says about my CPU: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
@@dabneyoffermein595 yes
@@LAWRENCESYSTEMS thank you sir. means a lot that you get back to people (forever subscriber!)
The most comprehensive tutorial on pfSense on youtube. Thank you very much for your hard work
This video could not be better timed; I just had the itch to work on IT security at home again. Much appreciated for the work you do, Tom!
Tom, a reality check on the "slow" Celeron processor you're using there: it may not be all that quick for general purpose work, but in my experience it has key capabilities that are far more important for good performance in modern data flow and packet analysis: the CPU has all of the latest *hardware* instructions enabling high performance. No need for software based encryption etc. This can be seen in two ways:
1) Scroll down on the Passmark page you showed. This CPU can encrypt/decrypt at 1.7GB/sec. That's a one-number summary telling me it will be Just Fine. :-D
2) I always search online for ark + cpu name. The Ark link for this Celeron CPU is given below. Scroll to the end of the page. It has AES-NI (most crucial), plus all of the VT-* instructions, which enable rapid context switching (yes and VM ;) ), and scrolling up a bit, SSE4.2 -- a rather advanced/modern set of instructions.
Compare this, for example, to the Core i7-860. Also Passmark 2974 (same as the J4125). It even is 4 core, 8 thread! BUT: no AES-NI. Data Encryption speed: 551MB/sec, about 1/4 of the J4125. Most likely it would be inadequate for gigabit. (This is why no Raspberry Pi can come close...)
J4125 on Ark: ark.intel.com/content/www/us/en/ark/products/197305/intel-celeron-processor-j4125-4m-cache-up-to-2-70-ghz.html
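The check the comment above describes (does the CPU have AES-NI, the VT-* extensions and SSE4.2?) can be automated from a Linux `/proc/cpuinfo` dump. The script below is an added example, not the commenter's or the video's code; the two `SAMPLE_*` dumps are constructed (a J4125-like CPU and an i7-860-like CPU, listing only the flags that matter here), and the flag names `aes`, `vmx`/`svm` and `sse4_2` are the real Linux ones. pfSense runs FreeBSD and shows the same information on its dashboard instead of in `/proc/cpuinfo`.

```python
"""Report which IDS/VPN-relevant CPU features a /proc/cpuinfo dump lacks.

Added example; not code from the video or the commenter.
"""
from __future__ import annotations
import re

# Feature name -> acceptable /proc/cpuinfo flag names (any one of them suffices).
REQUIRED_FEATURES = {
    "AES-NI": {"aes"},
    "VT-x/AMD-V": {"vmx", "svm"},
    "SSE4.2": {"sse4_2"},
}

# Constructed sample resembling a J4125 (AES-NI present). A real dump has many more flags.
SAMPLE_WITH_AESNI = """\
processor\t: 0
model name\t: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3 sse4_1 sse4_2 vmx aes rdrand
"""

# Constructed sample resembling an older Core i7-860 (SSE4.2 and VT-x, but no AES-NI).
SAMPLE_WITHOUT_AESNI = """\
processor\t: 0
model name\t: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3 sse4_1 sse4_2 vmx
"""


def cpu_flags(cpuinfo_text: str) -> set[str]:
    """Return the flag set from the first `flags` line of a /proc/cpuinfo dump."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def missing_features(cpuinfo_text: str) -> list[str]:
    """List the required features the CPU lacks, in REQUIRED_FEATURES order."""
    flags = cpu_flags(cpuinfo_text)
    return [name for name, alts in REQUIRED_FEATURES.items() if not (alts & flags)]


def read_local_cpuinfo(path: str = "/proc/cpuinfo") -> str | None:
    """Read the real /proc/cpuinfo when it exists (Linux only); None elsewhere."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("sample J4125", SAMPLE_WITH_AESNI),
                        ("sample i7-860", SAMPLE_WITHOUT_AESNI)):
        gaps = missing_features(text)
        print(f"{label}: {'all features present' if not gaps else 'missing ' + ', '.join(gaps)}")
    local = read_local_cpuinfo()
    if local is not None:
        print("this host:", missing_features(local) or "all features present")
```

Run it on a Linux box to check the host you are about to put pfSense on; a CPU that comes back with `AES-NI` in the missing list will fall back to software AES for VPN and TLS work, which is the 1/4 throughput gap the comment measured.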
As always, an excellent video. Thanks to your videos, I can now handle our small IT department with as much understanding and testing as possible.
YouTube has annoying popups about ad blockers now, so since that pause stops the video altogether, expect views to go down at some point. I was the first upvote and that's a first for me. Thank you for this video about Snort, I needed that.
Great Vid as always.
I set up Suricata on my HP T620 plus box I built. It was constantly at 100% CPU. Building a new router now to handle it. But then again I do run a lot of other stuff on that router.
Tom is THE Pfsense authority on the web/youtube.
Amazing Video! The Content just gets better and better!
Excellent explanation! I wish I had this when I was a new Information Security analyst. Oops, that was before UA-cam. I learned it anyway so I know that this video is spot on.
Thank you for this video! I tried Snort but it blocked a lot of stuff I didn't want it to... This video helped out a ton!
Great video!
It would be helpful to have a video explaining best practices to secure a small business environment or a home lab that has self-hosted services like web servers, mail servers, game servers, media servers etc. publicly accessible, and how Snort or Suricata can be used to detect and stop intrusion and hacking attempts and block generally "bad" traffic towards your services.
Interesting video again Tom. Thank you. Question:
How does one decide which interface should have Snort/Suricata enabled? Do I want it watching on my guest network? Surely my DMZ. What's the checklist one should go through to decide?
Do you care about or want to manage the alerts on the guest networks?
@@LAWRENCESYSTEMS lol I don’t
Thank you Tom for the informative video as ever. At the beginning you mentioned you don't enable it for the WAN interface, which makes sense if you've not got ports open etc. However if you are hosting things with ports open you enable it, but have to spend the extra time refining and tuning the rules etc.
It will examine the interface that the things you are hosting are on.
Hello Tom, You should have done one for Suricata since you already have done a couple with Snort. Great Content. Congrats. Thank you
My old videos were on Suricata, not Snort.
Oh, good to know Tom, I will take a look at your videos... @@LAWRENCESYSTEMS
This was interesting, but what I would like to know is what kind/size of network you need this for. I have just a small home network, basically only myself on it, both wired and wireless connections and a bunch of IoT devices. Are IoT devices a trigger for using this kind of security? Is this even necessary for this type of network? What threats should a small home network be concerned about vs a larger business network? Maybe you have this, but a higher level discussion on the type of threats and security technology a home network should deploy, particularly concerning IoT devices, would be welcome.
You're my hero Tom, thanks for great video!
Fantastic video! :)
You mention that several services are self-hosted at your offices. Do you also self-host an open-source remote desktop service for internal use, and if so, which? Would love a video from you showing the service and suggested setup. :D
Do you mean remote management (and access) like TeamViewer, or simply RDP? RDP would work in your OS when connected to the VPN.
I'd recommend looking up Rust Desk for the former and also wouldn't mind a video about it, even though I'm already using it.
Thank you as always for your detailed videos. As a home user of pfSense CE, I'm not sure if Suricata or Snort would be easier to use. Which intrusion detection system is the most self-sufficient and easiest to maintain? Thanks again @lawrencesystems
Either is fine.
Hi Tom! Thanks for the great video!
Amazing Video Tom, thanks!
Great as always! Thanks Tom!
Hey Tom ,
Great Tutorial as always :)
I moved over to "inline" mode. Just a heads up that since NTOP is used in this mode, alerts don't block IPs but just put alerts in the log file. There is an option to use the metadata of the rule, where you would see the verb "Drop". If a rule is set to Drop, only that packet is dropped vs. blocking the IP address of the source system. Running this on a Protectli FW4C system and the impact to CPU is less in this mode than in Legacy. Maybe an updated or amended video could be created to demonstrate and compare Legacy vs Inline and the requirements of running Inline.
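The per-rule "Drop" verb the comment above refers to lives in the rule's `metadata` option in Snort 2 syntax (`metadata:policy balanced-ips drop, ...`), alongside the rule's own action keyword (`alert`, `drop`, ...). The script below is an added example, not the commenter's, the video's or the Snort project's code: it parses a small constructed rules file (made-up messages and SIDs in the 9000000 range) and lists, for a chosen IPS policy name, which rules would drop the packet in inline mode and which would only alert. The mapping it assumes is: an explicit `drop`/`sdrop`/`reject` action always drops; otherwise a rule drops only when the selected policy's metadata says `drop`.

```python
"""List which Snort 2 rules would drop vs. only alert under a given IPS policy.

Added example; not code from the video, the commenter or the Snort project.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 2 syntax (messages and SIDs are made up).
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-WEB suspicious path"; flow:to_server,established; content:"/example-bad"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE-POLICY chatty but benign"; flow:to_server; metadata:policy security-ips alert; sid:9000002; rev:1;)
drop udp any any -> $HOME_NET 53 (msg:"EXAMPLE-DNS explicit drop rule"; content:"|00 00 00 00 00 01|"; sid:9000003; rev:1;)
pass tcp $HOME_NET any -> 192.0.2.50 443 (msg:"EXAMPLE-PASS trusted monitoring host"; sid:9000004; rev:1;)
# alert icmp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000005; rev:1;)
'''

RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|log|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    sid: int
    msg: str
    policies: dict[str, str] = field(default_factory=dict)  # policy name -> "alert" | "drop"

    def inline_action(self, ips_policy: str | None) -> str:
        """What happens to a matching packet in inline mode (assumed mapping, see lead-in)."""
        if self.action in ("drop", "sdrop", "reject"):
            return "drop"
        if self.action == "pass":
            return "pass"
        if ips_policy and self.policies.get(ips_policy) == "drop":
            return "drop"
        return "alert"


def _split_options(opts: str) -> list[str]:
    """Split the option body on ';' while leaving quoted content intact."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        parts.append(''.join(buf).strip())
    return parts


def parse_rules(text: str) -> list[Rule]:
    """Parse active (non-comment) rules; commented-out rules are treated as disabled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid, msg, policies = 0, '', {}
        for opt in _split_options(m.group('opts')):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'msg':
                msg = val.strip('"')
            elif key == 'metadata':
                for item in val.split(','):
                    words = item.split()
                    if len(words) == 3 and words[0] == 'policy':
                        policies[words[1]] = words[2]
        rules.append(Rule(m.group('action'), sid, msg, policies))
    return rules


def inline_plan(text: str, ips_policy: str | None) -> dict[int, str]:
    """Map SID -> 'drop' | 'alert' | 'pass' for the given policy (None = metadata ignored)."""
    return {r.sid: r.inline_action(ips_policy) for r in parse_rules(text)}


if __name__ == "__main__":
    for policy in (None, "balanced-ips", "security-ips"):
        print(policy or "no IPS policy selected:", inline_plan(SAMPLE_RULES, policy))
```

Running it against a real rules file before switching to inline mode tells you which SIDs will start dropping traffic rather than just logging, so the first hours in inline mode hold no surprises.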
Again very informative! Just wondering what sort of tips you have if I were to have multiple VLANs on this interface? I am using the UniFi switches. Ideally I want to be as tight on rules with my IoT devices and guest networks as possible, and allow my main LAN servers that would constantly be doing stuff, but for my main LAN would I force-disable the lesser of these rules?
My hero, thank you so much!
Thanks Tom! What about snort vs Suricata? 🤔
Suricata VS Snort
www.netgate.com/blog/suricata-vs-snort
I was hoping you would mention that Snort on pfSense is only single-threaded, because it is still V2. So the CPU load that you monitored would not show all threads loaded by Snort. With the J4125's 4 cores/threads, Snort would only use 1 thread or 25%.
Great tutorial as always😃
Mate, good vid as always. Do you have a vid on QoS?
Great video!
Tom, I'm interested to know your opinion on OPNsense vs pfSense? Which would you recommend? Thanks!
PFsense
I can't see any Snort alerts on my pfSense firewall. How do I test for Snort?
But if you can install such a great firewall, but still will be attacked by ransomware, don't you think that's such a waste? Can such a firewall (pfSense) be topped up with some anti-ransomware at the endpoint? Since you are an expert in this field, I would appreciate it if you came out with such a video: full firewall protection and ransomware protection. Thank you.
Firewalls are not the right tool to stop ransomware.
@@impactsoft2928 as I stated above, firewalls are not the right tool to stop ransomware. End point protection tools are the way to do that here in 2023
Tom, TLS 1.3 can be intercepted on L7 NGFWs :)
They can only if they have a trusted certificate installed in each device that is connected and break the TLS 1.3 perfect forward secrecy.
@LAWRENCESYSTEMS Yes, that is completely true. This is a must-have if you want to do an SSL inspection.
This gives you 100% look into the payloads. With that being said, you are much more aware of what's happening. DPI is done on good endpoint protection software ;)
The problem with TLS inspection is that many sites can detect it and will break. Then you start having to build an exceptionally long list of exceptions to TLS inspection. By the time you get done building that list, you are allowing about 80 to 90% of encrypted traffic to pass through. So the trouble you have to go through to break the encryption to inspect the traffic really isn't worth it. The best way to do traffic inspection is at the client side. The days of unified threat management at the edge are long since gone.
@hescominsoon It's not true what you said about exceptions, etc. Licensed devices have all the DPI things implemented very well, and yes, there are some sites that will tell you "hey, you can't see what's inside" (gov and banks), but all the rest is barely noticeable, so definitely not 50% or even 80%. With a licensed device, this is what you are paying for. Someone spent time and resources to make it work as expected.
Doing DPI on endpoints is exactly the same situation ;)
@@RK-ly5qj Unless you're breaking the encryption, you're not going to see anything. And in my experience, from when TLS first started until today, even with you running trusted certificates, banks and many financial sites can still detect the interception and will break and stop you from accessing them. So that's the main reason I don't worry about Suricata or Snort at the edge. It's not worth it to intercept TLS for the problems that it's going to cause. Now, if your experience is different, that's great, but mine continues to be the same over a decade later since encrypting everything first began to be a thing 🙂
Do you have videos on protecting endpoints?
Hello, I am new to this thread and was not sure where to post. I used an EdgeRouter ER-X, but it is now not working. Any all-wired modem recommendations, please?
Would you still run these if you have EDR running? Seems like a lot of tweaking if they are performing similar functions. Do you enable these on your clients or for specific reasons?
We run SentinelOne, Huntress, and Blumira for our clients.
isn't it ironic that Tom has a video about Snort while he sounds terribly congested?
*APPLAUSE*
When I start the interface it just disables itself, for both WAN and LAN.
Hello sir. I want to ask about pfSense and Snort. I am studying attacks on the LAN port on pfSense. I have a PC with 2 NICs (LAN and WAN) that has pfSense installed, and I installed the Snort package. After that I connected the LAN port to a hAP lite (ID: RB941-2n0-TC) on port 1; on ports 2 and 3 I connected the laptop and PC. I tested the attack from the laptop to the PC but it couldn't be read, but from the laptop to pfSense it is read. How do I get Snort to read attacks from my laptop to my PC? I ask for your help. Thank you.
So having pfSense/Snort on a VM with 4 vCPUs and 8 GB RAM will fly like a jet?
Cool .. played with that a few years back - unfortunately if there's not much to protect (my case) it's not worth the resources.... but in a middle-size network and small business - it works fine. However - this has never been a solution for a guy who is not a network or Linux admin (or at least a geek/enthusiast).
If you want it set up properly - catch someone who knows what he is doing.
(Well we can exclude the most of people here :-) IMHO )
I don't have much to protect in my network either and I have no use case for IDS/IPS. Currently I have Pi-hole set up in my network in order to avoid any kind of malicious advertisements, and I use NoScript in Firefox to prevent bad code from getting into my web browser of choice. This may not be related to IDS/IPS, but when it comes to email, especially phishing emails, I have about 250 email addresses and my email provider, StartMail, allows me to create as many aliases as I want that forward to my main inbox. I'm not taking any chances when it comes to protecting the devices in my network, and that is the reason why I do not need an IDS/IPS.
It's hard to understand the value of something when it starts off with many false alarms, and your first actions are to suppress most of them. This is not a criticism of Snort, it's a limitation of human nature and the reality of calibrating detection of rare events that can vary a lot. I'm left wondering if there will be much left to detect anomalies after the tuning phase, even without considering the effect of TLS. Is there a special test, similar in principle to the EICAR anti-virus test file?
Coming from the ModSecurity world, it's considered bad practice to outright disable the rules; you're supposed to disable a rule with another rule only under certain conditions. Outright disabling rules seems like a bad idea; after all, those rules were created for a reason and not just for the sake of annoying you. Is this not common for NIPS solutions?
Some rules will consistently match good traffic so the only solution is to disable the rule and ideally submit a bug report.
@@LAWRENCESYSTEMS So there's no way to disable other rules by creating another rule like in ModSecurity, for example
ctl:ruleRemoveTargetById=1000;ARGS:foo
That's a shame. Not a good solution, but what can you do if that's your only option.
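The tuning phase discussed in the two threads above (many alerts on known-good traffic, then deciding what to suppress) starts with finding out which rules are noisy and whether the noise comes from a few hosts or from everywhere. The script below is an added example, not code from the video, the commenters or the Snort project. It parses alert lines in Snort's `alert_fast` format (the sample lines are constructed, with RFC 5737 documentation addresses and made-up SIDs), counts hits per rule and per source, and writes out entries in Snort's `threshold.conf` suppress syntax: a `suppress ... track by_src, ip <addr>` scoped to the offending host when one or two sources cause the noise, which is the narrower alternative to disabling the rule, and a rule-wide `suppress gen_id, sig_id` (the equivalent of disabling the rule) when the rule fires on traffic from many sources. The `min_hits` and `max_sources` thresholds are arbitrary defaults chosen for this example.

```python
"""Find noisy Snort rules in alert_fast output and draft threshold.conf suppress lines.

Added example; not code from the video, the commenters or the Snort project.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r'\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s*(?P<src>[\d.]+)(?::\d+)?\s*->\s*(?P<dst>[\d.]+)(?::\d+)?'
)

# Constructed sample: one rule hammered by a single monitoring host, one rule
# firing on many internal clients, and one genuine-looking single hit.
SAMPLE_ALERTS = """\
10/31-14:22:01.101010  [**] [1:9000010:3] EXAMPLE-POLICY ICMP ping (noisy monitor) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
10/31-14:22:02.101010  [**] [1:9000010:3] EXAMPLE-POLICY ICMP ping (noisy monitor) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
10/31-14:22:03.101010  [**] [1:9000010:3] EXAMPLE-POLICY ICMP ping (noisy monitor) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
10/31-14:22:04.101010  [**] [1:9000010:3] EXAMPLE-POLICY ICMP ping (noisy monitor) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.2
10/31-14:22:05.101010  [**] [1:9000020:1] EXAMPLE-WEB generic user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.21:51000 -> 198.51.100.5:443
10/31-14:22:06.101010  [**] [1:9000020:1] EXAMPLE-WEB generic user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.22:51001 -> 198.51.100.5:443
10/31-14:22:07.101010  [**] [1:9000020:1] EXAMPLE-WEB generic user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.23:51002 -> 198.51.100.7:443
10/31-14:22:08.101010  [**] [1:9000020:1] EXAMPLE-WEB generic user-agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.24:51003 -> 198.51.100.9:443
10/31-14:22:09.101010  [**] [1:9000030:2] EXAMPLE-ATTACK one-off hit [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.9:4444 -> 192.0.2.30:22
"""


def parse_fast_alerts(text: str):
    """Yield a dict with gid, sid, msg, src, dst for each parsable alert line."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield {k: m.group(k) for k in ("gid", "sid", "msg", "src", "dst")}


def noisy_rules(text: str, min_hits: int = 3) -> dict[tuple[str, str], tuple[str, int, Counter]]:
    """Return {(gid, sid): (msg, total_hits, Counter of source IPs)} for rules with >= min_hits."""
    hits: Counter = Counter()
    srcs: dict[tuple[str, str], Counter] = defaultdict(Counter)
    msgs: dict[tuple[str, str], str] = {}
    for a in parse_fast_alerts(text):
        key = (a["gid"], a["sid"])
        hits[key] += 1
        srcs[key][a["src"]] += 1
        msgs[key] = a["msg"]
    return {k: (msgs[k], n, srcs[k]) for k, n in hits.items() if n >= min_hits}


def suggest_threshold_entries(text: str, min_hits: int = 3, max_sources: int = 2) -> list[str]:
    """Draft threshold.conf lines; each suppress is preceded by a '#' comment line."""
    lines: list[str] = []
    for (gid, sid), (msg, n, srcs) in sorted(noisy_rules(text, min_hits).items()):
        if len(srcs) <= max_sources:
            # Noise from a couple of known hosts: suppress only for those sources.
            for ip in sorted(srcs):
                lines.append(f"# {msg}: {srcs[ip]} hits from {ip}")
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            # Fires on traffic from many sources: rule-wide suppress (same effect as disabling).
            lines.append(f"# {msg}: {n} hits from {len(srcs)} sources; consider disabling the rule")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


if __name__ == "__main__":
    print("\n".join(suggest_threshold_entries(SAMPLE_ALERTS)))
```

Feed it your real `alert` log (`snort -A fast` output, or the alert log pfSense's Snort package writes) and review each suggestion by hand before adding it: the single-hit `EXAMPLE-ATTACK` line in the sample is exactly the kind of event the tuning is meant to leave visible, and the script never proposes suppressing it.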
Can i use both lan and wan sir for snort?
Yes
@@LAWRENCESYSTEMS how can I do it sir? Is it the same config for WAN?
@@Myst876 Yes, just choose that interface
@@LAWRENCESYSTEMS thank you sir appreciate your help
it's a waste of CPU cycle(s) unless you install SSL certificates.
Great video, can you do one for Suricata.
ua-cam.com/video/S0-vsjhPDN0/v-deo.html
It's a shame that pfSense bolted Snort 2 on to the side. Having TLS interception, Snort 3 and the Cisco Firepower approach to Snort rule management would make it much more useful.
Currently with a HAProxy pfSense install, at best you would have to terminate the TLS on HAProxy then feed it out an interface to a backend, but sadly Snort is before this instead of after the scan.
Even if you could scan it, Snort wouldn't have the correct IP address unless it could be patched to look at the X-Forwarded-For header. Tbh, it's a depressing product, but so are "enterprise" NGFW prices. Can't win!
to seed... linux iso
Slows my pfsense😅
I'm likely to get told by someone who doesn't understand actual security; that I need to install an IDS or IPS system ($10 says they don't even know the difference). As useless as it is going to be; I'm thinking I may go with Snort on my PFSense edge firewalls running on some surplus hardware. Long live the 8350!