Tom, the quality of your content is just simply amazing, the explanations of what, when, why & how are extremely helpful. You really are a credit to this community.. Thank you. 👍

The most comprehensive tutorial on pfSense on youtube. Thank you very much for your hard work

As always, an excellent video. Thanks to your videos, I can now handle our small IT department with as much understanding and testing as possible.

This video is not better timed, I just had the itch to work on IT security at home again. Much appreciated for the work you do, Tom!

Amazing Video! The Content just gets better and better!

Great Vid as always. I set up Suricata on my HP T620 plus box I built. It was constantly at 100% CPU. Building a new router now to handle it. But then again I do run a lot of other stuff on that router.

Thank you for this video! I try Snort but it block a lot of stuff I didn't want it to... This video help out a ton!

Hi Tom! Thanks for the great video!

Great as always! Thanks Tom!

Hey Tom , Great Tutorial as always :)

You're my hero Tom, thanks for great video!

Great video! Had been helpful with a video explaining best practices to secure a small business environment or a home lab that has self-hosted services like web servers, mail servers, game servers, media serves etc. publicly accessible. And how Snort or Suricata can be used to detect and stop intrusion and hacking attempts and block generally “bad” traffic towards your services.

Amazing Video Tom, thanks!

Great tutorial as always😃

My hero, thank you so much!

Excellent explanation! I wish I had this when I was a new Information Security analyst. Oops, that was before KZfaq. I learned it anyway so I know that this video is spots on.

Great video!

Thank you Tom for the informative video as ever. At the beginning you mentioned you don't enable it for the WAN interface, which makes sense if you've not got ports open etc. However if you are hosting things with ports open you enable it, but have to spend the extra time refining and tuning the rules etc.

Tom is THE Pfsense authority on the web/youtube.

Tom, a reality check on the "slow" Celeron processor you're using there: it may not be all that quick for general purpose work, but in my experience it has key capabilities that are far more important for good performance in modern data flow and packet analysis: the CPU has all of the latest *hardware* instructions enabling high performance. No need for software based encryption etc. This can be seen in two ways: 1) Scroll down on the Passmark page you showed. This CPU can encrypt/decrypt at 1.7GB/sec. That's a one-number summary telling me it will be Just Fine. :-D 2) I always search online for ark + cpu name. The Ark link for this Celeron CPU is given below. Scroll to the end of the page. It has AES-NI (most crucial), plus all of the VT-* instructions, which enable rapid context switching (yes and VM ;) ), and scrolling up a bit, SSE4.2 -- a rather advanced/modern set of instructions. Compare this, for example, to Core i7-860. Also Passmark 2974 (same as the J4125. It even is 4 core, 8 thread! BUT: no AES-NI. Data Encryption speed: 551MB/sec, about 1/4 of the J4125. Most likely it would be inadequate for gigabit. (This is why no Raspberry Pi can come close...) J4125 on Ark: ark.intel.com/content/www/us/en/ark/products/197305/intel-celeron-processor-j4125-4m-cache-up-to-2-70-ghz.html

Hello Tom, You should have done one for Suricata since you already have done a couple with Snort. Great Content. Congrats. Thank you

Again very informative! just wondering what sort of tips do you have if i were to have multiple VLANs against this interface? I am using the unifi switches. Ideally i want to be as tight on rules with my IoT devices and guest networks and allow my main lan servers that would constantly be doing stuff but for my main lan i would force disable lesser of these rules?

mate good vid as always do you have vid on qos

Fantastic video! :) You mention that several services are self-hosted at your offices. Do you also self-host an opensource remote desktop service for internal use, and if so, which? Would love a video from you showing the service and suggested setup. :D

Interesting video again Tom. Thank you. Question How does one decide which interface should have snort/suricata enabled? Do i want it watching on my guest network? Surely my DMZ. Whats the checklist one should go through to decide?

Thank you as always for your detailed videos. As a home user of Pfsense CE not sure if suricata or snort would be easier to use. Which intrusion detection system is the most self sufficient and easiest to maintain. Thanks again @lawrencesystems

Do you have videos on protecting endpoints?

This was interesting, but what I would like to know is what kind/size of network do you need this. I have just a small home network, it basically only myself on it, both wired and wireless connection and a bunch of IOT devices. Are IOT devices a trigger for using this kind of security? Is this even necessary for this type of network. What threats should a small home network be concerned vs a larger business network. Maybe you have this, but a higher level discussion on the type of threats and security technology a home network should deploy particularly concerning IOT devices.

Tom, I'm interested to know your opinion on OPNsense vs PFsense? Which would you reccomend? Thanks!

Hello, I am new to this thread and was not sure where to post. I used Edgerouter ER-X, but now not working, any all-wired modem recommendations, please?

Would you still run these if you have EDR running? Seems like a lot of tweaking if they are performing similar functions. Do you enable these on your clients or for specific reasons?

Thanks Tom! What about snort vs Suricata? 🤔

hello sir. I want to ask about pfsense and snort, i am studying attacks on the lan port on pfsense, i have a pc with 2 nics (lan and wan) that have pfsense installed, and installed packet snort. after that I paired the lan port on the hAP lite (ID: RB941-2n0-TC) on port 1, on ports 2 and 3 I paired the laptop and PC. I tested the attack on the laptop to the PC but it couldn't be read. but on the laptop to PC pfsense is read. How do I get snort to read attacks on my laptop to my PC? I ask for your help. Thank You

youtube has annoying popups about ad blockers now so since that pause STOPs the video altogether expect views to go down at some point. I was the first upvote and that's a first for me. Thank you for this video about snort, I needed that.

i cant see any snort alerts on my pfsense firewall. how do i test for snort?

I was hoping you will mention that Snort on pfsense is only single thread? Because it is still V2. So the CPU load that you monitored would not show all threads loaded by Snort. With J4125's 4 cores/threads - Snort would only use 1 thread or 25%.

So having pfsense/snort on VM with 4vcpu and 8 GB Ram will fly like jet

when i start the interface it just disables its for both WAN and LAN

but if you can install such great firewall, but still will be attacked by ransomware, dont you think such a waste, can such firewall pfsense top up with some anti-ransonware at end-point, since you are expert in this field will appreciate you come with such video full firewall protection and ransomware protection. thank you

Tom 1.3 can be intercepted on L7 ngfs :)

It's hard to understand the value of something when it starts off with many false alarms, and your first actions are to suppress most of them. This is not a criticism of Snort, it's a limitation of human nature and the reality of calibrating detection of rare events that can vary a lot. I'm left wondering if there will be much left to detect anomalies after the tuning phase, even without considering the affect of TLS. Is there a special test, similar in principle to the EICAR anti-virus test file?

Cool .. played with that few years back - unfortunately if there's no much to protect (my case) not worth the resources.... but in a middle size network and small business - it works fine. However - this was never been solution for a guy who is not a network or Linux admin (or at least geek/enthusiast). If you want it set up properly - catch someone who knows what he is doing. (Well we can exclude the most of people here :-) IMHO )

Can i use both lan and wan sir for snort?

isn't it ironic that Tom has a video about Snort while he sounds terribly congested?

Great video, can you do one for Suricata.

coming from the ModSecurity world, it's considered bad practice to outright disable the rules, your supposed to disable a rule with another rule only under certain conditions. Outright disabling rules seems like a bad idea, after all those rules were created for a reason and not just for the sake of annoying you. Is this not common for NIPS solutions?

it's a waste of CPU cycle(s) unless you install SSL certificates.

It's a shame that pfsense bolted snort 2 on to the side. Having TLS interception, snort 3 and the Cisco Firepower approach to snort rule management would make it much more useful. Currently with an Haproxy pf install, at best you would have to terminate the TLS on HA then feed it out an interface to a backend, but sadly snort is before this instead of after the scan. Even if you could scan it, snort wouldn't have the correct IP address unless it could be patched to look at the x-forwarded-for header. Tbh, its depressing product, but so are "enterprise" ngfw prices. Can't win!

to seed... linux iso

I'm likely to get told by someone who doesn't understand actual security; that I need to install an IDS or IPS system ($10 says they don't even know the difference). As useless as it is going to be; I'm thinking I may go with Snort on my PFSense edge firewalls running on some surplus hardware. Long live the 8350!

Slows my pfsense😅