This is crazy, installed pfsense 2 days ago, installed suricata yesterday and watched your old video this morning... And here we are with a fresh take on that old video :-D Nice job :-)

Thank you Tom. A complete security video would be great.

Another perfect video to get my PFSense Firewall even better! Thank you.

Serracada and Snort are both great products, I visit my logs files once a month to retune, or if my new soft phone doesn’t work as expected, ohh the joys of home working. 🤣

Well done and great tips. Glad you explained the value of subscription services, the realities of encrypted traffic, etc. Thanks for the video.

Just the video I need. Was thinking of changing from snort just to, because. Your last suricata video was a bit old. Perfect timing! 👍

Nothing about security is ever set it and forget it. Security is a process, not a destination.

The “I AM ROOT” t-shirt made me laugh pretty hard

Hi Tom, it seems you want to enable blocking on the WAN interface. If for example someone runs an aggressive NMAP scan against your public address, and you have NAT'd VLANs configured in your network, the corresponding VLAN interface within Suricata will show the source IP of the attack as the private VLAN gateway address and the destination address will be that of the machine with the open port. If you are set to block only on the VLAN interface, then the attacker never gets blocked since the original public source address isn't captured (assuming default pass lists are enabled). Help me understand if I am mistaken here. Love your videos, keep up the great work!

Wow that was fast. I believe you mentioned you were going to make some videos around this on your podcast/ stream last week! Didn’t expect them so quickly! Interested in these next few videos!

How do we disable rules on a per IP address basis? You may want to allow certain IP addresses but block others for the same rule.

Total (Dutch speaking) noob here, but planning to go pfSense with unifi switch/AP's. So both (pfSense and Unifi) have this IDS/IPS options. Should I enable them both or not? Will they conflict/double negative like? Or if enabled at pfSense it will pass it to unifi? Or...??? 😀 Thx... greetings from Belgium!

Thanks! Very helpful. Took me a min to realize that blocks on one interface block everywhere. Thought it was a glitch.

Good video and quality content! you should have way more subscribers

Omg thank you!! I wanted an updated video lol.

Great video, would love to see how I could setup kubernetes behind my pfsense firewall! Thanks Lawrence.

The developer porting Snort 3.0 has given up based on the netgate forum threads … looks like Suricata is more ported and update for pfSense. However no news on Suricata v6 yet.

Hey, thanks for this video. It reminded me to look at this. I set it up from your previous videos but, I haven't been tuning it in a while. A revisit was indeed due. (Unrelated, I loves me new T shirt cheers.)

Tom again Thank you for this updated video of installing en setup Suricata! I have a question, make it sense to install Clam AV (package in Squid) as an antivirus in PfSense ?

How do u upload custom .xml rules to suricata through open sense

Thanks for the demo and info, have a great day

Thanks for the video. This helped me get up and running with Suricata on my OPNsense firewall. I can log in to the dashboard and see the alerts, but I wonder if you have a recommendation for gathering logs from multiple devices for monitoring and alerting? This is on my home network with two LANs (one for devices and one for IOT). I'm not looking for a commercial/expensive solution. Just something to alert me when one of my devices gets hacked. Thanks!

Hi Lawrence, do you have a video, or maybe you could make a video that goes into depth on identifying false positives and how to exclude them. I ask because I have followed your videos on setting this up, and I got all that working. But I get false positives that I cannot figure out and help to learn how to identify ones that start blocking resources after weeks or months would help a lot. Because I can enable block, and it works for weeks, then suddenly it stops something, and I simply cannot figure out how to ID the rule that is the cause. Anyway, I thought it would be a good supplement since you have helped us with the initial setup. Thank you!

Thanks awesome video, I would like to see a video about Suricata in Selks.

Thank you, Tom! Would you recommend running Suricata on a home network or is that a complete overkill?

Can you make rules based on AD users or AD groups? I don't think there is such an option but I will ask just in case.

Over the past year 90% of my false positives have been on the 'Generic Protocol Command Decode' class. It has gotten to the point where i just white list them as I see them. From what I can find you can't whitelist an entire class which has been very annoying.

Hey Lawrence, can you please make a video how to configure SID Management and Inline mode in Suricata or Snort ?

Hello, what is this: "SURICATA UDPv4 invalid checksum" I have installed Suricata as in this video. But get this in my alerts. How can I fix this? also I have a Snort (Oink) code. Is it worth using this in Suricata?

Always good videos! Thanks Tom.

I use it mostly for custom tripwire rules. i.e. touch this port get blocked. I turn off 98% of the built in rules. Right or Wrong, just how I like to use it.

Many thanks for the great videos, particularly on pfSense. Can you tell me how quickly the Suricata plugins for pfSense tend to get updated, after they are released. Many thanks

Thank you for your videos!

Awesome, thanks Tom!

Thanks for this video, very helpful. Question: If you're not running any type of web services and no server at the office, do you still need any IDS/IPS? Is firewall enough since there is not server to protect?

@Lawrence Systems. What type of light background you used. Cool video. thank you

Wooooo! Suricata baby!

how many hard drives does freenas support

How did you get version 5.x.x? I cant see anything over 4.x.x ?

2022 update video? Looks like some new rule sets

Do you take that much time to tune all your new clients firewalls? Do you have a pre-tuned config that you use for all your clients as a starting point?

is this necessary for home networks where you arent hosting sites or anything external facing?

Great,

Hey Tom, Would you still recommend Suricata over Snort for pfsense?

Eso es un firewall o es para inspeccionar? Quiero instarlo pero no tengo claro como se conectaría a nivel físico.

Would pfsense be a suitable tool to manage multiple suricata instances ?

On a side note, anyone notice the feeds for pfBlocker no longer seem to update? I get failed to download message for the last few months for pretty much all my feeds.

Hi Lawrence, what tool do you use to make KZfaq vids?

WONDERFUL!

Can we run snort and suricata together on pfsense?

Do you run Suricata just on the LAN at your office?

Excuse my ignorance (I just stumbled across Suricata), but this video gave me the impression it has a built-in Web-server. AFAICS, it has not. But you're setup seems to depend on some (for me) strange pfSense firewall. So it doesn't seems to be an option on Windows-10 to have this really nice web-based user-interface of the Suricata analysis etc. So are there other "web-backends" for Suricata?

If people / users only really knew what we did and what is happening in the Internet 24/7

16:05 So i'm watching this as i'm setting up my new box. It's an r5 3400G on a gigabyte A520i AC with 8GB and 250GB Samsung 960 Evo NVME m.2 drive. LOL @ extra cpu cycles. it's still reporting 0% usage and i've also setup squid, clamav, ntopng and a bunch of other stuff. I think i have possibly built the most awesome diy home firewall ever 🤣🤣🤣

Hello Tom 👍👋

What are the minimum hardware requirements to use Suricata?

Some update video pls =)

when I click on alerts..I don't get any entries showing there..why this is happening?

Not enabling IPS on the WAN is not smart. You can set it to not block, so you can still keep an eye, or better yet, do blocking for the Emerging Threats, on the SOURCES only!

.I can't do anything, Result: failed. Snort GPLv2 Community Rules Not Downloaded Not Downloaded LOG Downloading Emerging Threats Open rules md5 file... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Downloading Snort GPLv2 Community Rules md5 file... Snort GPLv2 Community Rules md5 download failed. Server returned error code 403. Server error message was: 403 Forbidden Snort GPLv2 Community Rules will not be updated.

Isnt this was Ubiquiti use

This is not a good guide. Why not just put Suricata in inline mode, use SID management to set rules to drop or set Snort rules policy to security and set action to policy? You won’t need to tune anything after that because setting it to policy bases it on the developer’s drop recoomendation. Also, Suricata can detect encrypted malware using JA3 hashes of TLS signatures. ET open has JA3 rules and you can add custom JA3 rules from abuse.ch sources. Encrypted traffic analytics from Cisco uses this tech and it’s now trickled down to open source tools like suricata. Lawrence, you need to brush up on your Suricata knowledge because Suricata and it’s compatible rulesets have evolved with the proliferation of ubiquitous https.

Snort or Suricata?? As Snort blocks Speed test sites.

En español se puede escuchar?

sarah catta :)

Hello

in case you have beefy pfsense server with more than 4GB of ram there might be some more config for the interface: www.reddit.com/r/PFSENSE/comments/7d8y1o/suricata_will_not_start/dpw1i58/ goes into more detail and worked for me.

20 hackers hit the dislike button

Doesnt start...gah

It rather bothers me that Netgate's least powerful system isn't easily capable of handling Snort/Suricata. If you care enough about security that you're buying a dedicated firewall box, it seems to me unreasonable to think the purchaser wouldn't care enough to use an IDS/IPS. Edit: That said, I just noticed you said you don't use Suricata at home. Given your expertise, why not? I'm not judging, rather, genuinely curious.

if you don't have a NIC that supports netmap, your interface will flap... snort is an alternative, if you'd like an IDS/IPS