Suricata IDS/IPS on pfSense

Detecting and preventing threats Introduction To provide security in a network you can deploy IDS or IPS systems. The difference is in the second letter: D stands for detection and P for prevention. First you start the system in IDS mode and only then do you configure it to become an IPS system. Enabling Suricata in IPS mode from the start could be confusing. It is advisable to see what’s going on…

Geo location with Filebeat on Elasticsearch 7, HAProxy and NGINX

Display geo location map for NGINX traffic logs in Kibana Summary There are 3 things to remember and configure in order to have the geo location map working: use the “forwardfor” option on the pfSense HAProxy TLS frontend; enable the Filebeat NGINX module and point it at the particular log files; define a custom NGINX log format. This guide relates to an Ubuntu Linux setup. Elasticsearch 7 First install Elasticsearch 7 as follows. Note: for a more resilient setup install…

growfs fsck required (pfSense)

In case you’ve managed to overcome the other issues (system unable to boot, disk size not updated), there might still be one problem left. Sometimes resizing with gpart works fine but the file system resize does not. I’ve encountered such an issue and frankly speaking I’m not quite sure what the root cause of it is. It says that the file system is dirty and I should run fsck, which can be executed…

Azure FreeBSD (pfSense) not able to pick boot partition after disk resize

Following previous struggles with pfSense FreeBSD on Azure. After resizing the disk, Microsoft at some point starts adding another drive, which is a temporary one. I do not need this by any means. It seems that the NetGate pfSense template is also not quite compatible with cloud-init, as the platform tries to execute systemctl, which is not present here. The problem with this is that FreeBSD will not be able to pick…

Resize drive and partition on FreeBSD 12 (pfSense)

Recently I described how to increase the drive, partition and filesystem on FreeBSD in an Azure virtual machine. It turned out that this scenario was a little bit different from a virtual machine running on top of VMware. First of all, with or without vm-tools I was not able to get the updated drive size: it gives messages that rescanning was successful, but actually it did not apply the new values. However we can check…

Recover pfSense from out of disk space and config.xml corruption

I use NetGate pfSense+ version 22 based on FreeBSD 21. I encountered a problem of running out of disk space because of packet logging enabled in Suricata. All of a sudden there was high traffic and therefore high log production. Disk space utilization was over 100%. Now there is a problem with the /config/config.xml file: there is no VPN, Suricata or pf configuration available from the UI. The dashboard is corrupted also. However…

Disabling uncategorized internal Suricata rules in pfSense

I want to enable only particular rule categories. I do not want to have all these internal Suricata rules as they cover too broad a variety of cases, including loads of false positives. If one would like to go for deep traffic analysis then they would be fine, but in case you see “STUN Binding Request On Non-Standard High Port” and know that it is your P2P camera in the LAN then it’s worth…
