Detecting and preventing threats Introduction To provide security in a network you can deploy IDS or IPS systems. The difference is on the second letter, D stands for detection and P for prevention. First you start a system in IDS mode and only then you configure it to become IPS system. Enabling Suricata in IPS mode from the start could be confusing. It is advisable to see what’s going on first on a network to be sure not to generate too many false-positive alerts and blocks. Why IDS/IPS? You may ask why do I need intrusion detection or prevention system.
Display geo location map for NGINX traffic logs in Kibana Summary There are 3 things to remember and configure in order to have geo location map working: Use “forwardfor” option on pfSense HAProxy TLS frontend Enable filebeat NGINX module and point particular log files Define custom NGINX log format This guide relates to Ubuntu Linux setup. Elasticsearch 7 First install Elasticsearch 7 as follows. Note: for more resilent setup install more than one Elasticsearch server node and enable basic security. For sake of clarity I will skip these two aspects which will be covered by another article. Kibana Then install
In case you’ve managed to overcome other issues with system unable to boot, disk size not updated then there might be still one problem left. Sometimes resizing with gpart works fine but file system resize does not. I’ve encountered such issue and frankly speaking I’m not quite sure what is root cause of it. Is says that file system is dirty and I should run fsck which can be executed from console selecting number 5 and then F letter. System reboots and makes file system check. It says that the file system is fine, so it’s quite confusing. Solution for
Following previous struggles on pfSense FreeBSD on Azure. After resizing disk Microsoft starts at some point adding an another drive which is temporary one. I do not need this by any means. It seems that NetGate pfSense template is also not quite compatible with cloud-init as the platform tries to execute systemctl which is not present here. The problem with this is that FreeBSD will not be able to pick which partition it should start from. Fix for this is pretty simple. Just go and edit /etc/fstab and instead of pointing to some virtual labels. In my case it was
Recently I described how to increase drive, partition and filesystem on FreeBSD in Azure virtual machine. It turned out that this scenario was little bit different from a virtual machine running on top of VMware. First of all, with or without vm-tools I was not able to get updated drive size: It gives messages that rescanning was successful, but actually it did not apply new values. However we can check new drive size with the following command: If on your system you get same results, then you need to reboot. There is also a difference of having swap space. First
I use NetGate pfSense+ version 22 based on FreeBSD 21. I encountered a problem of running out of disk space because of packet logging enable in Suricata. Out of a sudden there was high traffic and therefore high logs production. Disk space utilization was over 100%. Now there is a problem with /config/config.xml file, there is no VPN, Suricata, pf configuration available from the UI. Dashboard is corrupted also. However there is /config/backup folder with backed up configuration files. I’ve taken the last known good with proper file size and put it in place. After reboot it works just fine.
I want to enable only particular rules categories. Do not want to have all these internal Suricate rules as they cover too broad variaty of cases including loads of false-positive. If one would like to go for deep traffic analysis then they would be fine, but in case you see “STUN Binding Request On Non-Standard High Port” and know that is your P2P camera in the LAN then it’s worth disabling all of that things at once. To disable them it is a little bit tricky on pfSense installation. Go to Interfaces and selected desired one. Be sure to uncheck