Security & Intrusion Detection With pfsense, Suricata, pfblocker and blocking what's missed

  • Published 23 Sep 2024
  • Log tool used: goaccess.io/
  • Related video: Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense
  • Related video (2016): Using the pfBlockerNG with pfSense to block IP addresses by country
  • #pfsense #Firewalls

Comments • 43

  • @thomask.9347, 3 years ago

    At this point I search for something on TH-cam and as soon as I see it's a Lawrence Systems video, I like and comment for the algo. Otherwise I might forget. I know it's gonna be good. Great videos guys!

  • @holyindian, 5 years ago, +9

    Loved this video. It's the first time I have commented on your video, though I am a long-time subscriber. This video was totally worth it, tons of important info. Great quality content you have covered, Sir.

  • @minigpracing3068, 5 years ago, +4

    Suricata or Snort? I know you have a recent video on Snort and how it has changed, so I'm wondering which would be easier to operate on a day-to-day basis. I'm on a private LAN at a college, and connect back to the college through a pfSense box. Right now I have all incoming connections blocked, but I need to open a few ports for some services that we want to roll out for our students so they can do work at home. This means getting IDS/IPS up and running. I'm leaning toward Suricata because it seems to be the newer style and will use multiple processors/threads (which I have); not sure if Snort has been updated to have this feature yet.
    I'll have to look into pfblocker a bit more, not sure if I want to lock out too many regions because we do have a Shoutcast server running and I wouldn't want to block people who may have students in our program "on the air" on our station. We have had many people listen to their kids from military bases around the world and I'd hate to deprive them.
    And thanks for the great videos, you've really helped out a lot.

  • @FabianoDelGaudio, 4 years ago

    You've once again delivered great, quality content. Thanks Tom for the time and effort you put into this channel; it is a great source of information and, what I like the most, you talk about the 'internals' for a more technical audience. Finally a great technical channel... thanks!

  • @MaximilianImaging, 5 years ago, +4

    TOM = SUPER HERO OF THE INTERNET

  • @AFiB1999, 3 years ago

    Hello Lawrence Systems, Tom!
    It caught my attention that Suricata was blocking Google and Gmail and acting up on LinkedIn after I watched one of your videos on how to set up pfBlockerNG and Suricata and set them up on my box.
    After a lot of researching, going through block lists and IPs, I found out on Reddit from u/buildsrc that Suricata could possibly share and compete for the same ET emerging rules. Would you make a video explaining which ET rules we should all enable on pfBlocker and which ones should be enabled/disabled on Suricata, so that we can alleviate the CPU and memory load on pfSense boxes?
    We love your videos! Thanks very much!

  • @This_Month_In_History, 4 months ago

    With the block rule set, is pfBlocker or Suricata necessary to have in your pfSense?

  • @MaximilianImaging, 5 years ago, +1

    You always inspire me to move into IT.

  • @SomeGuyInSandy, 5 years ago, +2

    Nice! Lots of good stuff here, thanks!

  • @munyakay5453, 4 years ago

    Loved the video, Lawrence. Any chance you can do a tutorial on Suricata 5.03? I have tried with Snort paid rules and it still won't work.

  • @CoreyThompson73, 5 years ago

    Shodan is good at finding open VNC, IP cameras, Barix boxes (used for things like studio-transmitter links for radio stations), PLCs that are open to the internet... Good thing to put your own networks in there periodically to make sure nothing is exposed that shouldn't be...

  • @ruthlessadmin, 4 years ago

    With a good backup & HA policy, I fully support auto updates. It's people that have gotten bit in the ass from their own lack of foresight that tend to get their panties in a bunch about it.

  • @sethwilliamson, 5 years ago

    Good video Tom! Have you set up (or considered) a central syslog server for log collection, rotation, and analysis? Maybe throwing syslog-ng and logrotate on your Zabbix server? Along with GoAccess, Graylog looks interesting. Logstash and Fluentd look pretty powerful. I'm just recently getting to the point where SSHing into each box to check logs is starting to feel tedious, and I'm poking my head out to see what approaches others have had success with (particularly with FOSS/low-cost yet still capable solutions). Remote syslog with logrotate is pretty straightforward, but I'm a bit overwhelmed with the analysis options. Any insight you or others could offer?

  • @BrianThomas, 4 years ago

    I have the same notification. Ha ha, too funny!!!

  • @lucdelvigne3019, 3 years ago

    Excellent... really good info to go further on.

  • @BrianThomas, 4 years ago

    What interface should we be setting Suricata on? WAN or LAN, or both?

  • @Haltm82, 4 years ago

    Hi, how can I allow an IP range or whole domains (for example all the AnyDesk IPs)? Thank you.

  • @michaelstidham5957, 5 years ago, +2

    You should check the IPs in question over at AbuseIPDB.com also. They have a huge database of attackers.

    • @dabneyoffermein595, 9 months ago

      Do they still have it, or is there a better one you know of now?

  • @atephoto, 5 years ago, +1

    The IP which was beating your server with GETs, couldn't it be something like an RSS service, or someone using a program to get notified when your page changes?

  • @davidwalker8481, 4 years ago

    Hi Tom, ever work with open source extended Berkeley Packet Filtering (eBPF/BPF) to scrub DDoS attempts?

  • @ArthursHD, 4 years ago

    Nice, good stuff! MXtoolbox found IP blocked a year later :)

  • @00011theman, 5 years ago, +1

    Finally, I was just looking for this.

  • @BillyDickson, 5 years ago

    Great stuff Tom, thanks for sharing.

  • @JJnATX, 5 years ago

    Would enjoy seeing pfSense hooked into an open source SIEM...

  • @jiddster, 5 years ago

    Good stuff as always. I would be interested in a video on how to set up GoAccess with Suricata or Snort if you get time. Thanks.... Jid

  • @Temido2222, 5 years ago, +1

    Remember to report these IPs.

  • @Simte, 5 years ago

    Interesting.

  • @gilliangoud, 5 years ago

    Very helpful :)

  • @karthickesaki1, 4 years ago

    You're great.

  • @bengroves2502, 5 years ago, +3

    "Secuirty"? :)

  • @MaximusBlue2, 5 years ago

    Suricata 4.1.4_5 won't start for me once I install it, create the categories and update the packages. It shows a red X on the interface. Anyone know how to get this to start?

    • @MaximusBlue2, 5 years ago

      Never mind, this fixed it for me: chrislazari.com/pfsense-suricata-service-fails-resolved/

  • @hmne1, 5 years ago

    How do I get GoAccess to work with pfSense?