I’ve watched several of Tom’s videos and have heard the warning about IDS/IPS’ false positives and limited detection ability due to encrypted traffic. In 2024, is it still worthwhile to deploy Snort/Suricata and if so, does it need to be done with a proxy configuration allowing Snort/Suricata to inspect encrypted traffic? Is there a better mouse trap?
It is usually best to do this on the client itself and not on the firewall. Not worth your time setting up a CA and installing certificates.
xMaxIMUSx, thanks for the feedback. Can you elaborate (as if I’m a 5th grader) what you mean by “on the client”? Is there a solution you have in mind?
Some antivirus products have the ability to do deep packet inspection. We use Bitdefender to do our categories (ads, adult content, and so on) for our enterprise. I know Tom has mentioned SentinelOne for their MSP.
I would say it is not worth looking at north-south traffic (inbound traffic): (a) because it is mostly encrypted, and (b) you can expect attacks there, but what would you do about it?
I see 2 use cases for a NIDS like Suricata or Snort:
(1) monitoring of DMZ traffic; regarding north-south traffic, it can only make sense to check whether the pfBlocker settings are as effective as you want them to be.
(2) it absolutely makes sense to monitor east-west traffic (internal traffic) to be able to detect a breach after it has happened. Depending on the environment, a lot less of this traffic is encrypted. You can expect to have to tune the alerts a lot in the beginning.
A NIDS alone is kind of hard to make use of if you have no additional capabilities to investigate the alerts it throws at you.
Therefore you may want to have an NSM like Zeek in addition to a NIDS so that you have a traffic history and can do some network forensics. It is very helpful being able to go back in time to understand what happened. Personally I consider this an indispensable capability to be able to triage NIDS alerts.
You can do all this using Security Onion CE. It supports Suricata and Zeek and offers a ready-to-use sensor image including both. Another option I use is Gravwell CE. If you have Zeek you can throw in RITA v5 or AC-Hunter CE to detect beaconing and long-running connections in north-south traffic (possibly indicative of some post-breach RAT).
If you cannot devote resources to a SIEM, at least record all DNS traffic so that you have ability to do historical reverse resolution.
Additionally you need more context on what you are seeing, i.e. Cyber Threat Intelligence. At the least some indicator feeds that you can query automatically and manually, e.g. using IntelOwl or MISP.
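The workflow the post describes (a NIDS alert on its own is hard to act on; Zeek's conn.log and dns.log give you the history to triage it, and recorded DNS gives you historical reverse resolution) can be shown in a few dozen lines. The following is an added example written for this thread, not code from Suricata, Zeek or Security Onion. It assumes Suricata is writing EVE JSON and Zeek is writing JSON logs (one object per line, the field names Zeek's json-logs policy emits); every log line in it is constructed sample data, and the signature name and sid are local placeholders, not a real ruleset entry.

```python
"""Triage a Suricata EVE alert against Zeek conn.log and dns.log history.

Added example for this thread, not code from Suricata, Zeek or Security Onion.
Assumes Zeek JSON logs (json-logs policy field names) and Suricata EVE JSON.
All log lines below are constructed sample data.
"""
import json
from datetime import datetime, timezone

# Anchor instant for the constructed sample: the alert fires at T0.
T0 = datetime(2024, 5, 1, 10, 15, 32, tzinfo=timezone.utc).timestamp()

# Constructed Suricata EVE alert; sid 1000001 is a local placeholder, not a real rule.
EVE_ALERT = json.dumps({
    "timestamp": "2024-05-01T10:15:32.000000+0000", "event_type": "alert",
    "src_ip": "10.0.20.15", "src_port": 51234,
    "dest_ip": "10.0.30.7", "dest_port": 445, "proto": "TCP",
    "alert": {"signature": "LOCAL workstation VLAN to server VLAN SMB",
              "signature_id": 1000001, "severity": 2},
})

def zeek_conn(ts, orig, oport, resp, rport, service, duration, uid):
    """Build one constructed Zeek conn.log JSON line (Zeek flattens id.* keys)."""
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": orig, "id.orig_p": oport,
                       "id.resp_h": resp, "id.resp_p": rport, "proto": "tcp",
                       "service": service, "duration": duration, "conn_state": "SF"})

CONN_LOG = [
    zeek_conn(T0 - 1700, "10.0.20.15", 49811, "203.0.113.44", 443, "ssl", 3.2, "C1"),  # outside window
    zeek_conn(T0 - 420, "10.0.20.15", 49902, "203.0.113.44", 443, "ssl", 1.1, "C2"),
    zeek_conn(T0 - 95, "10.0.20.15", 50110, "10.0.30.7", 445, "-", 0.4, "C3"),
    zeek_conn(T0 - 3, "10.0.20.15", 51234, "10.0.30.7", 445, "-", 12.0, "C4"),  # the alerted flow
    zeek_conn(T0 - 50, "10.0.20.16", 50200, "10.0.30.7", 445, "-", 0.2, "C5"),  # other host
]

def zeek_dns(ts, client, query, answers, uid):
    """Build one constructed Zeek dns.log JSON line."""
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": client, "id.orig_p": 53122,
                       "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp",
                       "query": query, "rcode_name": "NOERROR", "answers": answers})

DNS_LOG = [
    zeek_dns(T0 - 425, "10.0.20.15", "updates.example.net", ["203.0.113.44"], "D1"),
    zeek_dns(T0 - 100, "10.0.20.15", "fileserver.corp.example", ["10.0.30.7"], "D2"),
]

def parse_jsonl(lines):
    return [json.loads(line) for line in lines if line.strip()]

def eve_epoch(ts_str):
    """EVE timestamps are ISO-8601 with microseconds and a +HHMM offset."""
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()

def reverse_dns_index(dns_records):
    """Historical reverse resolution: answered IP -> [(ts, name asked for, client)]."""
    index = {}
    for r in dns_records:
        for ip in r.get("answers") or []:
            index.setdefault(ip, []).append((r["ts"], r["query"], r["id.orig_h"]))
    return index

def host_history(conn_records, host, t_end, window=900):
    """Connections involving host in the `window` seconds before t_end, oldest first."""
    hits = [c for c in conn_records
            if t_end - window <= c["ts"] <= t_end
            and host in (c["id.orig_h"], c["id.resp_h"])]
    return sorted(hits, key=lambda c: c["ts"])

def triage(alert_line, conn_records, dns_index, window=900):
    """Attach Zeek context to one alert: matching flow uid, prior peers, resolved name."""
    a = json.loads(alert_line)
    t_alert = eve_epoch(a["timestamp"])
    history = host_history(conn_records, a["src_ip"], t_alert, window)
    # the last name this client resolved to the alert's destination, if any
    names = [q for ts, q, client in dns_index.get(a["dest_ip"], [])
             if client == a["src_ip"] and ts <= t_alert]
    return {
        "signature": a["alert"]["signature"],
        "src": a["src_ip"], "dest": a["dest_ip"],
        "dest_name": names[-1] if names else None,
        "prior_peers": sorted({c["id.resp_h"] for c in history if c["id.orig_h"] == a["src_ip"]}),
        "prior_uids": [c["uid"] for c in history],
        "matched_uid": next((c["uid"] for c in history
                             if c["id.orig_p"] == a["src_port"] and c["id.resp_h"] == a["dest_ip"]), None),
    }

if __name__ == "__main__":
    result = triage(EVE_ALERT, parse_jsonl(CONN_LOG), reverse_dns_index(parse_jsonl(DNS_LOG)))
    print(json.dumps(result, indent=2))
```

Run it and the alert comes back with the Zeek uid of the flow that triggered it (so you can pull the full connection record), the other peers the source talked to in the preceding 15 minutes, and the name the client had resolved for the destination before connecting. In a real deployment the JSON lines come from the sensor's log directory or a SIEM query rather than in-memory lists, and the window is usually widened well beyond 15 minutes.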
I’ll just say I disagree. If you have the CPU and RAM to support it, and the time to go through and remove the false positives, run it. Note that this only applies if you have exposed ports.
Also, as mentioned, east-west scanning can be nice and I’ve caught a few oddities this way.
@Greg_E can you elaborate with exactly what you do disagree and why?
Because Suricata in my system still catches a few things and blocks them. If it caught nothing, then I might agree. While it is still catching a few things, it’s worth the time to keep it running because it costs me nothing more than some time to watch it and clean up the false positives right now. Mostly it runs in alert until I go in and decide to block the offender.
Zenarmor is catching the majority of east-west and LAN to WAN “problems” right now, and part of that is that Suricata is running on my WAN and Zenarmor is running on the LANs. I need to look into what CrowdSec is doing, I don’t think I have it configured properly. Yes, a lot of tools for something that may not be that important. I do also have endpoint protection running that seems to work really well.
Now let me blaspheme for a moment: I’m running OPNsense and some things are different from when I was running pfSense.
So I still need to guess: you are referring to (1) north-south traffic? If Suricata is catching anything there you’re probably not using pfBlocker-ng. If you were, you would not see anything, or maybe something a week apart. If you run Suricata in addition to pfBlocker-ng for north-south traffic, Suricata mainly has the role of checking whether pfBlocker-ng is still working well.
You need to consider that Suricata requires significant resources, so just having it running while not getting much out of it for north-south is not economical. But hey, you’re king of your castle.
Having said that, pfBlocker certainly also eats a lot of resources. One could say that exposed machines need to be hardened anyway, so filtering and observing north-south traffic is a moot point. The important part is that you detect when a breach into your internal network happens (east-west traffic).
Thank you. A lot to digest and investigate.
Thank you.
We do use pfBlocker primarily for outbound traffic, but, for example, Comcast sometimes hijacks the DNS and limits pfBlocker to IP filtering. I’ve realized that N-S traffic is mainly encrypted so there is little value there. Even internal traffic is highly encrypted (https). I will need to spend time with Wireshark and collect some data.
If I assume most of the internal traffic is encrypted, is Suricata worth deploying? Is there a better mouse trap or implementation?
For E-W traffic you can deploy the certificates with Suricata to let it decrypt the traffic. I never did that, so don’t beat me. I suppose the same applies to Zeek / Corelight.
You may want to explore pfBlocker also for incoming traffic, depending on the org profile geo blocking may be appropriate or not. Using the threat feeds is useful in my experience.
As said before, having Zeek in place for internal traffic is a great time machine for network forensics. It will also feed into AC-Hunter, also mentioned above.