Running Crowdsec on pfsense?

We are running Crowdsec on a Linux server that doesn’t have ports open to the Internet; running just to get the blocklist, which we then import into pfsense. Crowdsec has announced a version for pfsense, although that is not yet officially approved by Netgate. I’m curious if anyone has tried it on a Netgate pfsense appliance and, if so, in which of the three configurations. I’m particularly curious about running the entire application collection on pfsense and what the resulting CPU/memory load is. Anyone risked it yet?

What does Crowdsec get you that Suricata or Snort with the ET ruleset don’t get you? Asking because I don’t know the answer and want to understand using one tool over the other. The basic detection and blocking that I see on their site suggests that I’m already getting that with Suricata and the free ET rules. How is Crowdsec different or better?

Installing unofficial packages isn’t really a big deal. The only downside is that you lose the package when you upgrade the OS, but normally the data stays, so it’s easy enough to just reinstall the application and get it running. I wouldn’t stress too much over it. You might also look and see what OPNsense users are saying; it’s in their package tree, and since OPN is a fork, the performance impact of this tool on OPN might be fairly close to pfsense.

Good question! We’re running pfBlockerNG with the ET ruleset, too. Crowdsec is much closer to real time and blocks new threats shortly after they appear. Crowdsec adds a few hundred sites a day to the blocklist, and drops a somewhat smaller number. On a typical day, Crowdsec will block close to 50 IPs that would otherwise have been allowed. It’s the dynamic aspect that makes it valuable. What would help us even more is if it also contained a dynamic list of phishing sites, because that’s one of the places where we observe rapid site replacement.
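The workflow in the posts above (export the CrowdSec decision list from a Linux box, feed it to pfBlockerNG, and watch how many entries come and go each day) can be scripted. The following is an added example written for this thread, not code from CrowdSec, Netgate or any poster. It assumes the JSON shape of `cscli decisions list -o json` is an array of alerts each carrying a `decisions` array (the parser also accepts a flat list of decisions, so either shape works; verify the field names against your own CrowdSec version). The sample exports, addresses and durations are constructed from documentation ranges.

```python
import ipaddress
import json

# Constructed sample shaped like `cscli decisions list -o json` as I understand
# it: an array of alerts, each carrying a "decisions" array. Only "scope",
# "value" and "type" are relied on; check the field names against your own
# CrowdSec version. Addresses come from RFC 5737/3849 documentation ranges.
SAMPLE_TODAY = json.dumps([
    {"decisions": [
        {"scope": "Ip", "value": "203.0.113.10", "type": "ban", "duration": "3h59m"},
        {"scope": "Ip", "value": "203.0.113.10", "type": "ban", "duration": "2h10m"},
        {"scope": "Range", "value": "198.51.100.0/24", "type": "ban", "duration": "1h"},
    ]},
    {"decisions": [
        {"scope": "Ip", "value": "not-an-ip", "type": "ban", "duration": "1h"},
        {"scope": "Ip", "value": "2001:db8::5", "type": "ban", "duration": "1h"},
        {"scope": "Ip", "value": "192.0.2.200", "type": "captcha", "duration": "1h"},
    ]},
])

# A flat list of decisions (the other shape the parser accepts), constructed
# here to stand in for yesterday's export.
SAMPLE_YESTERDAY = json.dumps([
    {"scope": "Ip", "value": "203.0.113.10", "type": "ban"},
    {"scope": "Ip", "value": "192.0.2.77", "type": "ban"},
])


def _net_key(net):
    # ip_network objects of different IP versions cannot be compared directly,
    # so sort by version first, then by network.
    return (net.version, net)


def iter_decisions(doc):
    """Yield decision dicts from either export shape: a flat list of decisions,
    or a list of alerts that each carry a 'decisions' list."""
    for item in doc:
        if isinstance(item, dict) and "decisions" in item:
            yield from item["decisions"]
        else:
            yield item


def decisions_to_networks(raw_json):
    """Return a sorted, de-duplicated list of ip_network objects from a cscli
    JSON export. Only 'ban' decisions are kept (captcha decisions are not
    firewall-block material) and unparsable values are skipped rather than
    poisoning the list that the firewall will load."""
    nets = set()
    for d in iter_decisions(json.loads(raw_json)):
        if not isinstance(d, dict) or d.get("type", "ban") != "ban":
            continue
        try:
            nets.add(ipaddress.ip_network(d["value"], strict=False))
        except (KeyError, ValueError):
            continue
    return sorted(nets, key=_net_key)


def render_list(nets):
    """Plain-text list, one entry per line, the form a pfBlockerNG custom
    list takes: bare address for single hosts, CIDR notation for ranges."""
    lines = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets]
    return "\n".join(lines) + "\n"


def diff_lists(old_nets, new_nets):
    """What changed between two exports: entries added and entries dropped."""
    old, new = set(old_nets), set(new_nets)
    return {"added": sorted(new - old, key=_net_key),
            "dropped": sorted(old - new, key=_net_key)}


if __name__ == "__main__":
    today = decisions_to_networks(SAMPLE_TODAY)
    yesterday = decisions_to_networks(SAMPLE_YESTERDAY)
    print(render_list(today), end="")
    change = diff_lists(yesterday, today)
    print(f"added {len(change['added'])}, dropped {len(change['dropped'])}")
```

Running this on a real export would replace `SAMPLE_TODAY` with the output of `cscli decisions list -o json`; writing `render_list()` to a file served over HTTP to pfBlockerNG is left to the usual pfBlockerNG custom-list setup. The "added/dropped" counts are what give you the day-over-day numbers quoted above.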

Reading this blog post https://www.crowdsec.net/blog/suricata-vs-crowdsec, they suggest Suricata + Crowdsec and I’m starting to understand why. Crowdsec seems to just block from a list/log, where Suricata looks at what is happening and then blocks things. I’m thinking that Crowdsec suggests running Suricata to look at the traffic, and if it decides to alert into the log, then Crowdsec will block it. That way you get the crowd created block list, plus the “inspection” and reputation list from Snort or ET rules and then Suricata alerts get pushed off to Crowdsec to generate more data into the block lists.

The above is a guess on how both of those work together; I’d like a deeper rundown if anyone is doing this. I also note that Crowdsec has some free training on their site; I’ve signed up and will spend some time with these courses and see what I can learn.

Another thing I need to look into is Zenarmor, which claims it can do all this stuff, but a reply to a recent post suggests that Zenarmor isn’t really doing things the way the marketing suggests. Lots of things to consider for my rebuilt firewall, which includes evaluating OPNsense to contrast with the pfsense I’ve been using. Crowdsec, e2guardian, and Zenarmor are in the official packages for OPN, which might make it easier to recover from a catastrophe.
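The Suricata-feeds-Crowdsec idea in the post above (Suricata inspects traffic and writes alerts; something reads those alerts and turns repeat offenders into block decisions) is easy to see in miniature. The block below is an added example for this thread, not CrowdSec's parser or any poster's code. It assumes Suricata's EVE output layout (one JSON object per line, `event_type`, `src_ip`, and an `alert` object with `signature`, `signature_id` and `severity`, where severity 1 is the highest priority), and the decision dicts it emits only loosely mirror the scope/value/type/duration fields of a CrowdSec decision. The sample alert lines, signature names and ids, and the local-network allowlist are constructed for the example.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Networks that must never end up on the block list (the firewall's own LAN
# side). Constructed for the example; substitute your own ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _alert(ts, src, sid, sig, sev, dport):
    # Builds one constructed EVE-style alert record. Signature ids and names
    # are made up and do not refer to real ET or Snort rules.
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": "192.0.2.1", "dest_port": dport, "proto": "TCP",
                       "alert": {"signature_id": sid, "signature": sig, "severity": sev}})


TS = "2024-05-01T10:00:00.000000+0000"  # constructed timestamp reused for brevity
SAMPLE_EVE = "\n".join([
    _alert(TS, "203.0.113.10", 9000001, "EXAMPLE SCAN ssh probe", 2, 22),
    _alert(TS, "203.0.113.10", 9000001, "EXAMPLE SCAN ssh probe", 2, 22),
    _alert(TS, "203.0.113.10", 9000002, "EXAMPLE WEB traversal attempt", 1, 443),
    # A non-alert event type, which must be ignored.
    json.dumps({"timestamp": TS, "event_type": "flow", "src_ip": "203.0.113.10", "dest_ip": "192.0.2.1"}),
    # One high-priority hit is not enough on its own under the default threshold.
    _alert(TS, "198.51.100.7", 9000003, "EXAMPLE SMTP relay attempt", 1, 25),
    # Noisy internal host: must be protected by the allowlist, however many alerts.
    *[_alert(TS, "10.0.0.5", 9000004, "EXAMPLE POLICY smb from lan", 1, 445) for _ in range(4)],
    # Low-priority (severity 3) alerts fall under the severity cutoff.
    *[_alert(TS, "203.0.113.20", 9000005, "EXAMPLE INFO low priority event", 3, 80) for _ in range(3)],
    # A truncated line, as happens when tailing a log mid-write.
    "{ this line is truncated and not valid json",
])


def is_local(ip_text):
    """True for addresses inside LOCAL_NETS, and for anything unparsable,
    so that garbage never becomes a block entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)


def parse_alerts(eve_text, max_severity=2):
    """Yield (src_ip, signature) for alert events whose severity is at or
    above the priority cutoff (1 = highest), skipping malformed lines."""
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        if alert.get("severity", 99) > max_severity:
            continue
        src = rec.get("src_ip")
        if src:
            yield src, alert.get("signature", "unknown")


def candidate_bans(eve_text, min_alerts=3, max_severity=2, duration="4h"):
    """Aggregate alerts per source and return ban decisions for sources that
    crossed the threshold. Each decision records the most frequent signature
    as its reason, which is what you would want to see when reviewing the
    list before it is shared or loaded into the firewall."""
    per_src = defaultdict(Counter)
    for src, sig in parse_alerts(eve_text, max_severity):
        per_src[src][sig] += 1
    decisions = []
    for src, sigs in sorted(per_src.items()):
        total = sum(sigs.values())
        if total < min_alerts or is_local(src):
            continue
        top_sig, _ = sigs.most_common(1)[0]
        decisions.append({"scope": "Ip", "value": src, "type": "ban",
                          "duration": duration, "reason": top_sig, "alerts": total})
    return decisions


if __name__ == "__main__":
    for d in candidate_bans(SAMPLE_EVE):
        print(json.dumps(d))
```

The two knobs worth tuning are `min_alerts` and `max_severity`: a threshold of one alert turns every severity-1 rule hit into a block, which is how a single false positive in a ruleset ends up locking out a legitimate host, while a threshold of three with the default cutoff only bans sources that keep tripping rules. The allowlist check runs after counting so that an internal host's noise is visible in the counters but never becomes a decision.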

Crowdsec running on pfsense does the same thing. It looks at the logs, starting with the pfsense logs but including any other logs you choose, and adds to the blocklist. The value of Crowdsec is that the resulting data is shared across the community, rapidly, so even if your set of firewall rules doesn’t block an intrusion attempt, someone else’s rules may catch the probe. (We run Snort on the pfsense box in addition to pfBlockerNG. It’s amazing how many intrusion attempts we get and how many times every day we are scanned.) In the current world, where it seems to be more profitable to scam people than to work for a living, I’ll take all the defenses I can get, even if they are redundant. They don’t cost much, and are far, far less expensive than just one ransomware attack.