PFSense Suricata Intrusion Detection and Prevention, Installation Guide 

This is by far the best pfsense suricata tutorial on RU-vid. It made me an expert from novice. Kindlly show us how to add custom rules or rules posted in security alerts and not yet updated by Talos. Thanks a million

This video answered questions that the Lawrence Systems (multiple) videos didn't do! Great work.

By far the best tutorial on suricata with clear explanation. well done

Wow, this video is by best the best in class on pfSense/Suricata.

Great video! Have been running Snort for 10 years now. Thinking of moving to Suricata, as its programmed for multi-core CPUs. P.S. - Disable hardware offload can be done trough the GUI under System, Advanced, Networking. Scroll down, and you have all the options you need. Reboot once to take affect. Set and forget. Cheers!

This is a fantastic explanation of Suricata on pfSense, clear and comprehensive. This is the best Suricata video I have seen so far.

I smashed the like button and jumped in the Pool. This topic is over my head, but I still like watching your videos. Thank you.

happy to see these videos while one of my pfsense box running off-grid from LFP battery bank powered by solar. Thank you for your videos. both Solar/Sysadmin

This channel should have more subscribers. Great explainer!

This is very hendig, now I can bring my security knowledge to the next level.

Excellent video!

Excellent, well done! After about 1.5 months of monitoring/researching alerts, I pulled the trigger on inline blocking mode. All 12 of my VLANs went down. I have PfSense on a Dell R410 with dual CPUs/72GB of RAM, IGB interfaces, etc. I activated seven of the same emerging threat rules you did in the SID management. I also disabled all three hardware offloading under system/advance/networking. But you gave me some additional ideas of what I should try to see if the VLANs return.

1 million thank you!!!!

Very good

Kick ass dude.

Thanks for the detailed video, quick question for you. When I click to disable a rule choosing either source or destination (which is added in the suppress list) ... can we manage this type of option with the SID Mgmt lists?

I have a little "problem" I don't know which of the options I enabled because through the command line all the alerts that are being generated are appearing, pretend when a tcpdump is done How do I fix it?

Good IP change 😊 I’m thinking of using an old android phone for banking having only the bank log in on it. What do you think 😅 ( on WiFi) Or is it safe to do baking under the bed 🛌 at this point we don’t know if in person banking is safe 😊

snort or suricata?

Haha "won't be implemented on your typical home network usage". Not sure the typical home user will be trying to set up Suricata :) I just finished rebuilding my home network with a 10gbe managed L3 switch doing ACLed routing on the switch with pfSense connected through a transit. I didn't expect so many headaches. I thought pfSense would be able to handle routing at 10gbps no problem with a big powerful enterprise server pulling 300 watts - but nope, not even just running the firewall. Running Suricata will decrease the performance by another 20% in legacy mode and by about 80% in inline mode. Trying to run Suricata in inline mode I was getting just a little over 1 gbps with a dual 3ghz xeon server with 5 cores pegged at 100% trying to route 10gbe (I was first experimenting with running it in "router on a stick" configuration). I instead downgraded the CPUs from some of the highest to some of the lowest wattage and pulling half the RAM - in legacy mode it can still route at around 4gbps which is fine. If you have a capable switch and want to push huge data streams, let the switch do the routing. With ACLs and policy based routing you can allow what can be routed via the switch at line speed to and from which VLANs and force anything else through pfSense/Suricata to be inspected. This way you can still get 600 MB/s NAS transfers across your network while forcing other traffic to be inspected. I might run Suricata in inline mode inside my VM network, as a front end for my web servers as they need HAProxy to route between domains anyway. To me that makes more sense (inline inspection on incoming traffic), as you don't want any potential exploits from reaching your servers - plus, for a "home user", it's only going to have to deal with 50 mbps traffic or whatever small limit your ISP gives you :) I didn't think things would be this complicated, but a good learning experience! Also great video, I haven't seen any other tutorials explaining what the SID management section even does.

..