
Author Topic: Pfsense has 40 percent free ram and 10 percent swap usage  (Read 523 times)


Offline kejianshi

Re: Pfsense has 40 percent free ram and 10 percent swap usage
« Reply #30 on: November 20, 2017, 01:47:15 pm »
It is still running great, but as I run this I realize there is a small feature that would be nice to have.

Right now you can suppress rules, which gets the noise off your alerts page, but also causes the rule to not drop anything.

For things that really do need to be dropped, but at the same time are so constant that you don't want to look at them all the time in your log, it would be nice to be able to suppress the alert, but not suppress the "drop".

That way, I could see if something new was chewing on the firewall without it being lost in a zillion alerts you know to expect already.

An example of this is my son has a Chinese phone, and it is forever trying to contact Chinese servers and Chinese servers are forever trying to ping it.

It's locked down. I want it to keep doing its thing and dropping those packets, but I want that alert out of my face.

Maybe a bridge too far?  Not sure. 

However, it is working great.

Offline bmeeks

Re: Pfsense has 40 percent free ram and 10 percent swap usage
« Reply #31 on: November 20, 2017, 05:56:11 pm »
Quote from: kejianshi on November 20, 2017, 01:47:15 pm
> It is still running great, but as I run this I realize there is a small feature that would be nice to have.
>
> Right now you can suppress rules, which gets the noise off your alerts page, but also causes the rule to not drop anything.
>
> For things that really do need to be dropped, but at the same time are so constant that you don't want to look at them all the time in your log, it would be nice to be able to suppress the alert, but not suppress the "drop".
>
> That way, I could see if something new was chewing on the firewall without it being lost in a zillion alerts you know to expect already.
>
> An example of this is my son has a Chinese phone, and it is forever trying to contact Chinese servers and Chinese servers are forever trying to ping it.
>
> It's locked down. I want it to keep doing its thing and dropping those packets, but I want that alert out of my face.
>
> Maybe a bridge too far? Not sure.
>
> However, it is working great.

Unfortunately that's not a feature supported by the underlying binary source code of Suricata (dropping but not alerting). To most folks that would be counter-intuitive anyway. You would have traffic being blocked but have no idea why it was blocked or by what if it was not logged.

If you want to do detailed log analysis and have a high traffic network, you should consider one of the third-party open source tools out there that can accept EVE JSON logs from Suricata.  The alerts/drops get stored in a MySQL or equivalent database on a separate server and then analytics packages are run against the data to produce nice charts and reports with all sorts of filtering options available.

Bill

Offline kejianshi

Re: Pfsense has 40 percent free ram and 10 percent swap usage
« Reply #32 on: November 20, 2017, 09:10:44 pm »
I could probably filter out a list of known offenders to see what is new with a simple script.  Thanks.
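The known-offender filter kejianshi describes, run over the Suricata EVE JSON output bmeeks points to, as an added example that is not code from the thread or from the pfSense/Suricata packages. The log lines, IP addresses and signature ids are constructed for the example, and the list is keyed by signature plus host pair rather than by signature alone, so a new host tripping an already-listed rule still shows up.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON events (documentation IPs, made-up sids), one per line.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"alert":{"action":"blocked","signature_id":2000001,"signature":"EXAMPLE phone check-in"}}',
    '{"event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10",'
    '"alert":{"action":"blocked","signature_id":2000001,"signature":"EXAMPLE phone check-in"}}',
    '{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.1"}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10",'
    '"alert":{"action":"blocked","signature_id":2000002,"signature":"EXAMPLE inbound probe"}}',
    'truncated line from a log rotation {"event_type":"alert"',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10",'
    '"alert":{"action":"blocked","signature_id":2000001,"signature":"EXAMPLE phone check-in"}}',
]

# Expected, already-blocked noise as (signature_id, host_a, host_b), matched in
# either direction so the phone's check-ins and the servers' replies both hide.
KNOWN_OFFENDERS = {(2000001, "192.0.2.10", "198.51.100.5")}  # hypothetical entry

def is_known(event, known):
    """True if this alert is an expected (sid, host pair) in either direction."""
    sid = event["alert"]["signature_id"]
    src, dst = event["src_ip"], event["dest_ip"]
    return (sid, src, dst) in known or (sid, dst, src) in known

def new_alerts(lines, known=KNOWN_OFFENDERS):
    """Return the alert events not on the list. Non-alert events (flow, dns,
    stats) and malformed lines are skipped rather than aborting the run."""
    out = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert" or is_known(event, known):
            continue
        out.append(event)
    return out

def summarize(events):
    """Count new alerts per (signature, src_ip): a new host tripping a signature
    already listed for another host still shows up here."""
    return Counter((e["alert"]["signature"], e["src_ip"]) for e in events)

if __name__ == "__main__":
    for (sig, src), n in summarize(new_alerts(SAMPLE_EVE_LINES)).most_common():
        print(f"{n:4d}  {src:16s}  {sig}")
```

Point it at the real eve.json (one object per line) and the same functions apply unchanged; the two alerts the sample leaves are the 203.0.113.x hosts that are not on the list.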