So we're going to talk today about pfSense and Suricata. Now, Suricata is a free and open-source, well-developed intrusion detection and intrusion prevention system, and it also offers network security monitoring through offline PCAP files. If you're not familiar with PCAP files, a lot of different systems can post-analyze them; it's basically a full capture of your network traffic. We're really just going to cover setting up Suricata, tuning Suricata, and some of the features in it, getting a little more in-depth, especially on the tuning part, because that's really important to security. If you have too many false positives, you're not really doing any good. You just have a bunch of noise, and you didn't improve your situation any in terms of security.

Now, the difference between an IDS and an IPS is whether or not they're active. You can have an intrusion detection system that basically just creates alerts and reports but does not actively act on them. An intrusion prevention system goes a step further and does inline prevention, which means when an alert is created, the IP address that was sending the packet gets blocked, so you can just drop them. Where this really comes in, where any IDS or IPS comes in, is when you do have ports open, because the firewall simply says: is port 80 open, for example? Can traffic pass through there? It does not make any assessment of the traffic other than forwarding port 80 through the firewall to where it goes. That's it. Now, Suricata, or any intrusion detection system like Snort or Suricata, goes a step further and looks at the arrangement of packets to see if they match certain patterns. For example, a SQL injection attack, or some other malformed header information or malformed packets coming through the firewall, that need to be broken up to go, okay, this is not the pattern. This is not a standard GET or POST web request.
This is asking for something that matches this known threat pattern. Now, that is where these intrusion detection systems really shine. So if you put them in to protect your mail server that's behind the firewall, or whatever the services are behind the firewall when you have open ports, this gives you insight into that. In addition to that, you can use this on your internal network interfaces. On the internal-facing ones, you can use it to also help determine what's going on inside your network. You can then find a machine that's doing something else; it can identify the traffic and go, that machine's doing something that matches these patterns. So you may have a computer, a bad actor on your network internally, and you can start the tracing process from there. Suricata lets you do that, so you can look at both the external threats and the internal threats. Of course, even if you're not opening any ports, the internal threats can be an important reason to do this, and there are facilities in here by which you can block these things.

So let's start taking a look at the system. I've already got it installed. That's not why you came here; that's the basic stuff. It's a really slick system, and it's really easy in pfSense to install it. You go over to System, Package Manager, and you'll see it's the only package I have installed right now. When I set up my demo systems, I usually just do a complete reset, fully load it, and load just the things we're going to talk about, unless I'm stacking something together. So here it is. Do the one-click install. Then you go over here to Services, where it shows up, and go to Suricata. There are no interfaces set up yet. Go to the Global Settings and turn on a couple of rule sets, then go to Updates and hit Update. We're going to force it to update right this minute so we have all the rules. Now, the rules I have in here: I have the ET Open Suricata rules for coverage, which is a little more limited than ET Pro.
When we look at ET Pro over here, yeah, right here, I don't like the fact that you receive a complimentary trial or demo. I don't know, please give me some pricing without me, you know, signing up for your newsletter. Snort's a little more open. They have rules, and they have prices for the rules that you get. You know, Suricata is an open-source product, but the real feature... it's just a framework. All the workhorse is the rules. The rules are the sauce that makes this thing work. These rules are put together by groups of security researchers, and they're not arbitrary; it's a lot of work keeping up with these rules. So you can get the rules 30 days faster here, with the personal subscription, or $399 for business, on a per-sensor basis, and you do have to call for pricing for some of their larger packages. But it's a good system, and you're funding not just the product but the security researchers who put together the sauce that makes this thing understand vulnerabilities, because there's a lot of time that goes into understanding packet rules, looking for threats, and understanding what these malformed packets do, so this can then follow through and understand that as well.

So I'm just using the free rules for demonstration. I imagine a lot of you are doing this at home, but if you're doing it for business, it's not hard to do. If you have the paid subscriber rules, you simply throw in the file name and your oinkcode. Same with ET Pro, there's your subscription configuration. So you sign up for an account, they give you a subscription number, and away you go.

Now, update interval. I have it set to 12 hours. You can set this shorter, as little as six hours, or as long as every 30 days. You want to get new rules. I kind of leave it up to you. Don't beat up on their servers too hard. I mean, six hours, maybe. This is just another layer of protection on here.
If you're running a production environment, you want it set faster, but for the most part this seems to be fine. Now, I leave this off by default, but this is the live rule swap on update. That's the default setting on there; it's just so you can push them in without doing a restart of the service, not the server, just the service itself. Remove Blocked Hosts Interval: they say in here the recommendation is an hour. It just depends on your preferences. What this does is, if the IDS says I'm going to block this IP address, this is how long before it just falls out of the block list. You can manually remove it from the block list, but this is the automatic fall-off, and you want this to be rational. An hour is not bad. The downside is, if you're doing some testing from home against your firewall, or you're outside your firewall doing testing, you can end up on the block list. So how long do you want to wait, especially when you're testing? At first you really want this to be... not never block, but you want it to be a low number, and then you can increase it later, to make sure that you don't lock yourself out. So we're going to go ahead and hit Save here.

The first thing we've got to do is add an interface. Now, it has the option to send alerts to the system logs. You don't really need this, because there's an entire logging system in Suricata itself, under Logs View, that you can dig into. So I don't send any extra alerts over there; I keep them all consolidated here. There's enough noise in my log files. We're going to turn on the DNS log and the stats log; it's up to you. The statistics can be appended when you're restarting it; you can leave that unchecked by default, personal preference. HTTP log, append HTTP log, extended HTTP info, TLS log. Now, this is not being able to see into the TLS-encrypted traffic. This is just creating the TLS log, so you can start looking at the details of the certificates that may have been accepted. This is nice to turn on.
Something to make sure of: have some hard drive space and a decent computer. Actually, a decent system to run this is important, because as the traffic starts stacking up, it starts sucking up processing power. So if you're like, hey, I grabbed this 10-year-old box to build my pfSense with, you're going to have a hard time running this. If the box isn't fast enough or doesn't have some memory, it's going to have issues. For example, our production box has four gigs of RAM to be able to run this on just three interfaces without running out of memory. It does consume a decent amount of memory whenever there's a high amount of traffic, and if you don't want to compromise speed, you've got to have a reasonable multi-core processor. This supports multi-core processing too, so if you have a six-core or eight-core CPU running this, great, it will take advantage of it.

Now, you can store and log the actual certificates so you can go deeper; that starts taking up a lot of room. Tracked files log, that's also something you can do. You can enable a file store, a packet log and a JSON log, and what these allow you to do is start exporting to other devices. Logstash, I think, is one of the ones people recommended; I haven't really looked into it, but you can then use the data feed from this and bring it in, which is really cool for better visuals and analysis. We're just going to leave these things at default here. Plus, we're not going to try and grab every file. This is one of the things it can do: it can start grabbing all the files it sees that are not encrypted and start pulling them in and logging stuff. Really cool features, especially if you're doing some security analysis where you go, just turn everything on, because I want to watch all the things. Now, this next one is where, especially when you're starting out, you don't do this.
This is where you can block offenders and just drop them right away as they produce alerts. Back to that false positives thing: if you're producing a whole lot of false positives, you are going to fill this up and you're going to block everything, even stuff where you're like, hey, wait, I can't even get to Google anymore. Yeah, it saw some type of malformed packet and perceived it as a threat because you didn't fine-tune it. We're going to get to the fine-tuning part, but when you're starting out, don't do that. Detect engine profile: I do keep this on High because I care about performance and I have four gigs of RAM. It will work if you set this to Low on a lower-memory machine; that will consume less memory. Memory is not expensive; four gigs of RAM just doesn't cost that much, so put this on a machine with four gigs of RAM. Then we have increase recursion limit. I don't really mess with these much. I've left all these at default, and I've not really had any problems. This figures out your HOME_NET and EXTERNAL_NET; well, it kind of figures that out automatically based on the interfaces we create, and we'll show you what we're doing here. So we're going to click Save. Now the interface is created. Go ahead and look over here: it's not started, but we still have more things to do.

All right, so let's start looking at the categories and rules. These are the WAN Categories and the WAN Rules. This is more the category summary, and this is the fine-grained detail of the rules. So the first thing we do is resolve the flowbits, and then we're going to go down here and I'm just going to hit Select All, that way we have everything. Now, what flowbits are is, for example, a packet may come through, but there are multiple pieces; they can't just take one packet. So one packet kicks off one thing and there are a couple of packets behind it that are hoping the first packet tripped something to put the other things in motion, for example when they stack threats together.
So the latest WannaCry was a stacked threat, where first they attack Samba and then they start delivering the payload. What flowbits do is look through and follow the multiple rules that a packet stream would turn on. It's kind of slick, because what you're seeing is the whole stream of it, and it says, okay, it hits this rule, this rule, and this rule, so now we can perceive this as a stacked alert. So this is a great thing to have turned on, the flowbits. So we're going to save. Oh, and I selected all for the other rules. This is that finer-grained control I was talking about, where you can start seeing here, and then you can actually click it and it jumps to that segment of the rules under the WAN Rules.

Now let's look at the categories real quick. You may or may not want all these categories; this is kind of personal preference. Some people are like, I just want all the things, because it'll protect me from everything. It'll actually drive you crazy. It will not just protect you, it'll also cause all kinds of tuning. It's harder to tune a system that has everything enabled, because you may say, you know, I don't mind some of the chat traffic; for example, I notice it flags any of the chat things going across the network. Same thing goes with the P2P rules. You're like, hold on, I use torrents for things, but if you have all the P2P rules on there, it's going to start flagging them, and it'll even tell you things like policy rules. Then we have the games rules. You may have a problem with games being on your network, or you go, wait a minute, I don't care that a user has a flag. This is flagging things like Battle.net, received whisper message. It's just great if you have a corporate network and you go, I don't want anything on this network, and you can start just blocking everything.
You know, when playing games... but especially for home users, if you check all of these and then turn on blocking, you're going to find out that your network is really secure, because it won't do anything. It'll just be like, wait, I can't play my games and I can't watch my Netflix. So you do have to fine-tune all these rules, and I'll show you later the rules I'm using on my network that seem to be pretty good about blocking things without, you know, overdoing it, because, well, I do use torrents here. This is how we download even the latest ISOs for different things. So you don't want to go crazy with all these rule sets, but hey, for fun in getting this started, we're going to go ahead and do this. So, like I said, this is your fine-grained one, and the custom rules and the auto-flowbit rules. These will start showing up when we turn the interface on. There's more fine-tuning you can do for the addresses it binds to. Everything's fine for me; I've not had a problem running it all stock, but if you have some special use case, you can go through and start doing this. Maybe if you get into a very large corporate environment, with gigabit speeds and a fiber connection, there might be some tuning that needs to be done; that goes beyond the scope of this talk. These are also the different UDP parsers. You can turn off functionality. I mean, they give you a lot without dropping down to adding custom pass-through settings. You can tune a lot of different things in here, and they have little recommendations for things like the global memcap limit. You can also add different variables to these in case you want to get really specific on a few things. Now, it does support Barnyard2 too, as in you can send this to... I'm going to turn it on to show you: it unlocks these, and you can enable MySQL logging. You can take all the data and then push it to another system.
There are plenty of systems out there that support that capture, a lot of paid ones that can create dashboards. Especially if you're in a multi-firewall environment, or you're managing a series of sites, you can consolidate all your threats across those sites, or across those firewalls and endpoints, to build a picture of what's going on in your network. "Use IP reputation list, default does not check", which is actually wrong, because the default is checked. I noticed that it says that, but anyways, this is just more; you can assign categories and IP reputation lists.

So let's get back to turning on the interface. Go ahead and click Start. All right, now, all the settings we put in there... we didn't get too detailed, we pretty much hit Select All, but one of the really cool things is, if you're configuring multiple LAN interfaces and you do a lot of customization, an easy way to duplicate that customization is just to go here, and what it did is it found the next interface. The only other interface I have here is LAN, and literally all the same options I checked are now applied to this interface. Kind of a nice feature when you have multiple, because I configure my LANs slightly differently than I configure my WAN. I have more rules turned on but no blocking on my LAN; it's more for analysis. So once I configured one of my LANs, we have more than one, I just duplicated it over to the other one. And start the interface. One nice thing to note is, if you don't have enough memory, and I didn't at first when I was playing with this in the demo, you start loading it up and it kills it gracefully. It just says, wow, you ran out of memory, so we're just going to stop this service from running. It's kind of interesting that it does that. It's nice because it doesn't crash or lock up the firewall. It goes, whoop, you just kind of ran out of memory, so we're going to turn it off.
I've got four gigs allocated to this in VirtualBox to alleviate those problems. All right, so let's see what it's doing. Right away it's started creating alerts, and what it's doing is looking at different things going across the network and saying, hey, this looks like a BitTorrent ping; even right here, "potential corporate privacy violation". These are just different things it's seen running on the network, and calls that are going out. So let's go ahead and make some noise on the network. I'm downloading a new copy of Tails; I might do another new demo next, they have a new release. Let's go ahead and turn this on and see what kind of noise this makes on the network that causes the system to start bugging me. All right, now we're generating some traffic, and this will also make the CPU jump up because it's got a lot of packets to sort through. Torrents are kind of good for load testing on servers because of the volume of packets they generate; not just the speed at which you may be downloading, but they also generally generate a lot of noise on the network for the system to take a look at. So we'll look at the LAN side, and it's seeing all kinds of fun stuff going on. It sees mine going to here; apparently this is an "active threat intelligence poor reputation", an "out of window", you just start getting all kinds, and out of the decoder series of events. Apparently there are some things in here that Suricata finds suspicious but, after doing some reading, turn out to be within the rights of the protocol, just maybe uncommonly used, and maybe things like P2P software use them. Because of that, it starts creating even more false positives, and I'll show you how we start mitigating these in just a second. So here's the LAN side, and it's filling up pretty fast with all kinds of things. Right now we've got so much noise just on this "SURICATA UDPv4 invalid checksum", and we want to eliminate that.
So this is where the fine-tuning comes in. We're on the LAN side, and you can tune it the same way on the WAN, the LAN, or any interface. What we have here is this little X. This is "force-disable this rule and remove it from the current rule set". This is pretty slick, because there are a couple of options here. We can suppress this rule, add it to the suppress list, which means don't tell me about it anymore, or turn off the rule that's flagging it. The suppress list is going to add it by IP address, so we can ignore something. Also, this right here is to resolve the host, so we can figure out where it is: ns1.pfmechanics.com, wherever that's going, invalid checksum. So we're going to go ahead and do this, and we're going to get rid of all the invalid checksums. It was refreshing at the same time. So we click this. All right, now the state for the rule: it's got the rule, it's been modified, live rule reload, and we'll see it wait 15 seconds before toggling additional rules. This is really slick, because what it's doing is live reloading rules; you don't have to restart the service, it can push them in, and now we're going to look at what that rule looks like now. They're yellow. What that means is you've already done it. You can click again and say, whoops, I didn't mean to do that, I want to turn that rule back on. This allows you to start fine-tuning and making sure this doesn't come through anymore. So now it won't generate any more alerts for that particular rule.

This is the fine-tuning process. I've heard some people say it takes a week. I guess it really depends on your network. If you have the regular things running, let's say on a Monday-through-Friday network with your office, you could probably determine within only a day or two what the noisy things are that people are doing, unless they have certain things they do on certain days that may flag this.
But this fine-tuning process is turning off all the alerts that don't matter. Now, how do you know if they don't matter? That's always a common question. That's actually pretty easy, because Google: you right-click and do a Google search. Yeah, it's that simple. You can start running through the forums. You can start going, "drop all going traffic", "taming the beast", "a blueprint". This is cool; someone wrote some of these here, things you can do. It's a lot of reading, and this is really what separates your paid UTM IDS systems, maybe from a corporate company where it's all kind of magical and automatic. You say, I want these things blocked. What you're paying for, and the reason those are so expensive, isn't just the rule sets, which is actually a deal, getting rule sets for like 300 a year from Snort. You're talking about a team that works on this at some of these firewall companies, you know, Barracuda, Sophos or any of them, and they are applying this in real time. You still have some control on the UTM devices, but part of the expense of those devices is that they're taking care of this and figuring out what does or doesn't need to be done to keep these things going without driving you crazy and just blocking all the traffic. Obviously you're safe if you block all the traffic, but you don't want to just block it all. You want to actually have a working internet connection and firewall. But depending on whether you're in a corporate environment, you probably don't want people torrenting things behind there. So you can leave this as an alert and go through and start blocking it, but it also can serve as an auditor on the LAN side. We're going to switch over to LAN here real quick, because that allows you to start looking at it internally and going, who's using it? My IP address is here, this dot nine. So let's sort out how you trace some of this.
So if you notice, there's a little plus right here, and we can see source, source port, and that's an address. This is how you can start filtering the traffic, going, all right, who's the person generating the alerts? Notice this dot nine, and then you can filter for just the traffic related to that. Now, I'm the only one on this little subnet, so I'm the only one here, but this becomes very quick to go through and nail down, okay, I need this IP address, or I just want to know things on this port. So let's look at everything that's coming across source port 443. You can stack filters and have multiple things in here; we're just going to filter for 443 though. We can look at any 443 traffic, and we can see that it's constantly generating "stream CLOSEWAIT out of window". Then we can go and Google search it real quick. I'm not afraid to say I Google search a lot of things, but this starts letting you find... "Recovering from Suricata gone wild", Tower security, digital security. It sounds like there's some troubleshooting here for probably a lot of false positives. Like I said, especially in the beginning, you're going to get a lot of false positives in here, and that's where you go, okay, is this something I care to have in my alerts? You can't just say yes to all of it, or you have so much digital noise you'll never find it; it's a needle in a haystack. You want to figure out, these are the things I want to allow on my network, I'm going to go ahead and suppress them, and that way, when something is in the alerts, it's something you should be concerned with. This is the most important thing for an IDS. This is also why, at the beginning, I said don't just block everything; you're going to have a bad time if you do that, because you'll end up shutting down all your services. So that's kind of the overview for a lot of that functionality.
Now let's look at the Logs View for each one. So, LAN: this is what I talk about, you don't need to push things over to the system logging, because this is the logs facility for it. Here's the actual alerts log, kind of in the raw, and it has the file path for it. So you can start looking at the raw logs here; the DNS log here, so you can see what was looked up, and it's kind of fun. You can start dumping these into different tools and start parsing them and go, okay, what's being looked up on here? We don't have the files log. HTTP log: nothing, I guess we didn't do anything over HTTP. Stats log: you can start looking at statistics for what was gone through in here, so it's pretty cool; what was checked, flow queues. The Suricata engine log itself, so you can find out what was done with Suricata as you reloaded, or error codes that come in here. So you can start going through here.

Something else I'm going to point out, though. We're just going to run an apt-get update. Oh, details. So we did this, and then we're going to go ahead and see if there are any other upgrades to the system. Okay, nothing new, nothing to install. So we did that real quick. Let me see, that should have shown up; we'll look at the LAN side real quick and we'll look into the HTTP logs. You can see what it just did: it went to the HTTP GET, the protocols were... because that went over a standard, not an SSL, connection, you can see into what was actually grabbed there. So now we have something in the HTTP log. This also, if I'm not mistaken, generates an alert. Yes, it even alerts on the fact that I did a user-agent outbound likely related to package management. Once again, not suspicious traffic, but it still generated alerts, and it generated a lot of alerts. All those alerts are just from one single computer.
So obviously, even with my own network, when I turned Suricata on and was fine-tuning it, this is why I just didn't turn everything on, because I have several Linux servers that are checking for daily security updates and applying them; I can't have that blocked. If you're not thinking about it and you have it on the block list, next thing you know, I've literally made my network insecure by stopping updates to my servers because this decided to flag it. So if you're not watching this and you turned on blocking right away, like I said, you can actually end up making your own network insecure. That's something to think about. And of course, I would then go, well, let's add this to the don't-bother-me list. Now, the other side of this: let's go over to the LAN side, and something else you can do is go, you know, I'm fine if it goes to this server. So let's see where this server is. This is the 91.x server; we'll click this, and it's a Canonical server. So, you know, I like Canonical. Let's go ahead and add them to the suppress list. So we click this, and it's an entry: suppress gen_id, sig_id, blah, blah, blah. Well, let's look at what that actually looks like. This is the LAN suppress list. It'll also generate one automatically for the WAN. You can edit these rules, and they're plain text, so to speak. My auto spell thinks things are spelled wrong or not grammatically correct; that's my Grammarly plugin. Anyways, "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", suppress gen_id... what this does is it means just don't put these in the alerts anymore. So it starts going, okay, this is your suppression list, as in you want them to flag this activity, so it's still a rule, but don't flag it for this IP address. So that's another way to look at it; that's the difference between suppress and changing a rule set.
Changing the rule means don't enable this rule anymore, versus suppress means don't annoy me, because I know it goes to this IP address and that's perfectly fine. So that kind of gives you an idea how that works. So, back to the interface list, and look at the WAN categories and rules. Like I said, here are all the rules that are enabled that are generating that. Let's see, let's turn on blocking, just to show you what it looks like. Block Offenders, automatically blocked. Now, that actually has a couple of different modes, inline mode, and it has to do with whether or not there's a functionality... I believe some of the high-end network cards have it. I'm not even going to bother trying it, because I'm running this in a VirtualBox session; it'll work, but it's basically how it does that on there. So we're going to go ahead and hit Save, so we can start blocking things and show you how the block list works.

Here's a quick look at the block list on our production machine. You can see the IPs that are being blocked. They fell into threat reputation problems or whatever. And, oh look, it's somewhere in, I think, Denmark. So you can quickly look up where the IPs are; it works much the same. You can see what got blocked. If you want to remove them from the block list, you can just click this and remove them. Save, refresh, download the block list. It's really straightforward and simple, not too big of a deal; I think it's really easy to manage a block list on here. Like I said, you can also suppress to keep them in a whitelist, because maybe something you really like keeps getting blocked for one reason or another, but you want to keep the rule on. These fall off based on those settings we talked about earlier, for how long before they automatically fall off the block list. Having it tuned means the things on here, for the most part, I don't worry about. There are things that, you know, have poor intelligence or poor reputation; I want them blocked.
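The suppress-versus-disable decision above, and the "which rule is the noisy one" question from the LAN tuning earlier, can be worked out from the JSON log the talk mentions turning on. The script below is an added example for this walkthrough; it is not code from the video or from the pfSense Suricata package. It ranks alerts per signature from eve.json, suggests disable, suppress or keep based on what kind of alert it is, and drafts suppress-list lines in Suricata's threshold.config syntax, which is the format the pfSense package keeps in its per-interface suppress list. The eve.json records, addresses and signature ids in the sample are constructed for the example.

```python
"""Rank noisy Suricata alerts and draft suppress-list entries from eve.json.

Added example for this walkthrough, not code from the video or from the pfSense
Suricata package.  SAMPLE_EVE is constructed sample data: the sids, hosts and
timestamps are illustrative, not taken from a real sensor.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample: one eve.json record per line, the kind of noise one Linux
# box makes (apt pulling updates, a P2P client with checksum offload) plus one
# severity-1 alert that should never be tuned away, and one non-alert record.
SAMPLE_EVE = """\
{"timestamp":"2017-08-16T10:15:22.123456-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":45321,"dest_ip":"91.189.88.152","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":6,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2017-08-16T10:15:22.301200-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":45322,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":6,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2017-08-16T10:15:23.009876-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":45323,"dest_ip":"91.189.88.161","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":6,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2017-08-16T10:16:01.000001-0400","event_type":"dns","src_ip":"192.168.1.9","src_port":53144,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"archive.ubuntu.com","rrtype":"A"}}
{"timestamp":"2017-08-16T10:16:05.500000-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":51413,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2200075,"rev":1,"signature":"SURICATA UDPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-08-16T10:16:05.600000-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":51413,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2200075,"rev":1,"signature":"SURICATA UDPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-08-16T10:16:05.700000-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":51413,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2200075,"rev":1,"signature":"SURICATA UDPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-08-16T10:16:05.800000-0400","event_type":"alert","src_ip":"192.168.1.9","src_port":51413,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2200075,"rev":1,"signature":"SURICATA UDPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-08-16T10:17:44.120000-0400","event_type":"alert","src_ip":"203.0.113.77","src_port":4444,"dest_ip":"192.168.1.9","dest_port":49152,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010937,"rev":3,"signature":"ET SHELLCODE Possible Call with No Offset TCP Shellcode","category":"Executable code was detected","severity":1}}
"""


def parse_alerts(eve_text):
    """Return only the alert records; eve.json also carries dns, http, flow, stats."""
    records = (json.loads(line) for line in eve_text.splitlines() if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]


def rank_signatures(alerts, top=10):
    """Count alerts per (gid, sid, signature), noisiest first."""
    counts = Counter((a["alert"]["gid"], a["alert"]["signature_id"], a["alert"]["signature"])
                     for a in alerts)
    return counts.most_common(top)


def recommend(alerts):
    """Suggest an action per sid from the shape of the alerts, not just the count.

    Engine decoder/stream events (signatures starting "SURICATA") are not about a
    peer, so suppressing them per IP never ends: disable the rule.  Low-severity
    policy noise to a handful of destinations is the suppress case.  Severity 1
    stays visible whatever its volume.
    """
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["alert"]["signature_id"]].append(a)
    verdicts = {}
    for sid, recs in by_sid.items():
        first = recs[0]["alert"]
        if first["signature"].startswith("SURICATA "):
            verdicts[sid] = "disable rule"
        elif first["severity"] >= 3 and len({r["dest_ip"] for r in recs}) <= 8:
            verdicts[sid] = "suppress by_dst"
        else:
            verdicts[sid] = "keep"
    return verdicts


def suppress_entries(alerts, sid, track="by_dst", prefixlen=32):
    """Draft suppress-list lines for one sid (threshold.config syntax).

    track="by_dst" keeps the rule but silences it for the destinations seen (the
    "I like Canonical" case); track="by_src" silences it for your own talkers.
    prefixlen < 32 collapses hosts into networks, so the next mirror in the same
    /24 does not restart the cycle.
    """
    key = "dest_ip" if track == "by_dst" else "src_ip"
    nets, signature = set(), None
    for a in alerts:
        if a["alert"]["signature_id"] == sid:
            signature = a["alert"]["signature"]
            nets.add(ipaddress.ip_network(f"{a[key]}/{prefixlen}", strict=False))
    if signature is None:
        return []
    lines = [f"# {signature}"]
    for net in sorted(nets):
        ip = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"suppress gen_id 1, sig_id {sid}, track {track}, ip {ip}")
    return lines


def rate_limit_entry(sid, seconds=3600, track="by_src"):
    """Middle ground: keep the rule, but at most one alert per host per window."""
    return f"threshold gen_id 1, sig_id {sid}, type limit, track {track}, count 1, seconds {seconds}"


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for (gid, sid, sig), n in rank_signatures(alerts):
        print(f"{n:5d}  {gid}:{sid}  {sig}")
    for sid, action in recommend(alerts).items():
        print(f"{sid}: {action}")
    print("\n".join(suppress_entries(alerts, 2013504, prefixlen=24)))
    print(rate_limit_entry(2013504))
```

Point it at the real eve.json under the interface's log directory instead of SAMPLE_EVE and the ranking is the "what's noisy on my LAN" list from the talk; the generated suppress lines paste straight into the interface's suppress list. The threshold entry is the option the talk does not show: for something like the apt user-agent alert, one alert per host per hour still tells you the servers are updating without flooding the log.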
So, back to the other machine. It's hard to show you what the block list looks like on a demo machine, so this is my actual production one facing the outside network. All right, and we'll go ahead and do this: wicar.org. What these are is, wicar.org is just for testing, but you can see what it logged right away. So that's me going to the wicar website, and here's your "shellcode common heap spray string". You can look at what these are, but these are each simulated attacks that I was just doing, and you can see it generated them right away. Here's the ShellExecute function, ET CURRENT_EVENTS, ET EXPLOIT possible Internet Explorer VB; that's one of the ones I did click on. You can see how it generated all these. Let's look on the LAN side, and we kind of have the same thing; it sees it on the LAN side. So we can start tracing it down and where all this data was going back and forth.

So let's close all this wonderful stuff I've got open and show you my production environment, how I'm fine-tuning it a little bit differently there, and what rules I have turned on. So here's our firewall and some of the things we have turned on in our WAN categories. Now, because we're a retail store, for one, and a business MSP, if we turn all these on... I learned that every sensor we have just flags it and causes some problems. I didn't feel like tuning everything, so I turned it down a little bit and came up with the ones I feel generate alerts that are very valid. We're also, by the way, using pfBlocker, so that actually keeps this down quite a bit. But this adds IPs that are on bad lists, like known attack sources, to this list, for things that are coming in, because we do have some ports open on our firewall. For example, we use ScreenConnect, locally hosted, so when things are hitting my web server, it helps add another layer of shielding, so to speak, on there.
So the rules that we're using are emerging attack response, botcc, botcc rules, CI Army, emerging compromised, current events rules, denial of service, DShield, exploit, malware, malvertisers, Trojan rules and worm rules. I found these to be good enough to kind of view what's going on. And I'm also still using the flowbits, like I talked to you about before. Now, generally speaking, there are very few alerts or blocks that I'm running into in our system, and it only took me, I don't know, a couple of days of tuning for our network during normal business usage. Started on like a Monday; by Wednesday or Thursday, I felt as though I had it pretty well tuned without too many things getting blocked. It also has noticed some different attacks from different places, but most of the time it's reputation management stuff that's in there.

Let's see if there's anything in the logs right now. A couple of things. So, "DShield block listed source group." And almost always, if I look at these IP addresses, apparently this one is scan11kshaddleserver.org, and I can look up what shadowserver.org is maybe later, but I kind of like this little DNS lookup you can do, to maybe see if they have listed something. I'm kind of curious, what is shadowserver? So apparently shadowserver is a place that gathers intelligence. Now, this is where it gets kind of fuzzy: should I let them on there? But they're saying basically they were scanning, miscellaneous attack, and they're actually probing for attacks. So you can see with these things in here, "listed source group 1," "source group 1," and "active threat intelligence poor reputation group 14." What these generally are is this place starts probing and scanning, and you can see what ports they're looking at. Sorry I had to blur some of this out, but you can see what ports they're looking at on each one of my public-facing IP addresses.
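The disable-versus-suppress decision and the few-days-of-tuning routine described above can also be driven from Suricata's own log instead of clicking through alerts in the GUI. What follows is an added example written for this walkthrough; it is not code from the video and not part of the pfSense Suricata package. It reads eve.json alert records, counts hits per signature and per source, writes suppress entries in Suricata's threshold.config syntax for sources you have vetted (rule stays on, that host stops alerting), and flags signatures that keep firing from many untrusted sources, where per-IP suppression doesn't scale and the call is either "keep it and let blocking handle it" or "disable the rule". The log lines, signature IDs (9000001, 9000002) and addresses are constructed placeholders, not real rules or hosts from the talk.

```python
"""Triage Suricata EVE JSON alerts into suppress vs. disable candidates.

Added example, not code from the video or the pfSense Suricata package.
Sample log records, signature IDs and addresses below are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of a Suricata eve.json log: one JSON object per line.
# It includes a non-alert "flow" record and a corrupt line, both of which
# a log-reading tool has to skip rather than crash on.
SAMPLE_EVE = """\
{"timestamp":"2024-01-15T09:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Scanner reputation hit","category":"Misc Attack","severity":2}}
{"timestamp":"2024-01-15T09:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.8","dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Scanner reputation hit","category":"Misc Attack","severity":2}}
{"timestamp":"2024-01-15T09:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","dest_port":3389,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE Scanner reputation hit","category":"Misc Attack","severity":2}}
{"timestamp":"2024-01-15T09:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.25","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE Internal monitoring DNS query","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2024-01-15T09:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.25","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE Internal monitoring DNS query","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2024-01-15T09:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.30","dest_ip":"10.0.0.1","proto":"TCP"}
this line is not JSON and must be skipped
{"timestamp":"2024-01-15T09:00:07.000000+0000","event_type":"alert","src_ip":"10.0.0.40","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE Internal monitoring DNS query","category":"Potentially Bad Traffic","severity":3}}
"""


def parse_alerts(text):
    """Return only well-formed 'alert' records; drop other event types and junk lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn or corrupt line should not abort the whole pass
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Map sid -> (signature text, total hits, set of distinct source IPs)."""
    hits = Counter()
    sources = defaultdict(set)
    names = {}
    for rec in alerts:
        sid = rec["alert"]["signature_id"]
        hits[sid] += 1
        sources[sid].add(rec["src_ip"])
        names[sid] = rec["alert"]["signature"]
    return {sid: (names[sid], hits[sid], sources[sid]) for sid in hits}


def suppress_lines(alerts, known_good_sources):
    """Build threshold.config 'suppress' entries for every (sid, source) pair
    where the source is a host the operator has vetted. The rule itself stays
    enabled, so the same signature from any other host still alerts."""
    pairs = sorted({(rec["alert"]["signature_id"], rec["src_ip"])
                    for rec in alerts if rec["src_ip"] in known_good_sources})
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}" for sid, ip in pairs]


def review_candidates(alerts, known_good_sources, min_sources=3):
    """Signatures firing from at least min_sources distinct untrusted hosts.
    Per-IP suppression cannot keep up with these; they need a human decision:
    keep the rule (and let blocking act on it) or disable it for this network."""
    out = []
    for sid, (name, hits, sources) in count_by_signature(alerts).items():
        untrusted = sources - set(known_good_sources)
        if len(untrusted) >= min_sources:
            out.append((sid, name, hits))
    return sorted(out)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    vetted = {"10.0.0.25"}  # constructed: an internal monitoring host we trust
    for sid, (name, hits, sources) in sorted(count_by_signature(alerts).items()):
        print(f"{sid} {name!r}: {hits} hits from {len(sources)} source(s)")
    print("\n".join(suppress_lines(alerts, vetted)))
    for sid, name, hits in review_candidates(alerts, vetted):
        print(f"review: sid {sid} ({name}) fired {hits} times from many untrusted hosts")
```

Run against a real eve.json by replacing SAMPLE_EVE with the file contents; the suppress lines it prints are in the format Suricata's threshold configuration accepts, and in pfSense they correspond to entries in the package's suppress list. Note that 10.0.0.40 in the sample still alerts on sid 9000002 after suppressing 10.0.0.25, which is exactly the difference from disabling the rule.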
That way you can kind of determine what they're trying to do, what they're trying to look for, and things that are open. So it's kind of cool the way that works, but like I said, this keeps me sane, because I don't mind blocking these guys. I'm not compromised, at least I hope I'm not. It's always a good question. So far there's nothing in here that tells me I am. But this is where, like I said, doing this narrower list of services helps you quite a bit in doing this, so you're not going insane trying to sort everything out.

So that's it for intrusion detection with Suricata. I'm sure there are things that maybe I didn't uncover; there's so much more to it. Like maybe I will get into some of the how-to for exporting to third parties and setting that up. That's on my to-do list, because I'd like to have a cool dashboard for all this rather than looking at it from just a log standpoint. But it works really well. I've been happy with it. The performance of it is good. Our pfSense box, in case you're wondering, spec-wise, we're running, this was an AMD X4, so a four-core 840 processor. People ask sometimes why I built it that way. I'm like, I had it. We had one of these lying around with four gigs of RAM in it. And that is able, we have a 50 meg circuit. We host behind it. We occasionally torrent behind it for different downloads and things. And we also have several other services running in here, for example OpenVPN and ntop. And it handles this fine with four gigs of RAM. So it's not like it's a super high-end machine, but it's good. It's definitely good enough and fast enough to do this with four gigs of RAM. We do run it all on a solid state drive, because I like things booting up instantly, and we are using that Intel network card. But it works really well. Suricata doesn't seem to bog down the system. Actually, ntop is more demanding on the system than Suricata, and there's another video I did on that; you can find it in my pfSense list here.
But thank you again for watching. If you like the content here, like and subscribe. If there are some questions, or maybe I need to do a follow-up video on a specific function in here, or something maybe I was wrong about: I don't mind being called an idiot, just let me know what I'm an idiot about so I can correct and further myself here. Because someone always seems to have an opinion, and security is a really tough topic. I try to do my best to edit, but I won't lie, there's no way to know everything. Actually, the more you learn about it, you're like, wow, I thought I knew a lot. Anyway, if you liked the content here, like and subscribe, and thanks for watching.