
List:       pfsense-discussion
Subject:    Re: [pfSense] Snort or Suricata
From:       Daniel Eschner <daniel () linux-nerd ! de>
Date:       2016-06-13 19:52:04
Message-ID: 7120916F-4653-44FC-9E36-1AA36F3B67E8 () linux-nerd ! de

I am running it now like this.
I will push all alerts to my Kibana now and will check that for a couple of weeks to get a good overview.


> On 13.06.2016 at 21:48, compdoc <compdoc@hotrodpc.com> wrote:
> 
> > How do you have Snort configured to differentiate between incoming and outgoing traffic?
> 
> 
> 
> I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the problem. It watches any http traffic, which is mainly outgoing in our case.
> 
> 
> On the Services / Snort / Interfaces page, edit your interface. And then click the 'WAN Preprocs' tab.
> 
> 
> I used to just disable HTTP Inspect, but at some point in time snort in pfSense started displaying a large warning.
> 
> 
> So, in that section there's a 'Server Configurations' option. I have one configuration named 'default', and you might have the same.
> 
> 
> Edit default, and there's a Ports area where you specify an alias which contains the ports snort should watch for HTTP traffic. I use port 10, but can be any unused port. Now snort listens on port 10 for HTTP traffic and never hears any.
> 
> 
> Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I enable. I think I leave most of the other options on defaults.
> 
> 
> Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats (ET) Rules, and a list named 'emerging-compromised-ips.txt' on IP lists tab.
> 
> 
> However, I edit the snort interface and check 'Use IPS Policy' and then choose 'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides which one of the rulesets it will use.
> 
> 
> Occasionally, as rules get updated snort will start blocking something that it wasn't blocking before, and you have to add those rules to the suppress list. This doesn't happen too often, though.
> 
> 
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

