List: pfsense-discussion
Subject: Re: [pfSense] Snort or Suricata
From: Daniel Eschner <daniel () linux-nerd ! de>
Date: 2016-06-13 19:52:04
Message-ID: 7120916F-4653-44FC-9E36-1AA36F3B67E8 () linux-nerd ! de
I am running it now like this.
I will push all alerts to my Kibana now and will check that for a couple of weeks to get a good overview.
> On 13.06.2016 at 21:48, compdoc <compdoc@hotrodpc.com> wrote:
>
> > How do you have Snort configured to differentiate between incoming and outgoing traffic?
>
> I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the problem. It watches any http traffic, which is mainly outgoing in our case.
>
> On the Services / Snort / Interfaces page, edit your interface. And then click the 'WAN Preprocs' tab.
>
> I used to just disable HTTP Inspect, but at some point in time snort in pfSense started displaying a large warning.
>
> So, in that section there's a 'Server Configurations' option. I have one configuration named 'default', and you might have the same.
>
> Edit default, and there's a Ports area where you specify an alias which contains the ports snort should watch for HTTP traffic. I use port 10, but it can be any unused port. Now snort listens on port 10 for HTTP traffic and never hears any.
>
> Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I enable. I think I leave most of the other options on defaults.
>
> Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats (ET) Rules, and a list named 'emerging-compromised-ips.txt' on the IP lists tab.
>
> However, I edit the snort interface and check 'Use IPS Policy' and then choose 'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides which one of the rulesets it will use.
>
> Occasionally, as rules get updated snort will start blocking something that it wasn't blocking before, and you have to add those rules to the suppress list. This doesn't happen too often, though.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
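The quoted question about telling incoming from outgoing traffic, and compdoc's point that HTTP Inspect fires mostly on outgoing browsing, can be checked against the alert log itself once alerts are being collected, as Daniel plans to do. The following is an added example, not code from this thread or from the pfSense or Snort projects: it parses Snort 2.x "fast" alert lines, tags each one by packet direction relative to an assumed local network (192.168.1.0/24 here), and separates preprocessor alerts (http_inspect and sfportscan, identified by their generator IDs) from rule hits. The sample lines, SIDs and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort 2.x "fast" format (one line per alert).
# These are made up for this example; they are not alerts from the thread.
SAMPLE_ALERTS = """\
06/13-19:52:04.100000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 93.184.216.34:80 -> 192.168.1.20:51234
06/13-19:52:05.200000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51235 -> 93.184.216.34:80
06/13-19:52:06.300000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.168.1.1
06/13-19:53:07.400000  [**] [1:9000001:1] EXAMPLE rule hit [**] [Classification: Misc activity] [Priority: 2] {UDP} 192.168.1.20:5353 -> 192.168.1.30:5353
"""

# Generator IDs that Snort 2.x preprocessors use in the [gid:sid:rev] field;
# anything else is treated as an ordinary rule hit.
PREPROCESSOR_GIDS = {
    119: "http_inspect_client",
    120: "http_inspect_server",
    122: "sfportscan",
}

# Fast-format line: timestamp, [gid:sid:rev], message, optional classification,
# priority, {proto}, then "src[:port] -> dst[:port]". IPv4 only, to keep the
# address/port split unambiguous.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def is_local(ip, local_nets):
    """True if ip falls inside any of the given ipaddress networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def parse_alert(line, local_nets):
    """Parse one fast-format line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    src_local = is_local(f["src"], local_nets)
    dst_local = is_local(f["dst"], local_nets)
    # Packet direction relative to the local network. Note this is per packet:
    # a server's HTTP response to a local client counts as "inbound" here even
    # though the local side opened the session.
    if src_local and not dst_local:
        direction = "outbound"
    elif dst_local and not src_local:
        direction = "inbound"
    elif src_local and dst_local:
        direction = "internal"
    else:
        direction = "external"
    gid = int(f["gid"])
    return {
        "timestamp": f["ts"],
        "gid": gid,
        "sid": int(f["sid"]),
        "priority": int(f["prio"]),
        "message": f["msg"],
        "proto": f["proto"],
        "src": f["src"],
        "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"],
        "dport": int(f["dport"]) if f["dport"] else None,
        "source": PREPROCESSOR_GIDS.get(gid, "rule"),
        "direction": direction,
    }


def summarize(text, local_cidrs):
    """Parse a block of fast-format alerts and count them by source and direction."""
    local_nets = [ipaddress.ip_network(c) for c in local_cidrs]
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_alert(line, local_nets)
        if parsed is not None:
            alerts.append(parsed)
    return {
        "alerts": alerts,
        "by_direction": Counter(a["direction"] for a in alerts),
        "by_source": Counter(a["source"] for a in alerts),
        "by_source_and_direction": Counter(
            (a["source"], a["direction"]) for a in alerts
        ),
    }


if __name__ == "__main__":
    # Assumed local network for the constructed sample; adjust to your LAN.
    summary = summarize(SAMPLE_ALERTS, ["192.168.1.0/24"])
    for (source, direction), count in sorted(summary["by_source_and_direction"].items()):
        print(f"{source:20s} {direction:9s} {count}")
```

One caveat the breakdown makes visible: http_inspect server-side alerts (GID 120) are raised on the web server's response, so by packet direction they land in the "inbound" bucket even though the session was opened from the inside. Judging incoming versus outgoing from the source address alone therefore understates how much of the noise is really local browsing; grouping the same alerts by the local address and its ephemeral port, or by the full five-tuple, gives the session view that compdoc's HTTP Inspect observation is about.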