@volga629:
Hello Everyone,
Thank you for reply, I found and it working.
Is it possible to use Snort based on firewall rules? It would narrow down which probes to use and allow being very specific about which traffic to filter instead of the whole interface.
For example:
If I need to protect an HTTP server, I would like to create a firewall rule which allows connections to the port, and in the advanced settings select a Snort profile, in this case HTTP (containing checks for HTTP and web languages), with an action that, instead of the default pass, will be pass with IDS/IPS.
No, Snort is not that tightly integrated with the firewall. However, you can configure what the Snort package on pfSense calls "engines" on the PREPROCESSORS tab for each interface. An "engine" is a single host or multiple hosts, or network block or multiple network blocks, that are used to target the Snort inspection. For example, for web servers, you might have all of them in a specific subnet. On the PREPROCESSORS tab in the section for the HTTP_INSPECT preprocessor, you would create an engine for the subnet containing your web servers. You first need to create an alias under Firewall…Aliases, then use that alias as the "destination" address for the engine. Once the engine is created, you can edit many parameters associated with it including which ports to inspect as HTTP. This way Snort does not waste time and energy inspecting all the ports for web traffic if only say ports 80 and 443 are actually listening.
Read up on preprocessor configuration details in the online manual at snort.org. Then play around with the settings on the PREPROCESSORS tab for the various engines (frag3, stream5, http_inspect, etc.).
Bill
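For readers who want to see what the targeted engine described above looks like outside the pfSense GUI, here is an added snort.conf fragment (not from this thread or the pfSense package) using standard Snort 2.x http_inspect syntax. The 192.168.10.0/24 subnet and port 8080 are constructed values; port 443 is deliberately left out of the engine because TLS traffic cannot be parsed as HTTP by this preprocessor.

```conf
# Global http_inspect settings: applies to every http_inspect_server engine below.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    compress_depth 65535 \
    decompress_depth 65535

# Default engine: catch-all for hosts not matched by a targeted engine.
# Keep it to port 80 so Snort is not decoding every port as HTTP.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 } \
    server_flow_depth 0 \
    client_flow_depth 0

# Targeted engine: the equivalent of the pfSense engine built from a
# Firewall > Aliases entry for the web-server subnet (constructed example).
# Only the listed ports on these hosts are inspected as HTTP.
preprocessor http_inspect_server: server { 192.168.10.0/24 } \
    profile apache \
    ports { 80 8080 } \
    server_flow_depth 0 \
    client_flow_depth 0 \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress \
    normalize_utf \
    normalize_javascript
```

Setting `server_flow_depth` and `client_flow_depth` to 0 inspects whole request and response bodies, which is the safer default for a dedicated web-server engine but costs more CPU; raise them if the sensor falls behind.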