• 0 Votes
    6 Posts
    5k Views
    JeGrJ
    @BBcan177 Thanks for chiming in. I didn't want to hijack the thread ;) but in my case I'm looking forward to more insights on the per VLAN/subnet setting. Our use case would be to protect various customer project networks, all separated into different VLANs/subnets that are routed via our Firewall. All those networks get connected via our DC WAN line. But as only two or three customers ask about IDS/IPS usage, we'd like to set up snort (or suricata for that matter) in a way that it listens on WAN but only intercepts/filters/blocks traffic belonging to those customers and leaves all other traffic alone. As different customers may have different needs, a per customer (-> per public IP/per VLAN) configuration would be needed for that (IMHO), so that's the question I have: is such a setup possible at all? Greets
  • Snort IPv6

    3
    0 Votes
    3 Posts
    1k Views
    C
    I'm currently only monitoring to fine-tune the ruleset since it's been a while since I used snort. It alerted on a couple of IPv6 packets for 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
  • Possible bug with SnortWhitelist management

    1
    0 Votes
    1 Posts
    483 Views
    No one has replied
  • Is squid unpredictably broken?

    1
    0 Votes
    1 Posts
    839 Views
    No one has replied
  • How to limit or block torrent with snort

    1
    0 Votes
    1 Posts
    850 Views
    No one has replied
  • Help me with this snort alert: Potential DNS Cache Poisoning Attempt

    3
    0 Votes
    3 Posts
    2k Views
    U
    Looks like your machine is making normal domain name queries to ns3.google.com
  • Snort not logging nmap port scans on LAN

    4
    0 Votes
    4 Posts
    4k Views
    J
    Hi. At my Snort > Preprocessors and Flow > LAN > Portscan Detection: Enable: X, Protocol: all, Scan Type: all, Sensitivity: medium, Memory Cap: 10000000, Ignore Scanners: (empty), Ignore Scanned: (empty). I did an nmap scan over the pfSense LAN IP: nmap -T4 -A -v 192.168.0.254 … Discovered open port 443/tcp on 192.168.0.254 Discovered open port 53/tcp on 192.168.0.254 Discovered open port 22/tcp on 192.168.0.254 ... And at Snort, LAN alerts: 2016-11-17 20:37:39 3 TCP Unknown Traffic 192.168.0.254 8081 192.168.0.12 51052 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 2016-11-17 20:37:10 3 TCP Unknown Traffic 192.168.0.254 8081 192.168.0.12 50965 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE And for another nmap scan from one host on the LAN to a remote host on the Internet, no alert at all!!! OK, I will try what you say … Regards
  • ICAP protocol error

    7
    0 Votes
    7 Posts
    4k Views
    T
    Same traffic. Fresh squid install, pf 2.3.2, squid 0.4.23_1. Antivirus breaks the internet with the aforementioned error message on numerous sites (most, actually). Tried to run the a/v update, get this in the realtime tab: WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory. a/v disabled for now, which is really too bad...
  • Need tutorial for snort

    3
    0 Votes
    3 Posts
    1k Views
    U
    What ttblum posted is all you really need and everything else is self explanatory, but here is the pass list: https://doc.pfsense.org/index.php/Snort_passlist
  • Experienced user needs answers that should be obvious, yet aren't

    3
    0 Votes
    3 Posts
    771 Views
    M
    First I try to answer the questions in your first post: 1. E.g. imagine one day a zero day vulnerability is discovered in the openvpn software. With your updated snort ruleset you can protect your unpatched device against disclosing this vulnerability. 2. The example above applies here again. Because of the manner in which TCP connections work, snort will block the answer (reply to a LAN connection) coming to your WAN interface if a rule matches the packet. So in this situation it "doesn't matter" whether a port is closed on your firewall or not. 3. E.g. you accidentally or by mistake click a link in an email message that points to a crypto malware file that would encrypt your whole disk. Snort will block the connection and save you from a catastrophic situation. 4. Pfblockerng will broaden the IPS function by blocking known malicious, attacking IP addresses and DNS addresses, thus further protecting your network against malware, spam, ransomware and other threats. As far as I can tell by reading your second post, you are not sure why to protect the traffic coming from the LAN interface. Your network could be attacked not just from the Internet. E.g. someone connects an infected USB drive to a computer in your network which spreads over all the machines. This infection could send private data out of your network BUT snort could block this too.
  • Finding SRC IP on Snort (CnC)

    2
    0 Votes
    2 Posts
    1k Views
    I
    The source on mine was the yoyo adserver list I had enabled in pfblockerNG package.
  • UBlock Origin - A NETWORK TROJAN - False Positive

    5
    0 Votes
    5 Posts
    4k Views
    W
    omg, I have been getting a similar trojan alert and it's driving me mad trying to work out where it is coming from https://forum.pfsense.org/index.php?topic=121123.0 I also have ublock origin, but my snort rule is only showing src as WAN. Now how can I tell if this is a false positive if I can't find the local IP?
  • 0 Votes
    5 Posts
    1k Views
    J
    Hi. I do not know if this akamai server is compromised. But you can submit the "false positive" (or bug) to Snort if you have a registered user in the community: https://www.snort.org/community#submit_bug Regards.
  • Suricata HOME_NET - unable to uncheck Locally-Attached Networks

    2
    0 Votes
    2 Posts
    586 Views
    T
    In other words: unchecking Local Networks from the pass list seems to have no effect. :( Could it be a cosmetic issue, while clicking "View list"? (don't think so…) Also tried to override the HOME_NET value in Advanced Configuration Pass-Through, but Advanced Configuration Pass-Through seems to be broken too (encoded while config is saved). :(
  • Taming Snort

    4
    0 Votes
    4 Posts
    5k Views
    U
    I am guessing it's probably your IPS policy you have set or you have set it to balanced. If not check it out and just manually set the ones you want.
  • Filtering SMTP EHLO

    5
    0 Votes
    5 Posts
    1k Views
    J
    Hi. More about … :) @BBcan177: I have tried to do this in postfix but couldn't find a solution, so I ended up adding a custom rule to Snort… Getting hit usually by EHLO ylmf-pc (Chinese OS). Snort won't block it fast enough to prevent a couple of login attempts, but it will stop an IP after about three attempts. This is because currently Snort is acting on a copy of the packet. alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP EHLO from ylmf-pc attempt"; threshold: type limit, track by_src, count 1, seconds 60; content:"ylmf-pc"; nocase; classtype:suspicious-login; sid:9000032; rev:2;) Regards.
  • Ignore source IP and port

    3
    0 Votes
    3 Posts
    2k Views
    J
    Hi. I see you need something more f. Try to create custom rules in Snort to pass the traffic with dst 192.168.1.9 port 65000 and block the rest. alert tcp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPtcp"; sid:9000001; classtype:misc-activity; rev:1;) alert udp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPudp"; sid:9000002; classtype:misc-activity; rev:1;) Regards
  • Snort logs with details

    4
    0 Votes
    4 Posts
    2k Views
    F
    @jgkpffrm: connect to the pfsense server with filezilla and go to /var/log/snort/<interface>/ download snort.log.xxxxx turn off ssh Run Wireshark and look at the data. What you mean is to use wireshark on a local PC and run an analyzer session against the log file (snort.log.xxxx)? Does this mean that snort.log.xxxx in reality has all the data, it is just more readable through WireShark?
  • Tool for inspecting inbound http traffic

    1
    0 Votes
    1 Posts
    557 Views
    No one has replied
  • SSL Blacklist update features? (Suricata/Snort)

    2
    0 Votes
    2 Posts
    2k Views
    W
    From: https://forum.pfsense.org/index.php?topic=91438.msg506088#msg506088 @fsansfil: They are covered in ET Trojan Rules. Have a look. F. If I read the above correctly it is already available?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.