• Snort failing to restart after rules update - manual restart works fine (4 posts, 1k views)

    Currently the algorithm is set to AC-BNFA. I tried to run it on ACS, but it basically maxed out the RAM and made the interface very unusable. It's running on 2.3.2 on a quad-core Celeron with 4GB RAM.

  • Snort updates are failing again (10 posts, 2k views)

    You should exclude things like

    .akamai.net .akamaiedge.net .amazonaws.com

    from DNSBL using the Custom Domain Whitelist. (The last one is for Snort, IIRC; however, having huge CDNs blackholed is absolutely undesired, whatever the use case.)
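As an added example (not code from the post above and not pfBlockerNG's own code), the matcher below shows what whitelisting those CDN suffixes does to a DNSBL feed, including the two edge cases that matter: a name that merely ends in the same characters ("notakamai.net") and a name that contains the whitelisted domain somewhere other than its tail. It assumes the pfBlockerNG convention that a custom whitelist entry with a leading dot covers that domain and every subdomain, while an entry without one matches only the exact name; the block list entries are constructed for the example.

```python
"""Apply a DNSBL custom-domain whitelist to a block list.

Assumed (not verified against pfBlockerNG source): a leading dot in a whitelist
entry means "this domain and all subdomains"; no leading dot means exact match.
"""


def _normalize(name: str) -> str:
    """Lower-case, trim, and drop a trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def is_whitelisted(domain: str, whitelist) -> bool:
    """True if `domain` matches any whitelist entry under the assumed rules."""
    d = _normalize(domain)
    for raw in whitelist:
        wildcard = raw.strip().startswith(".")
        entry = _normalize(raw).lstrip(".")
        if not entry:
            continue
        if wildcard:
            # Label-aware suffix test: "notakamai.net" must NOT match ".akamai.net".
            if d == entry or d.endswith("." + entry):
                return True
        elif d == entry:
            return True
    return False


def apply_whitelist(blocklist, whitelist):
    """Split a block list into (still blocked, released by whitelist)."""
    kept, released = [], []
    for dom in blocklist:
        (released if is_whitelisted(dom, whitelist) else kept).append(_normalize(dom))
    return kept, released


# The three CDN suffixes from the post, in whitelist (leading-dot) form.
CDN_WHITELIST = [".akamai.net", ".akamaiedge.net", ".amazonaws.com"]

# Constructed block list for the example; not a real feed.
SAMPLE_BLOCKLIST = [
    "e1234.dsca.akamaiedge.net",     # released: subdomain of .akamaiedge.net
    "a1.akamai.net",                 # released: subdomain of .akamai.net
    "s3.amazonaws.com",              # released: subdomain of .amazonaws.com
    "evil.example",                  # kept
    "notakamai.net",                 # kept: shares characters, not a label boundary
    "akamai.net.attacker.example",   # kept: whitelisted name is not the suffix
]

if __name__ == "__main__":
    kept, released = apply_whitelist(SAMPLE_BLOCKLIST, CDN_WHITELIST)
    print("still blocked:", kept)
    print("released     :", released)
```

The label-aware suffix test is the part worth keeping: a plain `endswith("akamai.net")` would also release "notakamai.net", which is exactly the kind of look-alike a block list is there to catch.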

  • WAN Snort Alert 128:4 (spp_ssh) Protocol mismatch (10 posts, 5k views)

    @bmeeks:

    @jpvonhemel:

    Hi Bill,

    I do have SSH enabled with keys and passwords disabled. I thought this was secure and my port is not the typical 22. I understand that a port scan would reveal my open ports and figured it was secure using the key pair. I will take your advice and consider closing this port and accessing SSH via OpenVPN. That goes for the web admin too.

    I don't block anything with Snort, just log and review. I do see a Snort alert on WAN when I SSH in. What was odd about my AWS/Twitter IP addresses was that my public IP and port 10022 were the source and I didn't know how to make sense of it. Source ports are usually random, or at least I thought they were. It was odd that my public IP/10022 was sending to AWS/Twitter at port 443.

    Anyway, I have disabled the WAN interface for Snort and will just watch out for LAN alerts.

    I appreciate your help.

    Jerold

    Using SSH with keys is much better than a password.  A key can be OK, but you will see a constant stream of attempts if the bots find the open port.  Without the key they should be kept out.  If all you ever want is SSH, I guess for a home network key-driven logins are OK.  Personally I use the OpenVPN server on pfSense and a client to access my network remotely.  I then open select things from the VPN into my LAN.

    Bill

    Bill,

    Great information! first time I am trying to setup snort.

    I do agree that having OpenVPN open is the best way and access everything else behind it, but is OpenVPN protected against brute force attacks in Snort by default, or do you have to set that up?

  • SNORT IDS FAILING TO START ON LAN INTERFACE (2 posts, 1k views)

    I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general setting:

    Stream Inserts: Do not evaluate stream inserted packets against the detection engine

    Snort is now running but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both using all the categories and receive these types of entries again. I am guessing these are false positives due to the fact that clicking on the magnifying glass for some of the entries show that the IP resolves to ns1.google.com.

    2017-02-08 23:18:10 1 UDP Attempted User Privilege Gain 216.239.32.10   53 192.168.0.5   50136 3:19187   PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

    IP address "216.239.32.10" resolves to host "ns1.google.com"

    I am still confused, however, why Snort LAN is not providing me these alerts, as it must be an internal host being NATed creating the false positives. Any input would be greatly appreciated.

    Cheers.

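As an added example (not from the post above and not pfSense's own code), the following Python parses alert rows in the layout pasted above and turns those that come from a resolver you trust into Snort suppress-list entries, the mechanism the "Snort Suppress List Syntax" topic further down is about. It assumes the whitespace-separated column order shown in the post (timestamp, priority, protocol, classification, source IP and port, destination IP and port, GID:SID, message); the first row is the one from the post with whitespace collapsed, the second and third rows are constructed, and 198.51.100.23 is a documentation address standing in for a resolver that is not trusted.

```python
"""Turn DNS-response alerts from trusted resolvers into Snort suppress entries.

Assumed input layout (as pasted in the post, whitespace-separated):
  <date> <time> <priority> <proto> <classification...> <src> <sport> <dst> <dport> <gid>:<sid> <message...>
The classification and message contain spaces, so the row is parsed with an
anchored regular expression rather than split().
"""
import re
from dataclasses import dataclass

# Constructed sample: row 1 is the post's alert with whitespace collapsed,
# rows 2 and 3 are made up for the example (198.51.100.23 is a documentation address).
SAMPLE_ALERTS = """\
2017-02-08 23:18:10 1 UDP Attempted User Privilege Gain 216.239.32.10 53 192.168.0.5 50136 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
2017-02-08 23:18:11 1 UDP Attempted User Privilege Gain 216.239.32.10 53 192.168.0.7 41002 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
2017-02-08 23:20:45 1 UDP Attempted User Privilege Gain 198.51.100.23 53 192.168.0.5 50137 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<pri>\d+) (?P<proto>\S+) (?P<cls>.+?) "
    rf"(?P<src>{_IP}) (?P<sport>\d+) (?P<dst>{_IP}) (?P<dport>\d+) "
    r"(?P<gid>\d+):(?P<sid>\d+) (?P<msg>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    priority: int
    proto: str
    classification: str
    src: str
    sport: int
    dst: str
    dport: int
    gid: int
    sid: int
    msg: str


def parse_alerts(text: str):
    """Parse pasted alert rows; raise on a row that does not fit the assumed layout."""
    alerts = []
    for line in text.splitlines():
        line = " ".join(line.split())  # collapse the UI's padding spaces
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised alert row: {line!r}")
        g = m.groupdict()
        alerts.append(Alert(g["ts"], int(g["pri"]), g["proto"], g["cls"],
                            g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                            int(g["gid"]), int(g["sid"]), g["msg"]))
    return alerts


def suppress_entries(alerts, trusted_resolvers):
    """Snort suppress lines for alerts sourced from a trusted resolver answering on UDP/53.

    Uses `track by_src` so the signature keeps firing for any other source.
    One entry per (gid, sid, source) regardless of how many rows matched.
    """
    entries, seen = [], set()
    for a in alerts:
        if a.proto != "UDP" or a.sport != 53 or a.src not in trusted_resolvers:
            continue
        key = (a.gid, a.sid, a.src)
        if key in seen:
            continue
        seen.add(key)
        entries.append(f"suppress gen_id {a.gid}, sig_id {a.sid}, track by_src, ip {a.src}")
    return entries


if __name__ == "__main__":
    for entry in suppress_entries(parse_alerts(SAMPLE_ALERTS), {"216.239.32.10"}):
        print(entry)
```

The entry trusts the address, not the name it reverse-resolves to, so confirm that 216.239.32.10 really is a resolver your hosts are configured to use before adding it; `track by_src` then keeps SID 19187 active for every other source, which is the right trade-off when the only evidence of a false positive is who sent the answer. On pfSense the generated line goes into the Suppress List assigned to the interface.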

  • Snort 3.2.9.2_16 Won't Start (3 posts, 1k views)

    Update: working now.

    I uninstalled one more time.  Then manually deleted some of the snort scripts, files and directories.  On the subsequent reload, the package installed with no errors in the package and started correctly.

    However, these 3 rule sets failed to download. I'll wait for results when the regular downloads run as scheduled.

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Snort OpenAppID Detectors

  • Suricata Inline IDS not filtering IPv4 (1 post, 594 views, no replies)

  • Suricata 3.0_7 to 3.0_8 update error (2 posts, 981 views)

    I can confirm that exactly this issue still exists. It happened during the update to 3.1.2_2.

    Suricata was disabled (not in the menu) but still in the package manager under "installed packages". So only an uninstall and fresh install worked!

  • Suricata inline versus legacy IPS mode (5 posts, 11k views)

    @huckabuck:

    This isn't totally on topic to the OP. My pf box has 6 igb int. I have an esx server downstream running security onion. I don't want to use Suricata for IPS but I do want to use netmap as a tap for all interfaces then send the whole stream to security onion on an unused int. Can Suricata be put in inline mode with IPS not blocking anything and use suricata.yml to configure the tap interfaces?

    Wouldn't this be easier to accomplish at the switch versus within the firewall?

  • PfSense as an inside IDS sensor (2 posts, 1k views)

    Well, I've been playing with it for a while, and my first hurdle was getting pfSense to acknowledge/see traffic not actually destined for it on the monitor interface(s). Creating a bridge group seems to be the solution, but Snort needs to still monitor the actual interface(s), and not the bridge for it to work.

    My second hurdle is with Barnyard. The config page made it seem as though I could possibly nab packet captures/dumps right from the UI, which seems to be incorrect. So, that means pfSense is only usable as a sensor, which is fine. Its ability to disable/suppress Snort rules/alerts is way ahead of what the SO people are doing. So I've been working on getting Barnyard2 in pfSense to push the events into Security Onion's MySQL database. I found an older howto on the Spiceworks forum, but it seems to no longer be valid. Security Onion no longer uses Snorby and instead now uses Sguil.

    The next step is probably to ask the Security Onion people for help. Anyone have any insight?

  • Snort SID Management bug? (1 post, 856 views, no replies)

  • Comprehension question on using Snort on WAN/LAN/DMZ (5 posts, 909 views)

    Hello vbentley,

    thanks for your reply, but I was misunderstood!

    The very open WLAN has for sure no access to the LAN, only to WAN and LAN has no access to the WLAN, only to WAN.
    My question is different (maybe my English is not the best) :-[:
    I want to setup snort on LAN and WAN, but only for traffic to and from LAN. I'm searching on how to setup the rules for snort in a way, that WLAN and WAN for WLAN is generally not affected. This "Freifunk"-thing is based on a club and one of the rules in that association is not to sniff any traffic (gentlemen's agreement). That's my goal!

    Many thanks!

  • External IP blocked on my LAN? (4 posts, 950 views)

    Thanks for the help..

  • Snort on LAN, but have external IP alerts? (4 posts, 1k views)

  • How to change nice priority of snort? (5 posts, 1k views)

    Yes, I found the line, but I'm still perplexed why I can't renice a process through cron.
    In OpenWrt it was no problem. Why is cron different here?

  • Getting flooded with 1e100.net Google UDP Portscan (2 posts, 1k views)

    If they're blocks to normal Google searches, let them pass. Same with Akamai blocks.

  • Snort Suppress List Syntax (1 post, 788 views, no replies)

  • Snort and captive portal (2 posts, 754 views)

    @genesislubrigas:

    PS: I don't use the pfSense captive portal

    You might want to fix the totally misleading subject, plus move this to some Linux forum.

  • Suricata Package Updated to 3.1.2 – Release Notes (36 posts, 5k views)

    The dependency is already fixed, no need to do anything here. https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/Makefile#L16

  • Suricata configuration help (9 posts, 3k views)

    @bmeeks:

    Hey
    Sorry for the late reply.
    I have rebuilt my VM lab on VBox and tested on it; very good success with the suppression list, but I still can't figure out the pass list.
    But for now that will do nicely, Thank you very much for your help Bill.

  • Suricata Package Updated to 3.1.2_1 – Release Notes (3 posts, 827 views)

    Great job Bill, well explained. I absolutely agree with you that the best Passlist option is "none" for Inline mode.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.