Netgate Discussion Forum
pfBlockerNG

    IDS/IPS with pfblockerNG

    4 Posts 2 Posters 1.6k Views
    • Qinn

      Hi there, I could use some advice on the subject. Maybe it's in the wrong spot, but as pfBlockerNG is my starting point and an IDS is my next step, I placed it here (if an admin wants me to move it, no worries). What can anyone advise me: Suricata or Snort in combination with pfBlockerNG?

      Thanks for any help, pointers or advice.

      Cheers Qinn

      Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
      Firmware: Latest-stable-pfSense CE (amd64)
      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      • Velcro

        I can't speak much about Suricata, but I have been using Snort with pfBlocker with no compatibility issues... the one problem I had was geo blocking Brazil. A Brazil university was the destination for a Snort rule...

        https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

        I would defer to Suricata users for their thoughts...

        • Qinn

          @V3lcr0:

          I can't speak much about Suricata, but I have been using Snort with pfBlocker with no compatibility issues... the one problem I had was geo blocking Brazil. A Brazil university was the destination for a Snort rule...

          https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

          I would defer to Suricata users for their thoughts...

          Thanks, of course I still would like to hear some thoughts from Suricata users, but can you advise on some good info/setup/video for a Snort newbie?

          Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
          Firmware: Latest-stable-pfSense CE (amd64)
          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

          • Velcro

            bmeeks put a great guide together, a little dated but still a good thread... (thanks bmeeks!)
            https://forum.pfsense.org/index.php?topic=61018.0

            This is a more recent thread:
            https://doc.pfsense.org/index.php/Setup_Snort_Package

            This will get you going...

            My suggestions would be:

            1. When you set up the interfaces, resist the temptation to "Block Offenders" at the start... you can use it as an IDS, then move to IPS. It will block a lot!
            2. Use the "Snort VRT IPS Policy Selection" to start, depending on your needs... i.e. Balanced/Connectivity/Security
            3. Use the "Service_Watchdog" package as well, in case it stops...

            I think any of the IDS/IPS packages use hardware resources... so make sure your setup is strong enough... not hard to set up! Requires some attention to get going... quite a few false positives to start that block traffic (hence start with IDS to start).

            Good luck...

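            The advice above is to run in IDS mode first and review which rules fire before turning on "Block Offenders". As an added example (not from this thread or the pfSense Snort package), the script below parses Snort's standard "alert fast" output, counts hits per rule and lists the distinct sources that triggered each one; a rule that fires from many internal hosts is the kind of false positive worth suppressing before switching to IPS. The alert lines, rule SIDs and addresses are constructed; it assumes Snort is writing the classic fast format, not a custom CSV layout.

```python
"""Triage Snort 'alert fast' lines before enabling blocking (added example)."""
import re

# Fast format: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src[:port] -> dst[:port]. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (local-range SIDs, documentation addresses).
SAMPLE_ALERTS = [
    "01/15-10:22:33.123456  [**] [1:1000001:2] LOCAL noisy policy rule [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.11:51234 -> 198.51.100.7:443",
    "01/15-10:22:40.000010  [**] [1:1000001:2] LOCAL noisy policy rule [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.12:49152 -> 198.51.100.7:443",
    "01/15-10:22:41.000020  [**] [1:1000001:2] LOCAL noisy policy rule [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.13:49153 -> 198.51.100.7:443",
    # ICMP alert: no ports and no classification block.
    "01/15-10:23:01.000001  [**] [1:1000002:1] LOCAL inbound scan rule [**] "
    "[Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.1",
]


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate alerts by (gid, sid): message, priority, hit count, distinct sources."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:  # skip malformed or non-alert lines
            continue
        entry = summary.setdefault((a["gid"], a["sid"]), {
            "msg": a["msg"], "priority": int(a["pri"]), "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(a["src"])
    return summary


def noisy_rules(summary, min_sources=3):
    """Rules triggered by at least min_sources distinct hosts: review before blocking."""
    return sorted(k for k, v in summary.items() if len(v["sources"]) >= min_sources)


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for key in noisy_rules(s):
        print(f"review {key[0]}:{key[1]} '{s[key]['msg']}' hits={s[key]['count']} sources={sorted(s[key]['sources'])}")
```

            Feed it the real alert file instead of SAMPLE_ALERTS to build a suppress list of SIDs before enabling "Block Offenders".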