Netgate Discussion Forum

    PfSense Snort Limited Logging

      pidakala

      I am trying out pfSense on my home PC, which I wanted to deploy in the near future as a router/firewall/IPS/web filtering system. I have downloaded Snort and am playing with a few settings in Snort. I find that the number of alerts logged under the IPS Connectivity setting is overwhelming and too many. Is there any way to limit the logging based on the number of logs per second, etc.? I could not find those settings in the pfSense webConfigurator.

      I am also looking to stop TCP SYN flood and UDP flood attacks. Is there any way to do this in the Snort package that comes with pfSense?

      Thank you very much..

        bmeeks

        @pidakala:

        I am trying out pfSense on my home PC, which I wanted to deploy in the near future as a router/firewall/IPS/web filtering system. I have downloaded Snort and am playing with a few settings in Snort. I find that the number of alerts logged under the IPS Connectivity setting is overwhelming and too many. Is there any way to limit the logging based on the number of logs per second, etc.? I could not find those settings in the pfSense webConfigurator.

        I am also looking to stop TCP SYN flood and UDP flood attacks. Is there any way to do this in the Snort package that comes with pfSense?

        Thank you very much..

        Suppress Lists are used in Snort to "rate limit" events.  You can also suppress certain common false positives entirely.  There is an older thread in the Packages sub-forum with the words "Master Suppress List" in the title.  It has suggestions for several experienced Snort users.

        Snort with its associated rules is designed to look for specific attacks where the packet data matches content and metadata contained within the rules.  There are scan rules that can help with TCP SYN attacks.

        Snort on pfSense offers a blocking mode that will insert an offender's IP address into a table in the pf firewall.  This effectively blocks further traffic from that offender until a timeout you set expires.  There is a basic How-To sticky thread posted in the Packages sub-forum for the Snort package.  You may find some useful information there.  There are also a number of experienced users who are regulars in that sub-forum.  You can post questions there and probably receive more and quicker replies.

        Bill
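
What Suppress List entries of the kind described above can look like, as an added example that is not part of Bill's post. It uses Snort 2.9 `event_filter` and `suppress` syntax; the SIDs (1000001 to 1000003) and the address range 192.0.2.0/24 are constructed placeholders, and it assumes the list accepts `event_filter` lines alongside `suppress` lines.

```conf
# Added example. SIDs and addresses are placeholders, not real rules.

# Rate limit: log at most 1 alert per source IP every 60 seconds for this rule.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Alert only after 20 matches from one source within 60 seconds,
# then at most once per 60-second window.
event_filter gen_id 1, sig_id 1000002, type both, track by_src, count 20, seconds 60

# Suppress a known false positive only when it comes from a trusted source range.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.0/24

# Suppress a rule entirely, for every source and destination.
suppress gen_id 1, sig_id 1000003
```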
