Snort not catching everything
-
I run a snort sensor on my network in addition to the Snort package on pfsense. I have VRT and Emerging Threats rules enabled on my pfsense box, but it just doesn't seem to catch some of the stuff that the sensor on the network does. For example, I get a lot of ZmEu Scanner alerts to my webserver from my sensor that the pfsense box doesn't seem to catch. There are many other instances here I can include if needed. Anything I am missing here?
-
The first thing to check is whether your separate sensor and the package on pfSense see the exact same network traffic. Is there perhaps a switch in between that blocks the pfSense port from seeing what the standalone sensor sees? Are there other routes to the standalone sensor that could bypass the Snort package in pfSense? A network diagram would help.
Are the exact same rules actually enabled and being enforced on both packages (the standalone versus pfSense)?
Bill
-
I don't think this is the case. The outside interface of the pfSense box plugs into my Internet connection. On the inside is a single cisco switch where my web servers and the Snort sensor plugs into. I have a monitor port configured on the switch where my sensor is plugged into. This monitor port is configured to have the traffic on all the other ports on the switch mirror to it, including the port that the inside interface of the pfSense box plugs into.
-
oh, and as far as the rules, Only difference I see on the rules side is that I am using both the VRT and community rules on the sensor. On the pfSense box I am only using the VRT. Didn't find out until after I built the sensor that the community rules are included in the VRT rules. Unless of course this is incorrect, then the could be my issue. On the pfsense box I have emerging threats enabled where I don't have this on the sensor.
-
Couple of other things to consider –
1. By default in the pfSense Snort package, the vast majority of the Community rules are disabled. Simply checking on the category on the RULES tab is not enough. You have to individually (or using the SELECT ALL option on the RULES tab) enable the vast majority of them.
2. If you are using a SPAN port on the switch, then the sensor sees all traffic the switch does when mirroring ports. However, the Snort sensor will only see traffic that is specifically passing through the firewall. Don't know the particulars of the alerts you are seeing on the monitor and not the pfSense instance, but is it possible that host-to-host traffic on the LAN side is what the sensor is alerting on when pfSense does not? The pfSense sensor will only see traffic either outbound to or inbound from the Internet. Traffic from one LAN host to another will be seen by the passive Snort sensor but not the pfSense Snort sensor.
Bill