Pfsense Snort Takes too much time to start when Enabling all Rules
-
Hi all,
I have a query about the IDS (Snort) in pfSense. I am using pfSense version 2.3.1 RELEASE with Snort version 2.9.8.0 GRE.
I have added the Snort pkg from the repo and downloaded all the rules.
I am running a Snort instance on the WAN and have enabled all the rules available.
When I start/restart the Snort instance it takes a lot of time to start; sometimes I get a timeout from the server.
How can I resolve this issue? Is it good practice to enable all the rule files available?
Thank you
-
Although it will make no difference in startup speed, you should update to the latest Snort package on pfSense. The VRT rules are no longer available for version 2.9.8.0. If you do not use those rules, then it may not bother you that VRT rules are not available/updated for 2.9.8.0. The current binary version is 2.9.8.3 (and the GUI package is 3.2.9.1_14).
Enabling all the rules is pretty much not a good idea. Unless you have a super server with lots of RAM, you can quickly bog it down evaluating thousands of rules for every packet. Many (if not most) of those rules will likely not even apply to your traffic. For example, if you are a home user and have no public facing servers, then all the rules for mail servers, SQL servers, web servers, etc., would serve no protective purpose and would just be chewing up firewall resources for zero gain.
You need to take the time to learn about Snort rules, the categories and what the rules in them do, and then select rules that fit your network. My suggestion to folks is to run a few weeks in IDS non-blocking mode and check the ALERTS tab several times a day to see what is alerting. Get a Snort Oinkmaster code from https://www.snort.org and enable the Snort VRT rules. Then go to the CATEGORIES tab and tick the checkbox to "Use IPS Policy". In the IPS Policy drop-down select Connectivity and save the change and restart Snort.
This will activate a good starter set of rules that will protect local LAN hosts from a ton of malicious threats without generating too many false positives. Only the Snort VRT rules package offers special metadata tags on rules that allow selection of a protection level. The three choices are CONNECTIVITY, BALANCED and SECURITY in order of increasing security. Don't be tempted to jump straight to SECURITY, though. That will generate some false positives and may be irritating to a beginner. Start with CONNECTIVITY and then after you gain experience bump up to BALANCED.
Bill
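The policy selection described in the post above works off the metadata option carried by VRT rules. The following script, an added example that is not pfSense package code, shows what "Use IPS Policy" amounts to: it keeps only the rules tagged for the chosen policy and comments out the rest. It assumes the VRT metadata layout `metadata:policy connectivity-ips drop, policy balanced-ips drop, ...`; the sample rule file, its SIDs and its content strings are constructed for the example, and the simple split on `;` does not cope with content strings containing an escaped `\;`.

```python
"""Select Snort rules by IPS policy metadata (added example, not pfSense package code).

Assumption: rules in the Snort VRT set carry options such as
'metadata:policy connectivity-ips drop, policy balanced-ips drop, ...';
rules without a 'policy <name>-ips' entry are left disabled when a policy is
applied. Splitting options on ';' is good enough for these constructed rules
but not for content strings containing an escaped '\\;'.
"""
import re
from typing import Dict, List, Tuple

POLICIES = ("connectivity", "balanced", "security")

# Constructed sample rule file: SIDs, content and messages are made up.
SAMPLE_RULES = r"""
# constructed rule set: a '#' prefix means the rule is disabled
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS example SMB overflow"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP example directory traversal"; flow:to_server,established; content:"../../"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SERVER-MSSQL example probe"; flow:to_server,established; content:"|12 01|"; metadata:policy security-ips alert, service mssql; classtype:misc-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE example beacon"; flow:to_server,established; content:"beacon"; classtype:trojan-activity; sid:9000004; rev:1;)
"""

# Matches '# alert tcp ... (options)' or 'alert tcp ... (options)'; the header has no '('.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|sdrop|reject|pass|log)\s+"
    r"(?P<header>[^(]+)\((?P<opts>.*)\)\s*$"
)


def rule_policies(opts: str) -> Dict[str, str]:
    """Return {policy: action} from the metadata option, e.g. {'balanced': 'drop'}."""
    found: Dict[str, str] = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt.startswith("metadata:"):
            continue
        for item in opt[len("metadata:"):].split(","):
            parts = item.split()
            if len(parts) == 3 and parts[0] == "policy" and parts[1].endswith("-ips"):
                found[parts[1][: -len("-ips")]] = parts[2]
    return found


def rule_sid(opts: str) -> int:
    """Return the rule's sid option, or -1 if it has none."""
    m = re.search(r"(?:^|;)\s*sid\s*:\s*(\d+)", opts)
    return int(m.group(1)) if m else -1


def apply_policy(rules_text: str, policy: str) -> Tuple[str, List[int], List[int]]:
    """Rewrite a rules file so only rules tagged for `policy` stay enabled.

    Returns (new_text, enabled_sids, disabled_sids). Comments and blank lines
    pass through unchanged; a rule that was commented out is re-enabled if the
    policy wants it, and every rule the policy does not list is commented out.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}, expected one of {POLICIES}")
    out, enabled, disabled = [], [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            out.append(line)
            continue
        rule = line.lstrip().lstrip("#").lstrip()  # bare rule text without '#'
        sid = rule_sid(m.group("opts"))
        if policy in rule_policies(m.group("opts")):
            out.append(rule)
            enabled.append(sid)
        else:
            out.append("# " + rule)
            disabled.append(sid)
    return "\n".join(out), enabled, disabled


if __name__ == "__main__":
    # Shows the nesting Bill describes: connectivity is a subset of balanced,
    # which is a subset of security; the untagged rule is never selected.
    for pol in POLICIES:
        _, on, off = apply_policy(SAMPLE_RULES, pol)
        print(f"{pol:13s} enabled={on} disabled={off}")
```

Run against the constructed file, CONNECTIVITY keeps one rule, BALANCED two and SECURITY three; the rule with no policy metadata (the kind a non-VRT category would contain) is disabled under every policy, which is why the GUI's policy selector only makes sense for the VRT package.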
-
I'm taking my first steps with IDSs as well, and noticed that it was ludicrously slow to start too. I was using the Balanced IPS policy though; I might give the Connectivity one a try.
I had a baffling issue with Snort though: when I suppressed alerts or even disabled rules completely (such as those in the HTTP inspections), it kept generating alerts all the same, albeit stating they were already disabled. I tried leaving it to its own devices for a day, thinking it might just take it a long time to reload the rules, but it kept showing alerts and dropping packets (in block mode) even for rules that had both alerts and the rule itself disabled. Is this normal behaviour?
-
You probably had multiple processes running on the same interface. That can happen if your Snort instance is very slow starting. Some "restart all packages" processes kicked off for other reasons by pfSense can result in Snort getting "started" multiple times on an interface. Those duplicate processes will not honor any future config changes you make until they are stopped or the firewall is rebooted. I have tried many approaches to prevent this in the package software, but have thus far been unsuccessful. There are still some instances where duplicate Snort processes can get started on the same interface.
Bill
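A quick way to confirm the duplicate-process situation described above is to group the running Snort processes by the interface they were started on. The script below is an added example, not part of the pfSense package; it assumes each instance carries `-i <interface>` on its command line and that `ps -axww -o pid=,command=` prints one `<pid> <command ...>` line per process. The `SAMPLE_PS` lines are constructed, including the `-R`/`-l`/`-c` argument layout, so treat that layout as an assumption rather than a description of what the package really passes.

```python
"""Find duplicate Snort processes on one interface (added example, not pfSense package code).

Assumption: each Snort instance is started with '-i <interface>' on its command
line, and 'ps -axww -o pid=,command=' prints one '<pid> <command ...>' line per
process. The SAMPLE_PS lines below are constructed for this example.
"""
import os
import re
import shlex
import subprocess
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed 'ps' output: two Snort processes on em0, one on em1, plus noise.
SAMPLE_PS = """\
  101 /usr/local/bin/snort -R 46345 -D -q -l /var/log/snort/snort_em046345 -c /usr/local/etc/snort/snort_46345_em0/snort.conf -i em0
  102 /usr/local/bin/snort -R 46345 -D -q -l /var/log/snort/snort_em046345 -c /usr/local/etc/snort/snort_46345_em0/snort.conf -i em0
  103 /usr/local/bin/snort -R 52211 -D -q -l /var/log/snort/snort_em152211 -c /usr/local/etc/snort/snort_52211_em1/snort.conf -i em1
  104 /bin/sh /usr/local/etc/rc.d/snort.sh start
  105 grep snort
"""

PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<cmd>\S+)(?P<args>.*)$")


def interface_of(args: str) -> str:
    """Return the value following '-i' in a Snort argument string, or '' if absent."""
    tokens = shlex.split(args)
    for i, tok in enumerate(tokens):
        if tok == "-i" and i + 1 < len(tokens):
            return tokens[i + 1]
    return ""


def snort_by_interface(ps_lines: Iterable[str]) -> Dict[str, List[int]]:
    """Map interface name -> PIDs of snort binaries listening on it.

    Wrapper shells and the 'grep snort' line are skipped because their command
    is not the snort binary itself.
    """
    by_iface: Dict[str, List[int]] = defaultdict(list)
    for line in ps_lines:
        m = PS_RE.match(line)
        if m is None or os.path.basename(m.group("cmd")) != "snort":
            continue
        iface = interface_of(m.group("args"))
        if iface:
            by_iface[iface].append(int(m.group("pid")))
    return dict(by_iface)


def duplicates(by_iface: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Interfaces that have more than one Snort process attached."""
    return {iface: pids for iface, pids in by_iface.items() if len(pids) > 1}


def live_ps_lines() -> List[str]:
    """Read the real process table (FreeBSD/pfSense syntax)."""
    out = subprocess.run(["ps", "-axww", "-o", "pid=,command="],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    try:
        lines = live_ps_lines()
    except (OSError, subprocess.CalledProcessError):
        print("ps not available here; using the constructed sample instead")
        lines = SAMPLE_PS.splitlines()
    dup = duplicates(snort_by_interface(lines))
    if not dup:
        print("no duplicate Snort processes found")
    for iface, pids in dup.items():
        print(f"{iface}: {len(pids)} Snort processes, pids {pids}")
```

If an interface shows more than one PID, stop that Snort instance from the GUI, check again, and kill any PIDs that remain before starting it again; as Bill notes, the leftover processes keep running the rule set they were started with until they are stopped or the firewall reboots, which explains alerts from rules you have already disabled.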
-
Thank you Mr Bill, I will explore it.