Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort time from detection to block

    Scheduled Pinned Locked Moved IDS/IPS
    5 Posts 3 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dcol Banned
      last edited by

      The Snort time from detection to block is not helping me. Is there a way to inspect the packet and then pass it only if it passes the snort rule? I use snort only for one port on my email server, so a delay in the packets is no big deal, but the packets getting through are. Snort is only effective for the next time a bad IP comes in.

      Any suggestions?

      1 Reply Last reply Reply Quote 0
      • F
        fsansfil
        last edited by

        Instead of a DROP rule, create one with PASS with Suricata inline.

        pfsense doesnt support snort inline yet, maybe when version 3  comes out.

        F.

        1 Reply Last reply Reply Quote 0
        • P
          Paint
          last edited by

          maybe write your own custom Snort Rules: custom.rules?

          http://archive.oreilly.com/pub/h/1393

          pfSense i5-4590
          940/880 mbit Fiber Internet from FiOS
          BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
          Netgear R8000 AP (DD-WRT)

          1 Reply Last reply Reply Quote 0
          • D
            dcol Banned
            last edited by

            So I can do this with Suricata?
            Is there a FAQ somewhere to explain using inline. I assume using this allows Suricata to review and drop the packet before it can be delivered.

            I already write my own custom rules. I was hoping there were some commands I could use. I understand the snort rules are compatible with Suricata too.

            1 Reply Last reply Reply Quote 0
            • D
              dcol Banned
              last edited by

              Reading up on Suricata looks like the answer to my needs now that the inline option is available.
              Thanks

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.