PfSense as an inside IDS sensor

  • I've been fiddling with Security Onion for the past few days, and I'm not crazy about the UI. I'm looking for an IDS setup to monitor internal client to server traffic. How much of the sensor and/or collector functionality could be duplicated with pfSense? Could I have Snort do IDS only inspection via a series of SPANs/port mirrors? Can I review/download Barnyard entries from within pfSense? Any gotchas that anyone knows of? Thanks.

  • Well, I've been playing with it for a while, and my first hurdle was getting pfSense to acknowledge/see traffic not actually destined for it on the monitor interface(s). Creating a bridge group seems to be the solution, but Snort needs to still monitor the actual interface(s), and not the bridge for it to work.

    My second hurdle is with Barnyard. The config page made it seem as though I could possibly nab packet captures/dumps right from the UI, which seems to be incorrect. So, that means pfSense is only usable as a sensor, which is fine. Its ability to disable/suppress Snort rules/alerts is way ahead of what the SO people are doing. So I've been working on getting Barnyard2 in pfSense to push the events into Security Onion's MySQL database. I found an older how-to on the Spiceworks forum, but it seems to no longer be valid. Security Onion no longer uses Snorby and instead now uses Sguil.

    The next step is probably to ask the Security Onion people for help. Anyone have any insight?