Stupid SNORT question…
-
If pfSense by default blocks all incoming traffic (except for explicit rules I add), when I see alerts from SNORT (I don't have blocking enabled), does this mean that "attack" was blocked by the pfSense Firewall even though SNORT is not enabled to block? PfSense allows incoming responses to outgoing traffic so unless my home network has been compromised, I would think that just using the default firewall is good enough to block attacks from the outside in?
I'm not a firewall/security guy, but I'm pretty solid with technology in general. My Alerts log is full of alerts but I have no idea what's a real threat and what's not. For home use, I'm trying to understand how to enable the right SNORT rules so I can turn on blocking and then know how to identify when an Alert is a real threat so I can take action or block. I'm afraid if I just enable blocking, it's going to break the internet access at home and my family is going to throw a fit…
-
anyone? Bueller?
-
Snort wouldn't show pfSense firewall logs in alerts. Whatever Snort is showing is based on the rules or policy you set. 99% of the time pfSense standalone is enough for home users, but Snort on top is just a plus.
There is no easy way of tweaking IPS/IDS; it's trial and error. The best way is to put it in the Connectivity IPS policy and see what a day's worth of alerts you get in your network. If anything like apps or a website you visit isn't working, check out the block alert. What I tell people is: clear the block list, then visit or use the app again. If it shows up, just add it to the suppress list, and do it over and over until you get everything tweaked out.
Of course I've been in the security world for a long time, so it's easy for me to determine a false positive, but if you're unsure there's Google. Most of the time, if you are sure the site/app is legit, then there's no harm in adding it to the list. Just stick to what you are certain of.
GL!
-
There are a few threads here on the forum about configuring Snort. Look for the Suppress List thread in particular. It will give you some ideas on which rules frequently false positive and should be either suppressed or disabled.
Bill
-
Thanks for the info.
bmeeks, I was looking at your sticky post: Quick Snort Setup Instructions for New Users, and post #3 has a response about disabling rules vs. using suppression lists. Is disable vs. suppress one of those religious debates where there isn't a right or wrong answer?
-
With today's highly capable hardware, "yes" it is sort of a religious debate. If you have super heavy traffic loads or marginal hardware for the task (low memory, slow CPU, etc.), then disabling is better than suppressing. Just be careful and don't willy-nilly disable flowbit required rules. Search for "flowbits" in this sub-forum to find some of my responses to others about the importance of flowbit rules.
Bill
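The "clear the block list, use the app again, suppress what fires" loop above is easier when you can see which rule keeps firing from which address. Here is an added example (not code from the thread or from pfSense) that parses Snort's one-line alert_fast format, tallies hits per (gid, sid, source IP), and renders the noisy pairs as suppress-list lines in Snort's threshold.conf `suppress` syntax for you to review; the log lines, IPs and SIDs are constructed.

```python
import re
from collections import Counter

# Snort "alert_fast" one-line format (real format; sample lines are constructed).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample: one site (192.0.2.10) trips the same rule three times,
# two other alerts fire once each.
SAMPLE_ALERTS = """\
03/01-10:15:02.123456  [**] [1:2012345:3] ET POLICY Example noisy rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:443 -> 10.0.0.5:51234
03/01-10:16:40.000001  [**] [1:2012345:3] ET POLICY Example noisy rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:443 -> 10.0.0.7:50111
03/01-10:17:11.500000  [**] [1:2099999:1] ET SCAN Example single hit [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4444 -> 10.0.0.5:22
03/01-10:20:05.250000  [**] [1:2012345:3] ET POLICY Example noisy rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:443 -> 10.0.0.5:51300
03/01-10:21:33.000000  [**] [1:2100366:7] GPL ICMP example [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.1
"""

def parse_alerts(text):
    """Return one dict per well-formed alert_fast line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def suppression_candidates(alerts, min_hits=3):
    """(gid, sid, src) keys where a single source tripped one rule >= min_hits times."""
    counts = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return sorted((key, n) for key, n in counts.items() if n >= min_hits)

def suppress_entries(candidates):
    """Render threshold.conf 'suppress' lines (track by_src) for manual review."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (gid, sid, src), _ in candidates]

if __name__ == "__main__":
    cands = suppression_candidates(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid, src), n in cands:
        print(f"{n} hits: gid {gid} sid {sid} from {src}")
    for entry in suppress_entries(cands):
        print(entry)
```

Only add an entry after you have confirmed the source is a site or app you trust, as the advice above says; a single-hit rule from an unknown address is exactly the kind of alert you want to keep seeing.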