IDS/IPS with pfblockerNG



  • Hi there, I could use some advice on the subject. Maybe it's in the wrong spot, but as pfblockerNG is my starting point and an IDS is my next step, I placed it here (if an admin wants me to move it, no worries). What can anyone advise me: Suricata or Snort in combination with pfblockerNG?

    Thanks for any help, pointers or advice.

    Cheers Qinn



  • I can't speak much about Suricata but I have been using Snort with pfBlocker, no compatibility issues… the one problem I had was geo blocking Brazil. A Brazil University was the destination for a Snort rule...

    https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

    I would defer to Suricata users for their thoughts...



  • @V3lcr0:

    I can't speak much about Suricata but I have been using Snort with pfBlocker, no compatibility issues… the one problem I had was geo blocking Brazil. A Brazil University was the destination for a Snort rule...

    https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

    I would defer to Suricata users for their thoughts...

    Thanks, of course I still would like to know some thoughts from Suricata users, but can you advise on some good info/setup/video for a Snort newbie?



  • bmeeks put a great guide together, a little dated but still a good thread…(thanks bmeeks!)
    https://forum.pfsense.org/index.php?topic=61018.0

    This is a more recent thread:
    https://doc.pfsense.org/index.php/Setup_Snort_Package

    This will get you going...

    My suggestions would be:

    1. When you set up the interfaces, resist the temptation to "Block Offenders" at the start... you can use it as an IDS then move to IPS. It will block a lot!
    2. Use the "Snort VRT IPS Policy Selection" to start, depending on your needs... i.e. Balanced/Connectivity/Security
    3. Use the "Service_Watchdog" package as well in case it stops...

    I think any of the IDS/IPS packages use hardware resources... so make sure your setup is strong enough... not hard to set up! Requires some attention to get going... quite a few false positives to start that block traffic (hence start with IDS to start).

    Good luck...
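Suggestion 1 above (run Snort as an IDS first and only switch to blocking once the false positives are understood) implies a review step: read the alert log, see which signatures fire repeatedly and from where, and decide what to suppress before "Block Offenders" is enabled. The script below is an added example, not code from this thread or from the pfSense Snort package. It parses Snort "fast" format alert lines (the format the package writes to its alert log), counts hits per signature, and proposes entries in Snort's `suppress gen_id ..., sig_id ...` syntax for low-priority signatures that keep firing. The sample alert lines, their SIDs (in the local 1000000+ range) and messages are constructed for the example; the "low priority and repeated" rule for picking candidates is this example's own heuristic, and anything it proposes should still be reviewed by hand before being pasted into the package's Suppress list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort "fast" format alert lines. SIDs are in the
# local 1000000+ range and the messages are invented for this example;
# none of these are real rules or real alerts from the thread.
SAMPLE_ALERTS = """\
01/21-09:12:01.123456  [**] [1:1000001:1] EXAMPLE inbound connection to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:54321 -> 10.0.0.5:3306
01/21-09:12:05.223456  [**] [1:1000001:1] EXAMPLE inbound connection to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:54322 -> 10.0.0.5:3306
01/21-09:13:10.323456  [**] [1:1000002:1] EXAMPLE package-manager user agent outbound [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.7:41000 -> 198.51.100.20:80
01/21-09:13:12.423456  [**] [1:1000002:1] EXAMPLE package-manager user agent outbound [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.7:41002 -> 198.51.100.20:80
01/21-09:13:15.523456  [**] [1:1000002:1] EXAMPLE package-manager user agent outbound [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.7:41004 -> 198.51.100.20:80
01/21-09:15:00.623456  [**] [1:1000003:1] EXAMPLE TLS session to update server [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.7:45000 -> 198.51.100.30:443
01/21-09:15:02.723456  [**] [1:1000003:1] EXAMPLE TLS session to update server [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.8:45001 -> 198.51.100.30:443
01/21-09:20:44.823456  [**] [1:1000004:1] EXAMPLE ICMP echo from outside [**] [Priority: 1] {ICMP} 203.0.113.5 -> 10.0.0.1
"""

# Snort fast-alert layout: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port].
# Ports are optional because ICMP alerts carry none. IPv4 only here.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alerts(text):
    """Parse every line that looks like an alert; silently skip anything else."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Hit count per signature, most frequent first: [((gid, sid, msg), count), ...]."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common()


def suppress_candidates(alerts, min_count=2, low_priority=3):
    """Propose Snort suppress entries for signatures that fired at least
    min_count times and never above 'low' priority (Snort: 1 = high, 3 = low).
    A signature seen from a single source gets a by_src suppression; one seen
    from several sources gets a global one. Heuristic only; review by hand."""
    per_sig = defaultdict(list)
    for a in alerts:
        per_sig[(a["gid"], a["sid"])].append(a)
    proposals = []
    for (gid, sid), hits in sorted(per_sig.items()):
        if len(hits) < min_count:
            continue
        if min(h["priority"] for h in hits) < low_priority:
            continue  # at least one medium/high priority hit: keep alerting
        sources = {h["src"] for h in hits}
        if len(sources) == 1:
            proposals.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {sources.pop()}")
        else:
            proposals.append(f"suppress gen_id {gid}, sig_id {sid}")
    return proposals


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed")
    for (gid, sid, msg), n in summarize(alerts):
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("\nCandidate suppress entries (review before use):")
    for line in suppress_candidates(alerts):
        print(" ", line)
```

Run against a real alert log with `parse_alerts(open("/var/log/snort/alert").read())` (the path is the usual Snort location, an assumption here, not taken from the thread). The medium-priority inbound signature is deliberately left alone because the heuristic only suppresses signatures that never exceed priority 3; a signature worth blocking once you move to IPS should never be hidden just because it is noisy.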

