Netgate Discussion Forum

    Questions about running SNORT in PfSense

    Category: IDS/IPS | 4 Posts, 2 Posters, 1.2k Views
    weet9342 (last edited by weet9342):

      Hello guys, first of all, take it easy on me, I'm a beginner in PfSense and IDS / IPS. Currently, I have PfSense 2.3.4 with the SNORT package installed. Firstly, I'm having an issue with the Enable RULES OpenAppID. They just won't download and I have no clue why. But I don't think that it is a major issue, at least for now, since I'm just messing around and learning as much as I can about SNORT and PfSense.

      My first question is fairly simple: how do I know if the SNORT rules work? Most of the alerts I receive are almost the same, and honestly I'm not quite sure if that's normal since there are so many rules. I've created a rule to alert me if it detects a ping. Is that enough to assure it is working properly?

      Another question is: I want to evaluate SNORT's performance, any tips?

      Any help is appreciated, thanks

      NogBadTheBad:

        @weet9342 said in Questions about running SNORT in PfSense:

        Another question is: I want to evaluate SNORT's performance, any tips?
        Any help is appreciated, thanks

        Post your ping rule.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        weet9342:

          My ping rule is super simple, just wanted to see if it detects something, and it does.

          alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)

          Is there a way to generate traffic that might get blocked / detected by SNORT?

          NogBadTheBad (last edited by NogBadTheBad):

            OpenAppID rules seem to download fine for me.

            What interface are you running snort on?

            Run it on your LAN as you then see hosts pre NAT.

            Yup the ping rule is a good test to see if snort is working.

            If you change your ICMP rule slightly :-

            alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)

            alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)

            It should block outbound ICMP traffic.

            andy@pi-3:~ $ ping 8.8.8.8
            PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
            64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
            ^C
            --- 8.8.8.8 ping statistics ---
            6 packets transmitted, 1 received, 83% packet loss, time 5160ms
            rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
            andy@pi-3:~ $ ping 8.8.8.8
            PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
            ^C
            --- 8.8.8.8 ping statistics ---
            3 packets transmitted, 0 received, 100% packet loss, time 2064ms

            andy@pi-3:~ $

            [attached image: Untitled.jpeg]

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.