Questions about running SNORT in PfSense
-
Hello guys, first of all, take it easy on me, I'm a beginner in PfSense and IDS / IPS. Currently, I have PfSense 2.3.4 with the SNORT package installed. Firstly, I'm having an issue with the Enable RULES OpenAppID. They just won't download and I have no clue why. But I don't think that it is a major issue, at least for now, since I'm just messing around and learning as much as I can about SNORT and PfSense.
My first question is fairly simple: how do I know if the SNORT rules work? Most of the alerts I receive are almost the same and honestly I'm not quite sure if that's normal since there are so many rules. I've created a rule to alert me if it detects a ping. Is that enough to assure it is working properly?
Another question is: I want to evaluate SNORT's performance, any tips ?
Any help is appreciated, thanks
-
@weet9342 said in Questions about running SNORT in PfSense:
Another question is: I want to evaluate SNORT’s performance, any tips ?
Any help is appreciated, thanks
Post your ping rule.
-
My ping rule is super simple, just wanted to see if it detects something, and it does.
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
Is there a way to generate traffic that might get blocked / detected by SNORT ?
-
OpenAppID rules seem to download fine for me.
What interface are you running snort on ?
Run it on your LAN as you then see hosts pre NAT.
Yup the ping rule is a good test to see if snort is working.
If you change your ICMP rule slightly :-
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)
It should block outbound ICMP traffic.
andy@pi-3:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 1 received, 83% packet loss, time 5160ms
rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
andy@pi-3:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms
andy@pi-3:~ $
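Rules pasted through a forum or a word processor pick up the kind of mistakes that make Snort refuse a local.rules file (typographic quotes, a sid reused by two rules, a missing classtype), and the only symptom is a rule that never fires. The checker below is an added example, not code from the thread or from the pfSense Snort package; the sample rules are constructed copies modelled on the ones posted above, and the option parser assumes the usual `key:value;` option layout.

```python
import re
from collections import Counter

# Constructed sample rules modelled on the ICMP test rules in this thread.
# Rule 1 uses typographic quotes and repeats the sid of rule 0 on purpose.
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)',
    'alert icmp $HOME_NET any -> !$HOME_NET any (msg:\u201cICMP test\u201d; sid:10000001; rev:001;classtype:misc-activity;)',
    'alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000002; rev:1; classtype:icmp-event;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$')
# key, optionally ':' value (a double-quoted string may contain ';'), then ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
CURLY_QUOTES = '\u201c\u201d\u2018\u2019'

def parse_rule(rule):
    """Return header fields plus an 'options' dict, or None if the header is malformed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None
    parsed = m.groupdict()
    parsed['options'] = {k: v.strip() for k, v in OPTION_RE.findall(m.group('options'))}
    return parsed

def lint_rules(rules):
    """Return (rule_index, problem) tuples; index -1 marks file-wide problems such as a reused sid."""
    findings, sids = [], Counter()
    for i, rule in enumerate(rules):
        if any(ch in rule for ch in CURLY_QUOTES):
            findings.append((i, 'typographic quotes; Snort needs plain ASCII " quotes'))
        parsed = parse_rule(rule)
        if parsed is None:
            findings.append((i, 'rule header does not parse'))
            continue
        opts = parsed['options']
        sid = opts.get('sid')
        if sid is None:
            findings.append((i, 'missing sid'))
        else:
            sids[sid] += 1
            if not sid.isdigit() or int(sid) < 1000000:
                findings.append((i, 'local rules should use sid >= 1000000'))
        for required in ('msg', 'classtype'):
            if required not in opts:
                findings.append((i, f'missing {required}'))
    findings.extend((-1, f'sid {s} used {n} times; each rule needs a unique sid')
                    for s, n in sids.items() if n > 1)
    return findings
```

Running `lint_rules(SAMPLE_RULES)` flags the missing classtype on the first rule, the curly quotes on the second and the shared sid, which is what you would check before wondering why a test ping produces no alert.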