Questions about running SNORT in pfSense



  • Hello guys, first of all, take it easy on me, I'm a beginner in pfSense and IDS / IPS. Currently, I have pfSense 2.3.4 with the SNORT package installed. Firstly, I'm having an issue with the Enable RULES OpenAppID. They just won't download and I have no clue why. But I don't think that it is a major issue, at least for now, since I'm just messing around and learning as much as I can about SNORT and pfSense.

    My first question is fairly simple: how do I know if the SNORT rules work? Most of the alerts I receive are almost the same, and honestly I'm not quite sure if that's normal since there are so many rules. I've created a rule to alert me if it detects a ping. Is that enough to assure it is working properly?

    Another question is: I want to evaluate SNORT's performance, any tips?

    Any help is appreciated, thanks.


  • Galactic Empire

    @weet9342 said in Questions about running SNORT in pfSense:

    Another question is: I want to evaluate SNORT's performance, any tips?
    Any help is appreciated, thanks.

    Post your ping rule.



  • My ping rule is super simple; I just wanted to see if it detects something, and it does.

    alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)

    Is there a way to generate traffic that might get blocked / detected by SNORT?


  • Galactic Empire

    OpenAppID rules seem to download fine for me.

    What interface are you running snort on?

    Run it on your LAN, as you then see hosts pre-NAT.

    Yup, the ping rule is a good test to see if snort is working.

    If you change your ICMP rule slightly:

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)

    It should block outbound ICMP traffic.

    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    6 packets transmitted, 1 received, 83% packet loss, time 5160ms
    rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2064ms

    andy@pi-3:~ $

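As an added example (not code from this thread, nor from the Snort or pfSense projects), the Python script below parses the header part of the two rule variants posted above and checks them against constructed packet tuples, then tallies constructed alert_fast-style log lines by SID. It assumes a HOME_NET of 192.168.1.0/24 (pfSense derives its own from the interface addresses) and the standard alert_fast line layout; the pfSense package's own alert log may use a different format. Only the rule syntax used in the thread is supported (any, $VAR, !$VAR, a single IP or CIDR, a port or lo:hi range, -> or <>); rule options are read only for sid, rev, msg and classtype.

```python
"""Snort rule-header matcher and alert tally (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Assumed HOME_NET definition; pfSense builds its own from the interface addresses.
VARS = {"HOME_NET": ["192.168.1.0/24"]}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")
# alert_fast line: MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def parse_rule(text):
    """Split a one-line rule into its header fields plus sid/rev/msg/classtype."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = m.groupdict()
    opts = dict(OPTION_RE.findall(rule.pop("opts")))
    rule["sid"] = int(opts.get("sid", "0"))
    rule["rev"] = int(opts.get("rev", "0"))      # rev:001 parses as 1, as Snort does
    rule["msg"] = opts.get("msg", "").strip().strip('"')
    rule["classtype"] = opts.get("classtype")
    return rule


def _addr_matches(spec, ip):
    """any / $VAR / !$VAR / IP / CIDR against a dotted-quad string."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    nets = VARS[spec[1:]] if spec.startswith("$") else [spec]
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return not hit if negate else hit


def _port_matches(spec, port):
    """any / N / lo:hi, optionally negated. ICMP rules carry 'any' here."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return not hit if negate else hit


def _one_way(rule, src, sport, dst, dport):
    return (_addr_matches(rule["src"], src) and _port_matches(rule["sport"], sport)
            and _addr_matches(rule["dst"], dst) and _port_matches(rule["dport"], dport))


def header_matches(rule, proto, src, sport, dst, dport):
    """True if the rule header selects this packet (rule options are not evaluated)."""
    if rule["proto"] not in (proto, "ip"):
        return False
    if _one_way(rule, src, sport, dst, dport):
        return True
    return rule["dir"] == "<>" and _one_way(rule, dst, dport, src, sport)


def tally_alerts(lines):
    """Count alert_fast lines by (sid, msg); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(2)), m.group(4))] += 1
    return counts


# The two rule variants from the thread.
ORIGINAL_RULE = 'alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)'
OUTBOUND_RULE = ('alert icmp $HOME_NET any -> !$HOME_NET any '
                 '(msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)')

# Constructed alert_fast-style lines: one ping seen as echo request plus echo reply,
# plus one alert from a second, made-up rule (SID and message are placeholders).
SAMPLE_ALERTS = [
    "05/31-10:23:45.123456  [**] [1:10000001:1] ICMP test [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 8.8.8.8",
    "05/31-10:23:45.138201  [**] [1:10000001:1] ICMP test [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 8.8.8.8 -> 192.168.1.10",
    "05/31-10:24:01.000001  [**] [1:1000002:1] CONSTRUCTED second rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51000 -> 203.0.113.5:80",
]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULE), ("outbound-only", OUTBOUND_RULE)):
        rule = parse_rule(text)
        print(name, "request:", header_matches(rule, "icmp", "192.168.1.10", 0, "8.8.8.8", 0),
              "reply:", header_matches(rule, "icmp", "8.8.8.8", 0, "192.168.1.10", 0))
    for (sid, msg), n in sorted(tally_alerts(SAMPLE_ALERTS).items()):
        print("sid %d (%s): %d alert(s)" % (sid, msg, n))
```

Running it shows what the rewritten header changes: the original `any any -> any any` header selects both the echo request and the echo reply, so each ping yields two near-identical alerts, while `$HOME_NET any -> !$HOME_NET any` selects only the outbound leg and ignores LAN-to-LAN traffic entirely. Tallying the alert log by SID is the quick way to confirm that a test rule has fired at all and to see which rules account for the repetitive entries.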

