4. Questions about running SNORT in PfSense

Questions about running SNORT in PfSense

  • W

    Hello guys, first of all, take it easy on me, i'm a begginer in PfSense and IDS / IPS. Currently, i'm have PfSense 2.3.4 with SNORT package installed. Firstly, i'm having and issue with the Enable RULES OpenAppID. They just wont download and i have no clue why. But i dont think that it is a major issue, at least for now since i'm just messing around and learning as much as i can about SNORT and PfSense.

    My first question is fairly simple, how do i know if the SNORT rules work ? Most of the alerts i receive are almost the same and honestly i'm not quite sure if thats normal since there are so many rules. I've created a rule to alert me if it detects a ping. Is that enough to assure it is working properly ?

    Another question is: I want to evaluate SNORT's performance, any tips ?

    Any help is appreciated, thanks

    0
  • Galactic Empire

    @weet9342 said in Questions about running SNORT in PfSense:

    Another question is: I want to evaluate SNORT’s performance, any tips ?
    Any help is appreciated, thanks

    Post your ping rule.

    1
  • W

    My ping rule is super simple, just wanted to see if it detects something, and it does.

    alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)

    Is there a way to generate traffic that might get blocked / detected by SNORT ?

    0
  • Galactic Empire

    OpenAppID rules seem to download fine for me.

    What interface are you running snort on ?

    Run it on your LAN as you then see hosts pre NAT.

    Yup the ping rule is a good test to see if snort is working.

    If you change your ICMP rule slightly :-

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:“ICMP test”; sid:10000001; rev:001;classtype:misc-activity;)

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:“ICMP test”; sid:10000001; rev:001;classtype:icmp-event;)

    It should block outbound ICMP traffic.

    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    6 packets transmitted, 1 received, 83% packet loss, time 5160ms
    rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2064ms

    andy@pi-3:~ $

    0_1527847252298_Untitled.jpeg

    1
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy