Netgate Discussion Forum
    Ability to run snort as IPS

    gbqs

      Hi

      I've just configured Netgate with snort and written some custom signatures. I've noticed that I had to enable an alert, rather than a drop and assume that this then triggers a firewall rule to drop the traffic, so the 1st packet flow that triggers the rule is permitted, then subsequent packets are blocked.

      My Q is, is there any way to run snort as a pure IPS (so packets flow through and are blocked, rather than allowing the triggering packet through and then blocking the IP address).

      If there is no way with Snort, would Suricata be a valid method to do this?

      Many thanks

      bmeeks @gbqs

        @gbqs
        Snort cannot run as a true inline IPS at this time on pfSense. Suricata can, providing you have NIC hardware whose drivers fully support Netmap on FreeBSD. Not all do, so beware.

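        To show what the inline mode bmeeks refers to looks like at the configuration level, here is an added example (not from this thread, and not the suricata.yaml that the pfSense package generates for you): a Suricata netmap IPS fragment with an alert rule beside its drop form. The interface name igb0 and the rule paths are placeholders.

```yaml
# suricata.yaml fragment (added example). igb0 is a placeholder interface name.
# In netmap IPS mode packets pass through Suricata before reaching the host
# stack, so a 'drop' rule discards the triggering packet itself instead of
# alerting and then adding a firewall block for the source address, which is
# the legacy-mode behaviour gbqs describes above.
netmap:
  - interface: igb0        # physical NIC; its FreeBSD driver must support netmap
    threads: auto
    copy-mode: ips         # "ips" forwards non-dropped packets to copy-iface;
                           # "tap" only inspects and forwards everything
    copy-iface: igb0^      # netmap's name for the host-stack side of igb0
  - interface: igb0^       # the reverse direction, host stack back out to the NIC
    threads: auto
    copy-mode: ips
    copy-iface: igb0

default-rule-path: /usr/local/etc/suricata/rules   # placeholder path
rule-files:
  - custom.rules

# custom.rules (placeholder file). Only the action keyword differs:
#   alert tcp any any -> $HOME_NET 23 (msg:"Telnet to LAN - alert only"; sid:1000001; rev:1;)
#   drop  tcp any any -> $HOME_NET 23 (msg:"Telnet to LAN - dropped inline"; sid:1000002; rev:1;)
# With copy-mode: ips the second rule drops the first matching packet; the first
# rule, or either rule in non-inline (pcap) mode, lets the packet through and
# only produces a log entry.
```

Start with `suricata -c /path/to/suricata.yaml --netmap` and confirm in eve.json that the alert record for sid 1000002 carries `"action": "blocked"` rather than `"allowed"`; that field is the quickest check that you are really running inline and not just logging.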
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.