snort and pfblockerNG in one box
-
hello
I'm a total newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience.
thank you
-
@publictoiletbowl said in snort and pfblockerNG in one box:
problem later on?
It will be a problem right now.
pfblockerNG-devel version 2.2.5_37 (as of today) is for experienced users.
Snort is a far more advanced tool. It's a toy for the experts. The "IDS/IPS" is hidden in an unbreakable TLS, so, today, we're in 2020, completely useless. If, by any chance, you became a TLS expert, you could play some MITM games. It is possible, although with some big trade-offs.
Ok, you could test if your LAN based clients break the rules with some signature, protocol, and anomaly-based inspection. That is, if you do not trust your LAN based clients, and you have to know if they send 'syntax errors' out over the internet.
Incoming traffic: just use no NAT rules, nor any other rule on your WAN, and you'll be fine for life.
-
Aside from "how to set it up" questions there's nothing preventing both from running on the same router. We do so on almost all the ones we have in service. There are overlaps, for instance pfBlocker has several feeds like DROP and DShield that are also in Snort, so no need to check twice.
-
@publictoiletbowl said in snort and pfblockerNG in one box:
hello
I'm a total newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience.
thank you
If you are also a newbie to administering an IDS/IPS such as Snort, I would suggest you not enable the blocking mode. At least not for several weeks. During that period of no blocking, examine the ALERTS tab daily to see what types of alerts are being logged. Research them and determine if they represent potential false positives for your network environment. For those rules generating what you determine to be false-positive alerts, you will want to disable the rule entirely or suppress the alert for certain hosts as you feel appropriate.
Administering an IDS/IPS is really for an expert in network security. It certainly is a skill that takes a long time to learn. For the majority of home networks, I don't recommend use of an IDS/IPS. If you are a curious type and want to invest the time to learn about the tool, then have at it. But be prepared for a lot of stuff to get blocked when you enable the blocking mode. Figuring out what is a false positive and what is an actual issue is where the "expert" earns his keep in the IDS/IPS world.
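The review-before-blocking routine described above can be made less tedious with a small tally script. The following is an added example, not code from the thread or from the pfSense Snort package: it parses constructed sample lines in Snort's standard "fast" alert format, counts hits per rule and per source host, and prints `suppress` entries in Snort's threshold.conf syntax for rules where a single host accounts for nearly all alerts (the usual shape of a false positive such as a VoIP phone tripping a STUN rule). The SIDs, hosts and messages are constructed, and the output is a list of candidates for the administrator to research, not rules to apply blindly.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort "fast" alert lines (not real alerts from the thread).
# SIDs 1000001/1000002 sit in the local-rule range; hosts are RFC 1918/5737 examples.
SAMPLE_ALERTS = """\
07/01-09:15:02.123456  [**] [1:1000001:1] LOCAL STUN binding request [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.20:50000 -> 198.51.100.7:3478
07/01-09:15:09.500000  [**] [1:1000001:1] LOCAL STUN binding request [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.20:50000 -> 198.51.100.7:3478
07/01-09:16:41.000001  [**] [1:1000002:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44312 -> 203.0.113.10:80
07/01-09:17:30.000002  [**] [1:1000001:1] LOCAL STUN binding request [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.20:50000 -> 198.51.100.7:3478
07/01-09:18:12.000003  [**] [1:1000002:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.9:51000 -> 203.0.113.10:80
"""

# Fast-format fields we care about: [gid:sid:rev], message, protocol, source and destination.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Return one dict per parsable fast-format line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def count_by_rule_and_source(alerts):
    """Map (gid, sid, msg) -> Counter of source IPs, so noisy rules and hosts stand out."""
    table = defaultdict(Counter)
    for a in alerts:
        table[(a["gid"], a["sid"], a["msg"])][a["src"]] += 1
    return table

def suppress_candidates(table, min_total=3, min_share=0.9):
    """Snort suppress lines (threshold.conf syntax) for rules where one source host
    produces nearly all hits. Review each one: a single noisy internal host can just
    as well be a misbehaving or infected client as a false positive."""
    lines = []
    for (gid, sid, msg), srcs in sorted(table.items()):
        total = sum(srcs.values())
        src, hits = srcs.most_common(1)[0]
        if total >= min_total and hits / total >= min_share:
            lines.append(f"# {msg}: {hits}/{total} alerts from {src}")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines

def analyze(text):
    """Full pipeline: alert text in, suppress-list candidate lines out."""
    return suppress_candidates(count_by_rule_and_source(parse_alerts(text)))

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_ALERTS)))
```

Rule 1000002 fires from two different hosts and so is not proposed for suppression; that split pattern is exactly the kind of alert worth investigating rather than silencing.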