Netgate Discussion Forum
    snort and pfblockerNG in one box

    IDS/IPS
    4 Posts 4 Posters 807 Views

    • publictoiletbowl
      hello

      I'm a total newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience.

      thank you

      • Gertjan @publictoiletbowl

        @publictoiletbowl said in snort and pfblockerNG in one box:

        problem later on?

        It will be a problem right now.
        pfblockerNG-devel version 2.2.5_37 (as of today) is for experienced users.
        snort is a far more advanced tool. It's a toy for the experts. The "IDS/IPS" is hidden in unbreakable TLS, so, today, we're in 2020, completely useless. If, by any chance, you become a TLS expert, you can play some MITM games. It is possible, although with some big trade-offs.
        Ok, you could test if your LAN based clients break the rules with some signature, protocol, and anomaly-based inspection. That is, if you do not trust your LAN based clients - and you have to know if they send 'syntax errors' out over the internet.
        Incoming traffic: just use no NAT rules, nor any other rule on your WAN, and you'll be fine for life.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • SteveITS

          Aside from "how to set it up" questions there's nothing preventing both from running on the same router. We do so on almost all the ones we have in service. There are overlaps, for instance pfBlocker has several feeds like DROP and DShield that are also in Snort, so no need to check twice.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • bmeeks @publictoiletbowl (last edited by bmeeks)

            @publictoiletbowl said in snort and pfblockerNG in one box:

            hello

            I'm a total newbie on pfSense and I'm learning now. Could running Snort and pfBlocker in one box be a problem later on? Please give me some advice based on your experience.

            thank you

            If you are also a newbie to administering an IDS/IPS such as Snort, I would suggest you not enable the blocking mode. At least not for several weeks. During that period of no blocking, examine the ALERTS tab daily to see what types of alerts are being logged. Research them and determine if they represent potential false positives for your network environment. For those rules generating what you determine to be false-positive alerts, you will want to disable the rule entirely or suppress the alert for certain hosts as you feel appropriate.

            Administering an IDS/IPS is really for an expert in network security. It certainly is a skill that takes a long time to learn. For the majority of home networks, I don't recommend use of an IDS/IPS. If you are a curious type and want to invest the time to learn about the tool, then have at it. But be prepared for a lot of stuff to get blocked when you enable the blocking mode. Figuring out what is a false positive and what is an actual issue is where the "expert" earns his keep in the IDS/IPS world.

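The non-blocking review period bmeeks describes above is, in practice, a daily triage of the ALERTS log: which rules fire, from which hosts, how often, and which of those turn out to be false positives to disable outright or suppress for particular hosts. The following Python script is an added example (it is not from this thread and not part of the pfSense Snort package) that runs that triage over constructed alert_fast-format log lines and turns the administrator's decisions into Snort suppress directives. The SIDs (1000001-1000003, in the local-rules range), hosts and rule messages in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "alert_fast" format; these are not from the
# thread. SIDs 1000001-1000003 are placeholders in the local-rules range, not
# real ruleset IDs.
SAMPLE_ALERTS = """\
03/01-08:12:01.000001  [**] [1:1000001:1] LOCAL example rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51000 -> 10.0.0.5:443
03/01-08:13:44.000002  [**] [1:1000001:1] LOCAL example rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51002 -> 10.0.0.5:443
03/01-09:02:10.000003  [**] [1:1000001:1] LOCAL example rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.21:40211 -> 10.0.0.5:443
03/01-09:30:00.000004  [**] [1:1000002:2] LOCAL example rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.30:5353 -> 224.0.0.251:5353
03/01-11:15:27.000005  [**] [1:1000003:1] LOCAL example rule C [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.168.1.1
this line is not an alert and is skipped
"""

# One alert_fast line: [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    return d


def summarize(lines):
    """Aggregate alerts by (gid, sid): total count plus per-source/per-dest counters."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        entry = summary.setdefault(
            (a["gid"], a["sid"]),
            {"msg": a["msg"], "proto": a["proto"], "count": 0,
             "sources": Counter(), "dests": Counter()})
        entry["count"] += 1
        entry["sources"][a["src"]] += 1
        entry["dests"][a["dst"]] += 1
    return summary


def review_order(summary):
    """Rows for the daily review, noisiest rule first:
    (count, gid, sid, msg, number of distinct source hosts)."""
    rows = [(e["count"], gid, sid, e["msg"], len(e["sources"]))
            for (gid, sid), e in summary.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def suppress_directives(decisions, summary):
    """Turn reviewed decisions into Snort threshold.conf-style suppress lines.

    decisions: iterable of (gid, sid, source_ip_or_None). None suppresses every
    alert from that rule; an IP suppresses only alerts from that host
    (track by_src). Each decision is checked against the summary so a typo in
    a SID or host is caught instead of silently emitting a directive that
    matches nothing.
    """
    out = []
    for gid, sid, host in decisions:
        entry = summary.get((gid, sid))
        if entry is None:
            raise ValueError(f"no alerts seen for {gid}:{sid}; check the SID")
        if host is None:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
        else:
            if host not in entry["sources"]:
                raise ValueError(f"{host} never triggered {gid}:{sid}")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {host}")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    for count, gid, sid, msg, nsrc in review_order(s):
        print(f"{count:5d}  {gid}:{sid:<8}  {nsrc} source(s)  {msg}")
    # Decisions an admin might record after researching the alerts (constructed).
    for line in suppress_directives([(1, 1000001, "192.168.1.20"), (1, 1000002, None)], s):
        print(line)
```

The emitted lines use Snort's own threshold.conf suppress syntax, which the pfSense Snort package's Suppress List accepts. Deciding which alerts are false positives is still the human step the post describes; the script only makes each decision explicit and checks it against what was actually logged, so a suppression for a host that never fired the rule is rejected rather than quietly doing nothing.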
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.