New Install Snort Fun
-
First off, pfSense is pure awesome! I cannot thank everybody who has worked on it enough; pfSense is just amazing.
Now then, I've installed pfSense 1.2.3-RC1 on some new-ish hardware (P4 1.6GHz, 768MB RDRAM (remember that?), 60GB HDD) and it is working frighteningly well as a firewall/proxy/router/IDS/Ice Cream Maker for our wi-fi network. I've installed Squid+Lightsquid+snort packages and it all seems to be working with the exception of, wait for it, snort.
Well, snort runs, but I have two instances of it running which I gather isn't quite standard. I do have it listening on both LAN and WAN, however both snorts seem to have glommed onto the WAN. I have uninstalled and re-installed the package (thanks JamesDean!!!) and still two processes of snort on WAN. To get snort running on LAN and WAN do I start hacking away at the snort.conf?
A second issue is that I do have the 'autoblock' check box checked, but I don't see snort2c running. So, I'm not quite sure what the mechanism is for this. The FAQ was pretty clear, but no snort2c. Am I missing something?
Thanks very much for pfSense!
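As an added check for the "two snorts, both on WAN" symptom described above (this is not from the original thread or from the pfSense package), the script below parses `ps auxww`-style output and reports, per interface, how many snort daemons are bound to it via `-i`. The sample `ps` lines are constructed; the interface names `xl0` (WAN) and `fxp0` (LAN) and the `/usr/local/bin/snort` path are assumptions, so substitute your own.

```shell
#!/bin/sh
# Constructed sample of `ps auxww | grep snort` output on a FreeBSD-based
# pfSense 1.2.x box (not real output from the poster's system). It shows the
# reported symptom: two snort daemons both bound to the assumed WAN NIC (xl0),
# none on the assumed LAN NIC (fxp0), plus a snort2c helper that must be ignored.
SAMPLE_PS='root  1201  0.0  5.1  52340 39844  ??  Ss  10:01AM 0:02.10 /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i xl0 -D
root  1233  0.0  5.1  52340 39812  ??  Ss  10:03AM 0:01.95 /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i xl0 -D
root  1300  0.0  0.2   3200  1024  ??  Is  10:03AM 0:00.01 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert'

# Read ps output on stdin; print "<iface> <count>" for every interface that
# at least one snort process (field 11 = command path ending in /snort) is
# bound to. snort2c and the ps header line do not match and are skipped.
snort_ifaces() {
    awk '
        $11 ~ /\/snort$/ {
            iface = "(no -i)"
            for (i = 12; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
            count[iface]++
        }
        END { for (k in count) printf "%s %d\n", k, count[k] }
    ' | sort
}

# Compare the live layout against the interfaces you expect snort on.
# Returns 0 only when every expected interface has exactly one snort daemon;
# duplicates (the reinstall leftover) and missing interfaces both fail.
check_snort() {
    expected="$1"            # space-separated list, e.g. "xl0 fxp0"
    status=0
    listing=$(snort_ifaces)  # consumes the ps output from stdin
    for want in $expected; do
        n=$(printf '%s\n' "$listing" | awk -v w="$want" '$1 == w { print $2 }')
        case "${n:-0}" in
            1) echo "ok: one snort on $want" ;;
            0) echo "missing: no snort on $want"; status=1 ;;
            *) echo "duplicate: $n snort processes on $want"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run against the constructed sample. On a real box replace the
# printf with:  ps auxww | check_snort "xl0 fxp0"
printf '%s\n' "$SAMPLE_PS" | check_snort "xl0 fxp0" || echo "snort layout needs fixing"
```

If the check reports a duplicate, the extra daemon is the stale one to kill before re-adding the interface in the package GUI; if it reports an interface as missing, the package never started a listener there, which is a configuration problem rather than a leftover process.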
-
Sometimes packages show up twice if they were reinstalled twice and the first time it didn't de-install all the way. It's more of a cosmetic thing to me. You could just reboot the firewall, or maybe de-install again and then reboot the firewall, then re-install.
Why do you have Snort on WAN and LAN???? It should be just WAN.
-
Hah, well, yeah, I did read that snort should listen on just the WAN ;D. I was thinking that it might be nice to also filter stuff as it goes out. And if we can find them and inform the user, that would be a bonus.
Anyway, it appears that snort is working as it should! One question I have, does snort block incoming packets even if the destination IP (the WAN IP) is whitelisted? It appears that it does, but most of the time I see alerts but no blockage. Is it pretty standard to just take the alert information and block the offending IP in the firewall?
-
I think WAN is redundant; if the firewall or admin is/are doing its job, it's just going to drive ya nuts. But LAN, I'd much rather keep tabs on my side just in case I have a machine or user trying to do something nasty. But I have been known to watch them both...
-
Good point. Since I am the one who set this thing up, I think I elected myself to be the admin for it. I do want it to be as stable and fuss free as it can be.
I'll change snort to watch the LAN side of the force and see how that works. I'm still amazed at how well pfSense works!
Next up will be getting SquidGuard working, but that's another topic of course.
Thanks!