Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort IPS

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 430 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      droidus
      last edited by

      I installed the Snort package. I've been looking for a way to configure Snort to block with Inline mode, acting as an IPS. The only relevant option I could find was "IPS Policy Selection". But when I look at my blocked traffic, it says that there are no hosts that are blocked.
      Is there any way to configure Snort, upon a rule activated, to drop that traffic? I was looking at a PFsense thread, and at the time, it didn't seem like there was any way to do this. But that was several years ago. If there is no way, just curious why there isn't?

      1 Reply Last reply Reply Quote 0
      • bmeeksB Offline
        bmeeks
        last edited by bmeeks

        There is an entire sub-forum here dedicated to the Snort and Suricata IDS/IPS packages. Here is a direct link: https://forum.netgate.com/category/53/ids-ips.

        At the top of that forum page you will find a number of Sticky Posts describing the various operating modes and how to configure them. This one should get you started: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions. Note in the linked post that not all hardware NICs support the netmap kernel device required for inline IPS operation. If your NIC does not support netmap, then you will have to switch to Legacy Blocking Mode.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.