Snort IPS
I installed the Snort package. I've been looking for a way to configure Snort to block in Inline mode, acting as an IPS. The only relevant option I could find was "IPS Policy Selection". But when I look at my blocked traffic, it says that there are no hosts that are blocked.
Is there any way to configure Snort, upon a rule being activated, to drop that traffic? I was looking at a pfSense thread, and at the time it didn't seem like there was any way to do this. But that was several years ago. If there is no way, I'm just curious why there isn't.
There is an entire sub-forum here dedicated to the Snort and Suricata IDS/IPS packages. Here is a direct link: https://forum.netgate.com/category/53/ids-ips.
At the top of that forum page you will find a number of Sticky Posts describing the various operating modes and how to configure them. This one should get you started: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions. Note in the linked post that not all hardware NICs support the netmap kernel device required for inline IPS operation. If your NIC does not support netmap, then you will have to switch to Legacy Blocking Mode.
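The distinction the reply draws matters at the rule level too: Snort only drops packets when a rule's action is `drop` and the sensor is actually running inline (netmap); in Legacy Blocking Mode the `drop` action behaves like `alert` and blocking is done by the package's host-blocking logic instead. The script below is an added example, not code from the page or from the Netgate Snort package. It assumes the Talos convention of tagging rules with `metadata:policy <name>-ips drop` (which the package's IPS Policy Mode keys off) and rewrites rule actions for a chosen policy, or forces every enabled rule to `drop`, so you can check what a rules file would actually block before loading it inline. The sample rules and SIDs are constructed for the demo.

```python
import re

# Constructed sample rules (not from the page). The metadata tags follow the
# assumed Talos convention `policy <name>-ips drop|alert`.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SSH brute force"; flow:to_server; sid:9000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed outbound test"; sid:9000002; rev:1; metadata:policy security-ips drop;)
# alert udp any any -> any 53 (msg:"disabled rule stays disabled"; sid:9000003; rev:1; metadata:policy balanced-ips drop;)
alert ip any any -> any any (msg:"no policy metadata"; sid:9000004; rev:1;)
"""

# Snort 2.x rule actions; the header is `<action> <proto> <src> <port> -> <dst> <port> (...)`.
ACTION_RE = re.compile(r'^(?P<action>alert|drop|reject|sdrop|log|pass)\s+(?P<rest>.*)$')
POLICY_RE = re.compile(r'policy\s+([\w-]+)\s+(drop|alert)')
SID_RE = re.compile(r'\bsid:\s*(\d+)')


def apply_ips_policy(rules_text, policy, force_drop=False):
    """Rewrite rule actions the way an inline IPS deployment needs them.

    policy:     e.g. "balanced-ips" or "security-ips" (assumed metadata names).
    force_drop: True makes every enabled rule a drop rule ("block whatever alerts");
                False sets drop only where the metadata says `policy <policy> drop`
                and leaves everything else as alert.
    Returns (rewritten_text, stats).
    """
    out = []
    stats = {"drop": 0, "alert": 0, "disabled": 0, "other": 0}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            # Commented-out (disabled) rules never fire, so they are left untouched.
            if stripped.startswith("#"):
                stats["disabled"] += 1
            out.append(line)
            continue
        m = ACTION_RE.match(stripped)
        if not m:
            # Not a rule line (e.g. a preprocessor or include directive).
            stats["other"] += 1
            out.append(line)
            continue
        rest = m.group("rest")
        if force_drop:
            action = "drop"
        else:
            policies = dict(POLICY_RE.findall(rest))
            action = "drop" if policies.get(policy) == "drop" else "alert"
        stats[action] += 1
        out.append(f"{action} {rest}")
    return "\n".join(out) + "\n", stats


def actions_by_sid(rules_text):
    """Map sid -> action for every enabled rule, to review what would block inline."""
    result = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            s = SID_RE.search(m.group("rest"))
            if s:
                result[int(s.group(1))] = m.group("action")
    return result


if __name__ == "__main__":
    rewritten, stats = apply_ips_policy(SAMPLE_RULES, "balanced-ips")
    print(stats)
    for sid, action in sorted(actions_by_sid(rewritten).items()):
        print(sid, action)
```

Run it against a real `snort.rules` to see which SIDs would end up as `drop` under each policy; if the interface's driver has no netmap support, none of those drop rules will block anything, which is the symptom described in the question.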