Snortsam in pfsense 2 RC1



  • Hi,

    I was just wondering if there is a snortsam package available for pfsense 2 RC1 and the corresponding snort version. Is snort package patched / compiled with snortsam plugin? Can I just add the package using pkg_add -r snortsam from the (freebsd) repositories and the configure and play with it?

    Any help would be really appreciated.

    Regards

    Antonios



  • An updated snort package is being worked on for 2.0 which will include snortsam, I believe. Hoping it will be completed by the end of the month but no official word yet.



  • @atlasis:

    Hi,

    I was just wondering if there is a snortsam package available for pfsense 2 RC1 and the corresponding snort version. Is snort package patched / compiled with snortsam plugin? Can I just add the package using pkg_add -r snortsam from the (freebsd) repositories and the configure and play with it?

    Any help would be really appreciated.

    Regards

    Antonios

    Because pfSense is custom code, pkg_add -r will not work. You will have to wait until I am done with the new gui.

    Thanks @Cino for helping out on the forums.

    Rob



  • Thanks both of you guys for the info.

    I look forward to the new versions.

    Antonios



  • Hello.

    are there any news concerning snortsam in pfsense 2?

    Thanks

    Antonios



  • @atlasis:

    Hello.

    are there any news concerning snortsam in pfsense 2?

    Thanks

    Antonios

    It seems that in 2.0, snortsam was replaced with spoink (a fork? of snort2c by the same author).  This is a shame as spoink has a limitation described in this active thread:
    http://forum.pfsense.org/index.php/topic,41895.0.html
    And snortsam looks like it has some nifty features not in spoink, e.g.:
    Time-override list.
    Maximum block time ceiling as well as minimum block time definition for reporting entities.
    Flexible, per rule blocking specification, including rule dependent blocking time interval.

    Also, a problem I've noticed is that the whitelists in spoink, i.e. in "2.9 pkg v. 2.0", do not support networks, only IPs.  With the exception of the place where you can add a whitelist, the rest of the Snort GUI in this version suggests that "local networks" are automatically white-listed.  In fact, although they are, since spoink doesn't seem to understand networks, this has no effect and local networks are NOT prevented from being blocked.  This is what I have been testing today.
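    The whitelist failure mode described in the post above, as an added Python illustration (this is not code from the thread, from pfSense, or from spoink): an exact-match whitelist that only understands single IPs silently ignores a CIDR entry, so hosts in a "whitelisted" local network are still blocked, whereas a network-aware check treats each entry as a prefix. The sample addresses, the `LOCAL_NETWORKS` and `WHITELIST_ENTRIES` lists, and the `ip_only_whitelisted` model of the reported behaviour are all constructed assumptions for the example; the last helper shows the workaround of enumerating hosts when only single IPs are accepted.

```python
import ipaddress

# Constructed sample data (not taken from the thread): the networks the GUI
# claims are protected, and a whitelist mixing single IPs with a CIDR entry.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.0.0.0/8"]
WHITELIST_ENTRIES = ["192.168.1.10", "203.0.113.5", "192.168.1.0/24"]


def ip_only_whitelisted(addr, entries):
    """Model of a whitelist that understands only single IPs (assumption, not
    spoink's real implementation): a plain string comparison. A CIDR entry
    never equals a host address, so it protects nothing."""
    return addr in entries


def network_aware_whitelisted(addr, entries):
    """Treat every entry as a network (a bare IP becomes a /32 or /128) and test
    membership; entries of the wrong IP version are skipped rather than raising."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def block_decision(offender, entries, check):
    """Return 'whitelisted' or 'block' for one alerting source address."""
    return "whitelisted" if check(offender, entries) else "block"


def compare(offenders, entries):
    """Side-by-side decisions: (ip-only whitelist, network-aware whitelist)."""
    return {
        o: (
            block_decision(o, entries, ip_only_whitelisted),
            block_decision(o, entries, network_aware_whitelisted),
        )
        for o in offenders
    }


def expand_network_to_hosts(cidr):
    """Workaround when a whitelist accepts only single IPs: list every host in
    the prefix so each can be entered individually (feasible for a /24, not a /8)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


if __name__ == "__main__":
    # Constructed alert sources: one exact whitelist hit, one LAN host covered
    # only by the CIDR entry, one outside address.
    for src, (naive, aware) in compare(
        ["192.168.1.10", "192.168.1.77", "198.51.100.9"], WHITELIST_ENTRIES
    ).items():
        print(f"{src:15} ip-only: {naive:11} network-aware: {aware}")
```

Running the block shows the LAN host 192.168.1.77 being blocked by the IP-only check while the network-aware check leaves it alone; only the exact entry 192.168.1.10 survives both. The expansion helper is the practical stopgap for a GUI that will not take a prefix, at the cost of 254 entries per /24.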



  • Hi to all,
    is there any news about that?

    Thanks a lot,
    Michele



  • @mdima:

    is there any news about that?

    Apparently a couple of weeks ago Ermal committed an improvement to the spoink code, in order to allow more versatile blocking (src/dst):

    https://github.com/bsdperimeter/pfsense-tools/commit/4e3502810b2f718e70c2bfe0cea768f1c9490141

