Snortsam in pfsense 2 RC1
-
Hi,
I was just wondering if there is a snortsam package available for pfsense 2 RC1 and the corresponding snort version. Is snort package patched / compiled with snortsam plugin? Can I just add the package using pkg_add -r snortsam from the (freebsd) repositories and the configure and play with it?
Any help would be really appreciated.
Regards
Antonios
-
An updated snort package is being worked on for 2.0 which will include snortsam, I believe. Hoping it will be completed by the end of the month but no official word yet.
-
Because pfSense is custom code, pkg_add -r will not work. You will have to wait until I am done with the new gui.
Thanks @Cino for helping out on the forums.
Rob
-
Thanks both of you guys for the info.
I look forward to the new versions.
Antonios
-
Hello.
are there any news concerning snortsam in pfsense 2?
Thanks
Antonios
-
It seems that in 2.0, snortsam was replaced with spoink (a fork? of snort2c by the same author). This is a shame as spoink has a limitation described in this active thread:
http://forum.pfsense.org/index.php/topic,41895.0.html
And snortsam looks like it has some nifty features not in spoink, e.g.:
Time-override list.
Maximum block time ceiling as well as minimum block time definition for reporting entities.
Flexible, per rule blocking specification, including rule dependent blocking time interval.
Also, a problem I've noticed is that the whitelists in spoink, i.e. in "2.9 pkg v. 2.0", do not support networks, only IPs. With the exception of the place where you can add a whitelist, the rest of the Snort GUI in this version suggests that "local networks" are automatically white-listed. In fact, although they are, since spoink doesn't seem to understand networks, this has no effect and local networks are NOT prevented from being blocked. This is what I have been testing today.
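The whitelist behaviour described in the post above (a network entry that is silently ineffective because the matcher only compares single IPs), as an added example that is not part of this thread and not spoink's or pfSense's own code. The whitelist entries and the alert source addresses are constructed for illustration; the exact-string matcher is an assumption about how an IP-only whitelist behaves, shown next to a CIDR-aware matcher built on Python's ipaddress module:

```python
import ipaddress

# Constructed whitelist, written the way a user might enter it in a GUI:
# one single host plus one whole network (the "local networks" case).
WHITELIST = ["10.0.0.5", "192.168.1.0/24"]


def whitelisted_exact(ip: str, entries) -> bool:
    """Exact-string match, modelling a whitelist that only understands single IPs.

    A CIDR entry such as "192.168.1.0/24" never equals a concrete source address,
    so every host inside that network falls through and is still eligible for blocking.
    """
    return ip in entries


def whitelisted_cidr(ip: str, entries) -> bool:
    """Network-aware match: a host entry or a CIDR entry containing the address matches."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        # strict=False turns a bare host like "10.0.0.5" into 10.0.0.5/32 and tolerates
        # networks with host bits set; IPv4/IPv6 mismatches simply fail to match.
        net = ipaddress.ip_network(entry, strict=False)
        if addr in net:
            return True
    return False


def should_block(alert_src: str, entries, cidr_aware: bool) -> bool:
    """Decide whether the source address of an alert gets a block entry.

    Returns True when the address is NOT covered by the whitelist, i.e. a block
    would be installed for it.
    """
    check = whitelisted_cidr if cidr_aware else whitelisted_exact
    return not check(alert_src, entries)


if __name__ == "__main__":
    # Constructed alert sources: a LAN host and an external host.
    for src in ("192.168.1.10", "10.0.0.5", "203.0.113.7"):
        print(
            f"{src:>14}  exact-IP whitelist blocks: {should_block(src, WHITELIST, False)!s:5}"
            f"  CIDR whitelist blocks: {should_block(src, WHITELIST, True)}"
        )
```

Running it shows the failure mode from the post: with the exact-IP matcher the LAN host 192.168.1.10 is blocked despite 192.168.1.0/24 being listed, while the single host 10.0.0.5 is exempt either way; only the CIDR-aware matcher exempts the whole local network.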
-
Hi to all,
is there any news about that?
Thanks a lot,
Michele
-
Apparently a couple of weeks ago Ermal committed an improvement to the spoink code, in order to allow more versatile blocking (src/dst):
https://github.com/bsdperimeter/pfsense-tools/commit/4e3502810b2f718e70c2bfe0cea768f1c9490141