Snort on pfSense packet flow



  • I am running Snort package 2.9.0.5 and the pfSense 2.0 RC3 amd64 snapshot from 9/10/11.

    I have been adding hosts to a firewall alias as I find offenders in the alerts generated by Snort. I made a rule blocking this alias file as the source for communication on the WAN interface and another rule blocking them as the destination for communication on the WAN interface.

    These hosts still show up in the Snort alerts and in the Snort block list.

    I am hoping this is because Snort gets the traffic before the firewall filter in pfSense.

    Snort has a Blacklist, but I am hesitant to use it because in checking the Snort documentation I see if the IP of a Whitelist member (all my interface and host IPs for my network, in my case) is in a communication with a Blacklist member, the default is to give the Whitelist priority and allow the communication. Not positive that negatively affects me in these scenarios, but I have been wary of the Snort Blacklist for this reason.

    Right now everything works well, just not how I expected. These hosts I put in the firewall alias file get on the Snort block list instead of blocked by the firewall, but either way they ARE blocked.

    Perhaps someone can clarify both the Snort alerting on hosts blocked by a firewall rule (Snort gets the packets first?), and Snort behavior in pfSense when a Blacklist and a Whitelist host are both involved in an alert.

    Thanks in advance for any feedback.



  • pfSense rules are set on the source interface. The rule with destination to the blacklist must be on LAN.

    Check the Snort rules that are blocking offenders and see who is the source of that rule (server or client).

    Adjusting Snort for a network takes some time, and false positives will occur.

    Note that really good TCP/IP knowledge is requisite for Snort admins.



  • @marcelloc:

    pfSense rules are set on the source interface. The rule with destination to the blacklist must be on LAN.

    I set the rules up on the appropriate interfaces based on source and destination IP, but Snort sees (and then blocks) offenders that should be covered by these rules.

    The rule covering destination to blacklist is on the LAN interface.

    The rule covering source from blacklist is on the WAN interface.

    Still, Snort sees and blocks traffic covered by these rules.

    I still have these questions:

    Perhaps someone can clarify both the Snort alerting on hosts blocked by a firewall rule (Snort gets the packets first?), and Snort behavior in pfSense when a Blacklist and a Whitelist host are both involved in an alert.
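    A check for the situation described in this thread, added here as an example (it is not code from the posters, the Snort project or the pfSense package): it parses Snort "fast" format alert lines and reports which hosts already in the firewall alias still show up in alerts, and whether they appeared as source or destination, which tells you whether the WAN "from blacklist" or the LAN "to blacklist" rule should have matched. The alias contents and the alert lines are constructed; the IP addresses are documentation ranges, not real offenders.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: contents of the firewall alias the poster described.
BLACKLIST_ALIAS: Set[str] = {"198.51.100.7", "203.0.113.25"}

# Constructed Snort alert_fast lines; only the trailing endpoint part is parsed.
SAMPLE_ALERTS = """\
09/10-14:02:11.120345  [**] [1:2010937:2] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:3306
09/10-14:02:12.004561  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.20:5060 -> 203.0.113.25:5060
09/10-14:02:13.887710  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.0.2.30:80 -> 192.0.2.11:49821
"""

# Matches "{PROTO} src[:port] -> dst[:port]" at the end of a fast alert line;
# ports are optional because ICMP alerts carry none.
ENDPOINTS = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (proto, src_ip, dst_ip) from one fast-format alert line, or None."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    return m.group("proto"), m.group("src"), m.group("dst")


def aliased_hosts_still_alerting(alert_text: str, alias: Set[str]) -> Dict[str, List[str]]:
    """Map each alias member that appears in an alert to the roles it played.

    'src': the host was the alert's source (a WAN-side "from blacklist" rule
    should have matched). 'dst': it was the destination (a LAN-side "to
    blacklist" rule should have matched).
    """
    seen: Dict[str, List[str]] = {}
    for line in alert_text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue  # not an alert line (or an unexpected format); skip it
        _proto, src, dst = parsed
        if src in alias:
            seen.setdefault(src, []).append("src")
        if dst in alias:
            seen.setdefault(dst, []).append("dst")
    return seen
```

Run it against your real alert log and alias export; any host reported as "src" that you expected the WAN rule to catch confirms that Snort saw the packet before (or regardless of) the pf rule.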

