I have recently switched to pfSnese from IPCop. I am loving the change so far!
I have configured Snort with blocking on my firewall. I would like to exclude some rules from automatic blocking. Some rules, such as the Shellcode ones generate quite a bit of false positives in my implementation. I am not able to find a way to do this in the GUI. The host whitelist feature won't work for me because there are too many. I also don't want to suppress the noisy rules because I would like to see the alerts and investigate manually. I was going to edit the configuration files and was hoping that someone can point me in the right direction. My questions are:
1. Which snort.conf does the Snort package use in pfSense? I have two, /usr/local/etc/snort/snort.conf and /usr/local/etc/snort/snort_14918_bge0/snort.conf?
2. This directive seems to be ignored: portvar SHELLCODE_PORTS !80. Does pfSense not use this VAR or is there something wrong with my config?
3. Where does pfSense configure blocking in Snort?
Thanks in advance!