Netgate Discussion Forum
    Snort Blocking

    pfSense Packages
    • ketchup

      Hello Everyone,

      I have recently switched to pfSense from IPCop.  I am loving the change so far!

      I have configured Snort with blocking on my firewall.  I would like to exclude some rules from automatic blocking.  Some rules, such as the Shellcode ones, generate quite a few false positives in my implementation.  I am not able to find a way to do this in the GUI.  The host whitelist feature won't work for me because there are too many.  I also don't want to suppress the noisy rules because I would like to see the alerts and investigate manually.  I was going to edit the configuration files and was hoping that someone can point me in the right direction.  My questions are:

      1.  Which snort.conf does the Snort package use in pfSense?  I have two: /usr/local/etc/snort/snort.conf and /usr/local/etc/snort/snort_14918_bge0/snort.conf.

      2.  This directive seems to be ignored:  portvar SHELLCODE_PORTS !80.  Does pfSense not use this VAR, or is there something wrong with my config?

      3.  Where does pfSense configure blocking in Snort?

      Thanks in advance!
