Snort Blocking

Hello Everyone,

I have recently switched to pfSense from IPCop. I am loving the change so far!

I have configured Snort with blocking on my firewall. I would like to exclude some rules from automatic blocking. Some rules, such as the Shellcode ones, generate quite a bit of false positives in my implementation. I am not able to find a way to do this in the GUI. The host whitelist feature won't work for me because there are too many. I also don't want to suppress the noisy rules because I would like to see the alerts and investigate manually. I was going to edit the configuration files and was hoping that someone can point me in the right direction. My questions are:

1. Which snort.conf does the Snort package use in pfSense? I have two: /usr/local/etc/snort/snort.conf and /usr/local/etc/snort/snort_14918_bge0/snort.conf.

2. This directive seems to be ignored: portvar SHELLCODE_PORTS !80. Does pfSense not use this VAR, or is there something wrong with my config?

3. Where does pfSense configure blocking in Snort?

Thanks in advance!
