Using Snort as IDS in the beginning
-
Hello!
We have pfSense installed on a PC with 3 GB of RAM and a Celeron 2.8 CPU. Currently we are using 3 WANs (1 with the default and the other 2 with OPT VLAN'd interfaces). We have a Tier-1 Gateway group (Load Balancing) and a Tier-2 as Failover.
We are interested in using Snort and Squid.
Questions:
1. How can we set Snort for all the WAN interfaces and not just the one WAN?
2. Can we use Snort in IDS mode (not to block anything rather report) and afterwards turn it into full IPS?
Squid question will come in another thread ;D
Best regards
Kostas
-
Just add more Snort interfaces for the other adapters by clicking the "+" button on the "Snort Interfaces" sheet. I do not think that there are any restrictions on the number of interfaces (I usually have 2 Snort interfaces defined).
-
Yeah, that's correct regarding the multiple interfaces. I only have 1 WAN currently, but I also have it set to IPS my LAN interface as well. It seems you can bind the Snort service to every interface pfSense has. To make it an IDS, just do not set it to "Block" IPs that trigger alerts. That way, it just logs alerts only.
-
Thank you both.
Do you have any other suggestion in the Snort usage? Any known issues?
I will "plug" it in the company network tomorrow, and I need to be prepared for user "nagging".
Best
Kostas
-
Snort needs some training before you can use it without pain. Do not activate "Block offenders" before you have adapted to the kind of traffic in your nets. You'll find out soon what this means.
The Emerging Threats rules work, but I prefer the Snort.org rules whenever possible. Recently I have had a few false alerts from the Emerging Threats p2p rules from some Windows 7 broadcasts…
Learn how to set up suppression lists and activate them on their interfaces or your users have reasons to nag.
This should keep you busy until tomorrow.
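The advice above (run in alert-only mode first, then build suppression lists from what you see) is easier to follow with a quick summary of the alert log. The following script is an added example, not code from this thread or from the pfSense Snort package. It assumes Snort's classic "alert_fast" line layout and IPv4 addresses only, and the sample alert lines and SIDs (in the local 1000000+ range) are constructed for the example. The `suppress` lines it drafts use Snort's threshold.conf syntax, which is the same form the pfSense Snort package's Suppress List editor accepts.

```python
"""Parse Snort alert_fast lines and draft per-host suppression entries.

Added example; not from the forum thread or the pfSense Snort package.
Assumes the classic Snort "alert_fast" line layout and IPv4 addresses only.
"""
import re
from collections import Counter

# One alert_fast line looks like (a single line; wrapped here for readability):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**]
#   [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification/Priority are optional and ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample alert log: SIDs 1000001-1000003 and the addresses are
# invented for this example. Three hits of the same "p2p" signature from one
# host broadcasting to .255 mimic the benign broadcast noise discussed above.
SAMPLE_ALERTS = """\
01/05-09:12:01.123456  [**] [1:1000001:1] EXAMPLE P2P peer discovery broadcast [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.10.21:6881 -> 192.168.10.255:6881
01/05-09:12:05.223456  [**] [1:1000001:1] EXAMPLE P2P peer discovery broadcast [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.10.21:6881 -> 192.168.10.255:6881
01/05-09:13:44.001122  [**] [1:1000001:1] EXAMPLE P2P peer discovery broadcast [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.10.21:6881 -> 192.168.10.255:6881
01/05-09:15:10.555555  [**] [1:1000001:1] EXAMPLE P2P peer discovery broadcast [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.10.33:6881 -> 192.168.10.255:6881
01/05-09:16:00.000001  [**] [1:1000002:2] EXAMPLE POLICY cleartext credential in HTTP body [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.10.40:51234 -> 203.0.113.80:80
01/05-09:16:30.000002  [**] [1:1000003:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.40 -> 192.168.10.1
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev"):
        d[k] = int(d[k])
    d["prio"] = int(d["prio"]) if d["prio"] is not None else None
    return d


def parse_log(text):
    """Parse every line of an alert file, skipping lines that are not alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def top_signatures(text, n=10):
    """Most frequent (gid, sid, msg) tuples: the first thing to review after a day in alert-only mode."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in parse_log(text))
    return counts.most_common(n)


def suppression_entries(text, min_hits=3, track="by_src"):
    """Draft Snort 'suppress' lines for (signature, host) pairs that fired at least min_hits times.

    Output uses Snort's threshold.conf syntax:
        suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <addr>
    The per-host form is used instead of suppressing the whole signature, so the
    rule keeps alerting for hosts that nobody has reviewed yet.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    key = "src" if track == "by_src" else "dst"
    counts = Counter((a["gid"], a["sid"], a[key]) for a in parse_log(text))
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"
        for (gid, sid, ip), hits in sorted(counts.items())
        if hits >= min_hits
    ]


if __name__ == "__main__":
    for (gid, sid, msg), hits in top_signatures(SAMPLE_ALERTS):
        print(f"{hits:5d}  {gid}:{sid}  {msg}")
    print()
    print("\n".join(suppression_entries(SAMPLE_ALERTS, min_hits=3)))
```

Run it against a copy of the interface's alert log instead of `SAMPLE_ALERTS` once Snort has been logging for a day; review each drafted line before pasting it into the interface's suppression list, since the script only counts repetition and cannot tell a noisy-but-benign host from a compromised one.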
-
Snort can sometimes be a memory hog on multiple interfaces. As you add the different WAN/LAN interfaces, monitor your memory usage level on the pfSense Status Dashboard to get a feel for how much memory Snort is using and whether you will need more.
-
Thank you. I haven't got the time to do it today. I have 3 GB of RAM in this box, and it was designed mostly to use the Packages feature of pfSense. I am thinking of setting up Snort on one of the WANs first.
Best regards
Kostas
-
Don't worry about the memory. You've got more than enough.