pfSense 2.0.1 Snort IPS bridge mode does not work!



  • I'm configuring a pfSense 2.0.1 64-bit firewall to work in transparent mode (bridge) using this how-to:
    http://blog.qcsitter.com/BSDay/

    WAN (em0) ---- LAN  (em1)  ---  External network
                    |PF|                } ----> [bridge0]
                    ---- OPT1 (em2) --- Internal network

    Snort is listening on the bridge0 interface.
    When I use BackTrack (nmap) to test Snort, I don't see any alert in the log or the web interface.
    I wrote ICMP rules to test and I do see those triggers in the log, but exploits or port scans don't show up in the alert log.
    The question is: does pfSense 2.0.1 Snort work in bridge mode (IPS)?



  • Anyone?



  • Thanks for the help (???) I solved my problem…

    pfSense uses a configuration file for each interface; in this case, the actual configuration file for the interface bridge0 is given in the startup script:
    /usr/local/etc/rc.d/snort.sh
    Look at line 28:
    /usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

    We need to edit this file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf
    To properly monitor traffic on bridge0 we must set two variables in this file correctly? **WRONG! VERY WRONG!!!
    var HOME_NET
    var EXTERNAL_NET
    These variables need to look like this:
    var HOME_NET any
    var EXTERNAL_NET any

    But you cannot change these parameters directly in the file itself, because it is generated by a script, this script:
    /usr/local/pkg/snort/snort.inc

    We need to change this script so that it generates the snort.conf with the correct variables, here we go:
    In the file /usr/local/pkg/snort/snort.inc, line 233, change:

    $HOME_NET = "[{$HOME_NET}]";
    to:
    $HOME_NET = "any";

    And on line 1330 change:

    $EXTERNAL_NET = '!$HOME_NET';
    to:
    $EXTERNAL_NET = 'any';

    Save the file!

    Now the last step, edit the file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf

    In the section:

    preprocessor sfportscan: scan_type {all} \
                             proto {all} \
                             memcap {10000000} \
                             sense_level {medium} \
                             ignore_scanners {$HOME_NET}

    Review the option ignore_scanners {$HOME_NET}:

    preprocessor sfportscan: scan_type {all} \
                             proto {all} \
                             memcap {10000000} \
                             sense_level {medium}
                             #ignore_scanners {$HOME_NET}

    Save the file, go to Snort services, restart the interface and everything works beautifully! Thanks for the help (???) …..  :-X ::) >:(**
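As an added illustration (not code from this thread or from the pfSense Snort package): a small Python checker that reads the HOME_NET variable and the sfportscan line from a snort.conf fragment and reports whether port-scan alerts from a given source address would be suppressed by ignore_scanners, which is why a scan launched from the HOME_NET side of the bridge never shows up. The two config fragments and the addresses are constructed samples, not the generated files from the post.

```python
# Added example, not code from this thread or from the pfSense Snort package:
# parse HOME_NET and the sfportscan line from a snort.conf and ask whether
# port-scan alerts from a given source would be dropped by ignore_scanners.
import ipaddress
import re

# Constructed samples: the generated config before the fix and after it.
BEFORE = """\
var HOME_NET [192.168.1.0/24]
preprocessor sfportscan: scan_type {all} \\
                         sense_level {medium} \\
                         ignore_scanners {$HOME_NET}
"""
AFTER = """\
var HOME_NET any
preprocessor sfportscan: scan_type {all} \\
                         sense_level {medium}
                         #ignore_scanners {$HOME_NET}
"""


def logical_lines(conf):
    """Drop # comments, then fold backslash line continuations."""
    return re.sub(r"\\\s*\n", " ", re.sub(r"#.*", "", conf)).splitlines()


def parse_conf(conf):
    """Return (variables, sfportscan options); $VAR references stay unexpanded."""
    variables, opts = {}, {}
    for line in logical_lines(conf):
        m = re.match(r"\s*var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
        m = re.match(r"\s*preprocessor\s+sfportscan:\s*(.*)", line)
        if m:
            opts = dict(re.findall(r"(\w+)\s*\{\s*([^}]*?)\s*\}", m.group(1)))
    return variables, opts


def matches(ip, spec, variables):
    """True if ip is covered by a Snort address spec: any, CIDR, $VAR or [a,b]."""
    spec = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), ""), spec).strip()
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    # Negated entries ("!net") are not modelled; the generated list has none.
    nets = [n.strip() for n in spec.strip("[]").split(",") if n.strip() and not n.strip().startswith("!")]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def scanner_ignored(conf, scanner_ip):
    """Would sfportscan silently drop scans from scanner_ip under this config?"""
    variables, opts = parse_conf(conf)
    return "ignore_scanners" in opts and matches(scanner_ip, opts["ignore_scanners"], variables)
```

Running scanner_ignored(BEFORE, "192.168.1.50") answers True and scanner_ignored(AFTER, "192.168.1.50") answers False, matching the before/after behaviour described in the post.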



  • Did you try setting HOME NET to any in the GUI option before hacking the files?



  • The only option in the web interface is Default. How do I change this?

