3. PFsense 2.0.1 Snort IPS bridge mode not work !

PFsense 2.0.1 Snort IPS bridge mode not work !

  • G

    I'm configure a pfsense 2.0.1 64bits firewal to work in transparent mode (bridge) using this how to: 
    http://blog.qcsitter.com/BSDay/

    WAN (em0) –--- LAN  (em1)  ---  External network
                    |PF|                } ----> [bridge0]
                    –--- OPT1 (em2) --- Internal network

    Snort is listening in bridge0 interface.
    When i use backtrack (nmap) to test the snort, i'm not see any alert on log or web interface.
    I'm wirte icmp rules to test and i see any trigers on log, but exploits or portscan dont show in log alert
    The question is: PF sense 2.0.1  Snort work in bridge mode (IPS) ?

    0
  • G

    anyone ?

    0
  • G

    Thanks for Help (???) I solved my problem…

    pfsense uses a configuration file for each interface itself, in this case, the actual file configuration for the interface bridge0 as the startup script:
    /usr/local/etc/rc.d/snort.sh
    Look at line 28:
    /usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

    We need to edit this file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf
    To properly monitor traffic on bridge0 we must set two variables in this file correct? **WRONG! VERY WRONG !!!
    var HOME_NET
    var EXTERNAL_NET
    These variables need to be like this:
    var HOME_NET any
    var EXTERNAL_NET any

    But you can not change these parameters directly in the file itself, because it is generated by a script, this script:
    /usr/local/pkg/snort/snort.inc

    We need to change this script so that it runs the snort.conf with the correct variables, here we go:
    In the file /usr/local/pkg/snort/ snort.inc line 233 change:

    $ HOME_NET = "[{$ HOME_NET}]";
    to:
    $ HOME_NET = "any";

    And the line 1330 change:

    $ EXTERNAL_NET =! '$ HOME_NET';
    to:
    $ EXTERNAL_NET = 'any';

    Save file!

    Now the last set, edit the file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf

    In session:

    preprocessor sfportscan: scan_type {all}
                             proto {all}
                             memcap {10000000}
                             sense_level medium} {
                            ignore_scanners HOME_NET $ {}

    Review the option ignore_scanners {$ HOME_NET}:

    preprocessor sfportscan: scan_type {all}
                             proto {all}
                             memcap {10000000}
                             sense_level {medium}
                            #ignore_scanners HOME_NET $ {}

    Save the file, go snort services and restart the interface and everything works beautiful! Thanks for Help (???) …..  :-X ::) >:(**

    0

  • Did you tried to set any to HOME NET gui option before file hacking?

    0
  • G

    the only option in web interface is Default, how i change this ?

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy