Netgate Discussion Forum
    pfSense 2.0.1 Snort IPS bridge mode does not work!

      giorgiolago

      I'm configuring a pfSense 2.0.1 64-bit firewall to work in transparent mode (bridge) using this how-to:
      http://blog.qcsitter.com/BSDay/

      WAN (em0) ----- LAN  (em1)  ---  External network
                      |PF|                } ----> [bridge0]
                      ----- OPT1 (em2) --- Internal network

      Snort is listening on the bridge0 interface.
      When I use BackTrack (nmap) to test Snort, I don't see any alert in the log or the web interface.
      I wrote ICMP rules to test and I see the triggers in the log, but exploits or port scans don't show up in the alert log.
      The question is: does pfSense 2.0.1 Snort work in bridge mode (IPS)?

        giorgiolago

        Anyone?

          giorgiolago

          Thanks for Help (???) I solved my problem…

          pfSense uses a separate configuration file for each interface; in this case, the actual configuration file for the interface bridge0 is given by the startup script:
          /usr/local/etc/rc.d/snort.sh
          Look at line 28:
          /usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

          We need to edit this file:
          /usr/local/etc/snort/snort_58154_bridge0/snort.conf
          To properly monitor traffic on bridge0 we must set two variables in this file, correct? **WRONG! VERY WRONG!!!
          var HOME_NET
          var EXTERNAL_NET
          These variables need to be like this:
          var HOME_NET any
          var EXTERNAL_NET any

          But you cannot change these parameters directly in the file itself, because it is generated by a script, this script:
          /usr/local/pkg/snort/snort.inc

          We need to change this script so that it writes snort.conf with the correct variables; here we go:
          In the file /usr/local/pkg/snort/snort.inc, line 233, change:

          $HOME_NET = "[{$HOME_NET}]";
          to:
          $HOME_NET = "any";

          And at line 1330 change:

          $EXTERNAL_NET = '!$HOME_NET';
          to:
          $EXTERNAL_NET = 'any';

          Save the file!

          Now the last step, edit the file:
          /usr/local/etc/snort/snort_58154_bridge0/snort.conf

          In the section:

          preprocessor sfportscan: scan_type { all } \
                                   proto { all } \
                                   memcap { 10000000 } \
                                   sense_level { medium } \
                                   ignore_scanners { $HOME_NET }

          Review the option ignore_scanners { $HOME_NET }:

          preprocessor sfportscan: scan_type { all } \
                                   proto { all } \
                                   memcap { 10000000 } \
                                   sense_level { medium }
                                   #ignore_scanners { $HOME_NET }

          Save the file, go to Snort services, restart the interface, and everything works beautifully! Thanks for Help (???) …..  :-X ::) >:(**

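The two hand edits above (HOME_NET/EXTERNAL_NET forced to any, then ignore_scanners commented out so that "any" does not whitelist every scanner) can be checked mechanically before restarting Snort. The following lint is an added example, not code from pfSense or from the poster; the three snort.conf fragments it builds are constructed to resemble pfSense 2.0.1 output and are not copied from a real firewall.

```python
"""Lint a pfSense-generated snort.conf for the two bridge-mode pitfalls the
thread fixes by hand. Added example, not pfSense or poster code; the sample
configs below are constructed, not copied from a firewall."""
import re

def sample_conf(home_net, external_net, ignore_line):
    """Constructed snort.conf fragment in the shape pfSense 2.0.1 writes."""
    return (f"var HOME_NET {home_net}\n"
            f"var EXTERNAL_NET {external_net}\n"
            "preprocessor sfportscan: scan_type { all } \\\n"
            "    proto { all } \\\n"
            "    memcap { 10000000 } \\\n"
            "    sense_level { medium } \\\n"
            f"    {ignore_line}\n")

# Before any edit, after the HOME_NET/EXTERNAL_NET change only, and after both steps.
BEFORE = sample_conf("[192.168.1.0/24,10.0.0.0/24]", "!$HOME_NET", "ignore_scanners { $HOME_NET }")
HALF = sample_conf("any", "any", "ignore_scanners { $HOME_NET }")
AFTER = sample_conf("any", "any", "#ignore_scanners { $HOME_NET }")

def normalize(text):
    """Drop '#' comments and merge backslash-continued lines, as Snort does."""
    return re.sub(r"\\\n\s*", " ", re.sub(r"#.*", "", text))

def parse_vars(conf):
    """{NAME: VALUE} for every 'var NAME VALUE' line."""
    return dict(re.findall(r"^var\s+(\S+)\s+(.+?)\s*$", conf, re.M))

def sfportscan_options(conf):
    """{option: value} from the sfportscan preprocessor line, or {} if absent."""
    m = re.search(r"^preprocessor sfportscan:(.*)$", conf, re.M)
    return dict(re.findall(r"(\w+)\s*\{\s*([^}]*?)\s*\}", m.group(1))) if m else {}

def lint_bridge_conf(text):
    """Return a list of findings; an empty list means the bridge config is sane."""
    conf = normalize(text)
    v, opts, findings = parse_vars(conf), sfportscan_options(conf), []
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if v.get(name, "").lower() != "any":
            findings.append(f"{name}={v.get(name, '<unset>')}: on a bridge both "
                            "sides are local, so set it to 'any'")
    # Resolve $HOME_NET the way Snort would; 'any' whitelists every scanner.
    scanners = opts.get("ignore_scanners", "").replace("$HOME_NET", v.get("HOME_NET", ""))
    if scanners.strip().lower() == "any":
        findings.append("sfportscan ignore_scanners resolves to 'any': no portscan "
                        "alert can ever fire; comment the option out")
    return findings

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("vars only", HALF), ("after", AFTER)):
        print(label, lint_bridge_conf(conf) or ["ok"])
```

Point it at /usr/local/etc/snort/snort_<id>_bridge0/snort.conf after each edit; the "vars only" case is exactly the state in which the thread's poster saw ICMP rules fire but no port-scan alerts.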
            marcelloc

            Did you try setting HOME_NET to "any" in the GUI option before hacking the files?

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

              giorgiolago

              The only option in the web interface is Default; how do I change this?
