PFsense 2.0.1 Snort IPS bridge mode not work !

giorgiolago

I'm configure a pfsense 2.0.1 64bits firewal to work in transparent mode (bridge) using this how to: 
http://blog.qcsitter.com/BSDay/

WAN (em0) –--- LAN  (em1)  ---  External network
                |PF|                } ----> [bridge0]
                –--- OPT1 (em2) --- Internal network

Snort is listening in bridge0 interface.
When i use backtrack (nmap) to test the snort, i'm not see any alert on log or web interface.
I'm wirte icmp rules to test and i see any trigers on log, but exploits or portscan dont show in log alert
The question is: PF sense 2.0.1  Snort work in bridge mode (IPS) ?

giorgiolago

anyone ?

giorgiolago

Thanks for Help (???) I solved my problem…

pfsense uses a configuration file for each interface itself, in this case, the actual file configuration for the interface bridge0 as the startup script:
/usr/local/etc/rc.d/snort.sh
Look at line 28:
/usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

We need to edit this file:
/usr/local/etc/snort/snort_58154_bridge0/snort.conf
To properly monitor traffic on bridge0 we must set two variables in this file correct? **WRONG! VERY WRONG !!!
var HOME_NET
var EXTERNAL_NET
These variables need to be like this:
var HOME_NET any
var EXTERNAL_NET any

But you can not change these parameters directly in the file itself, because it is generated by a script, this script:
/usr/local/pkg/snort/snort.inc

We need to change this script so that it runs the snort.conf with the correct variables, here we go:
In the file /usr/local/pkg/snort/ snort.inc line 233 change:

$ HOME_NET = "[{$ HOME_NET}]";
to:
$ HOME_NET = "any";

And the line 1330 change:

$ EXTERNAL_NET =! '$ HOME_NET';
to:
$ EXTERNAL_NET = 'any';

Save file!

Now the last set, edit the file:
/usr/local/etc/snort/snort_58154_bridge0/snort.conf

In session:

preprocessor sfportscan: scan_type {all}
                         proto {all}
                         memcap {10000000}
                         sense_level medium} {
                        ignore_scanners HOME_NET $ {}

Review the option ignore_scanners {$ HOME_NET}:

preprocessor sfportscan: scan_type {all}
                         proto {all}
                         memcap {10000000}
                         sense_level {medium}
                        #ignore_scanners HOME_NET $ {}

Save the file, go snort services and restart the interface and everything works beautiful! Thanks for Help (???) …..  :-X ::) >:(**

marcelloc

Did you tried to set any to HOME NET gui option before file hacking?

giorgiolago

the only option in web interface is Default, how i change this ?