PFsense 2.0.1 Snort IPS bridge mode not work !

pfSense Packages
Log in to reply
  • G

    I'm configure a pfsense 2.0.1 64bits firewal to work in transparent mode (bridge) using this how to: 
    http://blog.qcsitter.com/BSDay/

    WAN (em0) –--- LAN  (em1)  ---  External network
                    |PF|                } ----> [bridge0]
                    –--- OPT1 (em2) --- Internal network

    Snort is listening in bridge0 interface.
    When i use backtrack (nmap) to test the snort, i'm not see any alert on log or web interface.
    I'm wirte icmp rules to test and i see any trigers on log, but exploits or portscan dont show in log alert
    The question is: PF sense 2.0.1  Snort work in bridge mode (IPS) ?

    0
  • G

    anyone ?

    0
  • G

    Thanks for Help (???) I solved my problem…

    pfsense uses a configuration file for each interface itself, in this case, the actual file configuration for the interface bridge0 as the startup script:
    /usr/local/etc/rc.d/snort.sh
    Look at line 28:
    /usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

    We need to edit this file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf
    To properly monitor traffic on bridge0 we must set two variables in this file correct? **WRONG! VERY WRONG !!!
    var HOME_NET
    var EXTERNAL_NET
    These variables need to be like this:
    var HOME_NET any
    var EXTERNAL_NET any

    But you can not change these parameters directly in the file itself, because it is generated by a script, this script:
    /usr/local/pkg/snort/snort.inc

    We need to change this script so that it runs the snort.conf with the correct variables, here we go:
    In the file /usr/local/pkg/snort/ snort.inc line 233 change:

    $ HOME_NET = "[{$ HOME_NET}]";
    to:
    $ HOME_NET = "any";

    And the line 1330 change:

    $ EXTERNAL_NET =! '$ HOME_NET';
    to:
    $ EXTERNAL_NET = 'any';

    Save file!

    Now the last set, edit the file:
    /usr/local/etc/snort/snort_58154_bridge0/snort.conf

    In session:

    preprocessor sfportscan: scan_type {all}
                             proto {all}
                             memcap {10000000}
                             sense_level medium} {
                            ignore_scanners HOME_NET $ {}

    Review the option ignore_scanners {$ HOME_NET}:

    preprocessor sfportscan: scan_type {all}
                             proto {all}
                             memcap {10000000}
                             sense_level {medium}
                            #ignore_scanners HOME_NET $ {}

    Save the file, go snort services and restart the interface and everything works beautiful! Thanks for Help (???) …..  :-X ::) >:(**

    0
  • marcelloc

    Did you tried to set any to HOME NET gui option before file hacking?

    0
  • G

    the only option in web interface is Default, how i change this ?

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy