Netgate Discussion Forum

    Snort Setup.

    pfSense Packages
    8 Posts 4 Posters 3.6k Views
    twinturbo

      I have installed Snort.

      Added my wan interface and ticked block src.
      Downloaded the rules.
      Ticked all the categories
      set pre-processing with a tick on port scanning.
      and enabled the Snort interface.

      But doing a port scan on the wan side does nothing?

      Any ideas?

      TT

      moe2006

        Hi, try to enable more preprocessors, like http_inspect, to decode incoming packets.
        Are there any alerts triggered? Have you downloaded and activated all related rules (port scan)? Which tool are you using for port scans? nmap works great to try to detect portscans. Be sure that the scanning host is not inside of your homenet; otherwise, there will be no alert if your host is in your $HOME_NET variable.

        twinturbo

          Hmm..

          How does it determine "homenet" and "extnet" defaults?

          I want any host on one interface to be blocked if it does a port scan. Nothing more complex than that.

          Do I need nmap installed on pFs for port scan detection to work?

          Does SNORT sit before the main incoming firewall rules?

          Cheers

          Rob

          moe2006

            Well, the homenet is usually the subnet in which your firewall is in, for example 192.168.1.0/24. Check your configuration for this in /usr/local/etc/snort/snort_???_yourInterface/snort.conf; try to read and open this file, it contains your $HOME_NET values. $EXTERNAL_NET is everything else. So be sure that the portscanning host is not in your homenet and not listed in a whitelist, or the alarm is not being triggered or blocked. You don't need to install scanning tools like nmap on your firewall; just install it on an external host (not inside your subnet) and try to scan your firewall.

            Depending on which interface you installed your snort sensor on, you are able to place snort in front of or behind your firewall rules: your WAN interface sees all incoming traffic, while your LAN interface only sees the traffic which successfully passed your firewall rules.

            humps

              Re: Port Scanning
              You can also use a website to do a Security Port Scan on your Firewall to test/trigger an alert in Snort.
              Try this site: https://www.grc.com/x/ne.dll?bh0bkyd2

              twinturbo

                The PFS is nowhere near the internet; we are using it as a captive portal between our students' BYOD and our Citrix VDI. The only thing they can do is get to the VDI server on port 443, but we want to detect port scans to identify students who are potentially attempting to circumnavigate our systems.

                The wan side firewall blocks everything apart from

                80,443,800,53 to the gateway ip
                443 to the VDI server on the LAN side of the network.

                The BYOD is on an x.x.x.x/23 network on the wan interface, so we want to spot any client on that network hitting the wan interface with a port scan.

                I don't much care for any other attack detection at present just port scans.

                Cheers

                Rob

                moh10ly
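moe2006's explanation above (a scanner sitting inside $HOME_NET produces no port-scan alert) and twinturbo's /23 BYOD subnet on the WAN interface both come down to the same check: which of HOME_NET or EXTERNAL_NET the scanning host falls into according to the generated snort.conf. The following script is an added example, not code from the thread or from the pfSense Snort package. It reads the `ipvar` lines from a constructed snort.conf fragment (the real file on pfSense lives under the /usr/local/etc/snort/snort_???_yourInterface/ path mentioned above; the subnets 192.168.1.0/24 and 10.10.0.0/23 and the IPs tested are made up), resolves `$REF` and `!` negation the way Snort's ipvar lists work, and reports how a given source address would be classified. It also confirms that an `sfportscan` preprocessor line is present at all.

```python
import ipaddress
import re

# Constructed sample of the relevant lines from a pfSense-generated snort.conf.
# The 10.10.0.0/23 stands in for the thread's "x.x.x.x/23" BYOD network and is
# deliberately placed inside HOME_NET to show the effect described in the thread.
SAMPLE_SNORT_CONF = """\
# ... other settings ...
ipvar HOME_NET [192.168.1.0/24,10.10.0.0/23]
ipvar EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
"""


def parse_ipvars(conf_text):
    """Return a dict of ipvar name -> list of tokens (CIDRs, IPs, $refs, 'any')."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*ipvar\s+(\w+)\s+(.+?)\s*$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        # Snort wraps multi-entry lists in square brackets.
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        ipvars[name] = [tok.strip() for tok in value.split(",") if tok.strip()]
    return ipvars


def ip_matches_var(ip, name, ipvars, _depth=0):
    """True if `ip` falls inside ipvar `name`.

    Semantics: the address must hit at least one positive token (a list made
    only of negated tokens means "everything except"), and must not hit any
    negated token. `$REF` tokens are resolved recursively.
    """
    if _depth > 10:
        raise ValueError("ipvar reference loop detected")
    addr = ipaddress.ip_address(ip)
    positive_hits, negative_hits, positives_present = False, False, False
    for tok in ipvars.get(name, []):
        negate = tok.startswith("!")
        tok = tok[1:] if negate else tok
        if tok == "any":
            hit = True
        elif tok.startswith("$"):
            hit = ip_matches_var(ip, tok[1:], ipvars, _depth + 1)
        else:
            hit = addr in ipaddress.ip_network(tok, strict=False)
        if negate:
            negative_hits = negative_hits or hit
        else:
            positives_present = True
            positive_hits = positive_hits or hit
    if not positives_present:
        positive_hits = True
    return positive_hits and not negative_hits


def classify_scanner(ip, conf_text):
    """Report whether Snort treats `ip` as HOME_NET or EXTERNAL_NET."""
    ipvars = parse_ipvars(conf_text)
    return {
        "ip": ip,
        "in_home_net": ip_matches_var(ip, "HOME_NET", ipvars),
        "in_external_net": ip_matches_var(ip, "EXTERNAL_NET", ipvars),
    }


def sfportscan_enabled(conf_text):
    """True if an sfportscan preprocessor line is present in the config."""
    return any(line.strip().startswith("preprocessor sfportscan")
               for line in conf_text.splitlines())


if __name__ == "__main__":
    print("sfportscan configured:", sfportscan_enabled(SAMPLE_SNORT_CONF))
    for test_ip in ("192.168.1.50", "10.10.1.7", "203.0.113.9"):
        result = classify_scanner(test_ip, SAMPLE_SNORT_CONF)
        note = ("inside HOME_NET: a scan from here is not expected to alert"
                if result["in_home_net"] else
                "EXTERNAL_NET: a scan from here should be able to alert")
        print(f"{test_ip}: {note}")
```

Running this against the real file from the path in moe2006's post shows whether the /23 BYOD network has ended up inside HOME_NET (for example via pfSense's automatic inclusion of locally attached networks), which would explain a scan from a BYOD client producing nothing even with the port-scan preprocessor ticked.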

                  I've got the same problem. I applied all kinds of port scans from different applications "Nmap, MegaPing..etc" and even used the GRC website, but Snort didn't view any alerts even though I have selected all categories and checked the Enable Port Scan detect under "General Preprocessor Settings", but nothing is showing!
                  could this be a bug or is it working for someone else?

                  Power is Knowledge.

                  moh10ly

                    I removed the snort package, restarted pfSense, then reinstalled the package and it worked for me.

                    Power is Knowledge.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.