Snort Setup.



  • I have installed Snort.

    Added my wan interface and ticked block src.
    Downloaded the rules.
    Ticked all the categories
    set pre-processing with a tick on port scanning.
    and enabled the snorth interface.

    But doing a port scan on the wan side does nothing?

    Any ideas?

    TT



  • Hi, try to enable more preprocessors, like http_inspect, to decode incoming packets…
    are there any alerts triggered? have you downloaded and activated all related rules (port scan)... which tool are you using for port scans? nmap works great to try to detect portscans... be sure that the scanning host is not inside of your homenet, otherwise, there will no alert if your host is in your $HOME_NET variable.



  • Hmm..

    How does it determin "homenet" and "extnet" defaults?

    I want any host on one interface to be blocekd if it does a port scan. Nothing more complex than that.

    Do I need nmap installed on pFs for port scan detection to work?

    Does SNORT sit before the main incommign firewall rules?

    Cheers

    Rob



  • well, the homenet is usually the subnet in which your firewall is in, for example 192.168.1.0/24…  check your configuration for this in /usr/local/etc/snort/snort_???_yourInterface/snort.conf , try to read and open this file, it contains your $HOME_NET values. $EXTERNAL_NET is everything else. So be sure that the portscanning host is not in your homework and not listed in a whitelist, or the alarm is not being triggered or blocked. You dont need to install scanning tools like nmap on your firewall, just install it on an external host (not inside your subnet) and try to scan your firewall

    Depending on which interface you installed your snort sensor, you are able to place snort in front or behind your firewall rules, that means that your WAN-interface sees all incoming traffic, your LAN-interface only that kind of traffic which successfully passed your firewall rules.



  • Re: Port Scanning
    You can also use a website to do a Security Port Scan on your Firewall to test/trigger an alert in Snort.
    Try this site: https://www.grc.com/x/ne.dll?bh0bkyd2



  • The PFS is nowhere near the internet, we are using it as a captive portal between our students BYOD and our Citrix VDI. The only thing the can do is get to the VDI server on port 443, but we want to detect port scans to identify students who are potentially attempting to circumnavigate our systems.

    The wan side firewall blocks everything apart from

    80,443,800,53 to the gateway ip
    443 to the VDI server on the LAN side of the network.

    the BYOD is on a x.x.x.x/23 network on the wan interface so we want to spot any client on that network hitting the wan interface with a port scan.

    I don't much care for any other attack detection at present just port scans.

    Cheers

    Rob



  • I've got the same problem. I applied all kinds of port scans from different applications "Nmap, MegaPing..etc" and even used the GRC website but Snort didn't view any alerts even though I have selected all categories and checked the Enable Port Scan detect under "General Preprocessor Settings" but nothing is showing! ? ??? ???
    could this be a bug or is it working for someone else?



  • I removed the snort package. restarted PFsense then reinstalled the package and it worked for me ..


Locked