Netgate Discussion Forum

RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

pfSense Packages
171 Posts 26 Posters 186.7k Views
    eliteassassin07
    last edited by Feb 1, 2015, 4:44 AM

    @jflsakfja:

    This is the final rule post in this topic. Moving forward, the rules will be found in the suricata topic, which I'll create in a couple of days. I strongly advise all to move to suricata and stop using snort.

    With that out of the way, here's the rule updates:

    By the way, this is the post that made me think you had stopped posting in this section…

      Wepee
      last edited by Feb 22, 2015, 8:28 AM

      @bmeeks:

      @Wepee:

      Ok, I went into my pfSense Web interface, went to Diagnostics - Backup/Restore,
      pressed the download configuration button, and the config.xml was
      downloaded to my PC.

      I opened up the config-pfsense-20150129111734.xm file and looked for the xml element =
      But I couldn't find it. Am I looking in the wrong place? :(

      I double checked Snort rules are loaded, by going to WAN categories.

      Any idea, why??? ::)

      See the attached pictures.

      I understood you formerly had manually forced disabled/enabled rules BEFORE you upgraded, and now after upgrading those manual changes were missing.  In order to see the old changes, you would need to have access to a config.xml file saved BEFORE you upgraded.  The current one will not have the tags because they were lost when your interfaces were shuffled around.  It sounds like you created a totally new Snort configuration.  If that is the case, then all of your old changes were lost unless you did a configuration backup BEFORE you did the last update.

      Sorry if I misled you.  I was assuming you had some old backups of your config.xml files stored offline.  You should be able to find older config.xml files still stored on the firewall in the /cf/conf/backup directory.  You could look in one of those older files for the tags.

      Bill

      Hi bmeeks

      Thank you for responding to my question.

      Ok, I have done some screen captures.

      So in future, I can copy all the forced-off rules (GID:SID) from within <rule_sid_off> to </rule_sid_off>

      Then paste them into the old config.xml file, if I have somehow lost the configuration setting in Snort for
      handling FALSE positives??? :)

      Snort_Rules_rule_sid_off(rules-forced-to-turn-off)_part1of2.jpg
      Snort_Rules_rule_sid_off(rules-forced-to-turn-off)_part2of2.jpg

        bmeeks
        last edited by Feb 23, 2015, 2:00 AM

        @Wepee:

        So in future, I can copy all the forced-off rules (GID:SID) from within <rule_sid_off> to </rule_sid_off>

        Then paste them into the old config.xml file, if I have somehow lost the configuration setting in Snort for
        handling FALSE positives??? :)

        You are correct.  Copying and pasting the section you have highlighted will preserve the disabled rules.

        Bill

          Wepee
          last edited by Feb 23, 2015, 8:26 AM

          Thanks bmeeks ;D

          If there is a future update to the Snort package, e.g. right now it is 2.9.7.0 pkg v3.2.3,
          say there is a newer version 2.9.8.0 pkg v3.4.0 and I proceed to update.

          Does the update reset the disabled rules and go back to the default settings??? ::)

            bmeeks
            last edited by Feb 23, 2015, 9:44 PM

            @Wepee:

            Thanks bmeeks ;D

            If there is a future update to the Snort package, e.g. right now it is 2.9.7.0 pkg v3.2.3,
            say there is a newer version 2.9.8.0 pkg v3.4.0 and I proceed to update.

            Does the update reset the disabled rules and go back to the default settings??? ::)

            No, updates to the package will remember and use all of your current settings so long as you have the checkbox ticked on the GLOBAL SETTINGS tab to "keep settings on deinstall".  I've made that default to "checked" on new greenfield installs, but you can double check on your setup to ensure the checkbox is checked.

            Bill

              sstretchh
              last edited by Sep 13, 2015, 9:49 PM

              The first post in this thread for the Snort set up was in 2013. Is that information for initial setup still valid?

              I am a noob to pfSense and just got mine up and running and am just now about to install Snort for the first time.

                Ramosel
                last edited by Oct 22, 2015, 3:10 PM

                @ninjaneer:

                The first post in this thread for the Snort set up was in 2013. Is that information for initial setup still valid?

                I am a noob to pfSense and just got mine up and running and am just now about to install Snort for the first time.

                I'm not far behind you….  But I have been using it for a couple of years and have just had to revisit it, as health issues kept me from spending the time to update to the new versions under 2.2.4.  I'll say this is very close to still ringing true, with some minor differences that I was able to work around in pfBlocker, Snort and the rules setup.  My thanks to Bill for his help getting my system back up.  I'm still tweaking on it a bit every day.

                I'd love to see Demetris update this but I know he is very deep into Suricata and he too is recovering from a serious health issue.

                On that note...  while rebuilding my aliases, I discovered many of the lists I had used were either abandoned, had slight name changes or were just no longer available.

                Does anyone who really stays current have a good group of the current blocklists they import they would care to post??

                Thanks,
                Rick

                  Jeremy4k
                  last edited by Aug 16, 2016, 12:26 PM

                  If you don't mind me asking (stupidly): What's the point of this?
                  Can't I just enable all and be done with it?! Is this just for a few MB's of ram savings?

                    Ramosel
                    last edited by Aug 20, 2016, 1:14 PM

                    @Jeremy4k:

                    If you don't mind me asking (stupidly): What's the point of this?
                    Can't I just enable all and be done with it?! Is this just for a few MB's of ram savings?

                    While there are certainly some RAM savings (mine were significant), it has more to do with settings and processing behaviors.  The OP also had a deep understanding of the rules and their history and knew which rules were old and obsoleted and which new rules were causing false positives.

                    Yep, you can turn them all on…  expect some problems getting to things.

                    But depending on your needs and places you go you'll find yourself doing some tweaking anyway.

                      chrcoluk
                      last edited by Jan 14, 2017, 2:56 AM

                      The missing emerging-dshield IP list might be this URL?
                      http://feeds.dshield.org/top10-2.txt

                      pfSense CE 2.7.2

                        GaryLeech
                        last edited by Oct 12, 2023, 1:59 PM

                        It's relevant for me too, thank you for the explanation.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.