Netgate Discussion Forum
    Snort in a home environment?

    Damned

      Hi!

      I've been fooling around with snort, mainly for testing purposes and because I like to fool around with stuff I have absolutely no knowledge about :)

      That being said, I've acquired a free oinkmaster code, using the community rules, and set it to 'connectivity'.

      I thought this would be the lightest setting, but it turns out, it shuts me out from almost everything, which in itself is pretty cool! :D

      My first problem arose with LogMeIn which I use to remote control my Windows PC. LogMeIn servers got blocked, so I had to scan through the logs, find their IPs, and whitelist them.
      After that, the server IP to the webmail I use got blocked, so I had to whitelist that as well. Something about a HELO snort didn't like.

      If that wasn't enough, after installing a new NIC and doing a reboot snort even blocked my WAN IP! I had no interwebs at all, so I had to whitelist my own IP as well... an IP that is bound to change in the near future...
      Weird thing about this one was that my WAN IP showed, but in the 'alert description' a lot of known Russian networks were listed. Also, my so far 600 blocked IPs disappeared entirely after the reboot.

      The above is fine though. Last night I was gonna game with a friend. We use a TS3-server which I host at home, and he could join fine, say a few words to me - and then he dropped. Turns out his IP got blocked as well.
      I whitelisted him, all good. Then either steam or a gameserver got blacklisted as well and the in-game server browser wouldn't give the list of available game servers...

      At this point I had to turn off snort.

      I understand that snort may be a more corporation-like IDPS and maybe not intended for home/entertainment environments. But I want to learn and I find it very interesting to play with things like these... which is the main reason I use pfSense at all, when a random $50 router would suffice for my needs.

      So how do I gain control over snort? I can't keep whitelisting stuff as they get blocked - just finding out all IPs/networks that need to be whitelisted is a pain, and I spent a few hours to find the LogMeIn and Google networks I needed to whitelist.

      Can I even gain control over snort? If someone could give me a few hints, or point me in the right direction it would be very much appreciated!

      Another thing I would like to put out there. As you can see, I'm not a very experienced user. But whenever I've asked for help, either here or in IRC, people have been very kind and helpful. Even if my questions could have been simple/silly, no one has stepped on me or made me feel dumb. For that, I'd like to thank the community, and whatever individuals have helped me out in the past. Thank you.

      doktornotor

        You might find this thread useful.

        P.S. Your experience pretty much matches anyone else's when it comes to getting started with snort. I like to set up firewalls as "set it and forget it". Not babysit them 24/7. Snort is simply not for me and frankly I'd not recommend it to anyone unless for learning purposes.

        bmeeks

          Snort is more for a commercial environment with regards to the rules out there today. While you can certainly use it at home (I do), you must be prepared to do quite a bit of whitelisting and other tuning if you do anything on your network that is too much outside the mainstream of web, e-mail and simple stuff like that. The problem with blacklisting (which is what a number of Snort rules do) is that you inevitably vacuum up "good" IPs in the list of "bad" IPs. This is especially true when the blacklisted IP happens to be a hosting service or major Co-Lo center. One bad apple in the data center can get the whole IP block on many of the "bad" lists (just like e-mail with spammer blacklisting).

          As for your issue with swapping NIC cards, that's expected unless the card is pretty much identical to the old one. Part of the "interface name" in the Snort configuration is derived from the driver ("em" for some Intel cards, "re" for Realtek, etc.). So if you changed NIC chipsets, Snort would no longer recognize your WAN interface correctly. You can simply delete the interface in Snort and then add it back to pick up the new NIC chipset name.

          Bill

          Craigusoz
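          The tuning both replies describe (finding which rules keep firing on legitimate hosts and then silencing those hits narrowly, rather than whitelisting every address that gets blocked) is easier with a quick triage of the alert log. The script below is an added example, not code from this thread or from the pfSense Snort package. It parses Snort's "alert_fast" line format, counts hits per rule, lists which rules fired on a given host, and emits Snort "suppress" entries (the same threshold.conf syntax the pfSense package's suppress list uses) that mute one rule for just the hosts it fired on. The sample alert lines, SIDs and addresses are constructed for the example; the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample of Snort "alert_fast" output. The SIDs (9000001..), hosts
# and messages are made up for this example and are not rules from the thread.
SAMPLE_ALERTS = """\
01/12-20:15:01.123456  [**] [1:9000001:1] EXAMPLE BLACKLIST Known bad host inbound [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:443
01/12-20:15:02.000001  [**] [1:9000001:1] EXAMPLE BLACKLIST Known bad host inbound [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:51235 -> 192.0.2.10:443
01/12-20:16:10.500000  [**] [1:9000002:3] EXAMPLE SMTP Suspicious HELO [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:49152 -> 203.0.113.25:25
01/12-21:02:44.250000  [**] [1:9000003:2] EXAMPLE UDP Unusual port for game traffic [**] [Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 203.0.113.80:9987 -> 192.0.2.10:9987
01/12-21:03:00.000000  [**] [1:9000004:1] EXAMPLE ICMP Echo flood [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification
# and priority, {protocol}, then "src[:port] -> dst[:port]". IPv4 only here.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_by_rule(records):
    """Aggregate hits per rule (gid:sid): count, message, and the hosts involved."""
    summary = OrderedDict()
    for r in records:
        key = f"{r['gid']}:{r['sid']}"
        entry = summary.setdefault(key, {"msg": r["msg"], "count": 0, "src": set(), "dst": set()})
        entry["count"] += 1
        entry["src"].add(r["src"])
        entry["dst"].add(r["dst"])
    return summary


def rules_hitting_host(records, ip):
    """Sorted gid:sid list of rules that fired with this host as source or destination."""
    return sorted({f"{r['gid']}:{r['sid']}" for r in records if ip in (r["src"], r["dst"])})


def suppress_entries(records, rule_key, track="by_src"):
    """Build threshold.conf 'suppress' lines that silence one rule for only the hosts
    it actually fired on (tracked by source or destination), rather than whitelisting
    those hosts for every rule."""
    gid, sid = rule_key.split(":")
    field = "src" if track == "by_src" else "dst"
    hosts = sorted({r[field] for r in records if (r["gid"], r["sid"]) == (gid, sid)})
    return [f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {h}" for h in hosts]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for key, e in summarize_by_rule(recs).items():
        print(f"{key:<12} {e['count']:>4}  {e['msg']}  src={sorted(e['src'])} dst={sorted(e['dst'])}")
    print("rules involving 192.0.2.10:", rules_hitting_host(recs, "192.0.2.10"))
    print("\n".join(suppress_entries(recs, "1:9000002", track="by_dst")))
```

          Run it against a real alert file by replacing SAMPLE_ALERTS with the file's contents; the per-rule table shows which few signatures produce most of the noise (those are candidates for disabling, as Craigusoz describes), and the suppress lines let you keep a rule active while exempting the one mail server or game host it keeps tripping on.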

            My approach (also in a home environment) is to judiciously hand-select individual rules. I find the ET ruleset quite useful.
