Snort Deployment



  • Hey all,

    I've used snort at end user/remote locations effectively, but I'm considering using it on a firewall pair which protects a few web servers and other application boxes.

    I want to avoid being too strict and blocking legitimate traffic, so the goal would be to go after some of the low hanging fruit: port scans, known bots, etc…

    I'm looking for advice, nothing too detailed or specific on the technical part of deployment, but more so of... "use this rule set" or "maybe try this obscure setting".

    Also if anyone has a good way to use dyndns + whitelists so that I'm never locked out from trusted devices/networks... that would be awesome!

    Fully willing to make this a bounty for anyone who is confident they can provide a professional solution.


  • Banned

    It's no problem to do :)



  • I guess my biggest concern is not locking myself out unintentionally. So coming up with a way to ensure I can 1. automatically update dynamic dns entries or 2. manually update.


  • Banned

    You just whitelist your IP in Snort and that's how it's done.

    Or use RDP to gain access to the LAN and take the webgui from there.



  • @MikeX:


    I'm looking for advice, nothing too detailed or specific on the technical part of deployment, but more so of... "use this rule set" or "maybe try this obscure setting".

    http://forum.pfsense.org/index.php/topic,64674
    Make sure you read every single post on that thread.

    As for locking yourself out, if you are on a dynamic IP (I saw that you mentioned dynamic DNS) then you just change the IP you are remoting in from. Or just whitelist it as mentioned above.
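    As an added example (not posted by anyone in this thread), a small script for the dyndns + whitelist question: it resolves the trusted dynamic hostnames, merges them with static trusted networks and rewrites a Snort pass list only when the contents change, and a failed DNS lookup never removes the current whitelist, so a dyndns hiccup cannot lock you out. It assumes the pass list is a plain text file with one IP or CIDR per line; the path, hostnames and addresses are constructed placeholders.

```python
import ipaddress
import socket
from pathlib import Path

# Constructed sample input: static trusted networks plus dyndns names (placeholders).
STATIC_ENTRIES = ["192.0.2.0/24", "198.51.100.7"]
DYNDNS_HOSTS = ["office.example.dyndns.invalid"]
PASS_LIST_PATH = "/tmp/snort_passlist.txt"  # hypothetical location


def resolve_host(hostname):
    """Return the IPv4/IPv6 addresses a hostname currently resolves to ([] on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_pass_list(static_entries, dynamic_addrs):
    """Validate, deduplicate and collapse all entries into one network per line."""
    nets = []
    for entry in list(static_entries) + list(dynamic_addrs):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip unparsable entries rather than emit a line Snort rejects
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def update_pass_list(path, static_entries, hosts, resolver=resolve_host):
    """Rewrite the pass list only when it changed; return True if Snort needs a reload.
    If any hostname fails to resolve, the existing file is left untouched."""
    dynamic = []
    for host in hosts:
        addrs = resolver(host)
        if not addrs:
            return False  # keep last known good whitelist instead of shrinking it
        dynamic.extend(addrs)
    new_lines = build_pass_list(static_entries, dynamic)
    path = Path(path)
    old_lines = path.read_text().split() if path.exists() else []
    if new_lines == old_lines:
        return False
    path.write_text("\n".join(new_lines) + "\n")
    return True


if __name__ == "__main__":
    print("reload needed:", update_pass_list(PASS_LIST_PATH, STATIC_ENTRIES, DYNDNS_HOSTS))
```

    Run it from cron; when it returns True, trigger whatever reload the Snort installation uses so the new whitelist takes effect.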

