Recommendation for home user with VPN, Snort & fanless
-
Does it catch much on your home network? What does it catch?
I ask because I gave up running Snort at home after I was getting more false positives than anything useful. That was some time ago though and I'm not running any hime servers (currently).Steve
I've had a few people come over with laptops which had Zeus trying to hit CnC servers. I've also had it catch a few 0-Day exploits on web sites. I use it mostly for malware blocking.
Getting it configured correctly so it doesn't constantly block everything you do is the hardest part.
-
Ah, interesting thanks. ;)
Agreed, stopping it blocking everything is what I gave up trying in the end. Too many complaints, not enough perceived advantage.
Back in the day I used to run it in IPCop (by just checking the box) and never really had any issues but also never caught anything. That was on a box with 196MB. Times change, I guess Snort is able to detect far more than it could 10+ years ago.Steve
-
Ah, interesting thanks. ;)
Agreed, stopping it blocking everything is what I gave up trying in the end. Too many complaints, not enough perceived advantage.
Back in the day I used to run it in IPCop (by just checking the box) and never really had any issues but also never caught anything. That was on a box with 196MB. Times change, I guess Snort is able to detect far more than it could 10+ years ago.Steve
I too ran IPCop back in the day along with Snort on an old Dell P-III machine with 256meg of RAM. Most of the blocks were actually unnoticed. Since the hardware was very limited I only had it snort on the WAN (RED Network). I also was running some package that blocked IPs for port scans which worked pretty well. Over time IPCop started to age with no real updates so I looked around for something better which lead me to PfSense after trying out other firewalls.
Just a side note a group of devs forked IPCop which is now called IPFire and very active in development. For simple home use IPFire is fine but I prefer PfSense's advanced features and flexibility.
-
I have snort on my wan at home, the sheer amount of alerts it pops up as having blocked (incoming mainly) is both comforting and concerning at the same time. Yes it is a hassle but I believe it has stopped more problems than it has caused
-
Hmm, I'll have to give it a try again.
-
Interesting aside on the merits of snort for home use. I'm another IPCop user that made the switch years ago. I do remember running Snort and their caching accelerator (quasi-Squid).
I still have a Snort-code but don't currently use it - too much maintenance for what it captures. Now that you're (we're) thinking about resurrecting the package, have you kept up with the VHS-BETA discussion going on in the packages forum re: Suricata vs Snort? There's some persuasive and well structured thought seemingly going into Suricata that I find appealing.
The setup of either of them is still more Black Magic than I like but at least Suricata seems to be coming from a KISS principle first whereas Snort feels like an evolution that has reached the "we need to add one more thing" stage.
PS - Stephen, I sympathize on the lost text. I've taken to highlighting my entire posts and hitting Ctrl-C just before I post. The other thing that works for me (I also use Firefox) is to not set the "Stay logged in" flag, I use a timeout of 600 mins. A little annoying as I have to log back in once or twice a day, but I have had way fewer cookie/cache timeouts and lost posts.
-
PS - Stephen, I sympathize on the lost text. I've taken to highlighting my entire posts and hitting Ctrl-C just before I post. The other thing that works for me (I also use Firefox) is to not set the "Stay logged in" flag, I use a timeout of 600 mins. A little annoying as I have to log back in once or twice a day, but I have had way fewer cookie/cache timeouts and lost posts.
Just remember not to swear when that happens!!!
I have had some success to fix this issue. When it times out, open a second window and login to pfSense Forum again. Then go back to the previous windows and either refresh or click back.. Trying to remember the exact steps without repeating a timeout!! ;)
I am a big fan of using Snort, I would always recommend putting it into non-blocking mode and as you have time disable the rules that are causing FPs, and add suppression as you need. Then once you have it tuned, you can put it into Blocking Mode.
If Pulled Pork was utilized properly, we could use enablesid and disablesid.conf files which you could more easily copy and paste settings to enable/disable rulesets more easily.
so Steve.. Jump in… ;)
-
I've been meaning to give Securicata a try ever since bmeeks anounced his package. Time to try that too.
@BBcan177:so Steve.. Jump in… ;)
If you're asking me to help with integrating Pulled Pork then you clearly haven't ever read any code I've "written". :P
Steve
-
If you're asking me to help with integrating Pulled Pork then you clearly haven't every read any code I've "written". :P
no comment, have you seen mine? ::)
Stephen
-
I've been meaning to give Securicata a try ever since bmeeks anounced his package. Time to try that too.
@BBcan177:so Steve.. Jump in… ;)
If you're asking me to help with integrating Pulled Pork then you clearly haven't every read any code I've "written". :P
Steve
Suricata is a lot more involved. I personally would stick with Snort until Suricata goes thru another few versions. It also a little piggy on memory.
Bill is really doing a fantastic job at managing the Snort and Suricata packages. Integrating Pulled pork was just to let you know that if it was integrated, we could post a basic ruleset that you could copy/paste and be ahead of the curve.
I think we need to convince the pfSense Devs that its a change for the better. (politics!)
For all the help you do on a daily basis to others, we are extending our full support to help you get up and running with an IDS of your choice and no software writing lol :)
-
This post is deleted!