pfSense Snort Limited Logging



  • I am trying out pfSense on my home PC, which I want to deploy in the near future as a router/firewall/IPS/web filtering system. I have downloaded Snort and am playing with a few settings. I find that the number of alerts logged under the IPS Connectivity setting is overwhelming. Is there any way to limit the logging based on the number of logs per second, etc.? I could not find those settings in the pfSense webConfigurator.

    I am also looking to stop TCP SYN flood and UDP flood attacks. Is there any way to do this with the Snort package that comes with pfSense?

    Thank you very much.



  • @pidakala:

    I am trying out pfSense on my home PC, which I want to deploy in the near future as a router/firewall/IPS/web filtering system. I have downloaded Snort and am playing with a few settings. I find that the number of alerts logged under the IPS Connectivity setting is overwhelming. Is there any way to limit the logging based on the number of logs per second, etc.? I could not find those settings in the pfSense webConfigurator.

    I am also looking to stop TCP SYN flood and UDP flood attacks. Is there any way to do this with the Snort package that comes with pfSense?

    Thank you very much.

    Suppress Lists are used in Snort to "rate limit" events. You can also suppress certain common false positives entirely. There is an older thread in the Packages sub-forum with the words "Master Suppress List" in the title. It has suggestions from several experienced Snort users.

    Snort with its associated rules is designed to look for specific attacks where the packet data matches content and metadata contained within the rules. There are scan rules that can help with TCP SYN attacks.

    Snort on pfSense offers a blocking mode that will insert an offender's IP address into a table in the pf firewall. This effectively blocks further traffic from that offender until a timeout you set expires. There is a basic How-To sticky thread posted in the Packages sub-forum for the Snort package. You may find some useful information there. There are also a number of experienced users who are regulars in that sub-forum. You can post questions there and will probably receive more and quicker replies.

    Bill
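As an added illustration of the tuning workflow Bill describes (not code from the thread or from the pfSense Snort package), the script below parses Snort alert_fast log lines, counts alerts per signature and per source, and emits Suppress List entries in Snort's threshold.conf syntax: a plain `suppress` line for signatures you have confirmed are false positives, and an `event_filter ... type limit` line that keeps one alert per source per minute for signatures that are firing in bulk. The sample alert lines, signature ids (21000xx), rule messages and addresses are all constructed placeholders; it is also assumed, as the thread suggests, that the pfSense Suppress List accepts both `suppress` and `event_filter` entries.

```python
"""Summarise Snort alert volume and draft Suppress List entries (added example)."""
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format. Signature ids,
# messages and addresses are placeholders, not real rules or real hosts.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:2100001:3] EXAMPLE SCAN noisy probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.1:22
01/15-10:23:45.223456  [**] [1:2100001:3] EXAMPLE SCAN noisy probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40002 -> 192.168.1.1:23
01/15-10:23:45.323456  [**] [1:2100001:3] EXAMPLE SCAN noisy probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40003 -> 192.168.1.1:25
01/15-10:23:45.423456  [**] [1:2100001:3] EXAMPLE SCAN noisy probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40004 -> 192.168.1.1:80
01/15-10:23:46.000000  [**] [1:2100002:1] EXAMPLE POLICY chatty app [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353
01/15-10:23:47.000000  [**] [1:2100003:2] EXAMPLE MALWARE something [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:4444 -> 192.168.1.30:1234
"""

# Pulls gid:sid:rev, the rule message, protocol and the src/dst addresses
# (ports are optional so ICMP alerts parse too).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Return one dict per recognised alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({k: m.group(k) for k in ("gid", "sid", "msg", "proto", "src", "dst")})
    return alerts


def count_by_signature(alerts):
    """Alert count keyed by (gid, sid, msg), which is what you tune against."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def top_sources(alerts, gid, sid):
    """Which source addresses are driving a given signature's volume."""
    return Counter(a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid)


def build_suppress_list(alerts, rate_count=3, known_fp_sids=(), seconds=60):
    """Draft threshold.conf-style lines for a pfSense Snort Suppress List.

    known_fp_sids: sids you have verified as false positives -> 'suppress' entirely.
    rate_count:    any other signature with at least this many alerts gets an
                   event_filter that limits it to one alert per source per 'seconds'.
    """
    lines = []
    counts = count_by_signature(alerts)
    for (gid, sid, msg), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if sid in known_fp_sids:
            lines.append(f"# {msg} ({n} alerts): verified false positive, silenced entirely")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
        elif n >= rate_count:
            lines.append(f"# {msg} ({n} alerts): keep one alert per source per {seconds}s")
            lines.append(
                f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds {seconds}"
            )
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, n in count_by_signature(parsed).most_common():
        print(f"{n:4d}  {key[0]}:{key[1]}  {key[2]}  sources={dict(top_sources(parsed, key[0], key[1]))}")
    print()
    print("\n".join(build_suppress_list(parsed, known_fp_sids=("2100002",))))
```

Note that `type limit` only reduces how often an alert is logged; the rule still matches, so blocking mode (if enabled) still acts on the first hit. A `suppress` line removes the alert entirely, so reserve it for signatures you have actually confirmed as noise rather than for anything that is merely frequent.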

