Can someone clue me in on Snort?
-
Snort looks like a project that's flexible and useful. It also seems quite complex, and I'm having trouble getting my head wrapped around it and the benefits it can (or can't) provide. The good news is it looks pretty easy to enable on pfSense.
Can y'all give me a brief overview of how enabling Snort on your firewall helps secure your network, and how much effort it takes? Is it worth the time and effort? Is it the sort of application that protects against attacks against vulnerable applications, or is it more of a monitoring tool that allows you to track interest in your servers and look for aberrations as an indicator of a problem?
-
Enabling it is little more than ticking the box. The effort it takes to tune it so that the alerts are (mostly) true positives, with a minimal number of false positives and false negatives, may take you weeks or months if you want to do it properly. One (snort) IDS I manage has been operating for over 2 years now and the rules are still being tuned (mostly adding new ones these days).
As for whether it blocks or alerts - that's your choice. I would strongly advise that you run it in alert only mode until you're happy that the rules are correctly tuned.
Just keep in mind that it's only as effective as the signatures - it can't alert or block malicious traffic based on signatures it doesn't have. For more information on snort see their web site - www.snort.org.
-
Assuming you have enough traffic, it helps to start with one rule category at a time and run whois searches on the blocked IPs. Not an exact science, but if the IPs are coming from countries you don't typically get traffic from, it's a safe bet that rule can stay.
To speed up the whois I turned the blocked page into clickable links.
at /usr/local/www/snort_blocked.php line 109 changed to:
echo "\n {$ww_ip}";
note the escaped "
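The tuning workflow the two replies above describe (run alert-only first, then go through one rule category at a time and look at which source IPs trip each rule) is easier with a quick summary of the alert log. The script below is an added example and is not code from the thread or from the pfSense Snort package: it parses Snort's alert_fast format, counts hits per SID and per source, lists the external sources you would feed to whois, and emits threshold.conf-style suppress/event_filter lines for rules that only ever fire from inside the network. The alert lines are constructed sample data, and the INTERNAL_NETS list is an assumption about the LAN.

```python
"""Summarise Snort alert_fast lines to find noisy rules while tuning.

Added example, not from the pfSense thread. The alert lines in
SAMPLE_ALERTS are constructed, and INTERNAL_NETS is an assumed LAN layout.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# alert_fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:port -> dst:port   (ICMP alerts carry no ports)
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Assumption: these are the networks behind the firewall. Rules that fire
# only from here are usually false positives (or your own scanners).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample alerts (two internal hits on one rule, three external on another).
SAMPLE_ALERTS = """\
01/28-22:11:03.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234
01/28-22:11:05.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.7:51240
01/28-22:12:44.500000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44551 -> 192.168.1.1:22
01/28-22:12:45.500000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:60112 -> 192.168.1.1:22
01/28-22:13:01.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44552 -> 192.168.1.1:22
this line is not an alert and must be skipped
"""


def is_internal(ip):
    """True when the address falls inside one of the assumed LAN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alerts(text):
    """Return one dict per parseable alert line; non-matching lines are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
            alerts.append(d)
    return alerts


def summarise(alerts):
    """Group alerts by SID: total count, message, and hits per source IP."""
    summary = defaultdict(lambda: {"gid": 1, "msg": "", "count": 0, "sources": Counter()})
    for a in alerts:
        entry = summary[a["sid"]]
        entry["gid"], entry["msg"] = a["gid"], a["msg"]
        entry["count"] += 1
        entry["sources"][a["src"]] += 1
    return dict(summary)


def external_sources(summary):
    """Sorted unique non-LAN source IPs: the list to run whois against."""
    ips = {ip for e in summary.values() for ip in e["sources"] if not is_internal(ip)}
    return sorted(ips)


def tuning_suggestions(summary, limit_seconds=60):
    """threshold.conf lines: suppress rules that fire only from the LAN,
    rate-limit rules that fire repeatedly from external hosts."""
    lines = []
    for sid, e in sorted(summary.items()):
        srcs = list(e["sources"])
        if all(is_internal(ip) for ip in srcs):
            for ip in sorted(srcs):
                lines.append(f"suppress gen_id {e['gid']}, sig_id {sid}, track by_src, ip {ip}")
        elif any(n > 1 for n in e["sources"].values()):
            lines.append(f"event_filter gen_id {e['gid']}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds {limit_seconds}")
    return lines


if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_ALERTS))
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{e['count']:4d}  {sid}  {e['msg']}  sources={dict(e['sources'])}")
    print("whois these:", ", ".join(external_sources(summary)))
    print("\n".join(tuning_suggestions(summary)))
```

Point it at the real log (on pfSense the package keeps per-interface alert files under /var/log/snort) instead of SAMPLE_ALERTS, and treat the generated lines as candidates to review, not something to paste into the suppress list blindly: a rule that only fires from inside the LAN may be a false positive, or it may be a compromised host.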
-
Thanks for the replies, folks. Sounds like this will be something that will take a few hours per week to stay on top of, kind of like spam filtering…