Is Snort as IPS superior to ones offered by other UTMs?



  • Hi,

    Just wondering if any of you folks have used other UTMs and done a comparison of their IPS with pfSense's Snort.

    Would you say that Snort VRT has more rules, covering more attacks?


  • Moderator

    Snort/Suricata on any UTM will use the same rulesets; it doesn't matter what the OS or UTM is. So you can use Snort VRT or Emerging Threats Open or Paid Versions of the rulesets. Suricata, however, has an issue loading approx. 600 of the Snort Rules due to incompatibility in the Ruleset, but most of these rules can be covered with the ET Ruleset.

    In regards to performance documentation, I have not seen any documentation... The only thing is that Snort/Suricata on pfSense can be used in a Quasi Intrusion Prevention Mode, meaning that pfSense Snort/Suricata is listening on a copy of the packets while allowing the original packet to pass thru. Once the IDS has analyzed the packet and an Alert is generated, it will place the IP address of the packet in the pfSense Firewall Table "Snort2c" which blocks all future packets from this offending IP. pfSense has optimized the packet processing to allow Snort/Suricata to collect the packets very early in the Packet inspection chain to make this as quick as possible.

    Future versions of pfSense will use the NetMAP API, which will improve this process to be almost a real-time Intrusion Prevention Mode. However, as is, Snort/Suricata does a decent job of blocking and only a small number of packets actually get thru before it can perform a Block.



  • Is there anything to configure to get snort into this IPS mode?


  • Moderator

    @pfs:

    Is there anything to configure to get snort into this IPS mode?

    Snort : Selected Interface (Edit) : <interface>settings</interface>

    And set the "Alert Settings section"

    1. Block Offenders
    2. Kill States
    3. Which IP to block
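    To make the "quasi-IPS" behaviour described in the two moderator posts above concrete, here is an added example (my own code, not pfSense's or the Snort package's) that replays constructed Snort fast-format alert lines and derives the addresses that would land in a snort2c-style table, honouring the "Which IP to block" choice (src, dst or both). The HOME_NET value is constructed, and the assumption that HOME_NET addresses sit on the pass list (so a false positive never blocks your own hosts) is mine.

```python
import ipaddress
import re

# Snort "fast" alert format, one alert per line (the sample lines below are constructed):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} SRC[:PORT] -> DST[:PORT]
# Only IPv4 is handled here so the address/port split stays unambiguous.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)

# Constructed LAN; assumption: HOME_NET is also the pass list that is never blocked.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def block_targets(alert, which="src", pass_list=HOME_NET):
    """Mimic the "Which IP to block" setting: src, dst or both ends of the flow.
    Pass-listed addresses are skipped, so a noisy rule cannot block the LAN itself."""
    candidates = {"src": [alert["src"]],
                  "dst": [alert["dst"]],
                  "both": [alert["src"], alert["dst"]]}[which]
    return [ip for ip in candidates
            if not any(ipaddress.ip_address(ip) in net for net in pass_list)]


def build_snort2c(lines, which="src"):
    """Replay alert lines and return the set of IPs a snort2c-style table would hold.
    Note the ordering: the packet that triggered the alert has already passed; only
    later packets from these addresses are dropped, which is the mode described above."""
    table = set()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            table.update(block_targets(alert, which))
    return table


# Constructed sample alerts using SIDs from the local-rule range (1000000+).
SAMPLE_ALERTS = [
    "03/21-10:15:32.123456  [**] [1:1000001:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234",
    "03/21-10:15:40.000001  [**] [1:1000002:1] LOCAL SIP scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 192.168.1.1:5060",
    "03/21-10:16:01.555555  [**] [1:1000003:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20",
]
```

Running `build_snort2c(SAMPLE_ALERTS, "src")` blocks the two external sources but not the LAN host behind the ICMP alert; with `"dst"` nothing is blocked at all, because every destination in the sample is inside HOME_NET.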



  • hi,

    I added the WAN interface to Snort Interfaces. But there is an exclamation mark saying: "WARNING: Marked interface currently has no rules defined for Snort"
    I have entered my VRT subscription code and did an update, but this message still appears? I have edited the WAN interface, and went to the WAN Rules tab and added all the rules for each category (decoder rules and preprocessor rules, and chose not to add sensitive data rules).

    EDIT: never mind the warning above, I found this page in the forum that documents what I need to start snort properly:

    Also I noticed in Edit WAN interface, the Home net and External net View List are the same IPs.



  • @pfs:

    Also I noticed in Edit WAN interface, the Home net and External net View List are the same IPs.

    Except in EXTERNAL NET they should all be preceded with an exclamation point (!), which means "not", so IPs that are not in HOME NET.

    Bill



  • @BBcan177:

    @pfs:

    Is there anything to configure to get snort into this IPS mode?

    Snort : Selected Interface (Edit) : <interface>settings</interface>

    And set the "Alert Settings section"

    1. Block Offenders
    2. Kill States
    3. Which IP to block

    So doing so will put Snort from IDS to IPS mode?



  • @Snailkhan:

    So doing so will put Snort from IDS to IPS mode?

    BBCan177 answered your question very well in the second post of this thread.

    https://forum.pfsense.org/index.php?topic=94003.msg521687#msg521687

