Snort behind an external firewall - Is there a need for Snort?



  • Good day all,

    I'm wondering if I can get some clear answers regarding the need, if any, of Snort behind an external (of pfSense) firewall?

    For instance, currently I am using pfSense in bridge mode (LAN & DMZ) with the firewall turned off. I am strictly using it for caching (Squid) and content filtering (SquidGuard).

    I currently have Snort installed, configured how I like on the DMZ (connected to external firewall) but it doesn't seem to be doing anything but taking up CPU/RAM resources and maybe some bandwidth.

    The "Alerts" tab is filled with a bunch of "unknown Traffic", "(http_inspect) UNKNOWN METHOD" and "Not Suspicious Traffic" "(http_inspect) DOUBLE DECODING ATTACK".

    Other than a few "false positives" involving it giving internal LAN communication a 'hard time' which I have 'Suppressed', it just seems like it is not doing anything, "it is just there" being a "cpu/ram" hog. :-/

    Your thoughts would be appreciated.



  • Not sure I get your "external firewall" set up, but…

    You are right... let your RAM/CPU do the bitcoin mining for the Russian business network, through their rootkit well installed in your network... instead of IDSing :)

    Seriously, it's like complaining about having to pay 30$ a month for an alarm system while nothing happens. Until the day it triggers and you are happy to be connected to the central.

    For someone not making their own rules and defining policies, an IDS is like an alarm system or an insurance policy; you're just happy to have it when a DUQU or Flame gets in...

    And like cars and motorcycles, maybe in 5 years you will be required by law to have an IDS before getting Internet access, you'll pay an insurance company for them, in their cloud, to look out for malware, etc... think it's crazy... think again...

    F.



  • @fsansfil:

    Not sure I get your "external firewall" set up, but…

    You are right... let your RAM/CPU do the bitcoin mining for the Russian business network, through their rootkit well installed in your network... instead of IDSing :)

    Seriously, it's like complaining about having to pay 30$ a month for an alarm system while nothing happens. Until the day it triggers and you are happy to be connected to the central.

    For someone not making their own rules and defining policies, an IDS is like an alarm system or an insurance policy; you're just happy to have it when a DUQU or Flame gets in...

    And like cars and motorcycles, maybe in 5 years you will be required by law to have an IDS before getting Internet access, you'll pay an insurance company for them, in their cloud, to look out for malware, etc... think it's crazy... think again...

    F.

    Um, the pfSense box is behind a Juniper firewall. It is NOT doing any sort of packet filtering by way of its built-in firewall! It is DISABLED!

    I am strictly using it for "caching", "web content filter"!

    All I want to know is, is Snort necessary for this sort of setup! Nothing more!

    So I am NOT complaining!



  • With everything going HTTPS these days a Bluecoat or squid with i-cap and sslbump is better for web filtering than an IPS.

    You might be better suited with a proxy.

    "So I am NOT complaining!"

    No harm, no offense; it's just me after working 12hrs in a row, doing Suricata rules ;)

    F.



  • Is there a need for Snort?

    This is really urgent owed to the circumstance how important your data are, what your insurance is
    telling you by order or contract rules or plain company rules.

    Snort behind an external firewall

    Yes, there are many places where an IDS/IPS system could and should be set up
    to inspect the packets. Also a combination of both and common main ways to set
    it up would be often not wrong. (host & net based)

    I'm wondering if I can get some clear answers regarding the need, if any, of Snort behind
    an external (of pfSense) firewall?

    A so-called clear answer is not even so easy to give to someone like you!
    This is related to the circumstance that there are often three camps of people
    and all want to go their own way. Some of them are really thinking IDS must be
    sitting on a firewall, some are thinking IDS must be inserted in all other
    places than on the firewall directly, and also some think there is no need of IDS.

    So you can easily imagine what kind of answers will come together here, if
    someone is answering your question. It is a bit like going in a comic book
    shop and asking who is the best superhero ever?

    For instance, currently I am using pfSense in bridge mode (LAN & DMZ) with the firewall turned off.
    I am strictly using it for caching (Squid) and content filtering (SquidGuard).

    Like a transparent HTTP proxy and cache, ok.

    I currently have Snort installed, configured how I like on the DMZ (connected to external firewall)
    but it doesn't seem to be doing anything but taking up CPU/RAM resources and maybe some bandwidth.

    For sure an IDS/IPS system is "eating" your CPU power, sucking your RAM and eating your bandwidth
    like all other tasks like DPI; also this could not be done on the side, but many people are thinking of this
    because Snort is often also offered as a side task or option!!!

    The "Alerts" tab is filled with a bunch of "unknown Traffic", "(http_inspect) UNKNOWN METHOD" and "Not Suspicious Traffic" "(http_inspect) DOUBLE DECODING ATTACK".

    "False positives" would only be narrowed down by tuning and fine-tuning an IDS/IPS
    such as Snort is. The rules must be matching the entire network's usage, services and the horse
    power of the Snort system or the system that's homing Snort!

    Other than a few "false positives" involving it giving internal LAN communication a 'hard time'
    which I have 'Suppressed',

    If pfSense comes with a steep learning curve to configure it out really good it will be able to
    need several years, but on top then configuring Squid & SquidGuard would be really hard
    and needing on top more time than most people would imagine, and then on top an IDS/IPS
    system like Snort is, you would need many more years; Snort is more than setting up some
    rules and matching some patterns. Because installing pfSense would be really easy in some ways
    and the packages seem to be an extra option, it is not like pushing some buttons and all is running
    by using all of its benefits and functions.

    it just seems like it is not doing anything, "it is just there" being a "cpu/ram" hog. :-/

    Who is hiring you again if you are the security admin at Microsoft or Apple and all people would be
    able to read the private mails from the CEOs at Pastebin? What is when the insurance is telling your
    boss or CEO, ok there is a damage for 1 billion $ but we don't pay? For sure you will see it is easy to
    answer some things about IDS/IPS; it is not common but it should be, and it is only as good as configured
    out by the admin guy and must also match the needs your company owns.
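
Added example, not part of any post in this thread: a triage pass over Snort alerts like the ones quoted above, counting them per generator/signature ID and listing the low-severity ones that are noisy enough to review for a `suppress` entry. It assumes Snort 2's `alert_fast` log layout (the pfSense package may log in a different format); the sample lines, addresses and local SID 1000001 are constructed.

```python
import re
from collections import Counter

# Constructed sample in Snort 2 alert_fast layout (not taken from the thread).
SAMPLE = """\
08/15-10:12:01.100000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
08/15-10:12:02.200000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.11:51300 -> 198.51.100.7:80
08/15-10:12:03.300000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:51240 -> 198.51.100.9:80
08/15-10:12:04.400000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.12:51410 -> 198.51.100.7:80
08/15-10:12:05.500000  [**] [1:1000001:1] LOCAL constructed high-severity rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.12:51411 -> 203.0.113.5:443
08/15-10:12:06.600000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.13:51500 -> 198.51.100.9:80
"""

# [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
)

def summarize(text):
    """Return (Counter keyed by (gid, sid), {(gid, sid): (msg, priority)})."""
    counts, meta = Counter(), {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (int(m["gid"]), int(m["sid"]))
            counts[key] += 1
            meta[key] = (m["msg"], int(m["prio"]))
    return counts, meta

def suppress_candidates(text, min_share=0.25, min_priority=3):
    """Suggest suppress lines for noisy, low-severity alerts only.

    Snort priority 1 is the most severe, so priority >= min_priority means
    "at most this severe"; high-severity alerts are never suggested.
    """
    counts, meta = summarize(text)
    total = sum(counts.values())
    out = []
    for (gid, sid), n in counts.most_common():
        if n / total >= min_share and meta[(gid, sid)][1] >= min_priority:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out

if __name__ == "__main__":
    counts, meta = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(f"{n:3d}  {key[0]}:{key[1]}  prio={meta[key][1]}  {meta[key][0]}")
    print("\n".join(suppress_candidates(SAMPLE)))
```

The output is a review list, not a configuration to paste in blindly: each candidate should be checked against the traffic that triggers it before it is suppressed.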



  • @fsansfil:

    With everything going HTTPS these days a Bluecoat or squid with i-cap and sslbump is better for web filtering than an IPS.

    You might be better suited with a proxy.

    "So I am NOT complaining!"

    No harm, no offense; it's just me after working 12hrs in a row, doing Suricata rules ;)

    F.

    I have the i-cap/clam anti-virus enabled in my squid3 config

