Snort

When I set up snort facing the internet we had so many false positives I had to really dial it back. Ended up turning it off because it was more trouble than it was worth but I think with some configuration you can make them work okay.

It is useful for reporting if you have it monitoring your local network. Helped me track down a few machines with viruses.
 
Does anyone know an updated GUI like BASE? all of them seem to be years old now. What do you use to monitor your snort?

I know about InstaSnorby but looking for what more people use.
 
I have snort running on pfsense. It throws out an alert literally every 10-15 seconds. I dunno if it's false or not. It has thrown alerts on the WAN interface on the same ports that my game servers run on behind the firewall. It hasn't affected friends from connecting so I'm ok with it.

Do you enable all rules?
 
I set it up on a box a couple of times. Base, OinkMaster, network cards in bridge mode. Wasn't bad, but lots of false positives. Not something you can just drop in and expect instant results.
 
I set up and manage many Snort boxes. After the initial tuning the false positives are pretty low. I primarily use Snort, PulledPork, and Barnyard2. If I can scan the network now and then I will configure and use Hogger.

I've used Base, I've tried Snorby, and used Splunk with the Snort App.
 
I set up snort on my home pfSense. I only have 2 FP: the first I disabled through suppress rules, the second is on the DNS servers but that doesn't seem to be a problem because they are on a whitelist. You don't want to enable every rule. There are some there to e.g. block any bittorrent traffic.
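As an added illustration of the suppress-rule approach mentioned above (not from any poster in this thread), here is what such entries look like in Snort's threshold.conf. The gen_id/sig_id numbers and the IP addresses are placeholders, not values from the thread; the point is to silence a rule only for the known-benign source rather than disabling it network-wide.

```conf
# Added example, not from this thread. SIDs and IPs below are placeholders.

# Silence signature 1:1000001 only when the source is one of the two
# whitelisted internal DNS servers; every other host still triggers it.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.53
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.54

# Keep a noisy but useful rule, and limit it to one alert per source per
# minute so the console stays readable without losing the signal entirely.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
```

On pfSense the same suppress entries are added per interface through the Snort package's Suppress Lists rather than by editing threshold.conf by hand.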
 