What snort rules/categories to enable for pfSense?

AMD_Gamer

I got pfSense and Snort up and running but I am not sure which categories and rules to enable. If I enable them all, do they block certain programs?

From what I gather, Snort does not have any rules running by default and you need to check the categories off in the categories tab for Snort to start checking against those rules?

 
I have them all enabled and haven't had any problems..... YET, and I host a few local websites, an FTP server, an Exchange server (rarely used), and 8 game servers.

Each category can be opened up to examine all the individual rules. I've skimmed through them.

If/when I run into a problem I'd investigate the appropriate category.
 
I have them all enabled and haven't had any problems..... YET, and I host a few local websites, an FTP server, an Exchange server (rarely used), and 8 game servers.

Each category can be opened up to examine all the individual rules. I've skimmed through them.

If/when I run into a problem I'd investigate the appropriate category.

So that is what you are supposed to do?
 
Probably not,

but if I had more time and actually cared enough I'd drill down through every category and inspect every rule.

There are a few no-brainer categories, like the activex, inappropriate, malware, and mobile_malware rules and such.

I myself definitely want the webserver, ftp, pop/imap/smtp rules; could probably do without the pfsense_voip rules.
 
I enabled all of them but Snort is getting all kinds of P2P/BitTorrent/Teredo alerts even after turning the P2P category off. When I have BitTorrent running it fills an entire page of warnings every time I refresh?
 
I enabled all of them but Snort is getting all kinds of P2P/BitTorrent/Teredo alerts even after turning the P2P category off. When I have BitTorrent running it fills an entire page of warnings every time I refresh?

Is Snort anything like firewall rules where you have to apply the changes after making them?
 
What does it say for the bad traffic category? It may not be a P2P violation, but a "Possible Corporate Policy Violation"

As for which to check? Just check em all. That is what I have on both of my snort interfaces, and no issues yet.
 
What does it say for the bad traffic category? It may not be a P2P violation, but a "Possible Corporate Policy Violation"

As for which to check? Just check em all. That is what I have on both of my snort interfaces, and no issues yet.

Yeah, that is what they all are, "Possible Corporate Policy Violation". What does that mean?

I also saw one about a "Skype Account Login"; my roommates use it so I don't want them having trouble.

These are what I get A LOT of; every time I refresh there is a new page of it:

POLICY Outbound Teredo traffic detected Potential Corporate Privacy Violation

POLICY Inbound Teredo traffic detected Potential Corporate Privacy Violation

I also saw something about Dropbox:

POLICY Dropbox desktop software in use Potential Corporate Privacy Violation
 
Here is from the log file what I was talking about:

I had Snort and uTorrent running for about 20 minutes and my log file is now 867 pages long with 98% of it being these. Is that normal?

[**] [1:2181:4] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:12066:3] POLICY Inbound Teredo traffic detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
 
Here is Skype:

[**] [1:5998:4] P2P Skype client login startup [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
 
Also under the blocked IP list I now have 357 and 99% of them are ICMP Destination Unreachable Port Unreachable.

Is that normal?
 
I just downloaded the log file again and it doubled to 1533 pages in MS word. That can't be normal?
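One way to triage a flood like the one described above, added here as an example that is not code from this thread, from pfSense, or from the Snort project: parse the two-line alert headers quoted above, count alerts per signature so the noisiest ones surface first, and emit Snort's own `suppress` and `event_filter` entries for the policy-class signatures. The sample log below is constructed from the thread's excerpts, repeated the way a flooded log shows them, plus one constructed non-policy alert (local SID 1000001 with a placeholder message) that the filter must leave alone; the `Potential Corporate Privacy Violation` classification string comes from the thread.

```python
import re
from collections import Counter

# Constructed sample input: the alert-log excerpts quoted in the thread, repeated
# the way a flooded log shows them, plus one constructed non-policy alert (local
# SID 1000001, placeholder message) that the filter must leave alone.
SAMPLE_LOG = """\
[**] [1:2181:4] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:12066:3] POLICY Inbound Teredo traffic detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:2181:4] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:5998:4] P2P Skype client login startup [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:2181:4] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]

[**] [1:1000001:1] LOCAL placeholder web attack (constructed) [**]
[Classification: Web Application Attack] [Priority: 1]
"""

POLICY_CLASS = "Potential Corporate Privacy Violation"

# "[**] [gid:sid:rev] message [**]" and the classification/priority line under it.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]\s*$")


def parse_alerts(text):
    """Parse Snort alert-log text into a list of dicts, one per alert record.

    Only the two header lines shown in the thread are needed; any further
    lines in a record (timestamp, addresses, TTL...) are ignored.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "gid": int(m.group(1)),
                "sid": int(m.group(2)),
                "rev": int(m.group(3)),
                "msg": m.group(4),
                "classification": None,
                "priority": None,
            }
            alerts.append(current)
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, msg, classification); most_common() gives the noisiest."""
    return Counter((a["gid"], a["sid"], a["msg"], a["classification"]) for a in alerts)


def suppress_lines(alerts, classification=POLICY_CLASS):
    """Snort suppress entries for every signature seen in the given classification.

    'suppress gen_id N, sig_id M' is Snort's threshold/suppress syntax; use it for
    signatures you have reviewed and decided are pure policy noise on your network.
    """
    sigs = sorted({(a["gid"], a["sid"]) for a in alerts if a["classification"] == classification})
    return [f"suppress gen_id {gid}, sig_id {sid}" for gid, sid in sigs]


def rate_limit_lines(alerts, skip_classification=POLICY_CLASS, count=1, seconds=60):
    """event_filter entries that cap every remaining signature at `count` alerts per
    `seconds` per source host, so a real detection still shows up without filling a page."""
    sigs = sorted({(a["gid"], a["sid"]) for a in alerts if a["classification"] != skip_classification})
    return [
        f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count {count}, seconds {seconds}"
        for gid, sid in sigs
    ]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for (gid, sid, msg, cls), n in summarize(parsed).most_common():
        print(f"{n:5d}  [{gid}:{sid}]  {msg}  ({cls})")
    print("\n# suggested suppress list:")
    print("\n".join(suppress_lines(parsed)))
    print("\n# suggested rate limits for everything else:")
    print("\n".join(rate_limit_lines(parsed)))
```

The split between the two outputs is the point: `suppress` silences a signature entirely and belongs only on signatures you have looked at and decided are policy noise for your network (the BitTorrent, Teredo and Skype ones in this thread), while `event_filter ... type limit` keeps a signature firing but caps how many alerts one source host can produce per interval. Both are plain Snort threshold syntax; where they are entered in the pfSense package GUI is an assumption about that version's interface, so check its suppress-list screen rather than editing files by hand.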
 
Also, after re-reading your question: no, Snort doesn't block anything by default. You have to specify in your Snort interface if it should block offenders or not. What I usually do is tell it to block offenders on my WAN interface, and just alert on the LAN interface.

I also have it set under general options to remove blocked IPs every 6 hours. This is so if things accidentally get caught they get released without me having to think too much about it.
 
You're on pfSense 1.2.3, correct, going by the screenshot? What version of Snort are you running?

I'm running pfSense 2.0 RC at home and Snort v2.8.6.1 pkg v. 1.34.

I have every single rule enabled. I have BitTorrent (for Linux ISOs, of course) and Skype running and they generate no alerts.

Only thing in there are fragmentation overlaps from yesterday, actually, from an IP in the Netherlands which is now on my blocked list.

The office has 1.2.3, but I haven't installed Snort yet; unfortunately I'm traveling all week and won't be in the office to compare different configs. I don't want to mess with the gateway that much when I'm not physically in the building. If this thread is around next week I'll check it out.
 
You're on pfSense 1.2.3, correct, going by the screenshot? What version of Snort are you running?

I'm running pfSense 2.0 RC at home and Snort v2.8.6.1 pkg v. 1.34.

I have every single rule enabled. I have BitTorrent (for Linux ISOs, of course) and Skype running and they generate no alerts.

Only thing in there are fragmentation overlaps from yesterday, actually, from an IP in the Netherlands which is now on my blocked list.

The office has 1.2.3, but I haven't installed Snort yet; unfortunately I'm traveling all week and won't be in the office to compare different configs. I don't want to mess with the gateway that much when I'm not physically in the building. If this thread is around next week I'll check it out.

1.2.3

Services: Snort 2.8.6.1 pkg v. 1.34
 
The pfSense forums are actually a great place for support.

People there don't treat you like a moron, talk down to you, or spread FUD, and actually want to help....

This forum could take a lesson, lol.
 
The pfSense forums are actually a great place for support.

People there don't treat you like a moron, talk down to you, or spread FUD, and actually want to help....

This forum could take a lesson, lol.

+1 for this^^
 
Basically, there's a whooole list of categories.....you put a check in the ones you'd like to load. Installing Snort in some distros is a very manual process (such as you see here), whereas other distros leverage Snort and take care of all the settings behind the scenes for you, so it's already running and configured.

Snort in pfSense sorta reminds me of the smaller Cisco firewalls like a PIX. Someone plops it in there and thinks they've done a great job on the network: "Yeah..I'm running a PIX!" ...and honestly, by default there's no additional security beyond a 69 dollar Stinksys home grade router. Yup..gotta go in and flip some switches! Turn things on, configure them.

The more you load into Snort, the more resources on your hardware it will consume. Granted, with today's appliances we're installing pfSense on, not a concern. It's time consuming; there's no easy hand-holding answer for you other than..."go look at each one and see which ones YOU want to load on your system". Because what YOU want your pfSense to protect may be different than what someone else has pfSense protecting. Different services running from behind it, thus different needs.
 