pfsense + snort

Status
Not open for further replies.

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
Good evening fellas..
I was wondering if we got some active pfsense users?
Particularly if you'd happen to run Snort.. I'm a couple of days in my trials ....and tribulations.
It is far more time-consuming and frustrating to get going (not the setup but the maintenance needed to get an acceptable number of road bumps while surfing...) than I anticipated.
Either the traffic on the usual big news sites is filled with junk, or Snort is ....slightly more paranoid than anticipated. Anyways.

I could use any sort of shared story, mood lifter, encouragement or tips of any sort :)
 

darkwarrior

Patron
Joined
Mar 29, 2015
Messages
336
Hi there,

I've been actively using pfSense for quite a few years, running OpenVPN, Squid and other small packages.
Personally I preferred to use Squid + SquidGuard to get proxy web caching + content filtering (based on blacklists and keywords).
Are you using Snort just to get a web filter, or are you also counting on the intrusion detection mechanisms?
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
hi darkwarrior
thnx for tuning in.
I'm trying to get the 'intended' value out of investing into a machine suitable for pfsense 8 months ago. heh. I've just been all caught up with #life

I'm running three notable packages I'm trying to get working properly - pfBlockerNG, Snort, and Squid + ClamAV.
pfBlockerNG has not made a lot of noise since I removed the initial "block the world" additional rule (idea from a youtube tutorial on the topic.... apparently there are not enough people on youtube to give bad advice on FreeNAS - there are boatloads of dubious ideas presented on pfSense too). I've added some 10-15 additional blocklists.. hope it works alright.

Then Snort.
Blocks everywhere! At a few instances even the open DNS 8.8.8.8 was blocked :|
In general I get some 10-15 alarms per hour in the error log of potential problems. And that is with only 1 user - me. It is a full-time job just to figure out what is a real problem and what is not, even more so while googling to find answers - additional boatloads of warnings come along. How do you cope?
I've attempted to read up a bit on how to tune Snort, i.e. more broadly firewall management, since that area is out of my knowledge.
Most notably, put forward by aggressive and unfriendly contributors of the pfSense forum, the conclusion is that rather than adding loads of problems to suppress lists, the "overly active rule" should be disabled.
It is really difficult to grasp a topic when trying to make sense of both the concepts AND best practice at once, while sorting through malicious and simply bad advice.


Lastly, I added Squid with the intention to use its antivirus functionality. I've not really noticed it in action yet.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
One nice thing about being a home user is that you can install Sophos UTM for free if you need a more polished UTM experience. https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

I believe @joeschmuck uses it, and so I'm volunteering him to troubleshoot all your Sophos problems. :D

Here is a very long forum discussion about it: https://forums.FreeNAS.org/index.php?threads/sophos.35563/
 

darkwarrior

Patron
Joined
Mar 29, 2015
Messages
336
One nice thing about being a home user is that you can install Sophos UTM for free if you need a more polished UTM experience.

Uggh :(
I "unboxed" the Sophos ISO, installed it, looked at it and threw it away just afterwards :P
 

darkwarrior

Patron
Joined
Mar 29, 2015
Messages
336
Installing and tuning a real security appliance like pfSense is a lot of work.
This is why turn-key solutions like Sophos, Netgear, D-link and whatever others have so much success these days.

Personally, I had a lot of fun tinkering with pfSense until it did what I wanted, even if out of laziness I ended up going with "Allow almost everything from inside / Block everything from outside" :oops:

If I would be in your shoes I would try out the Squid Proxy (could be transparent if you like) + SquidGuard + ClamAV solution to filter and secure web traffic. Snort as an ID solution is not really equipped for that job.
That is more like using a chainsaw to kill a mosquito if you see what I mean :p

Concerning the pfSense forum:
It's a place I don't like to go to, not a nice community.
Ours is much better :cool:

Just my 2 cents ;)
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I run pfSense with Snort and pfBlockerNG. Yes you have to tune Snort. I run a limited ruleset with Snort and it took about 3 weeks of babysitting to get things working pretty smoothly. For Snort I just run the emerging threats rules and for pfBlockerNG the top 20 spammers. Once it's set up though you won't have to babysit it any more for false positives. The length of time that takes will depend on your ruleset and your browsing habits.

BBcan177 is an invaluable resource over at the pfSense forums for the 2 packages. Search the forum for his posts in the package section and follow his advice and with a little tuning you'll have it running.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
If you really want to unleash the full power of snort (and pfsense) then check out the end-all be-all guide from the pfsense forums here.

Taming the Beast aka Suricata Blueprint
https://forum.pfsense.org/index.php?topic=78062.0

It's technically for Suricata, but everything applies equally to Snort as well. IMO, it's a must-read for anyone interested in properly securing their network. It's the single best, most complete guide on anything I've read anywhere on the internet.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
I appreciate all input :)

I intend on sticking with pfsense for a while. I've run pfsense as a basic setup for 7 months on ESXi. Just haven't gotten around to get my hands all dirty figuring out all the 'new features' ...I'm a network naubsauce. It is a lot more to figure out, understand and learn in pfsense than in freenas.

Concerning the pfSense forum:
It's a place I don't like to go to, not a nice community.
Ours is much better :cool:
Couldn't agree more.

If I would be in your shoes I would try out the Squid Proxy (could be transparent if you like) + SquidGuard + ClamAV solution to filter and secure web traffic. Snort as an ID solution is not really equipped for that job.
That is more like using a chainsaw to kill a mosquito if you see what I mean :p
I run pfSense with Snort and pfBlockerNG
Cool.
Currently I do them all. Until I lash out when I can't find which of them is causing the headache x)

BBcan177 is an invaluable resource over at the pfSense forums for the 2 packages.
Indeed. Good tip. I've bookmarked numerous of his posts and used them for patching up what I got running right now.

Taming the Beast aka Suricata Blueprint
https://forum.pfsense.org/index.php?topic=78062.0

It's technically for Suricata, but everything applies equally to Snort as well. IMO, it's a must-read for anyone interested in properly securing their network. It's the single best, most complete guide on anything I've read anywhere on the internet.
I stumbled upon this guide. Honestly, most of it is flying above my head. I can sense there is greatness to achieve - but the recommendations are written on purpose to require some skill and thought to achieve. I just don't have that yet. I will definitely revisit it multiple times.
One thing I find fascinating is that every tutorial I find offers different settings without any real explanation as to why. Sometimes versions may differ. Other times it appears to be straight-out incompetence (it's bad when I can spot that part...). It is really a mix & match to get well set up.


I guess I'm on the path to downsizing... this is turning out to be more than I can chew at once.
Did I mention I took a couple of bites onto getting VPN up too -just while at it? :rolleyes:
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
One thing I haven't understood is what the differences are between disabling a rule and using a suppress list in Snort.
When looking at suppress lists, it seems like they are nothing more than a bunch of rules.. ...sort of being blacklisted from ...alerting?

When or why to use the one over the other - I've not figured out. It is debated I see, but it is beyond me what the best practice is.
Any input?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Disabling the rule stops those packets from being processed. Suppressing the rule means the packets all get filtered and then sorted. It's a performance tuning tip to disable rules that produce false positives to free up resources.
 
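An added example to go with the suppress-vs-disable discussion above (not code from the thread, from pfSense or from the Snort package): a small Python triage script that reads Snort alert_fast lines, counts hits per rule, and proposes either a per-host `suppress ... track by_src` entry (the rule stays active for every other host) or a `gid:sid` entry for the pfSense SID-management disable list. The alert lines, rule SIDs and message strings are constructed for illustration; the "noisy" threshold, the two-host cutoff and the decision rule are my assumptions, and the pfSense list format is assumed to accept `#` comment lines. Treat the output as a proposal to review, not something to apply blindly.

```python
"""Triage Snort alert_fast output into suppress / disable / review candidates.

Added example for a forum thread; not pfSense or Snort project code.
Assumes IPv4 alerts in Snort's alert_fast format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts (made-up SIDs, messages and addresses; not captured traffic).
SAMPLE_ALERTS = """\
01/05-20:14:02.123456 [**] [1:1000001:1] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51234 -> 198.51.100.10:80
01/05-20:14:07.223456 [**] [1:1000001:1] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51240 -> 198.51.100.10:80
01/05-20:15:11.323456 [**] [1:1000001:1] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51250 -> 198.51.100.20:80
01/05-20:16:01.423456 [**] [1:1000001:1] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51260 -> 198.51.100.20:80
01/05-20:20:30.523456 [**] [1:1000002:1] EXAMPLE INFO DNS Query to Public Resolver [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.10:53001 -> 8.8.8.8:53
01/05-20:21:30.623456 [**] [1:1000002:1] EXAMPLE INFO DNS Query to Public Resolver [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:53002 -> 8.8.8.8:53
01/05-20:22:30.723456 [**] [1:1000002:1] EXAMPLE INFO DNS Query to Public Resolver [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.30:53003 -> 8.8.8.8:53
01/05-20:23:30.823456 [**] [1:1000002:1] EXAMPLE INFO DNS Query to Public Resolver [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.40:53004 -> 8.8.8.8:53
01/05-20:25:00.923456 [**] [1:1000003:1] EXAMPLE ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.50:51400
"""

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _split_addr(addr):
    """'192.168.1.50:51234' -> ('192.168.1.50', 51234); ICMP alerts carry no port."""
    if ":" in addr:
        ip, _, port = addr.rpartition(":")
        return ip, int(port)
    return addr, None


def parse_alerts(text):
    """Return a list of dicts, one per parseable alert_fast line (others are skipped)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        src_ip, _ = _split_addr(m.group("src"))
        dst_ip, _ = _split_addr(m.group("dst"))
        alerts.append({
            "gid": int(m.group("gid")), "sid": int(m.group("sid")),
            "msg": m.group("msg"), "pri": int(m.group("pri")),
            "proto": m.group("proto"), "src": src_ip, "dst": dst_ip,
        })
    return alerts


def summarize(alerts):
    """Group alerts by (gid, sid): hit count, per-source counts, distinct destinations."""
    rules = {}
    for a in alerts:
        r = rules.setdefault((a["gid"], a["sid"]),
                             {"msg": a["msg"], "count": 0, "srcs": defaultdict(int), "dsts": set()})
        r["count"] += 1
        r["srcs"][a["src"]] += 1
        r["dsts"].add(a["dst"])
    return rules


def plan_tuning(alerts, local_nets, noisy_threshold=3, max_suppress_hosts=2):
    """Decide per rule (assumed heuristic, not Snort's):
    - fewer than noisy_threshold hits        -> review by hand
    - noisy, but only 1..max_suppress_hosts LAN hosts trigger it -> suppress for those hosts
    - noisy from many hosts or from outside  -> candidate to disable outright
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    actions = []
    for (gid, sid), r in sorted(summarize(alerts).items()):
        base = {"gid": gid, "sid": sid, "msg": r["msg"], "count": r["count"]}
        if r["count"] < noisy_threshold:
            actions.append({**base, "action": "review"})
            continue
        local_srcs = sorted(ip for ip in r["srcs"] if is_local(ip))
        if len(local_srcs) == len(r["srcs"]) and len(local_srcs) <= max_suppress_hosts:
            for ip in local_srcs:
                actions.append({**base, "action": "suppress", "ip": ip})
        else:
            actions.append({**base, "action": "disable"})
    return actions


def render(actions):
    """Emit Snort 'suppress' directives and gid:sid disable-list entries (comments on their own lines)."""
    out = {"suppress": [], "disable": [], "review": []}
    for a in actions:
        note = f"# {a['msg']} ({a['count']} alerts)"
        if a["action"] == "suppress":
            out["suppress"].append(f"{note}\nsuppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['ip']}")
        elif a["action"] == "disable":
            out["disable"].append(f"{note}\n{a['gid']}:{a['sid']}")
        else:
            out["review"].append(f"{a['gid']}:{a['sid']} {a['msg']} ({a['count']} alerts)")
    return out


if __name__ == "__main__":
    result = render(plan_tuning(parse_alerts(SAMPLE_ALERTS), ["192.168.1.0/24"]))
    for section, lines in result.items():
        print(f"== {section} ==")
        print("\n".join(lines) or "(none)")
```

On the sample, the curl rule fires only from one LAN host, so it gets a single by_src suppress entry and keeps alerting for any other host; the DNS rule fires from four LAN hosts, so suppressing per host would just pile up entries and it is listed as a disable candidate instead; the single inbound ATTACK_RESPONSE hit stays on the review list. Point the script at the real alert file (/var/log/snort/snort_<iface><uuid>/alert on pfSense) and paste the accepted lines into the package's suppress list and SID-management disable list.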