Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Tommaso Di Donato
Sorry, do you plan to use snort as IDS or as IPS? I think that the former should be easier to implement as a package, but the latter is the direction to follow, in a long term project. A few days ago I saw StillSecure Strataguard, and I found that their interface/approach to IPS is very good...
If you like to go in that direction, I'll be pleased to help..at least for what I can do...

On 10/3/06, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 9/20/06, Scott Ullrich [EMAIL PROTECTED] wrote:
  There is no IDS package with no intention on creating one. We are waiting for you all to step up to the plate.

 I somewhat lied about this. For some reason after seeing your post
 something clicked in my head and I spent a good 35 hours on an IDS
 package. Upgrade to 1.0-RC3a and you will now find Snort in our packages area.

 Scott

 PS: it appears that I also have a sponsor for the package. Will post
 more information once I secure the funds.


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Daniel S. Haischt
Beside that I always thought Snort is first and foremost
an IDS and not an IPS...

Holger Bauer schrieb:
 I suggest just trying the snort package in the way it is now before 
 discussing new features so everybody in this discussion knows what we are 
 talking about. It's easy to setup and configure. You have to be at RC3 for it 
 to work.
 

-- 
Mit freundlichen Gruessen / With kind regards
DAn.I.El S. Haischt

Spammers, please please send any mail to:
Daniel S. Haischt [EMAIL PROTECTED]

Want a complete signature??? Type at a shell prompt:
$  finger -l [EMAIL PROTECTED]



Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Rainer Duffner

Daniel S. Haischt wrote:

Beside that I always thought Snort is first and foremost
an IDS and not an IPS...

  


It can do both, IIRC.
But commercial IDS/IPS products have been blurring the line between 
these two purposes for years - up to a point where I think there is no 
real distinction possible anymore.
Just like various intelligence-techniques have blurred the line 
between packet filter and application firewall in the 
commercial-firewall world.


At least in this respect, pfSense is still a clear packet-filter only ;-)
And ideally, it should stay this way while analyzing packet-content 
should occur elsewhere (because it also needs much more CPU-power).




cheers,
Rainer


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread christiaan
Tommaso Di Donato wrote:
 On 10/4/06, Rainer Duffner [EMAIL PROTECTED] wrote:
  At least in this respect, pfSense is still a clear packet-filter only ;-)
  And ideally, it should stay this way while analyzing packet-content
  should occur elsewhere (because it also needs much more CPU-power).

 Sorry, but I do not agree totally with you: the thing I love with
 pfSense is that it is possible to install it everywhere, so it could be
 a _real_ competitor to enterprise products (like Cisco ASA). So, I
 think that CPU-power should not be a limit.

I agree, I think pfsense devs do a great job. When I need something
more than a packet-filter then I will post a bounty. I would encourage
all those users who request packet-content analysis features to
consider the same.






Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Tommaso Di Donato [EMAIL PROTECTED] wrote:

On 10/4/06, Rainer Duffner [EMAIL PROTECTED] wrote:
 At least in this respect, pfSense is still a clear packet-filter only ;-)
 And ideally, it should stay this way while analyzing packet-content
 should occur elsewhere (because it also needs much more CPU-power).


Sorry, but I do not agree totally with you: the thing I love with pfSense is
that it is possible to install it everywhere, so it could be a _real_
competitor to enterprise products (like Cisco ASA). So, I think that
CPU-power should not be a limit.


We have a serious disadvantage against hardware firewalls.  Where they
can crank out ASICs tuned to specific needs (which comes with a
disadvantage we don't have...flexibility), we're stuck with general
purpose CPU's which aren't necessarily fast.  Thankfully, encryption
boards supported by FreeBSD aren't terribly difficult to come by, but
there's other code paths that could be sped up considerably by
hardware optimized for it.

Let us also not forget that CPU's aren't getting faster, they're
scaling wider (in fact, I think most gamers would confirm that dual
core procs don't necessarily speed up their games).  FreeBSD doesn't
multi-thread routing.  The fastest proc today will be no faster than
the fastest proc next year (unless AMD comes through with its inverse
SMP plans - presenting multiple cores as a single core to the OS).
Also, interrupts are a KILLER on x86 hardware - FreeBSD w/ polling is
better at this than OpenBSD (although I haven't personally benched
this yet), but it's not free and there's still a limit.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Tommaso Di Donato
On 10/4/06, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Tommaso Di Donato [EMAIL PROTECTED] wrote:
  On 10/4/06, Rainer Duffner [EMAIL PROTECTED] wrote:
   At least in this respect, pfSense is still a clear packet-filter only ;-)
   And ideally, it should stay this way while analyzing packet-content
   should occur elsewhere (because it also needs much more CPU-power).

  Sorry, but I do not agree totally with you: the thing I love with pfSense is
  that it is possible to install it everywhere, so it could be a _real_
  competitor to enterprise products (like Cisco ASA). So, I think that
  CPU-power should not be a limit.

 We have a serious disadvantage against hardware firewalls. Where they
 can crank out ASICs tuned to specific needs (which comes with a
 disadvantage we don't have...flexibility), we're stuck with general
 purpose CPU's which aren't necessarily fast. Thankfully, encryption
 boards supported by FreeBSD aren't terribly difficult to come by, but
 there's other code paths that could be sped up considerably by
 hardware optimized for it.

You're totally right, I know. But I think we have to consider at least 2 factors:

1) I am not aware (please, somebody out there perhaps could help me) of any table or benchmark result that could help us to have a rough estimation of CPU load during a normal IPS work. My intention is to install a solution not gui-managed (just to speed up the testing phase), and try to do such an estimation.

2) There can be installations or places in which normal hardware (such as mini-itx mobos) could be sufficient to manage the cpu load, because of a small internet link. I only would like to know if this could be of any interest for the community (so at the end of the test, I have to deal with package creation), or if I'll be the only one interested in that. Just to know.

Tom


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Jason J. Ellingson
So far, I like the new Snort package.  Very nice and easy to set up.
You have my praises!

If I am correct, the Snort package only sees traffic that was not
blocked by firewall rules?

- Jason


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Holger Bauer
No, it sees everything. For example running at my WAN though nearly everything 
is blocked it detects portscans too and will block this IP (if enabled) so it 
can't start a bruteforce against my open ports. If you are lucky it will even 
block the intruder before it reaches open ports on your system for example :-)

Holger

 -Original Message-
 From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 04, 2006 3:58 PM
 To: discussion@pfsense.com
 Subject: RE: [pfSense-discussion] IDS yet?
 
 
 So far, I like the new Snort package.  Very nice and easy to set up.
 You have my praises!
 
 If I am correct, the Snort package only sees traffic that was not
 blocked by firewall rules?
 
 - Jason
 


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Jason J. Ellingson
Very cool.  Perhaps I'll be brave and allow it to block those IPs. 

Any way to send the Snort alerts to a syslog?  I'd like to analyze them.

- Jason

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 04, 2006 9:52 AM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] IDS yet?

No, it sees everything. For example running at my WAN though nearly
everything is blocked it detects portscans too and will block this IP
(if enabled) so it can't start a bruteforce against my open ports. If
you are lucky it will even block the intruder before it reaches open
ports on your system for example :-)

Holger

 -Original Message-
 From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 04, 2006 3:58 PM
 To: discussion@pfsense.com
 Subject: RE: [pfSense-discussion] IDS yet?
 
 
 So far, I like the new Snort package.  Very nice and easy to set up.
 You have my praises!
 
 If I am correct, the Snort package only sees traffic that was not
 blocked by firewall rules?
 
 - Jason
 


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Holger Bauer [EMAIL PROTECTED] wrote:

No, it sees everything. For example running at my WAN though nearly everything 
is blocked it detects portscans too and will block this IP (if enabled) so it 
can't start a bruteforce against my open ports. If you are lucky it will even 
block the intruder before it reaches open ports on your system for example :-)



To be fair, ONLY stateless signatures (or signatures of attacks that
only need one packet to do the damage) and the port scan engine can
make any kind of detection on traffic blocked at the firewall.  But
hey, who really cares that someone is trying some uber attack against
you if there's nothing listening?  If you want to know that, I'm
afraid you need a honeypot.

--Bill
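Bill's point above (and Jason's wish to analyze the alerts) as an added example that is not from this list or from the pfSense project: Snort taps bpf and therefore raises alerts on packets pf drops later, so a small triage script can tag each alert by whether its destination port is actually open on the WAN. The alert lines and the open-service table are constructed, and the line layout follows Snort's fast-alert format as assumed here.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Snort's "alert_fast" output
# (format assumed; not captured from anyone's firewall).
SAMPLE_ALERTS = """\
10/04-15:58:01.000001  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 198.51.100.10:23
10/04-15:58:02.000002  [**] [1:1000002:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 198.51.100.10:22
10/04-15:58:03.000003  [**] [1:1000003:1] WEB-MISC suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51000 -> 198.51.100.10:443
10/04-15:58:04.000004  [**] [1:1000004:1] DNS malformed query [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.7:5353 -> 198.51.100.10:53
"""

# Constructed stand-in for the WAN pass rules: (protocol, port) with a real listener.
OPEN_SERVICES = {("TCP", 22), ("TCP", 443)}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Parse one fast-alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["prio"], a["sport"], a["dport"] = int(a["prio"]), int(a["sport"]), int(a["dport"])
    return a

def classify(alert, open_services):
    """Snort reads from bpf, so it also sees packets pf drops afterwards; only an
    alert aimed at an open service can have reached a listener."""
    key = (alert["proto"].upper(), alert["dport"])
    return "reached_open_service" if key in open_services else "blocked_at_firewall"

def triage(lines, open_services):
    """Return (counts per class, list of alerts that reached an open service)."""
    counts, reached = Counter(), []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unparsable line: skip rather than guess
        kind = classify(a, open_services)
        counts[kind] += 1
        if kind == "reached_open_service":
            reached.append(a)
    return dict(counts), reached

if __name__ == "__main__":
    counts, reached = triage(SAMPLE_ALERTS.splitlines(), OPEN_SERVICES)
    print(counts)
    for a in reached:
        print(f"{a['ts']} prio={a['prio']} {a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
```

Alerts in the blocked class are still worth counting (a portscan source that keeps coming back, for instance), but the ones that reached an open service are the ones to read first.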


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Greg Hennessy
Snort hooks into bpf, bpf gets 1st look at all traffic. 

Greg
 

 -Original Message-
 From: Jason J. Ellingson [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 04, 2006 2:58 PM
 To: discussion@pfsense.com
 Subject: RE: [pfSense-discussion] IDS yet?
 
 So far, I like the new Snort package.  Very nice and easy to set up.
 You have my praises!
 
 If I am correct, the Snort package only sees traffic that was 
 not blocked by firewall rules?
 
 - Jason
 



Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


I tried to install the snort package but get an error. This was on my Soekris 
embedded box with the embedded version 1.0-RC1a.


Two problems here.
1. RC1 is ancient, the snort package only works on RC3 and above
2. Embedded doesn't support packages, either we still had that in RC1
(unlikely) or you've bypassed those checks somehow

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Scott Ullrich

Snort requires 1.0-RC3.

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


I tried to install the snort package but get an error. This was on my Soekris 
embedded box with the embedded version 1.0-RC1a.

Here is the output :
-
Installation of snort FAILED!
Downloading package configuration file... failed!

Installation aborted.

Installation halted.
-

Do I need to do something to the installed embedded version to allow it to 
install packages ? Or am I SOL because it's embedded ?

-Don

On Wed, 4 Oct 2006 11:07:15 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Holger Bauer [EMAIL PROTECTED] wrote:
 No, it sees everything. For example running at my WAN though nearly
 everything is blocked it detects portscans too and will block this IP (if
 enabled) so it can't start a bruteforce against my open ports. If you are
 lucky it will even block the intruder before it reaches open ports on your
 system for example :-)


 To be fair, ONLY stateless signatures (or signatures of attacks that
 only need one packet to do the damage) and the port scan engine can
 make any kind of detection on traffic blocked at the firewall.  But
 hey, who really cares that someone is trying some uber attack against
 you if there's nothing listening?  If you want to know that, I'm
 afraid you need a honeypot.

 --Bill




Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Donald Pulsipher

The /pkg_mgr.php and related files are still in the www directory, I just 
pointed to them in my url.

If I upgrade to RC3, is there an easy way to change the embedded image to 
support packages ? Otherwise I could always just compile and install snort 
myself I guess.

Thanks for your replies.

BTW, pfSense completely rocks. I love it. I've been running it on Soekris 
hardware for about 2 years now. The only feature I was waiting for was IDS.

-Don

On Wed, 4 Oct 2006 12:00:51 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:

 I tried to install the snort package but get an error. This was on my
 Soekris embedded box with the embedded version 1.0-RC1a.
 
 Two problems here.
 1. RC1 is ancient, the snort package only works on RC3 and above
 2. Embedded doesn't support packages, either we still had that in RC1
 (unlikely) or you've bypassed those checks somehow
 
 --Bill



Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Scott Ullrich

SH.   Don't tell anyone this. ;)

Scott


On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


The /pkg_mgr.php and related files are still in the www directory, I just 
pointed to them in my url.

If I upgrade to RC3, is there an easy way to change the embedded image to 
support packages ? Otherwise I could always just compile and install snort 
myself I guess.

Thanks for your replies.

BTW, pfSense completely rocks. I love it. I've been running it on Soekris 
hardware for about 2 years now. The only feature I was waiting for was IDS.

-Don

On Wed, 4 Oct 2006 12:00:51 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:

 I tried to install the snort package but get an error. This was on my
 Soekris embedded box with the embedded version 1.0-RC1a.

 Two problems here.
 1. RC1 is ancient, the snort package only works on RC3 and above
 2. Embedded doesn't support packages, either we still had that in RC1
 (unlikely) or you've bypassed those checks somehow

 --Bill




Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


According to my rough calculations, I can do maybe 40mbps throughput before I 
peg the cpu. Or maybe I'm just dreaming, but I plan on testing it.


With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
well before 40mbit...I think the last benchmark I saw was 30+mbit.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Donald Pulsipher

It's a 4801 with the fastest processor I could get (266). We'll see what I can 
do with it, I don't plan on using a default config with snort. I know I'm going 
to have to tweak it. With the right setup, I believe running snort on the 
embedded image _is_ feasible. If I do manage to pull it off, I'll share what I 
did.

-Don

On Wed, 4 Oct 2006 13:01:44 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:

 According to my rough calculations, I can do maybe 40mbps throughput
 before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing
 it.
 
 With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
 well before 40mbit...I think the last benchmark I saw was 30+mbit.
 
 --Bill



[pfSense-discussion] add support for per-user bandwidth limitation

2006-10-04 Thread Jan-Patrick Perisse
Jonathan De Graeve has implemented this nice feature and they are
working on monowall 1.23b1. Has anyone tried or is willing to implement
them into pfsense captive portal?
If someone can show me the way on that, I am willing to help and maybe
to do all the job.

At the time, I am using monowall for that, but I miss the other
functionalities of pfsense.

-- 

AEON TECHNOLOGIES
(21) 2705-3139
http://www.aeon.com.br



-- 
This message has been checked by the antivirus system and
 is believed to be free of danger.



Re: [pfSense-discussion] add support for per-user bandwidth limitation

2006-10-04 Thread Scott Ullrich

This is not feasible.  Dummynet (which is what is used on the CP) is
not compatible with PF due to a rdr bug of some sort.

The problem has been brought up on the FreeBSD lists but nobody is
interested in fixing it.

Scott


On 10/4/06, Jan-Patrick Perisse [EMAIL PROTECTED] wrote:

Jonathan De Graeve has implemented this nice feature and they are
working on monowall 1.23b1. Has anyone tried or is willing to implement
them into pfsense captive portal?
If someone can show me the way on that, I am willing to help and maybe
to do all the job.

At the time, I am using monowall for that, but I miss the other
functionalities of pfsense.

--

AEON TECHNOLOGIES
(21) 2705-3139
http://www.aeon.com.br






RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Holger Bauer
A WRAP (266MHz Geode) is maxed out at 32 mbit/s (with optimum packetsize). 
However with enabled trafficshaper and lots of traffic (bittorrent for example) 
it's not able to keep up at my 16/1 mbit/s adsl2+ connection. Depending on your 
WAN speed or if you need LAN to OPT traffic these devices reach their limits 
sooner or later.

Holger



 -Original Message-
 From: Donald Pulsipher [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 04, 2006 8:03 PM
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] IDS yet?
 
 
 
 It's a 4801 with the fastest processor I could get (266). 
 We'll see what I can do with it, I don't plan on using a 
 default config with snort. I know I'm going to have to tweak 
 it. With the right setup, I believe running snort on the 
 embedded image _is_ feasible. If I do manage to pull it off, I'll share what I did.
 
 -Don
 
 On Wed, 4 Oct 2006 13:01:44 -0500, Bill Marquette 
 [EMAIL PROTECTED] wrote:
  On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:
 
  According to my rough calculations, I can do maybe 40mbps throughput
  before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing
  it.
  
  With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
  well before 40mbit...I think the last benchmark I saw was 30+mbit.
  
  --Bill