Stefan Fuhrmann, here are my settings. They work well for me, but there may be
some fine-tuning you should do...

First, I choose the rules on the Global Settings tab. I applied for a free
Oinkmaster Code, which I use on a few firewalls. Then I set the Remove
Blocked Hosts Interval to 15 minutes, just in case I do something remotely
that Snort doesn't like and locks me out. I think everything else is
default:

http://imgur.com/dLIsp7v
Then I force a download of the rules on the Update tab...
http://imgur.com/bV7Pqoa
Next, create the Snort Interface. On the WAN Settings tab, I use defaults
except I check Block Offenders and I use a Pass List and Suppression List
which need to be selected here.

On the WAN Categories tab, I select an IPS Policy which disables selection
of some rules. This is normal. However, do select the other rules that are
available:
http://imgur.com/PwVqjU2
And then the last thing I change is on the WAN Preprocs tab. Everything is
default, except that I check Auto Rule Disable, I disable HTTP Inspect, and
enable Portscan Detection.

HTTP Inspect will block many legitimate websites like Amazon, and will
require that you add all the blocked sites to the pass or rule suppress
lists. I feel this is too much work.
After Snort is up and running, there will be times when you need to suppress
some rules to suit your users. For instance, one user's iPhone was
triggering a POP3 rule whenever he tried to connect, and was being blocked.

When this happens go to the Blocked tab and unblock the address, then go to
the Alerts tab, find the address, and add the rule to the Suppress list by
clicking the appropriate button.
Good luck!
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
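
The tuning step described in the post above (find the address on the Alerts tab, then add the rule to the Suppress list) can be checked and prepared from the log files as well. The following is an added example, not code from the post or from the pfSense project. It assumes Snort "fast" alert lines and the suppress syntax pfSense writes into its Suppression List (`suppress gen_id N, sig_id N, track by_src, ip A`); the alert lines, SIDs and addresses it contains are constructed samples, not real rule IDs or hosts. It parses the alerts, checks each against an existing suppression list, and produces a per-source-IP suppress entry for the ones not yet covered, so the rule stays active for everyone else instead of being silenced globally:

```python
"""Prepare Snort suppress entries from fast-format alerts (added example).

Not part of the mailing-list post or the pfSense project. The sample
alerts and suppression list below are constructed; SIDs in the local
range (1000001, 1000002) and the addresses are placeholders.
"""
import ipaddress
import re

# Snort "fast" alert line, e.g.
# 01/23-14:05:11.123456  [**] [1:1000001:2] MSG [**] [Classification: ...] [Priority: 1] {TCP} 192.168.1.50:52344 -> 203.0.113.10:110
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Suppression List entry; "track ... ip ..." is optional (omitted = suppress everywhere)
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)

# Constructed sample alerts: two hits of the same POP3 rule from two hosts, one unrelated rule
SAMPLE_ALERTS = """\
01/23-14:05:11.123456  [**] [1:1000001:2] SAMPLE POP3 cleartext login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:52344 -> 203.0.113.10:110
01/23-14:06:02.000001  [**] [1:1000001:2] SAMPLE POP3 cleartext login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.77:49152 -> 203.0.113.10:110
01/23-14:07:45.654321  [**] [1:1000002:1] SAMPLE SMTP relay attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.23:40000 -> 203.0.113.5:25
"""

# Constructed sample Suppression List: the first host was already handled
EXISTING_SUPPRESS = """\
# pfSense Suppression List (constructed sample)
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.50
"""


def parse_alert(line):
    """Return gid/sid/rev, message and endpoints of one fast-format alert, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "src": d["src"], "dst": d["dst"]}


def parse_suppress_list(text):
    """Parse suppress lines; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({"gid": int(d["gid"]), "sid": int(d["sid"]),
                            "track": d["track"], "ip": d["ip"]})
    return entries


def is_suppressed(alert, entries):
    """True if an entry covers this gid:sid, globally or for the tracked address."""
    for e in entries:
        if (e["gid"], e["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if e["track"] is None:
            return True  # rule suppressed for all traffic
        addr = alert["src"] if e["track"] == "by_src" else alert["dst"]
        # suppress "ip" accepts a host or CIDR block; strict=False allows host bits set
        if ipaddress.ip_address(addr) in ipaddress.ip_network(e["ip"], strict=False):
            return True
    return False


def suppress_entry(alert, track="by_src"):
    """Suppress line scoped to one address, with the rule message as a comment."""
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return (f"# {alert['msg']}\n"
            f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track {track}, ip {ip}")


def pending_suppressions(alert_text, suppress_text):
    """Alerts in alert_text not yet covered by suppress_text, in log order."""
    entries = parse_suppress_list(suppress_text)
    return [a for a in (parse_alert(l) for l in alert_text.splitlines())
            if a and not is_suppressed(a, entries)]


if __name__ == "__main__":
    for a in pending_suppressions(SAMPLE_ALERTS, EXISTING_SUPPRESS):
        print(suppress_entry(a), end="\n\n")
```

Each printed entry is a candidate for the Suppression List; review it before pasting, since the second and third sample alerts are only "pending", not necessarily false positives. Tracking `by_src` matches the iPhone case in the post: the POP3 rule keeps firing for other hosts while the one known-good client is no longer blocked.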