> How do you have Snort configured to differentiate between incoming and 
> outgoing traffic?

I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the 
problem. It watches any http traffic, which is mainly outgoing in our case. 

On the Services / Snort / Interfaces page, edit your interface, and then click 
the 'WAN Preprocs' tab. 

I used to just disable HTTP Inspect, but at some point in time snort in pfSense 
started displaying a large warning. 

So, in that section there's a 'Server Configurations' option. I have one 
configuration named 'default', and you might have the same. 

Edit default, and there's a Ports area where you specify an alias which 
contains the ports snort should watch for HTTP traffic. I use port 10, but it 
can be any unused port. Now snort listens on port 10 for HTTP traffic and never 
hears any. 

Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I 
enable. I think I leave most of the other options on defaults.

Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats 
(ET) Rules, and a list named 'emerging-compromised-ips.txt' on the IP Lists tab. 

However, I edit the snort interface and check 'Use IPS Policy' and then choose 
'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides 
which one of the rulesets it will use.

Occasionally, as rules get updated, snort will start blocking something that it 
wasn't blocking before, and you have to add those rules to the suppress list. 
This doesn't happen too often, though. 
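As an added example, not from the post or from pfSense itself: the pfSense suppress list is plain Snort threshold.conf `suppress` syntax, and the script below derives such entries from Snort `alert_fast` output, scoping each one to the internal source host so the rule keeps alerting for everyone else. The sample alert lines, their SIDs and addresses are constructed for this example, and the two-hit threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Matches Snort "alert_fast" lines: ... [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{[^}]+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(lines):
    """Yield (gid, sid, msg, src_ip) for every line that parses as an alert."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def suppress_entries(lines, min_hits=2, by_src=True):
    """Build threshold.conf-style 'suppress' lines for signatures that fired at
    least min_hits times. With by_src=True the entry is scoped to the internal
    host that triggered it, so the same rule still alerts for any other host."""
    counts, messages = Counter(), {}
    for gid, sid, msg, src in parse_alerts(lines):
        counts[(gid, sid, src) if by_src else (gid, sid)] += 1
        messages[(gid, sid)] = msg
    entries = []
    for key, hits in sorted(counts.items()):
        if hits < min_hits:
            continue
        gid, sid = key[0], key[1]
        line = f"suppress gen_id {gid}, sig_id {sid}"
        if by_src:
            line += f", track by_src, ip {key[2]}"
        entries.append(f"# {messages[(gid, sid)]} ({hits} hits)\n{line}")
    return entries

# Constructed sample alerts: SIDs, messages and addresses are made up for this example.
SAMPLE_ALERTS = """\
01/12-09:15:01.000001  [**] [1:1000001:3] EXAMPLE POLICY outbound update check [**] [Priority: 3] {TCP} 192.168.1.20:51234 -> 198.51.100.10:80
01/12-09:15:07.000002  [**] [1:1000001:3] EXAMPLE POLICY outbound update check [**] [Priority: 3] {TCP} 192.168.1.20:51240 -> 198.51.100.10:80
01/12-09:16:30.000003  [**] [1:1000002:1] EXAMPLE MALWARE beacon pattern [**] [Priority: 1] {TCP} 192.168.1.55:44321 -> 203.0.113.7:443
01/12-09:17:00.000004  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    print("\n".join(suppress_entries(SAMPLE_ALERTS)))
```

Review the generated lines before pasting them into the suppress list: a signature that only fires for one host after a rule update is often a false positive, but the single beacon hit above is exactly the kind of alert you want to keep.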

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list