I am running it now like this. I will push all alerts to my Kibana now and will check that for a couple of weeks to get a good overview.
> On 13.06.2016 at 21:48, compdoc <[email protected]> wrote:
>
>> How do you have Snort configured to differentiate between incoming and
>> outgoing traffic?
>
> I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the
> problem. It watches any http traffic, which is mainly outgoing in our case.
>
> On the Services / Snort / Interfaces page, edit your interface. And then
> click the 'WAN Preprocs' tab.
>
> I used to just disable HTTP Inspect, but at some point in time snort in
> pfSense started displaying a large warning.
>
> So, in that section there's a 'Server Configurations' option. I have one
> configuration named 'default', and you might have the same.
>
> Edit default, and there's a Ports area where you specify an alias which
> contains the ports snort should watch for HTTP traffic. I use port 10, but
> it can be any unused port. Now snort listens on port 10 for HTTP traffic and
> never hears any.
>
> Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I
> enable. I think I leave most of the other options on defaults.
>
> Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats
> (ET) Rules, and a list named 'emerging-compromised-ips.txt' on the IP Lists tab.
>
> However, I edit the snort interface and check 'Use IPS Policy' and then
> choose 'IPS Policy Selection: Connectivity'. I believe when you do this,
> snort decides which one of the rulesets it will use.
>
> Occasionally, as rules get updated snort will start blocking something that
> it wasn't blocking before, and you have to add those rules to the suppress
> list. This doesn't happen too often, though.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
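The thread above takes two routes to the same noise problem: compdoc points HTTP Inspect at an unused port so it never fires, and the reply ships every alert to Kibana to review later. The script below is an added example, not code from either poster or from the pfSense Snort package. It converts Snort alert lines into one JSON document per alert for Kibana and tags each by its generator ID, so HTTP Inspect (gen_id 119 for client-side, 120 for server-side events) and sfPortscan (gen_id 122) alerts can be filtered or dropped downstream while text rules (gen_id 1) stay visible. That keeps HTTP Inspect running on port 80, which matters because VRT and ET web rules that match on normalised http_uri / http_header buffers only see those buffers when HTTP Inspect has processed the traffic. The column order assumed for the pfSense alert_csv file is an assumption made for this example (check your own alert file), and the sample alert lines are constructed, not real captures.

```python
import csv
import json
from datetime import datetime

# Snort 2.x preprocessor generator IDs (gen_id). Text rules use gen_id 1.
GEN_RULES = 1
GEN_HTTP_INSPECT_CLIENT = 119
GEN_HTTP_INSPECT_SERVER = 120
GEN_SFPORTSCAN = 122

# Column order of the pfSense Snort package's alert_csv output. This order is an
# ASSUMPTION made for the example; verify it against your own "alert" file.
FIELDS = ("timestamp", "gen_id", "sig_id", "sig_rev", "msg", "proto",
          "src", "srcport", "dst", "dstport", "ip_id", "classification", "priority")
INT_FIELDS = ("gen_id", "sig_id", "sig_rev", "srcport", "dstport", "ip_id", "priority")

# Constructed sample alerts (not real captures): two HTTP Inspect events, one
# portscan event, and one text-rule hit with a hypothetical local sid.
SAMPLE_ALERTS = """\
06/13/16-21:50:11.123456,119,4,1,"(http_inspect) BARE BYTE UNICODE ENCODING",TCP,192.0.2.10,51234,198.51.100.20,80,0,Not Suspicious Traffic,3
06/13/16-21:50:12.000001,120,3,1,"(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE",TCP,198.51.100.20,80,192.0.2.10,51234,0,Unknown Traffic,3
06/13/16-21:51:02.500000,122,1,1,"(portscan) TCP Portscan",TCP,203.0.113.7,0,192.0.2.1,0,0,Attempted Information Leak,2
06/13/16-21:52:30.250000,1,1000001,2,"LOCAL Suspicious User-Agent (constructed example)",TCP,192.0.2.10,51300,198.51.100.44,80,0,A Network Trojan was detected,1
"""


def classify(gen_id):
    """Map a generator ID to a coarse source label usable as a Kibana filter."""
    if gen_id == GEN_RULES:
        return "rule"
    if gen_id in (GEN_HTTP_INSPECT_CLIENT, GEN_HTTP_INSPECT_SERVER):
        return "http_inspect"
    if gen_id == GEN_SFPORTSCAN:
        return "portscan"
    return "preprocessor"


def parse_alert_line(line):
    """Parse one alert_csv line; the msg field is quoted and may itself contain commas."""
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError("unexpected field count %d in: %r" % (len(row), line))
    rec = dict(zip(FIELDS, (v.strip() for v in row)))
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # Snort writes MM/DD/YY-HH:MM:SS.usec; Kibana expects an ISO 8601 @timestamp.
    stamp = datetime.strptime(rec.pop("timestamp"), "%m/%d/%y-%H:%M:%S.%f")
    rec["@timestamp"] = stamp.isoformat()
    rec["source"] = classify(rec["gen_id"])
    rec["sig"] = "%d:%d:%d" % (rec["gen_id"], rec["sig_id"], rec["sig_rev"])
    return rec


def convert_alerts(lines, drop_http_inspect=False):
    """Convert alert lines to documents, skipping blank and malformed lines."""
    docs = []
    for line in lines:
        if not line.strip():
            continue
        try:
            doc = parse_alert_line(line)
        except ValueError:
            continue  # e.g. a line truncated by log rotation; do not abort the batch
        if drop_http_inspect and doc["source"] == "http_inspect":
            continue
        docs.append(doc)
    return docs


def summarize(docs):
    """Count documents per source label (what a Kibana pie chart would show)."""
    counts = {}
    for doc in docs:
        counts[doc["source"]] = counts.get(doc["source"], 0) + 1
    return counts


def to_ndjson(docs):
    """One JSON object per line, the shape a bulk indexer or log shipper expects."""
    return "\n".join(json.dumps(doc, sort_keys=True) for doc in docs) + "\n"


if __name__ == "__main__":
    all_docs = convert_alerts(SAMPLE_ALERTS.splitlines())
    print(summarize(all_docs))
    print(to_ndjson(convert_alerts(SAMPLE_ALERTS.splitlines(), drop_http_inspect=True)))
```

Running it on the constructed sample gives a summary of two http_inspect, one portscan and one rule document; with drop_http_inspect=True only the portscan and rule documents remain. Keeping the `source` and `sig` fields in every document lets you build the suppress list compdoc mentions from real data: sort by `sig` over the review period and suppress only the specific gen_id:sig_id pairs that are noisy, rather than blinding a whole preprocessor.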
