Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
Stefan Fuhrmann, here are my settings. They work well for me, but there may be some fine-tuning you should do...

First, I choose the rules on the Global Settings tab. I applied for a free Oinkmaster Code, which I use on a few firewalls. Then I set the Removed Blocked Hosts Interval to 15 minutes, just in case I do something remotely that Snort doesn't like and locks me out. I think everything else is default:
http://imgur.com/dLIsp7v

Then I force a download of the rules on the Update tab...
http://imgur.com/bV7Pqoa

Next, create the Snort Interface. On the WAN Settings tab, I use defaults except I check Block Offenders and I use a Pass List and Suppression List, which need to be selected here.

On the WAN Categories tab, I select an IPS Policy, which disables selection of some rules. This is normal. However, do select the other rules that are available:
http://imgur.com/PwVqjU2

And then the last thing I change is on the WAN Preprocs tab. Everything is default, except that I check Auto Rule Disable, I disable HTTP Inspect, and enable Portscan Detection. HTTP Inspect will block many legitimate websites like Amazon, and will require that you add all the blocked sites to the pass or rule suppress lists. I feel this is too much work.

After Snort is up and running, there will be times when you need to suppress some rules to suit your users. For instance, one user's iPhone was triggering a POP3 rule whenever he tried to connect, and was being blocked. When this happens, go to the Blocked tab and unblock the address, then go to the Alerts tab, find the address, and add the rule to the Suppress list by clicking the appropriate button.

Good luck!

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
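The tuning loop in the reply above (look at the Alerts tab, find the address that keeps tripping one rule, suppress that rule for that source) can be prepared offline from the alert log instead of one click at a time. The script below is an added example and is not code from this thread or from the pfSense Snort package: it parses Snort's `alert_fast` line format, tallies alerts per signature and source address, and prints candidate `suppress` entries in Snort threshold.conf syntax for a person to review before pasting them into the Suppression List. The sample alert lines are constructed, the rule SIDs 2000001/2000002 and all IP addresses are placeholders, and `min_hits` is an assumed threshold. The portscan alert (gen_id 122) in the sample stays below the threshold and is deliberately not proposed, which is the point: a source that repeatedly trips a rule may be a misbehaving iPhone, or a real scanner, and only a human looking at the alert can tell.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output. Not taken from the thread;
# SIDs 2000001/2000002 and all addresses are placeholders.
SAMPLE_ALERTS = """\
10/02-07:01:23.123456  [**] [1:2000001:3] POP3 client login (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:110
10/02-07:01:25.223456  [**] [1:2000001:3] POP3 client login (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.5:110
10/02-07:01:28.323456  [**] [1:2000001:3] POP3 client login (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51236 -> 198.51.100.5:110
10/02-07:02:01.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.5
10/02-07:03:11.000001  [**] [1:2000002:1] HTTP suspicious user agent (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4000 -> 198.51.100.5:80
"""

# One alert_fast line: "[gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]"
# (IPv4 only; the Classification field is optional, as on portscan alerts).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev"):
        d[k] = int(d[k])
    return d


def parse_alerts(text):
    """Parse every matching line of an alert log; non-alert lines are skipped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def suppression_candidates(alerts, min_hits=3):
    """Group alerts by (gid, sid, source IP) and return the groups that fired at
    least min_hits times, most frequent first, as (gid, sid, src, hits, msg).
    These are candidates for human review, not an automatic allow-list."""
    hits = Counter()
    msgs = {}
    for a in alerts:
        key = (a["gid"], a["sid"], a["src"])
        hits[key] += 1
        msgs.setdefault(key, a["msg"])
    return [(g, s, src, n, msgs[(g, s, src)])
            for (g, s, src), n in hits.most_common() if n >= min_hits]


def format_suppress(gid, sid, src):
    """Snort threshold.conf syntax: silence one signature for one source only,
    rather than disabling the rule for everyone."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"


if __name__ == "__main__":
    for gid, sid, src, n, msg in suppression_candidates(parse_alerts(SAMPLE_ALERTS)):
        print(f"# {n} hits: {msg}")
        print(format_suppress(gid, sid, src))
```

Run against a real alert file by replacing `SAMPLE_ALERTS` with the file contents; the output is meant to be read, not applied blindly, and `track by_src` keeps the rule active for every other source.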
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
[Inline image 1]

On Thu, Oct 2, 2014 at 7:01 AM, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote:

> Hello Ivo,
> yes
> 2 pfsense nodes as cluster
> 2 loadbalancer
> 3 webserver
> need more info?
> tia Stefan
>
> From: Ivo Tonev i...@tonev.pro.br
> To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
> Sent: Monday, 29 September 2014 02:52:26
> Subject: Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
>
> > can you send your network layout? how many servers?
> >
> > -- Ivo Tonev i...@tonev.pro.br
> >
> > On Sep 28, 2014, at 05:58, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote:
> >
> > > Hello all, can someone help?
> > > tia Stefan

--
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
On 10/03/2014 04:31 PM, Ivo Tonev wrote:
> Inline image 1
>
> On Thu, Oct 2, 2014 at 7:01 AM, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote:
>
> > Hello Ivo,
> > yes
> > 2 pfsense nodes as cluster
> > 2 loadbalancer
> > 3 webserver
> > need more info?
> > tia Stefan

hi stefan,

i sniff at the switch where pfsense meets the dmz and web servers -- a promiscuous port that sends all packets for analysis to alienvault ossim [1]. they have a really nice distro/appliance for intrusion detection with reporting, ticket system, etc. a bit complicated to set up, but once you understand it, it is really quite cool. i use the freeware version running inside vmware.

cheers
d

[1] https://www.alienvault.com/open-threat-exchange/projects
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
Hello Ivo,
yes
2 pfsense nodes as cluster
2 loadbalancer
3 webserver
need more info?
tia Stefan

From: Ivo Tonev i...@tonev.pro.br
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Sent: Monday, 29 September 2014 02:52:26
Subject: Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

> can you send your network layout? how many servers?
>
> -- Ivo Tonev i...@tonev.pro.br
>
> On Sep 28, 2014, at 05:58, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote:
>
> > Hello all, can someone help?
> > tia Stefan
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
Hello all,
can someone help?
tia Stefan
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
> I need a recommendation for the following setup:
> pfsense-cluster
> loadbalancers
> webservers

I can't help with these.

> There are some thousand visits per day and I want to secure them with pfsense and snort. Snort runs on the lan side.
> At the moment there are several thousand alerts per day!

There are always many alerts, but you should not block them. Only the bad things are blocked. I can tell you how I set up snort to prevent it from creating too many false positives, if that's what you want. My settings might be a little different than others, but it's what I had to do.
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
can you send your network layout? how many servers?

--
Ivo Tonev
i...@tonev.pro.br

On Sep 28, 2014, at 05:58, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote:

> Hello all, can someone help?
> tia Stefan
[pfSense] recommandation: snort IDS, web http traffic, pfsense
Hello all,

I need a recommendation for the following setup:

pfsense-cluster | loadbalancers | webservers

There are some thousand visits per day and I want to secure them with pfsense and snort. Snort runs on the lan side. I want to be aware which are the false positives and how to handle this traffic with snort and the snort GUI within pfsense.

Is it a good idea to enable the categories step by step and do whitelisting of rules where I'm of the opinion this traffic should pass, and block the rest? I'm unsure if there is a lot of traffic getting blocked which should pass. This should not happen...

In that firm the opinion is that we should do blacklisting: blocking only categories where we are sure this is not good traffic. At the moment there are several thousand alerts per day! I would say block the alerts and then I do whitelisting via the GUI. Problem: at first there is an error state.

Can someone give recommendations how to implement this? Is it a good idea to configure the files directly on pfsense?

tia Stefan