>
>
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?
Mhh, I haven't configured anything. Just put the rules on my WAN interface. Maybe I
have to spend more time and read more documentation on it.
See if disabling the stream-events.rules ruleset helps. The web forum had some
references about that being incompatible with the pfSense implementation. If
memory serves, it's because Snort/Suricata see copies of packets not the actual
stream so they are often processed out of order.
When I
On Sun, Jun 12, 2016 at 7:32 PM, compdoc wrote:
>
> I've never tried Suricata so I can't say if it's better, but Snort works
> pretty well. There is one problem with Snort, however. It can watch
> incoming traffic as well as outgoing traffic.
>
> But when snort watches
When we first started experimenting with Suricata we had pfSense running on a
very old PC...XP era probably, and I'd guess 10-15 years old. When running,
Suricata did seem OK and not too CPU or RAM intensive but Suricata did simply
stop working now and again. That hasn't happened since using
With as many rules as an IDS/IPS would evaluate for each packet, it
seems that a multi-threaded option would be an obvious choice,
especially on modern multi-core quasi-embedded systems (e.g.
Rangely/Atom) with lower absolute clock speeds. Otherwise it seems you
might become effectively CPU
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?
I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the
problem. It watches any HTTP traffic, which is mainly outgoing in our case.
On the Services / Snort / Interfaces page,