Re: [pfSense] Snort or Suricata

2016-06-13 Thread Daniel Eschner
> How do you have Snort configured to differentiate between incoming and outgoing traffic?

Mhh, I didn't configure anything. Just put the rules in my WAN interface. Maybe I have to spend more time and read more documentation on it

Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
See if disabling the stream-events.rules ruleset helps. The web forum had some references about that being incompatible with the pfSense implementation. If memory serves, it's because Snort/Suricata see copies of packets not the actual stream so they are often processed out of order. When I

Re: [pfSense] Snort or Suricata

2016-06-13 Thread Jeff H
On Sun, Jun 12, 2016 at 7:32 PM, compdoc wrote:
> I've never tried suricata so I can't say if it's better, but snort works pretty well. There is one problem with snort, however. It can watch incoming traffic as well as outgoing traffic.
>
> But when snort watches

Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
When we first started experimenting with Suricata we had pfSense running on a very old PC...XP era probably, and I'd guess 10-15 years old. When running, Suricata did seem OK and not too CPU or RAM intensive but Suricata did simply stop working now and again. That hasn't happened since using

Re: [pfSense] Snort or Suricata

2016-06-13 Thread Karl Fife
With as many rules as an IDS/IPS would evaluate for each packet, it seems that a multi-threaded option would be an obvious choice, especially on modern multi-core quasi-embedded systems (e.g. Rangely/Atom) with lower absolute clock speeds. Otherwise it seems you might become effectively CPU

Re: [pfSense] Snort or Suricata

2016-06-13 Thread compdoc
> How do you have Snort configured to differentiate between incoming and outgoing traffic?

I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that’s the problem. It watches any http traffic, which is mainly outgoing in our case. On the Services / Snort / Interfaces page,