Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Roberto Carna
Ivo, that's a good idea... but please tell me if I'm correct or not:

WAN, LAN, Bridge interfaces: IP-Less
OPT1: IP for management in a management network

Thanks again,

2014-09-30 9:27 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 I recommend you create a management network for OPT1 with private IP.


 On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna robertocarn...@gmail.com
 wrote:

 I think this is good for us:


 - Router ISP with IP 200.0.0.1

 - pFsense with the following interfaces:

   a) WAN IP-Less
   b) LAN IP-Less
   c) OPT1 with IP 200.0.0.2 (management)
   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

 - Corporate firewall with IP 200.0.0.3

 - Snort runs in Bridge interface

 Do you think this is correct ???

 Good night !!!

 Roberto


 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
  I can say that I imagine this addresses space:
 
  Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
  OPT1 / IP 200.1.1.3 (management)
 
  So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
  and the OPT1 interface from pFsense has a public IP as router and firewall.
 
  Can I do this in pfsense ???
 
 
  On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral
  jelocab...@gmail.com
  wrote:
 
  OK Ivo, this is very helpful to me... Suppose I have:
 
  Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
 
  I have to maintain invariable the addressing of this scenario, so what IP
  addresses do I have to assign to WAN and LAN pFsense interfaces ???
 
  Thanks a lot,
 
  JeLo
 
  On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:
 
  In production environment you need 3 interfaces - one for WAN, one for
  LAN and one for management.
 
 
 
  http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
 
 
  On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:
 
   But you say: one interface for WAN, a second for LAN...and which interface is for managing ???
 
 
 
 
 
  You manage with a browser from LAN, and optionally also from the WAN port.
  And with ssh from the LAN.
 
 
 
 
  ___
  List mailing list
  List@lists.pfsense.org
  https://lists.pfsense.org/mailman/listinfo/list
 
 
 
 
  --
  Ivo R. Tonev
  +55 61 8409-2642
  i...@tonev.com.br
 




 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br



Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
You need to use the management network to download.


On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral jelocab...@gmail.com
wrote:

 Dear, I can't understand at all... please be patient with me :(

 I'll use pFsense with Snort as an IPS because I see it is easier than the
 manual configuration of Snort.

 I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2
 and the condition is that I MUST LET THIS CONFIGURATION AS IT IS NOW.

 So, I have to locate the pFsense server between the router and the
 firewall, in inline mode.

 My pFsense server has 3 network interfaces, let's say: WAN connected to
 router, LAN connected to corporate firewall and OPT1 for management with IP
 192.168.1.1.

 Now I have the question:

 How should I have to configure the WAN and LAN interfaces, with IP,
 IP-less, creating a bridging interface IP-less or with IP? Because if I
 create a bridge with WAN and LAN and I don't assign an IP, the IPS won't
 download the signs from Internet...I'm a bit confused.

 Thanks a lot, regards.

 JeLo



 On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev i...@tonev.pro.br wrote:

 Yes. Always use out of band management.



 On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna robertocarn...@gmail.com
  wrote:

 Ivo, that's a good idea... but please tell me if I'm correct or not:

 WAN, LAN, Bridge interfaces: IP-Less
 OPT1: IP for management in a management network

 Thanks again,

 2014-09-30 9:27 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  I recommend you create a management network for OPT1 with private IP.
 
 
  On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna 
 robertocarn...@gmail.com
  wrote:
 
  I think this is good for us:
 
 
  - Router ISP with IP 200.0.0.1
 
  - pFsense with the following interfaces:
 
a) WAN IP-Less
b) LAN IP-Less
c) OPT1 with IP 200.0.0.2 (management)
d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
 
  - Corporate firewall with IP 200.0.0.3
 
  - Snort runs in Bridge interface
 
  Do you think this is correct ???
 
  Good night !!!
 
  Roberto
 
 
  2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
   I can say that I imagine this addresses space:
  
   Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
   OPT1 / IP 200.1.1.3 (management)
  
   So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
   and the OPT1 interface from pFsense has a public IP as router and firewall.
  
   Can I do this in pfsense ???
  
  
   On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral
   jelocab...@gmail.com
   wrote:
  
   OK Ivo, this is very helpful to me... Suppose I have:
  
   Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
  
   I have to maintain invariable the addressing of this scenario, so what IP
   addresses do I have to assign to WAN and LAN pFsense interfaces ???
  
   Thanks a lot,
  
   JeLo
  
   On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br
 wrote:
  
   In production environment you need 3 interfaces - one for WAN, one for
   LAN and one for management.
  
  
  
  
 http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
  
  
   On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com
 wrote:
  
    But you say: one interface for WAN, a second for LAN...and which interface is for managing ???
  
  
  
  
  
   You manage with a browser from LAN, and optionally also from the WAN port.
   And with ssh from the LAN.
  
  
  
  
  
  
  
  
   --
   Ivo R. Tonev
   +55 61 8409-2642
   i...@tonev.com.br
  
 
 
 
 
  --
  Ivo R. Tonev
  +55 61 8409-2642
  i...@tonev.com.br
 




 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Josh Bitto
Of course you can... It's an add-on.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
Sent: Monday, September 29, 2014 10:28 AM
To: list@lists.pfsense.org
Subject: [pfSense] Snort as IPS in Pfsense

Dear, I need to know if it's possible to setup Pfsense with Snort to get an IPS 
(Intrusion Prevention System), and in this case what is the graphical interface 
used to view events and dropped traffic.

Thanks a lot,

Roberto


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
Use suricata
On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Dear, I need to know if it's possible to setup Pfsense with Snort to
 get an IPS (Intrusion Prevention System), and in this case what is the
 graphical interface used to view events and dropped traffic.

 Thanks a lot,

 Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Why Suricata in place of Snort?

Please can you tell me shortly the advantages of Suricata over Snort

Really thanks

Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 Use suricata

 On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Dear, I need to know if it's possible to setup Pfsense with Snort to
 get an IPS (Intrusion Prevention System), and in this case what is the
 graphical interface used to view events and dropped traffic.

 Thanks a lot,

 Roberto


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort ???

2) In IPS mode, do I have to have 3 interfaces in my server ???

3) The only way to view the IPS blocking events is from into Pfsense
or can I use Snorby ???

Thanks again,

Roberto

Thanks again,

Roberto



2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 Use suricata

 On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Dear, I need to know if it's possible to setup Pfsense with Snort to
 get an IPS (Intrusion Prevention System), and in this case what is the
 graphical interface used to view events and dropped traffic.

 Thanks a lot,

 Roberto


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
You might want to use Google instead of relying on others. Maybe try to do
your own homework?

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide
On 29 Sep 2014 at 20:34, Roberto Carna robertocarn...@gmail.com wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
Roberto

Here is a good place to start regarding Suricata or Snort.

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
OK, thanks, the last please:

Do you recommend to install an IPS in a Virtual Machine like VMware
??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com:
 Roberto

 Here is a good place to start regarding Suricata or Snort.

 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



 ---
 Anastasios Stefos
 ´αίέν άριστεύειν

 On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
  wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
If you have access to VMWare workstation installed or ESXi, it is
worthwhile to install and experiment in an isolated environment prior to
going live with either. If not, a couple of PCs.



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:07 PM, Roberto Carna robertocarn...@gmail.com
wrote:

 OK, thanks, the last please:

 Do you recommend to install an IPS in a Virtual Machine like VMware
 ??? Because we have VMware for all our servers.

 Regards,

 2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com
 :
  Roberto
 
  Here is a good place to start regarding Suricata or Snort.
 
 
 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
 
 
 
  ---
  Anastasios Stefos
  ´αίέν άριστεύειν
 
  On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 
  wrote:
 
  Dear Ivo and people, just three short questions:
 
  1) Using Suricata, can I enable the IPS mode as I can using Snort ???
 
  2) In IPS mode, do I have to have 3 interfaces in my server ???
 
  3) The only way to view the IPS blocking events is from into Pfsense
  or can I use Snorby ???
 
  Thanks again,
 
  Roberto
 
  Thanks again,
 
  Roberto
 
 
 
  2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
   Use suricata
  
   On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
   wrote:
  
   Dear, I need to know if it's possible to setup Pfsense with Snort to
   get an IPS (Intrusion Prevention System), and in this case what is
 the
   graphical interface used to view events and dropped traffic.
  
   Thanks a lot,
  
   Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Depends on what you want. A split design is normally better and safer than
an all-in-one box. If you want suricata + snorby and barnyard, it's not
recommended to run it all on pfsense. There are many deps. that will cause
a security nightmare and you will probably run out of hw resources as well.

OK, thanks, the last please:

Do you recommend to install an IPS in a Virtual Machine like VMware
??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com:
 Roberto

 Here is a good place to start regarding Suricata or Snort.


http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



 ---
 Anastasios Stefos
 ´αίέν άριστεύειν

 On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
  wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
I agree completely with Espen. All your eggs in one basket is a terribly
bad idea and a troubleshooting nightmare.

Security Onion in back of pfsense is one idea. You can run Snorby, Snort
and additional tools and not overtax pfsense.



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:15 PM, Espen Johansen pfse...@gmail.com wrote:

 Depends on what you want. A split design is normally better and safer than
 an all-in-one box. If you want suricata + snorby and barnyard, it's not
 recommended to run it all on pfsense. There are many deps. that will cause
 a security nightmare and you will probably run out of hw resources as well.

 OK, thanks, the last please:

 Do you recommend to install an IPS in a Virtual Machine like VMware
 ??? Because we have VMware for all our servers.

 Regards,

 2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com
 :
  Roberto
 
  Here is a good place to start regarding Suricata or Snort.
 
 
 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
 
 
 
  ---
  Anastasios Stefos
  ´αίέν άριστεύειν
 
  On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 
  wrote:
 
  Dear Ivo and people, just three short questions:
 
  1) Using Suricata, can I enable the IPS mode as I can using Snort ???
 
  2) In IPS mode, do I have to have 3 interfaces in my server ???
 
  3) The only way to view the IPS blocking events is from into Pfsense
  or can I use Snorby ???
 
  Thanks again,
 
  Roberto
 
  Thanks again,
 
  Roberto
 
 
 
  2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
   Use suricata
  
   On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
   wrote:
  
   Dear, I need to know if it's possible to setup Pfsense with Snort to
   get an IPS (Intrusion Prevention System), and in this case what is
 the
   graphical interface used to view events and dropped traffic.
  
   Thanks a lot,
  
   Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
in bridge mode with firewall rules enabled ???

Really thanks,

Roberto



2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
 Depends on what you want. A split design is normally better and safer than
 an all-in-one box. If you want suricata + snorby and barnyard, it's not
 recommended to run it all on pfsense. There are many deps. that will cause
 a security nightmare and you will probably run out of hw resources as well.

 OK, thanks, the last please:

 Do you recommend to install an IPS in a Virtual Machine like VMware
 ??? Because we have VMware for all our servers.

 Regards,

 2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com:
 Roberto

 Here is a good place to start regarding Suricata or Snort.


 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



 ---
 Anastasios Stefos
 ´αίέν άριστεύειν

 On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
  wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Why bridge? Do you want to hide everything? It's not that hard to fingerprint
a pfS bridge. If you have practical reasons, sure go ahead.
On 29 Sep 2014 at 21:28, Roberto Carna robertocarn...@gmail.com wrote:

 Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
 in bridge mode with firewall rules enabled ???

 Really thanks,

 Roberto



 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
  Depends on what you want. A split design is normally better and safer than
  an all-in-one box. If you want suricata + snorby and barnyard, it's not
  recommended to run it all on pfsense. There are many deps. that will cause
  a security nightmare and you will probably run out of hw resources as well.
 
  OK, thanks, the last please:
 
  Do you recommend to install an IPS in a Virtual Machine like VMware
  ??? Because we have VMware for all our servers.
 
  Regards,
 
  2014-09-29 15:39 GMT-03:00 Anastasios Stefos 
 anastasios.ste...@gmail.com:
  Roberto
 
  Here is a good place to start regarding Suricata or Snort.
 
 
 
 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
 
 
 
  ---
  Anastasios Stefos
  ´αίέν άριστεύειν
 
  On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna 
 robertocarn...@gmail.com
  wrote:
 
  Dear Ivo and people, just three short questions:
 
  1) Using Suricata, can I enable the IPS mode as I can using Snort ???
 
  2) In IPS mode, do I have to have 3 interfaces in my server ???
 
  3) The only way to view the IPS blocking events is from into Pfsense
  or can I use Snorby ???
 
  Thanks again,
 
  Roberto
 
  Thanks again,
 
  Roberto
 
 
 
  2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
   Use suricata
  
   On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
   wrote:
  
   Dear, I need to know if it's possible to setup Pfsense with Snort to
   get an IPS (Intrusion Prevention System), and in this case what is
 the
   graphical interface used to view events and dropped traffic.
  
   Thanks a lot,
  
   Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Mainly bridge to hide the IPS server from Internet, and also if I
don't use the bridge mode I have to put a public IP in the WAN
interface connected to the router and I have not much more available
public IPs.

2014-09-29 16:31 GMT-03:00 Espen Johansen pfse...@gmail.com:
 Why bridge? Do you want to hide everything? It's not that hard to fingerprint
 a pfS bridge. If you have practical reasons, sure go ahead.

 On 29 Sep 2014 at 21:28, Roberto Carna robertocarn...@gmail.com wrote:

 Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
 in bridge mode with firewall rules enabled ???

 Really thanks,

 Roberto



 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
  Depends on what you want. A split design is normally better and safer than
  an all-in-one box. If you want suricata + snorby and barnyard, it's not
  recommended to run it all on pfsense. There are many deps. that will cause
  a security nightmare and you will probably run out of hw resources as well.
 
  OK, thanks, the last please:
 
  Do you recommend to install an IPS in a Virtual Machine like VMware
  ??? Because we have VMware for all our servers.
 
  Regards,
 
  2014-09-29 15:39 GMT-03:00 Anastasios Stefos
  anastasios.ste...@gmail.com:
  Roberto
 
  Here is a good place to start regarding Suricata or Snort.
 
 
 
  http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
 
 
 
  ---
  Anastasios Stefos
  ´αίέν άριστεύειν
 
  On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
  robertocarn...@gmail.com
  wrote:
 
  Dear Ivo and people, just three short questions:
 
  1) Using Suricata, can I enable the IPS mode as I can using Snort ???
 
  2) In IPS mode, do I have to have 3 interfaces in my server ???
 
  3) The only way to view the IPS blocking events is from into Pfsense
  or can I use Snorby ???
 
  Thanks again,
 
  Roberto
 
  Thanks again,
 
  Roberto
 
 
 
  2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
   Use suricata
  
   On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
   wrote:
  
   Dear, I need to know if it's possible to setup Pfsense with Snort
   to
   get an IPS (Intrusion Prevention System), and in this case what is
   the
   graphical interface used to view events and dropped traffic.
  
   Thanks a lot,
  
   Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use as many interfaces as you want.

You can use the web gui or tail -f the file on
/var/log/suricata/(interface)/*
:)
On Sep 29, 2014 3:34 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
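
An added example, not part of the original thread: the reply above points to the web GUI or `tail -f` on the Suricata log directory for viewing events, and this Python script parses lines in Suricata's fast alert format to separate packets that were dropped from rules that only alerted. The sample lines, addresses and SIDs are constructed; which file under /var/log/suricata/(interface)/ holds these lines on a given install is an assumption left to the reader.

```python
import re
import sys
from collections import Counter

# One line of Suricata's fast alert format. In inline (IPS) mode a bracketed
# action tag such as "[Drop]" precedes the first "[**]"; alert-only lines
# have no tag. Any tag other than "Drop" is treated here as alert-only.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample input (documentation address ranges, local-range SIDs).
SAMPLE_LINES = [
    "09/29/2014-16:41:07.120934  [Drop] [**] [1:1000001:1] LOCAL example inbound scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:40112 -> 203.0.113.2:22",
    "09/29/2014-16:41:09.553101  [**] [1:1000002:3] LOCAL example policy match [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 203.0.113.2:53211 -> 192.0.2.53:53",
    "09/29/2014-16:41:12.000417  [Drop] [**] [1:1000001:1] LOCAL example inbound scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:40113 -> 203.0.113.2:23",
    "09/29/2014-16:42:30.771245  [Drop] [**] [1:1000003:2] LOCAL example exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 2001:db8::bad:51514 -> 2001:db8::10:443",
    "09/29/2014-16:42:31.0031",  # truncated line, e.g. read while being written
]


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_line(line):
    """Return a dict for one fast-format line, or None if it does not parse."""
    m = FAST_LINE.match(line.strip())
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),
        "dropped": m.group("action") == "Drop",
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(lines):
    """Count drops per (source address, SID), alert-only events, and bad lines."""
    dropped = Counter()
    alert_only = 0
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # keep a count so truncated or odd lines are not silently lost
        elif event["dropped"]:
            dropped[(event["src_ip"], event["sid"])] += 1
        else:
            alert_only += 1
    return {"dropped": dropped, "alert_only": alert_only, "unparsed": unparsed}


if __name__ == "__main__":
    # With file arguments, read those logs; with none, use the constructed sample.
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_LINES
    report = summarize(lines)
    for (src, sid), count in report["dropped"].most_common():
        print(f"dropped {count:4d}  src={src}  sid={sid}")
    print(f"alert-only: {report['alert_only']}  unparsed: {report['unparsed']}")
```

A non-zero unparsed count is worth checking before trusting the totals, since it means some lines did not match the expected format.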

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ivo, I want to locate the IPS between the router and the corporative
firewall, so I think to use bridge mode... is correct???

2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 I recommend to use in router mode.

 On Sep 29, 2014 4:29 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
 in bridge mode with firewall rules enabled ???

 Really thanks,

 Roberto



 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
  Depends on what you want. A split design is normally better and safer
  than an all-in-one box. If you want suricata + snorby and barnyard it's not
  recommended to run it all on pfsense. There are many deps. that will
  cause a security nightmare and you will probably run out of hw resources as
  well.
 
  OK, thanks, the last please:
 
  Do you recommend to install an IPS in a Virtual Machine like VMware
  ??? Because we have VMware for all our servers.
 
  Regards,
 
  2014-09-29 15:39 GMT-03:00 Anastasios Stefos
  anastasios.ste...@gmail.com:
  Roberto
 
  Here is a good place to start regarding Suricata or Snort.
 
 
 
  http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
 
 
 
  ---
  Anastasios Stefos
  αἰὲν ἀριστεύειν
 

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use an invalid IP on the WAN interface. This way there is no way to
avoid the firewall.
On Sep 29, 2014 4:37 PM, Roberto Carna robertocarn...@gmail.com wrote:

 Mainly bridge to hide the IPS server from Internet, and also if I
 don't use the bridge mode I have to put a public IP in the WAN
 interface connected to the router and I have not much more available
 public IP's.

 2014-09-29 16:31 GMT-03:00 Espen Johansen pfse...@gmail.com:
  Why bridge? Do you want to hide everything? It's not that hard to
  fingerprint a pfS bridge. If you have practical reasons, sure go ahead.
 

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
If all you want is an IPS then I don't understand what you need pfS for?
There are tons of setup guides for a linux flavour of choice to get this
setup done. You can even build a hogwash like setup if you like.
On 29 Sep 2014 21:38, Roberto Carna robertocarn...@gmail.com wrote:

 Ivo, I want to locate the IPS between the router and the corporative
 firewall, so I think to use bridge mode... is correct???


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
On pfsense it is click & go. No need to install everything. :)
On Sep 29, 2014 4:46 PM, Espen Johansen pfse...@gmail.com wrote:

 If all you want is an IPS then I don't understand what you need pfS for?
 There are tons of setup guides for a linux flavour of choice to get this
 setup done. You can even build a hogwash like setup if you like.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ok, thanks

2014-09-29 16:58 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 On pfsense it is click & go. No need to install everything. :)


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Dear, this topic is very interesting to me...I have the same scenario:

Internet Router --- PFsense --- Corporate Firewall

1) Is it possible to have just 2 interfaces in Pfsense in order to setup an
IPS ???

2) Isn't it the best way to setup a bridged firewall as Roberto said ???
Because I need to maintain the corporate firewall, and I want Pfsense just
for my IPS solution.

Thanking in advance.

JeLo

On Mon, Sep 29, 2014 at 5:07 PM, Roberto Carna robertocarn...@gmail.com
wrote:

 Ok, thanks


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
 Here is a good place to start regarding Suricata or Snort.

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Is the free to use version of Snort going away? I scanned the page mentioned
above but it seems unclear.

Suricata sounds like an excellent replacement given the advanced features, but
I have to say Snort is doing a fine job for us.

I use the free Registered User rules and the free Emerging Threats rules, and
Snort is busy blocking port scans and all kinds of activity, while not
bothering/blocking our users' activity.

Not that we rely solely on Snort - no unnecessary ports are listening to the
web. No management ports like 22 are open.

Anyway, Snort doesn’t use much cpu time for our 30 user office, and pfSense
makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think it's
fine.

By the way, if you have a decent speed quad-core server with at least 8GB ram,
you can easily run pfSense, Suricata, and whatever else side by side in virtual
machines.

 

 


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
promiscuous LAN and 1 management.

The Pfsense firewall has to be setup as BRIDGE if I want to put it between
the router and the corporate firewall ???

Special thanks,

JeLo

On Mon, Sep 29, 2014 at 5:35 PM, compdoc comp...@hotrodpc.com wrote:

  Here is a good place to start regarding Suricata or Snort.
 
 
 http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/


 Is the free to use version of Snort going away? I scanned the page
 mentioned above but it seems unclear.



 Suricata sounds like an excellent replacement given the advanced features,
 but I have to say Snort is doing a fine job for us.



 I use the free Registered User rules and the free Emerging Threats rules,
 and Snort is busy blocking port scans and all kinds of activity, while not
 bothering/blocking our users' activity.

 Not that we rely solely on Snort - no unnecessary ports are listening to
 the web. No management ports like 22 are open.

 Anyway, Snort doesn’t use much cpu time for our 30 user office, and
 pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I
 think it's fine.



 By the way, if you have a decent speed quad-core server with at least 8GB
 ram, you can easily run pfSense, Suricata, and whatever else side by side
 in virtual machines.






Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I don't like the bridge approach because if you have many vlans it becomes
very complicated.

I always use the router approach because I can configure the IDS for one
interface and IPS for another.

If you don't have enough IP addresses, you can use invalid IP on firewall
WAN and create a route on your router to reach your range.
On Sep 29, 2014 7:31 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

 Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
 implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
 promiscuous LAN and 1 management.

 The Pfsense firewall has to be setup as BRIDGE if I want to put it between
 the router and the corporate firewall ???

 Special thanks,

 JeLo


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Mehmasarja
Kickstarter had/has a campaign by iguardian to create a snort appliance. It 
looks like something you are trying to do. Instead of pf, it is based on 
openwrt. Check it out. 

Yudhvir 

 On Sep 29, 2014, at 4:22 PM, Ivo Tonev i...@tonev.pro.br wrote:
 
 I don't like the bridge approach because if you have many vlans it becomes
 very complicated.
 
 I always use the router approach because I can configure the IDS for one 
 interface and IPS for another.
 
 If you don't have enough IP addresses, you can use invalid IP on firewall WAN 
 and create a route on your router to reach your range.
 

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
 The Pfsense firewall has to be setup as BRIDGE if I want to put it between the
 router and the corporate firewall ???

Connect like this?

www - isp router - pfSense - corporate firewall - lan

Don’t think you have to use bridge mode. Can Snort work in bridge mode?

 

 

 


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
 But you say: one interface for WAN, a second for LAN...and which interface is
 for managing ???

You manage with a browser from LAN, and optionally also from the WAN port. And
with ssh from the LAN.

 


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
 do I have to have 3 network interfaces or 2 interfaces are enough to 
 implement the IPS?

 

With Snort, just need one for wan, one for lan. That’s all. I use a 3rd for 
wifi at home. 

 

The office is a virtual machine with two wan ports, one lan, one wifi, and one 
connection for the host. 

 

 

 


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
In production environment you need 3 interfaces - one for WAN, one for LAN
and one for management.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:

  But you say: one interface for WAN, a second for LAN...and which interface is for managing ???

 You manage with a browser from LAN, and optionally also from the WAN port.
 And with ssh from the LAN.







-- 
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Correct, as you said:

www - ISP router - pfSense - corporate firewall - Lan

I have one public IP in the router interface, another public IP on the
corporate firewall interface, and I can't change these parameters at all, I
need to put the IPS in the middle, so I think I have to use the bridge
mode, because if I set up routing mode I alter the address schema.

Can you help me???

On Mon, Sep 29, 2014 at 9:19 PM, compdoc comp...@hotrodpc.com wrote:

  The Pfsense firewall has to be set up as BRIDGE if I want to put it
 between the router and the corporate firewall ???





 Connect like this?



 www - isp router - pfSense - corporate firewall - lan





 Don’t think you have to use bridge mode. Can Snort work in bridge mode?








Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
OK Ivo, this is very helpful to me. Suppose I have:

Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

I have to maintain invariable the addressing of this scenario, so what IP
addresses do I have to assign to WAN and LAN pFsense interfaces ???

Thanks a lot,

JeLo

On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:

 In production environment you need 3 interfaces - one for WAN, one for LAN
 and one for management.

 http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


 On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:

  But you say: one interface for WAN, a second for LAN...and which interface is for managing ???

 You manage with a browser from LAN, and optionally also from the WAN port.
 And with ssh from the LAN.







 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
I can say that I imagine this addresses space:

Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                        OPT1 / IP 200.1.1.3 (management)

So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
and the OPT1 interface from pFsense has a public IP as router and firewall.

Can I do this in pfsense ???


On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral jelocab...@gmail.com
wrote:

 OK Ivo, this is very helpful to me. Suppose I have:

 Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

 I have to maintain invariable the addressing of this scenario, so what IP
 addresses do I have to assign to WAN and LAN pFsense interfaces ???

 Thanks a lot,

 JeLo

 On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:

 In production environment you need 3 interfaces - one for WAN, one for
 LAN and one for management.

 http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


 On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:

  But you say: one interface for WAN, a second for LAN...and which interface is for managing ???

 You manage with a browser from LAN, and optionally also from the WAN port.
 And with ssh from the LAN.







 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
I think this is good for us:


- Router ISP with IP 200.0.0.1

- pFsense with the following interfaces:

  a) WAN IP-Less
  b) LAN IP-Less
  c) OPT1 with IP 200.0.0.2 (management)
  d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

- Corporate firewall with IP 200.0.0.3

- Snort runs in Bridge interface

Do you think this is correct ???

Good night !!!

Roberto


2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
 I can say that I imagine this addresses space:

 Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                         OPT1 / IP 200.1.1.3 (management)

 So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
 and the OPT1 interface from pFsense has a public IP as router and firewall.

 Can I do this in pfsense ???


 On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral jelocab...@gmail.com
 wrote:

 OK Ivo, this is very helpful to me. Suppose I have:

 Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

 I have to maintain invariable the addressing of this scenario, so what IP
 addresses do I have to assign to WAN and LAN pFsense interfaces ???

 Thanks a lot,

 JeLo

 On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:

 In production environment you need 3 interfaces - one for WAN, one for
 LAN and one for management.


 http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


 On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:

  But you say: one interface for WAN, a second for LAN...and which interface is for managing ???

 You manage with a browser from LAN, and optionally also from the WAN port.
 And with ssh from the LAN.








 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br



Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Blake Cornell
I see no keyword match for Bro IDS nor Cymru from the previous 34
messages.

https://github.com/sethhall/bro-scripts/wiki/The-Malware-Hash-Registry-and-Bro-IDS


https://www.bro.org/

2c

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478 x100
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec

On 09/29/2014 11:13 PM, Roberto Carna wrote:
 I think this is good for us:


 - Router ISP with IP 200.0.0.1

 - pFsense with the following interfaces:

   a) WAN IP-Less
   b) LAN IP-Less
   c) OPT1 with IP 200.0.0.2 (management)
   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

 - Corporate firewall with IP 200.0.0.3

 - Snort runs in Bridge interface

 Do you think this is correct ???

 Good night !!!

 Roberto


 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
 I can say that I imagine this addresses space:

 Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                         OPT1 / IP 200.1.1.3 (management)

 So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
 and the OPT1 interface from pFsense has a public IP as router and firewall.

 Can I do this in pfsense ???


 On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral jelocab...@gmail.com
 wrote:
 OK Ivo, this is very helpful to me. Suppose I have:

 Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

 I have to maintain invariable the addressing of this scenario, so what IP
 addresses do I have to assign to WAN and LAN pFsense interfaces ???

 Thanks a lot,

 JeLo

 On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:
 In production environment you need 3 interfaces - one for WAN, one for
 LAN and one for management.


 http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


 On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:
 But you say: one interface for WAN, a second for LAN...and which interface is for managing ???

 You manage with a browser from LAN, and optionally also from the WAN port.
 And with ssh from the LAN.







 --
 Ivo R. Tonev
 +55 61 8409-2642
 i...@tonev.com.br
