Author Topic: IDS/IPS with pfblockerNG  (Read 219 times)

Qinn
IDS/IPS with pfblockerNG
« on: December 04, 2017, 03:19:20 am »
Hi there, I could use some advice on the subject. Maybe it's in the wrong spot, but as pfblockerNG is my starting point and an IDS is my next step, I placed it here (if an admin wants me to move it, no worries). What can anyone advise me: Suricata or Snort in combination with pfblockerNG?

Thanks for any help, pointers or advice.

Cheers Qinn

V3lcr0
Re: IDS/IPS with pfblockerNG
« Reply #1 on: December 04, 2017, 09:10:59 am »
I can't speak much about Suricata, but I have been using Snort with pfBlocker with no compatibility issues...the one problem I had was geo blocking Brazil. A Brazil University was the destination for a Snort rule...

https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

I would defer to Suricata users for their thoughts...

Qinn
Re: IDS/IPS with pfblockerNG
« Reply #2 on: December 04, 2017, 12:38:45 pm »
Quote from: V3lcr0 on December 04, 2017, 09:10:59 am
> I can't speak much about Suricata, but I have been using Snort with pfBlocker with no compatibility issues...the one problem I had was geo blocking Brazil. A Brazil University was the destination for a Snort rule...
>
> https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825
>
> I would defer to Suricata users for their thoughts...

Thanks, of course I still would like to know some thoughts from Suricata users, but can you advise on some good info/setup/video for a Snort newbie?

V3lcr0
Re: IDS/IPS with pfblockerNG
« Reply #3 on: December 04, 2017, 01:13:11 pm »
bmeeks put a great guide together, a little dated but still a good thread...(thanks bmeeks!)
https://forum.pfsense.org/index.php?topic=61018.0

This is a more recent thread:
https://doc.pfsense.org/index.php/Setup_Snort_Package

This will get you going...

My suggestions would be:

1) When you set up the interfaces, resist the temptation to "Block Offenders" at the start...you can use it as an IDS, then move to IPS. It will block a lot!
2) Use the "Snort VRT IPS Policy Selection" to start depending on your needs...i.e. Balanced/Connectivity/Security
3) Use "Service_Watchdog" package as well in case it stops...

I think any of the IDS/IPS packages use hardware resources...so make sure your setup is strong enough...not hard to set up! Requires some attention to get going...quite a few false positives to start that block traffic (hence start with IDS to start).

Good luck...
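Step 1 of the list above (run Snort as an IDS first, then move to IPS) means reviewing what Snort has alerted on before enabling "Block Offenders". Below is an added example, not code from this thread or from the pfSense Snort package, that parses Snort's one-line alert_fast log format and groups alerts per rule, flagging rules that fire from several internal hosts as candidates to review or suppress before blocking is switched on. The HOME_NET subnet, the sample alert lines and their SIDs are constructed for the example, and it assumes IPv4 addresses in the log.

```python
"""Summarise Snort alert_fast lines before turning on blocking.

Added example; not code from the thread or from the pfSense Snort package.
Assumptions: the log is in Snort's "alert_fast" one-line format, addresses
are IPv4, and HOME_NET is the internal side. Sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:sport] -> dst[:dport]. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (documentation-range addresses, local-rule SIDs).
SAMPLE_ALERTS = """\
12/04-03:19:20.123456  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44321 -> 192.0.2.5:443
12/04-03:19:21.000001  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44322 -> 192.0.2.5:443
12/04-03:20:05.500000  [**] [1:1000002:3] LOCAL test rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.7:53211 -> 198.51.100.53:53
12/04-03:21:10.000000  [**] [1:1000002:3] LOCAL test rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.8:53212 -> 198.51.100.53:53
12/04-03:22:00.000000  [**] [1:1000002:3] LOCAL test rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.9:53213 -> 198.51.100.53:53
12/04-03:25:42.000000  [**] [1:1000003:2] LOCAL test rule C [**] [Priority: 1] {ICMP} 203.0.113.99 -> 192.0.2.5
"""

# Constructed internal network; on pfSense this would be the LAN subnet(s) in HOME_NET.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    return d


def parse_alerts(text):
    """Parse every non-empty line; lines that do not match are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            a = parse_alert(line)
            if a:
                alerts.append(a)
    return alerts


def is_home(addr, nets=HOME_NET):
    """True if addr falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def summarize(alerts, nets=HOME_NET, noisy_threshold=3):
    """Group alerts per (gid, sid) and flag rules to review before blocking.

    A rule that fires from several distinct internal hosts is a likely false
    positive: with "Block Offenders" on, it would cut off your own machines.
    """
    per_rule = defaultdict(lambda: {"msg": "", "count": 0, "priority": 0,
                                    "home_sources": set(), "external_sources": set(),
                                    "destinations": set()})
    for a in alerts:
        r = per_rule[(a["gid"], a["sid"])]
        r["msg"] = a["msg"]
        r["count"] += 1
        r["priority"] = a["prio"]
        bucket = r["home_sources"] if is_home(a["src"], nets) else r["external_sources"]
        bucket.add(a["src"])
        r["destinations"].add(a["dst"])
    for r in per_rule.values():
        r["review_before_blocking"] = len(r["home_sources"]) >= noisy_threshold
    return dict(per_rule)


def print_report(summary):
    """Print rules by alert volume, marking the ones to look at first."""
    for (gid, sid), r in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        flag = "  <-- review before enabling Block Offenders" if r["review_before_blocking"] else ""
        print(f"{gid}:{sid} prio={r['priority']} count={r['count']} "
              f"home_src={len(r['home_sources'])} ext_src={len(r['external_sources'])} "
              f"dst={len(r['destinations'])}  {r['msg']}{flag}")


if __name__ == "__main__":
    print_report(summarize(parse_alerts(SAMPLE_ALERTS)))
```

Point `parse_alerts` at the contents of the interface's alert file instead of `SAMPLE_ALERTS` and set `HOME_NET` to your LAN subnets; the rules flagged in the report are the ones worth a suppress entry or a policy change before blocking is turned on, which is the same "IDS first, then IPS" ordering the reply recommends.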