
Author Topic: PFsense 2.0.1 Snort IPS bridge mode does not work!


giorgiolago
PFsense 2.0.1 Snort IPS bridge mode does not work!
« on: March 20, 2012, 08:15:53 pm »
I'm configuring a pfSense 2.0.1 64-bit firewall to work in transparent mode (bridge) using this how-to:
http://blog.qcsitter.com/BSDay/

WAN (em0) ----- LAN   (em1)   ---  External network
                |PF|                } ----> [bridge0]
                ----- OPT1 (em2) --- Internal network

Snort is listening on the bridge0 interface.
When I use BackTrack (nmap) to test Snort, I don't see any alert in the log or the web interface.
I wrote ICMP rules to test and I see those triggers in the log, but exploits or portscans don't show up in the alert log.
The question is: does pfSense 2.0.1 Snort work in bridge mode (IPS)?

giorgiolago
Re: PFsense 2.0.1 Snort IPS bridge mode does not work!
« Reply #1 on: March 21, 2012, 10:03:01 am »
Anyone?

giorgiolago
Re: PFsense 2.0.1 Snort IPS bridge mode does not work!
« Reply #2 on: March 23, 2012, 01:25:38 pm »
Thanks for the help (???). I solved my problem...

pfSense uses a configuration file for each interface; in this case, the configuration file for the interface bridge0 is referenced by the startup script:
/usr/local/etc/rc.d/snort.sh
Look at line 28:
/usr/local/bin/snort -R 58154 -D -q -l /var/log/snort --pid-path /var/log/snort/run -G 58154 -c /usr/local/etc/snort/snort_58154_bridge0/snort.conf -i bridge0

We need to edit this file:
/usr/local/etc/snort/snort_58154_bridge0/snort.conf
To properly monitor traffic on bridge0 we must set two variables in this file correctly? WRONG! VERY WRONG!!!
var HOME_NET
var EXTERNAL_NET
These variables need to be like this:
var HOME_NET any
var EXTERNAL_NET any

But you cannot change these parameters directly in the file itself, because it is generated by a script, this one:
/usr/local/pkg/snort/snort.inc

We need to change this script so that it generates the snort.conf with the correct variables, here we go:
In the file /usr/local/pkg/snort/snort.inc, at line 233, change:

$HOME_NET = "[{$HOME_NET}]";
to:
$HOME_NET = "any";


And at line 1330 change:

$EXTERNAL_NET = '!$HOME_NET';
to:
$EXTERNAL_NET = 'any';

Save the file!

Now the last step, edit the file:
/usr/local/etc/snort/snort_58154_bridge0/snort.conf

In the section:

preprocessor sfportscan: scan_type { all } \
                         proto { all } \
                         memcap { 10000000 } \
                         sense_level { medium } \
                         ignore_scanners { $HOME_NET }

Review the option ignore_scanners { $HOME_NET }:

preprocessor sfportscan: scan_type { all } \
                         proto { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
                         #ignore_scanners { $HOME_NET }

Save the file, go to the Snort services page and restart the interface, and everything works beautifully! Thanks for the help (???) .....  :-X ::) >:(
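An added check (not from this thread and not pfSense or Snort code) that shows why scans from the LAN stayed invisible: it parses a constructed snort.conf fragment in the shape pfSense 2.0.1 generates (HOME_NET as a list, EXTERNAL_NET as its negation, sfportscan with ignore_scanners set to $HOME_NET), resolves the variables, and reports whether sfportscan would ignore a scanner at a given address. A second constructed fragment reflects the edits from the post above.

```python
import ipaddress
import re

# Constructed fragment of a pfSense-generated snort.conf (before the edits).
GENERATED_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
preprocessor sfportscan: scan_type { all } \\
                         proto { all } \\
                         memcap { 10000000 } \\
                         sense_level { medium } \\
                         ignore_scanners { $HOME_NET }
"""

# Constructed fragment after the edits described in the post.
FIXED_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
preprocessor sfportscan: scan_type { all } \\
                         proto { all } \\
                         memcap { 10000000 } \\
                         sense_level { medium }
                         #ignore_scanners { $HOME_NET }
"""

def join_continuations(text):
    """Join backslash-continued lines into one logical line, as Snort reads them."""
    return re.sub(r"\\\n\s*", " ", text)

def parse_vars(text):
    """Collect 'var NAME VALUE' definitions exactly as written."""
    return dict(re.findall(r"^var\s+(\S+)\s+(.+?)\s*$", text, re.M))

def resolve(value, variables):
    """Expand $NAME references; return (negated, networks) with networks=None for 'any'."""
    for _ in range(8):  # bounded so a self-referencing var cannot loop forever
        if "$" not in value:
            break
        value = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
    negated = value.startswith("!")
    value = value.lstrip("!").strip("[]")
    if value == "any":
        return negated, None
    return negated, [ipaddress.ip_network(n.strip()) for n in value.split(",")]

def scanner_is_ignored(conf_text, scanner_ip):
    """True if the sfportscan ignore_scanners list covers scanner_ip; a commented-out
    option (line without a continuation backslash before it) is not an option at all."""
    variables = parse_vars(conf_text)
    for line in join_continuations(conf_text).splitlines():
        if line.startswith("preprocessor sfportscan:"):
            m = re.search(r"ignore_scanners\s*\{\s*([^}]*?)\s*\}", line)
            if not m:
                return False
            negated, nets = resolve(m.group(1), variables)
            if nets is None:
                return not negated
            return any(ipaddress.ip_address(scanner_ip) in n for n in nets) != negated
    return False
```

With the generated config a scanner on the 192.168.1.0/24 LAN is silently ignored while an outside address is not; with the edited config neither is ignored, which is why the portscan alerts appeared.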

marcelloc
Re: PFsense 2.0.1 Snort IPS bridge mode does not work!
« Reply #3 on: March 23, 2012, 01:43:35 pm »
Did you try setting HOME_NET to any in the GUI option before hacking the files?


giorgiolago
Re: PFsense 2.0.1 Snort IPS bridge mode does not work!
« Reply #4 on: March 24, 2012, 02:07:25 am »
The only option in the web interface is Default; how do I change this?