Enter the OinkCode you obtained from your account. This allows the Snort package to download the Snort VRT rules. These are rules available to free accounts.

This option downloads additional Snort rules from the community. These rules are the same ones the Snort VRT paid subscribers get; however, they are on a delayed release. If you are a VRT paid subscriber you are already getting these rules as soon as they are available and don't need to check this.

Install Emerging Threats rules = unchecked
ETOpen is another provider of rules that Snort can download and use. There is a free and a paid version of these rules. Enabling the Emerging Threats rules may lead to more alerts being triggered. This can be a pro if it is actually detecting a new type of attack, or a con if it is flooding alerts with false positives. I have this unchecked, but test it out to see if it is something you want to enable.

OpenAppID is a new method of detection and will detect applications in use. I've not used this feature in my environment, so we'll leave it off for this tutorial.

Set the block time for an address that triggers an alert. Keep this setting to a short time, particularly while you are building your rule set (we'll get to that later). You will get false positives and you don't want to have a large block list to sort through. Once you are more comfortable managing Snort you can come back and adjust this as needed.

Keep Snort Settings after Deinstall = checked
This setting is useful when it comes time to upgrade pfSense. I have had issues with Snort after an upgrade to pfSense. I suggest removing the Snort package before doing an upgrade, then re-installing Snort. This setting will ensure you don't have to reconfigure Snort again.

On this tab we will specify the interfaces for Snort to monitor. When we add an interface we will see Sub-Tabs created. I will deal with the necessary ones below. The recommended setting is WAN; however, I prefer to use LAN.
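To see why a short block time matters while the rule set is still noisy, here is an added example (my own code, not from the tutorial or the pfSense Snort package) that parses Snort alert_fast lines and counts how many source addresses would still be on the block list under different block times. The alert lines, the IPs and the local-range SIDs are constructed sample data, and the alert_fast layout and the missing year are assumptions noted in the comments.

```python
import re
from datetime import datetime, timedelta

# Snort "alert_fast" line layout, as assumed here: timestamp, [gid:sid:rev], message,
# classification/priority, {proto} src:port -> dst:port.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts (documentation IPs, local-rule SIDs); not real traffic.
SAMPLE_ALERTS = """\
03/01-09:00:00.000001  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80
03/01-09:05:30.000002  [**] [1:1000002:1] LOCAL test rule B [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51000 -> 198.51.100.5:3306
03/01-11:20:00.000003  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:44322 -> 198.51.100.5:80
03/01-15:45:00.000004  [**] [1:1000002:1] LOCAL test rule B [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:51001 -> 198.51.100.5:3306
"""

# Candidate values for the block time setting discussed above.
BLOCK_TIMES = {"1 hour": timedelta(hours=1), "6 hours": timedelta(hours=6), "1 day": timedelta(days=1)}


def parse_fast_alerts(text, year=2024):
    """Return (timestamp, source_ip, sid) tuples; alert_fast omits the year, so it is assumed."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:  # skip anything that is not a well-formed alert line
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append((ts, m["src"], int(m["sid"])))
    return alerts


def blocked_at(alerts, now, block_time):
    """Source addresses whose block (alert time + block_time) has not yet expired at `now`."""
    return {src for ts, src, _ in alerts if ts <= now < ts + block_time}


def blocklist_sizes(text=SAMPLE_ALERTS, now=datetime(2024, 3, 1, 16, 0, 0), block_times=BLOCK_TIMES):
    """Size of the block list at `now` for each candidate block time."""
    alerts = parse_fast_alerts(text, now.year)
    return {name: len(blocked_at(alerts, now, d)) for name, d in block_times.items()}


if __name__ == "__main__":
    for name, size in blocklist_sizes().items():
        print(f"block time {name:>7}: {size} host(s) still blocked")
```

With the sample data, a one-hour block time leaves a single host to review at 16:00, while a one-day block time keeps all four, including the false positives from the morning.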