Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Blake Cornell
I see no keyword match for "Bro IDS" nor "Cymru" from the previous 34
messages.

https://github.com/sethhall/bro-scripts/wiki/The-Malware-Hash-Registry-and-Bro-IDS


https://www.bro.org/

2c

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478 x100
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec

On 09/29/2014 11:13 PM, Roberto Carna wrote:
> I think this is good for us:
>
>
> - Router ISP with IP 200.0.0.1
>
> - pFsense with the following interfaces:
>
>   a) WAN IP-Less
>   b) LAN IP-Less
>   c) OPT1 with IP 200.0.0.2 (management)
>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
>
> - Corporate firewall with IP 200.0.0.3
>
> - Snort runs in Bridge interface
>
> Do you think this is correct ???
>
> Good night !!!
>
> Roberto
>
>
> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
>> I can say that I imagine this addresses space:
>>
>> Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
>>                                          OPT1 / IP 200.1.1.3 (management)
>>
>> So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
>> and the OPT1 interface from pFsense has a public IP as router and firewall.
>>
>> Can I do this in pfsense ???
>>
>>
>> On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral 
>> wrote:
>>> OK Ivo, this is very helpful to me. Suppose I have:
>>>
>>> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
>>>
>>> I have to maintain invariable the addressing of this scenario, so what IP
>>> addresses do I have to assign to WAN and LAN pFsense interfaces ???
>>>
>>> Thanks a lot,
>>>
>>> JeLo
>>>
>>> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:
>>>> In production environment you need 3 interfaces - one for WAN, one for
>>>> LAN and one for management.
>>>>
>>>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>>>
>>>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:
>>>>>> But you say: one interface for WAN, a second for
>>>>>> LAN...and which interface is for managing ???
>>>>>
>>>>> You manage with a browser from LAN, and optional also from the WAN port.
>>>>> And with ssh from the LAN.
>>>>>
>>>>> ___
>>>>> List mailing list
>>>>> List@lists.pfsense.org
>>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>>
>>>> --
>>>> Ivo R. Tonev
>>>> +55 61 8409-2642
>>>> i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
I think this is good for us:


- Router ISP with IP 200.0.0.1

- pFsense with the following interfaces:

  a) WAN IP-Less
  b) LAN IP-Less
  c) OPT1 with IP 200.0.0.2 (management)
  d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

- Corporate firewall with IP 200.0.0.3

- Snort runs in Bridge interface

Do you think this is correct ???

Good night !!!

Roberto


2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
> I can say that I imagine this addresses space:
>
> Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
>                                          OPT1 / IP 200.1.1.3 (management)
>
> So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
> and the OPT1 interface from pFsense has a public IP as router and firewall.
>
> Can I do this in pfsense ???
>
>
> On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral 
> wrote:
>>
>> OK Ivo, this is very helpful to me. Suppose I have:
>>
>> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
>>
>> I have to maintain invariable the addressing of this scenario, so what IP
>> addresses do I have to assign to WAN and LAN pFsense interfaces ???
>>
>> Thanks a lot,
>>
>> JeLo
>>
>> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:
>>>
>>> In production environment you need 3 interfaces - one for WAN, one for
>>> LAN and one for management.
>>>
>>>
>>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>>
>>>
>>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:

>>>> > But you say: one interface for WAN, a second for
>>>> > LAN...and which interface is for managing ???
>>>>
>>>> You manage with a browser from LAN, and optional also from the WAN port.
>>>> And with ssh from the LAN.
>>>
>>> --
>>> Ivo R. Tonev
>>> +55 61 8409-2642
>>> i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
I can say that I imagine this addresses space:

Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                         OPT1 / IP 200.1.1.3 (management)

So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
and the OPT1 interface from pFsense has a public IP as router and firewall.

Can I do this in pfsense ???


On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral 
wrote:

> OK Ivo, this is very helpful to me. Suppose I have:
>
> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
>
> I have to maintain invariable the addressing of this scenario, so what IP
> addresses do I have to assign to WAN and LAN pFsense interfaces ???
>
> Thanks a lot,
>
> JeLo
>
> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:
>
>> In production environment you need 3 interfaces - one for WAN, one for
>> LAN and one for management.
>>
>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>
>>
>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:
>>
>>> > But you say: one interface for WAN, a second for
>>> > LAN...and which interface is for managing ???
>>>
>>> You manage with a browser from LAN, and optional also from the WAN port.
>>> And with ssh from the LAN.
>>
>> --
>> Ivo R. Tonev
>> +55 61 8409-2642
>> i...@tonev.com.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
OK Ivo, this is very helpful to me. Suppose I have:

Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

I have to maintain invariable the addressing of this scenario, so what IP
addresses do I have to assign to WAN and LAN pFsense interfaces ???

Thanks a lot,

JeLo

On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:

> In production environment you need 3 interfaces - one for WAN, one for LAN
> and one for management.
>
> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>
>
> On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:
>
>> > But you say: one interface for WAN, a second for
>> > LAN...and which interface is for managing ???
>>
>> You manage with a browser from LAN, and optional also from the WAN port.
>> And with ssh from the LAN.
>
> --
> Ivo R. Tonev
> +55 61 8409-2642
> i...@tonev.com.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Correct, as you said:

www - ISP router - pfSense - corporate firewall - Lan

I have one public IP in the router interface, another public IP in the
corporate firewall interface, and I can't change these parameters at all, I
need to put the IPS in the middle, so I think I have to use the bridge
mode, because if I setup routing mode I alter the address schema.

Can you help me???

On Mon, Sep 29, 2014 at 9:19 PM, compdoc  wrote:

> > The Pfsense firewall has to be setup as BRIDGE if I want to put it
> > between the router and the corporate firewall ???
>
> Connect like this?
>
> www - isp router - pfSense - corporate firewall - lan
>
> Don’t think you have to use bridge mode. Can Snort work in bridge mode?

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
In production environment you need 3 interfaces - one for WAN, one for LAN
and one for management.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:

> > But you say: one interface for WAN, a second for
> > LAN...and which interface is for managing ???
>
> You manage with a browser from LAN, and optional also from the WAN port.
> And with ssh from the LAN.



-- 
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> But you say: one interface for WAN, a second for
> LAN...and which interface is for managing ???

You manage with a browser from LAN, and optional also from the WAN port. And
with ssh from the LAN.


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS?

With Snort, just need one for wan, one for lan. That’s all. I use a 3rd for
wifi at home.

The office is a virtual machine with two wan ports, one lan, one wifi, and one
connection for the host.


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> The Pfsense firewall has to be setup as BRIDGE if I want to put it between the
> router and the corporate firewall ???

Connect like this?

www - isp router - pfSense - corporate firewall - lan

Don’t think you have to use bridge mode. Can Snort work in bridge mode?


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Mehmasarja
Kickstarter had/has a campaign by iguardian to create a snort appliance. It 
looks like something you are trying to do. Instead of pf, it is based on 
openwrt. Check it out. 

Yudhvir 

> On Sep 29, 2014, at 4:22 PM, Ivo Tonev  wrote:
> 
> I don't like the bridge approach because if you have many vlans it becomes
> very complicated.
> 
> I always use the router approach because I can configure the IDS for one 
> interface and IPS for another.
> 
> If you don't have enough IP addresses, you can use invalid IP on firewall WAN 
> and create a route on your router to reach your range.
> 
>> On Sep 29, 2014 7:31 PM, "Jeronimo L. Cabral"  wrote:
>> Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
>> implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
>> promiscuous LAN and 1 management.
>>
>> The Pfsense firewall has to be setup as BRIDGE if I want to put it between
>> the router and the corporate firewall ???
>> 
>> Special thanks,
>> 
>> JeLo
>> 
>>> On Mon, Sep 29, 2014 at 5:35 PM, compdoc  wrote:
>>> > Here is a good place to start regarding Suricata or Snort.
>>> >
>>> > http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>>>
>>> Is the free to use version of Snort going away? I scanned the page
>>> mentioned above but it seems unclear.
>>>
>>> Suricata sounds like an excellent replacement given the advanced features,
>>> but I have to say Snort is doing a fine job for us.
>>>
>>> I use the free Registered User rules and the free Emerging Threats rules,
>>> and Snort is busy blocking port scans and all kinds of activity, while not
>>> bothering/blocking our users' activity.
>>>
>>> Not that we rely solely on Snort - no unnecessary ports are listening to
>>> the web. No management ports like 22 are open.
>>>
>>> Anyway, Snort doesn’t use much cpu time for our 30 user office, and pfSense
>>> makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think
>>> it's fine.
>>>
>>> By the way, if you have a decent speed quad-core server with at least 8GB
>>> ram, you can easily run pfSense, Suricata, and whatever else side by side
>>> in virtual machines.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I don't like the bridge approach because if you have many vlans it becomes
very complicated.

I always use the router approach because I can configure the IDS for one
interface and IPS for another.

If you don't have enough IP addresses, you can use invalid IP on firewall
WAN and create a route on your router to reach your range.
On Sep 29, 2014 7:31 PM, "Jeronimo L. Cabral"  wrote:

> Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
> promiscuous LAN and 1 management.
>
> The Pfsense firewall has to be setup as BRIDGE if I want to put it between
> the router and the corporate firewall ???
>
> Special thanks,
>
> JeLo
>
> On Mon, Sep 29, 2014 at 5:35 PM, compdoc  wrote:
>
>> > Here is a good place to start regarding Suricata or Snort.
>> >
>> > http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>>
>> Is the free to use version of Snort going away? I scanned the page
>> mentioned above but it seems unclear.
>>
>> Suricata sounds like an excellent replacement given the advanced
>> features, but I have to say Snort is doing a fine job for us.
>>
>> I use the free Registered User rules and the free Emerging Threats rules,
>> and Snort is busy blocking port scans and all kinds of activity, while not
>> bothering/blocking our users' activity.
>>
>> Not that we rely solely on Snort - no unnecessary ports are listening to
>> the web. No management ports like 22 are open.
>>
>> Anyway, Snort doesn’t use much cpu time for our 30 user office, and
>> pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I
>> think it's fine.
>>
>> By the way, if you have a decent speed quad-core server with at least 8GB
>> ram, you can easily run pfSense, Suricata, and whatever else side by side
>> in virtual machines.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
promiscuous LAN and 1 management.

The Pfsense firewall has to be setup as BRIDGE if I want to put it between
the router and the corporate firewall ???

Special thanks,

JeLo

On Mon, Sep 29, 2014 at 5:35 PM, compdoc  wrote:

> > Here is a good place to start regarding Suricata or Snort.
> >
> > http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>
> Is the free to use version of Snort going away? I scanned the page
> mentioned above but it seems unclear.
>
> Suricata sounds like an excellent replacement given the advanced features,
> but I have to say Snort is doing a fine job for us.
>
> I use the free Registered User rules and the free Emerging Threats rules,
> and Snort is busy blocking port scans and all kinds of activity, while not
> bothering/blocking our users' activity.
>
> Not that we rely solely on Snort - no unnecessary ports are listening to
> the web. No management ports like 22 are open.
>
> Anyway, Snort doesn’t use much cpu time for our 30 user office, and
> pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I
> think it's fine.
>
> By the way, if you have a decent speed quad-core server with at least 8GB
> ram, you can easily run pfSense, Suricata, and whatever else side by side
> in virtual machines.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> Here is a good place to start regarding Suricata or Snort.
>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Is the free to use version of Snort going away? I scanned the page mentioned
above but it seems unclear.

Suricata sounds like an excellent replacement given the advanced features, but
I have to say Snort is doing a fine job for us.

I use the free Registered User rules and the free Emerging Threats rules, and
Snort is busy blocking port scans and all kinds of activity, while not
bothering/blocking our users' activity.

Not that we rely solely on Snort - no unnecessary ports are listening to the
web. No management ports like 22 are open.

Anyway, Snort doesn’t use much cpu time for our 30 user office, and pfSense
makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think it's
fine.

By the way, if you have a decent speed quad-core server with at least 8GB ram,
you can easily run pfSense, Suricata, and whatever else side by side in virtual
machines.


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Jeronimo L. Cabral
Dear, this topic is very interesting to me...I have the same scenario:

Internet Router --- PFsense  Corporate Firewall

1) Is it possible to have just 2 interfaces in Pfsense in order to setup an
IPS ???

2) Isn't it the best way to setup a bridged firewall as Roberto said ???
Because I need to maintain the corporate firewall, and I want Pfsense just
for my IPS solution.

Thanking in advance.

JeLo

On Mon, Sep 29, 2014 at 5:07 PM, Roberto Carna 
wrote:

> Ok, thanks
>
> 2014-09-29 16:58 GMT-03:00 Ivo Tonev :
> > On pfsense is click&go. No need to install everything. :)
> >
> > On Sep 29, 2014 4:46 PM, "Espen Johansen"  wrote:
> >>
> >> If all you want is an IPS then I don't understand what you need pfS for?
> >> There are tons of setup guides for a linux flavour of choice to get this
> >> setup done. You can even build a hogwash like setup if you like.
> >>
> >> On 29 Sep 2014 21:38, "Roberto Carna" wrote:
> >>>
> >>> Ivo, I want to locate the IPS between the router and the corporative
> >>> firewall, so I think to use bridge mode is correct???
> >>>
> >>> 2014-09-29 16:34 GMT-03:00 Ivo Tonev :
> >>> > I recommend to use in "router mode".
> >>> >
> >>> > On Sep 29, 2014 4:29 PM, "Roberto Carna" 
> >>> > wrote:
> >>> >>
> >>> >> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> >>> >> in bridge mode with firewall rules enabled ???
> >>> >>
> >>> >> Really thanks,
> >>> >>
> >>> >> Roberto
> >>> >>
> >>> >>
> >>> >>
> >>> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> >>> >> > Depends on what you want. A split design is normally better and
> >>> >> > safer than an all in one box. If you want suricata + snorby and
> >>> >> > barnyard it's not recommended to run it all on pfsense. There are
> >>> >> > many deps. that will cause a security nightmare and you will
> >>> >> > probably run out of hw resources as well.
> >>> >> > OK, thanks, the last please:
> >>> >> >
> >>> >> > Do you recommend to install an IPS in a Virtual Machine like VMware
> >>> >> > ??? Because we have VMware for all our servers.
> >>> >> >
> >>> >> > Regards,
> >>> >> >
> >>> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
> >>> >> > :
> >>> >> >> Roberto
> >>> >> >>
> >>> >> >> Here is a good place to start regarding Suricata or Snort.
> >>> >> >>
> >>> >> >>
> >>> >> >>
> >>> >> >>
> >>> >> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >>> >> >>
> >>> >> >>
> >>> >> >>
> >>> >> >> ---
> >>> >> >> Anastasios Stefos
> >>> >> >> ´αίέν άριστεύειν
> >>> >> >>
> >>> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
> >>> >> >> 
> >>> >> >> wrote:
> >>> >> >>>
> >>> >> >>> Dear Ivo and people, just three short questions:
> >>> >> >>>
> >>> >> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort
> >>> >> >>> ???
> >>> >> >>>
> >>> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>> >> >>>
> >>> >> >>> 3) The only way to view the IPS blocking events is from into
> >>> >> >>> Pfsense
> >>> >> >>> or can I use Snorby ???
> >>> >> >>>
> >>> >> >>> Thanks again,
> >>> >> >>>
> >>> >> >>> Roberto
> >>> >> >>>
> >>> >> >>> Thanks again,
> >>> >> >>>
> >>> >> >>> Roberto
> >>> >> >>>
> >>> >> >>>
> >>> >> >>>
> >>> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >>> >> >>> > Use suricata
> >>> >> >>> >
> >>> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna"
> >>> >> >>> > 
> >>> >> >>> > wrote:
> >>> >> >>> >>
> >>> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with
> >>> >> >>> >> Snort to get an IPS (Intrusion Prevention System), and in this
> >>> >> >>> >> case what is the graphical interface used to view events and
> >>> >> >>> >> dropped traffic.
> >>> >> >>> >>
> >>> >> >>> >> Thanks a lot,
> >>> >> >>> >>
> >>> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ok, thanks

2014-09-29 16:58 GMT-03:00 Ivo Tonev :
> On pfsense is click&go. No need to install everything. :)
>
> On Sep 29, 2014 4:46 PM, "Espen Johansen"  wrote:
>>
>> If all you want is an IPS then I don't understand what you need pfS for?
>> There are tons of setup guides for a linux flavour of choice to get this
>> setup done. You can even build a hogwash like setup if you like.
>>
>> On 29 Sep 2014 21:38, "Roberto Carna" wrote:
>>>
>>> Ivo, I want to locate the IPS between the router and the corporative
>>> firewall, so I think to use bridge mode is correct???
>>>
>>> 2014-09-29 16:34 GMT-03:00 Ivo Tonev :
>>> > I recommend to use in "router mode".
>>> >
>>> > On Sep 29, 2014 4:29 PM, "Roberto Carna" 
>>> > wrote:
>>> >>
>>> >> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
>>> >> in bridge mode with firewall rules enabled ???
>>> >>
>>> >> Really thanks,
>>> >>
>>> >> Roberto
>>> >>
>>> >>
>>> >>
>>> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
>>> >> > Depends on what you want. A split design is normally better and
>>> >> > safer than an all in one box. If you want suricata + snorby and
>>> >> > barnyard it's not recommended to run it all on pfsense. There are
>>> >> > many deps. that will cause a security nightmare and you will
>>> >> > probably run out of hw resources as well.
>>> >> >
>>> >> > OK, thanks, the last please:
>>> >> >
>>> >> > Do you recommend to install an IPS in a Virtual Machine like VMware
>>> >> > ??? Because we have VMware for all our servers.
>>> >> >
>>> >> > Regards,
>>> >> >
>>> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
>>> >> > :
>>> >> >> Roberto
>>> >> >>
>>> >> >> Here is a good place to start regarding Suricata or Snort.
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> ---
>>> >> >> Anastasios Stefos
>>> >> >> ´αίέν άριστεύειν
>>> >> >>
>>> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
>>> >> >> 
>>> >> >> wrote:
>>> >> >>>
>>> >> >>> Dear Ivo and people, just three short questions:
>>> >> >>>
>>> >> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort
>>> >> >>> ???
>>> >> >>>
>>> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>>> >> >>>
>>> >> >>> 3) The only way to view the IPS blocking events is from into
>>> >> >>> Pfsense
>>> >> >>> or can I use Snorby ???
>>> >> >>>
>>> >> >>> Thanks again,
>>> >> >>>
>>> >> >>> Roberto
>>> >> >>>
>>> >> >>> Thanks again,
>>> >> >>>
>>> >> >>> Roberto
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>>> >> >>> > Use suricata
>>> >> >>> >
>>> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna"
>>> >> >>> > 
>>> >> >>> > wrote:
>>> >> >>> >>
>>> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with
>>> >> >>> >> Snort to get an IPS (Intrusion Prevention System), and in this
>>> >> >>> >> case what is the graphical interface used to view events and
>>> >> >>> >> dropped traffic.
>>> >> >>> >>
>>> >> >>> >> Thanks a lot,
>>> >> >>> >>
>>> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
On pfsense is click&go. No need to install everything. :)
On Sep 29, 2014 4:46 PM, "Espen Johansen"  wrote:

> If all you want is an IPS then I don't understand what you need pfS for?
> There are tons of setup guides for a linux flavour of choice to get this
> setup done. You can even build a hogwash like setup if you like.
>
> On 29 Sep 2014 21:38, "Roberto Carna" wrote:
>
>> Ivo, I want to locate the IPS between the router and the corporative
>> firewall, so I think to use bridge mode is correct???
>>
>> 2014-09-29 16:34 GMT-03:00 Ivo Tonev :
>> > I recommend to use in "router mode".
>> >
>> > On Sep 29, 2014 4:29 PM, "Roberto Carna" 
>> wrote:
>> >>
>> >> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
>> >> in bridge mode with firewall rules enabled ???
>> >>
>> >> Really thanks,
>> >>
>> >> Roberto
>> >>
>> >>
>> >>
>> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
>> >> > Depends on what you want. A split design is normally better and safer
>> >> > than an all in one box. If you want suricata + snorby and barnyard
>> >> > it's not recommended to run it all on pfsense. There are many deps.
>> >> > that will cause a security nightmare and you will probably run out of
>> >> > hw resources as well.
>> >> >
>> >> > OK, thanks, the last please:
>> >> >
>> >> > Do you recommend to install an IPS in a Virtual Machine like VMware
>> >> > ??? Because we have VMware for all our servers.
>> >> >
>> >> > Regards,
>> >> >
>> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
>> >> > :
>> >> >> Roberto
>> >> >>
>> >> >> Here is a good place to start regarding Suricata or Snort.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>> >> >>
>> >> >>
>> >> >>
>> >> >> ---
>> >> >> Anastasios Stefos
>> >> >> ´αίέν άριστεύειν
>> >> >>
>> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
>> >> >> 
>> >> >> wrote:
>> >> >>>
>> >> >>> Dear Ivo and people, just three short questions:
>> >> >>>
>> >> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort
>> >> >>> ???
>> >> >>>
>> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>> >> >>>
>> >> >>> 3) The only way to view the IPS blocking events is from into
>> >> >>> Pfsense
>> >> >>> or can I use Snorby ???
>> >> >>>
>> >> >>> Thanks again,
>> >> >>>
>> >> >>> Roberto
>> >> >>>
>> >> >>> Thanks again,
>> >> >>>
>> >> >>> Roberto
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> >> >>> > Use suricata
>> >> >>> >
>> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" <
>> robertocarn...@gmail.com>
>> >> >>> > wrote:
>> >> >>> >>
>> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with
>> >> >>> >> Snort to get an IPS (Intrusion Prevention System), and in this
>> >> >>> >> case what is the graphical interface used to view events and
>> >> >>> >> dropped traffic.
>> >> >>> >>
>> >> >>> >> Thanks a lot,
>> >> >>> >>
>> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
If all you want is an IPS then I don't understand what you need pfS for?
There are tons of setup guides for a Linux flavour of choice to get this
setup done. You can even build a hogwash like setup if you like.
On 29 Sep 2014 21:38, "Roberto Carna" wrote:

> Ivo, I want to locate the IPS between the router and the corporative
> firewall, so I think to use bridge mode is correct???
>
> 2014-09-29 16:34 GMT-03:00 Ivo Tonev :
> > I recommend to use in "router mode".
> >
> > On Sep 29, 2014 4:29 PM, "Roberto Carna" 
> wrote:
> >>
> >> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> >> in bridge mode with firewall rules enabled ???
> >>
> >> Really thanks,
> >>
> >> Roberto
> >>
> >>
> >>
> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> >> > Depends on what you want. A split design is normally better and safer
> >> > than an
> >> > all in one box. If you want suricata +snorby and barnyard it's not
> >> > recommended to run it all on pfsense. There are many deps. that will
> >> > cause a
> >> > security nightmare and you will probably run out of hw resources as
> >> > well.
> >> >
> >> > OK, thanks, the last please:
> >> >
> >> > Do you recommend to install an IPS in a Virtual Machine like VMware
> >> > ??? Because we have VMware for all our servers.
> >> >
> >> > Regards,
> >> >
> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
> >> > :
> >> >> Roberto
> >> >>
> >> >> Here is a good place to start regarding Suricata or Snort.
> >> >>
> >> >>
> >> >>
> >> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >> >>
> >> >>
> >> >>
> >> >> ---
> >> >> Anastasios Stefos
> >> >> ´αίέν άριστεύειν
> >> >>
> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
> >> >> 
> >> >> wrote:
> >> >>>
> >> >>> Dear Ivo and people, just three short questions:
> >> >>>
> >> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort
> ???
> >> >>>
> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >> >>>
> >> >>> 3) The only way to view the IPS blocking events is from into Pfsense
> >> >>> or can I use Snorby ???
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>>
> >> >>>
> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >> >>> > Use suricata
> >> >>> >
> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" <
> robertocarn...@gmail.com>
> >> >>> > wrote:
> >> >>> >>
> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort
> >> >>> >> to
> >> >>> >> get an IPS (Intrusion Prevention System), and in this case what
> is
> >> >>> >> the
> >> >>> >> graphical interface used to view events and dropped traffic.
> >> >>> >>
> >> >>> >> Thanks a lot,
> >> >>> >>
> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use an invalid IP on the WAN interface. This way there is no way to avoid the
firewall.
On Sep 29, 2014 4:37 PM, "Roberto Carna"  wrote:

> Mainly bridge to hide the IPS server from Internet, and also if I
> don't use the bridge mode I have to put a public IP in the WAN
> interface connected to the router and I have not much more available
> public IP's.
>
> 2014-09-29 16:31 GMT-03:00 Espen Johansen :
> > Why bridge? Do you want to hide everything? It's not that hard to
> fingerprint
> > a pfS bridge. If you have practical reasons, sure go ahead.
> >
> > On 29 Sep 2014 21:28, "Roberto Carna" wrote:
> >
> >> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> >> in bridge mode with firewall rules enabled ???
> >>
> >> Really thanks,
> >>
> >> Roberto
> >>
> >>
> >>
> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> >> > Depends on what you want. A split design is normally better and safer
> >> > than an
> >> > all in one box. If you want suricata +snorby and barnyard it's not
> >> > recommended to run it all on pfsense. There are many deps. that will
> >> > cause a
> >> > security nightmare and you will probably run out of hw resources as
> >> > well.
> >> >
> >> > OK, thanks, the last please:
> >> >
> >> > Do you recommend to install an IPS in a Virtual Machine like VMware
> >> > ??? Because we have VMware for all our servers.
> >> >
> >> > Regards,
> >> >
> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
> >> > :
> >> >> Roberto
> >> >>
> >> >> Here is a good place to start regarding Suricata or Snort.
> >> >>
> >> >>
> >> >>
> >> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >> >>
> >> >>
> >> >>
> >> >> ---
> >> >> Anastasios Stefos
> >> >> ´αίέν άριστεύειν
> >> >>
> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
> >> >> 
> >> >> wrote:
> >> >>>
> >> >>> Dear Ivo and people, just three short questions:
> >> >>>
> >> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort
> ???
> >> >>>
> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >> >>>
> >> >>> 3) The only way to view the IPS blocking events is from into Pfsense
> >> >>> or can I use Snorby ???
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>>
> >> >>>
> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >> >>> > Use suricata
> >> >>> >
> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" <
> robertocarn...@gmail.com>
> >> >>> > wrote:
> >> >>> >>
> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort
> >> >>> >> to
> >> >>> >> get an IPS (Intrusion Prevention System), and in this case what
> is
> >> >>> >> the
> >> >>> >> graphical interface used to view events and dropped traffic.
> >> >>> >>
> >> >>> >> Thanks a lot,
> >> >>> >>
> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ivo, I want to locate the IPS between the router and the corporative
firewall, so I think to use bridge mode is correct???

2014-09-29 16:34 GMT-03:00 Ivo Tonev :
> I recommend to use in "router mode".
>
> On Sep 29, 2014 4:29 PM, "Roberto Carna"  wrote:
>>
>> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
>> in bridge mode with firewall rules enabled ???
>>
>> Really thanks,
>>
>> Roberto
>>
>>
>>
>> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
>> > Depends on what you want. A split design is normally better and safer
>> > than an
>> > all in one box. If you want suricata +snorby and barnyard it's not
>> > recommended to run it all on pfsense. There are many deps. that will
>> > cause a
>> > security nightmare and you will probably run out of hw resources as
>> > well.
>> >
>> > OK, thanks, the last please:
>> >
>> > Do you recommend to install an IPS in a Virtual Machine like VMware
>> > ??? Because we have VMware for all our servers.
>> >
>> > Regards,
>> >
>> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
>> > :
>> >> Roberto
>> >>
>> >> Here is a good place to start regarding Suricata or Snort.
>> >>
>> >>
>> >>
>> >> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>> >>
>> >>
>> >>
>> >> ---
>> >> Anastasios Stefos
>> >> ´αίέν άριστεύειν
>> >>
>> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
>> >> 
>> >> wrote:
>> >>>
>> >>> Dear Ivo and people, just three short questions:
>> >>>
>> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>> >>>
>> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>> >>>
>> >>> 3) The only way to view the IPS blocking events is from into Pfsense
>> >>> or can I use Snorby ???
>> >>>
>> >>> Thanks again,
>> >>>
>> >>> Roberto
>> >>>
>> >>> Thanks again,
>> >>>
>> >>> Roberto
>> >>>
>> >>>
>> >>>
>> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> >>> > Use suricata
>> >>> >
>> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
>> >>> > wrote:
>> >>> >>
>> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort
>> >>> >> to
>> >>> >> get an IPS (Intrusion Prevention System), and in this case what is
>> >>> >> the
>> >>> >> graphical interface used to view events and dropped traffic.
>> >>> >>
>> >>> >> Thanks a lot,
>> >>> >>
>> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use as many interfaces as you want.

You can use the web gui or tail -f the file on
/var/log/suricata/(interface)/*
:)
On Sep 29, 2014 3:34 PM, "Roberto Carna"  wrote:

> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from into Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
>
> Thanks again,
>
> Roberto
>
>
>
> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> > Use suricata
> >
> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> wrote:
> >>
> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> get an IPS (Intrusion Prevention System), and in this case what is the
> >> graphical interface used to view events and dropped traffic.
> >>
> >> Thanks a lot,
> >>
> >> Roberto
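
Ivo's reply above points at the per-interface log files under /var/log/suricata/ for watching events. As an added example (not part of the original thread, and not pfSense or Suricata project code), the Python below separates alerts that were actually dropped from alert-only entries, assuming the log uses Suricata's fast.log line layout; the sample lines, SIDs, messages and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the fast.log layout (an assumption of this example).
# Addresses are documentation ranges; SIDs and messages are made up.
# The last line is deliberately truncated, as can happen when reading a
# file that is still being written.
SAMPLE_LOG = """\
09/29/2014-16:31:02.104233  [Drop] [**] [1:1000001:1] EXAMPLE inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40112 -> 198.51.100.3:22
09/29/2014-16:31:02.998120  [**] [1:1000002:3] EXAMPLE dns policy [**] [Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 198.51.100.3:53211 -> 203.0.113.53:53
09/29/2014-16:31:04.551009  [Drop] [**] [1:1000001:1] EXAMPLE inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40115 -> 198.51.100.3:23
09/29/2014-16:32:17.000412  [Drop] [**] [1:1000003:2] EXAMPLE tls anomaly [**] [Classification: Misc activity] [Priority: 3] {TCP} 2001:db8::bad:1:51000 -> 2001:db8::10:443
09/29/2014-16:33:40.730001  [wDrop] [**] [1:1000004:1] EXAMPLE drop rule, engine not inline [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:50000 -> 198.51.100.3:80
09/29/2014-16:35:10.000001  [Drop] [**] [1:10000
"""

# timestamp, optional action tag, [gid:sid:rev], message, classification,
# priority, protocol, then "src:port -> dst:port". The greedy \S+ followed
# by :digits keeps the last colon as the port separator, so unbracketed
# IPv6 addresses parse correctly.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = FAST_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    # Only the [Drop] tag is counted as blocked here; alert-only lines
    # (no tag) and any other tag such as [wDrop] are treated as not blocked.
    rec["blocked"] = rec["action"] == "Drop"
    return rec


def summarize(lines):
    """Count alerts, blocked events per signature/source, and bad lines."""
    stats = {
        "alerts": 0,
        "blocked": 0,
        "unparsed": 0,
        "blocked_by_sig": Counter(),
        "blocked_by_src": Counter(),
    }
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Keep a count instead of silently dropping: a rising number
            # means the format assumption does not hold for this file.
            stats["unparsed"] += 1
            continue
        stats["alerts"] += 1
        if rec["blocked"]:
            stats["blocked"] += 1
            stats["blocked_by_sig"][(rec["sid"], rec["msg"])] += 1
            stats["blocked_by_src"][rec["src"]] += 1
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("alerts=%d blocked=%d unparsed=%d"
          % (s["alerts"], s["blocked"], s["unparsed"]))
    for (sid, msg), n in s["blocked_by_sig"].most_common():
        print("  sid %d x%d  %s" % (sid, n, msg))
    for src, n in s["blocked_by_src"].most_common():
        print("  src %s x%d" % (src, n))
```

To run it against a real file, pass the opened file object to `summarize()` in place of the sample lines.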

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Mainly bridge to hide the IPS server from Internet, and also if I
don't use the bridge mode I have to put a public IP in the WAN
interface connected to the router and I have not much more available
public IP's.

2014-09-29 16:31 GMT-03:00 Espen Johansen :
> Why bridge? Do you want to hide everything? It's not that hard to fingerprint
> a pfS bridge. If you have practical reasons, sure go ahead.
>
> On 29 Sep 2014 21:28, "Roberto Carna" wrote:
>
>> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
>> in bridge mode with firewall rules enabled ???
>>
>> Really thanks,
>>
>> Roberto
>>
>>
>>
>> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
>> > Depends on what you want. A split design is normally better and safer
>> > than an
>> > all in one box. If you want suricata +snorby and barnyard it's not
>> > recommended to run it all on pfsense. There are many deps. that will
>> > cause a
>> > security nightmare and you will probably run out of hw resources as
>> > well.
>> >
>> > OK, thanks, the last please:
>> >
>> > Do you recommend to install an IPS in a Virtual Machine like VMware
>> > ??? Because we have VMware for all our servers.
>> >
>> > Regards,
>> >
>> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
>> > :
>> >> Roberto
>> >>
>> >> Here is a good place to start regarding Suricata or Snort.
>> >>
>> >>
>> >>
>> >> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>> >>
>> >>
>> >>
>> >> ---
>> >> Anastasios Stefos
>> >> ´αίέν άριστεύειν
>> >>
>> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
>> >> 
>> >> wrote:
>> >>>
>> >>> Dear Ivo and people, just three short questions:
>> >>>
>> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>> >>>
>> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>> >>>
>> >>> 3) The only way to view the IPS blocking events is from into Pfsense
>> >>> or can I use Snorby ???
>> >>>
>> >>> Thanks again,
>> >>>
>> >>> Roberto
>> >>>
>> >>> Thanks again,
>> >>>
>> >>> Roberto
>> >>>
>> >>>
>> >>>
>> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> >>> > Use suricata
>> >>> >
>> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
>> >>> > wrote:
>> >>> >>
>> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort
>> >>> >> to
>> >>> >> get an IPS (Intrusion Prevention System), and in this case what is
>> >>> >> the
>> >>> >> graphical interface used to view events and dropped traffic.
>> >>> >>
>> >>> >> Thanks a lot,
>> >>> >>
>> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I recommend to use in "router mode".
On Sep 29, 2014 4:29 PM, "Roberto Carna"  wrote:

> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> in bridge mode with firewall rules enabled ???
>
> Really thanks,
>
> Roberto
>
>
>
> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> > Depends on what you want. A split design is normally better and safer
> than an
> > all in one box. If you want suricata +snorby and barnyard it's not
> > recommended to run it all on pfsense. There are many deps. that will
> cause a
> > security nightmare and you will probably run out of hw resources as well.
> >
> > OK, thanks, the last please:
> >
> > Do you recommend to install an IPS in a Virtual Machine like VMware
> > ??? Because we have VMware for all our servers.
> >
> > Regards,
> >
> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos <
> anastasios.ste...@gmail.com>:
> >> Roberto
> >>
> >> Here is a good place to start regarding Suricata or Snort.
> >>
> >>
> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >>
> >>
> >>
> >> ---
> >> Anastasios Stefos
> >> ´αίέν άριστεύειν
> >>
> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna <
> robertocarn...@gmail.com>
> >> wrote:
> >>>
> >>> Dear Ivo and people, just three short questions:
> >>>
> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
> >>>
> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>>
> >>> 3) The only way to view the IPS blocking events is from into Pfsense
> >>> or can I use Snorby ???
> >>>
> >>> Thanks again,
> >>>
> >>> Roberto
> >>>
> >>> Thanks again,
> >>>
> >>> Roberto
> >>>
> >>>
> >>>
> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >>> > Use suricata
> >>> >
> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> >>> > wrote:
> >>> >>
> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >>> >> get an IPS (Intrusion Prevention System), and in this case what is
> the
> >>> >> graphical interface used to view events and dropped traffic.
> >>> >>
> >>> >> Thanks a lot,
> >>> >>
> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Why bridge? Do you want to hide everything? It's not that hard to fingerprint
a pfS bridge. If you have practical reasons, sure go ahead.
On 29 Sep 2014 21:28, "Roberto Carna" wrote:

> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> in bridge mode with firewall rules enabled ???
>
> Really thanks,
>
> Roberto
>
>
>
> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> > Depends on what you want. A split design is normally better and safer
> than an
> > all in one box. If you want suricata +snorby and barnyard it's not
> > recommended to run it all on pfsense. There are many deps. that will
> cause a
> > security nightmare and you will probably run out of hw resources as well.
> >
> > OK, thanks, the last please:
> >
> > Do you recommend to install an IPS in a Virtual Machine like VMware
> > ??? Because we have VMware for all our servers.
> >
> > Regards,
> >
> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos <
> anastasios.ste...@gmail.com>:
> >> Roberto
> >>
> >> Here is a good place to start regarding Suricata or Snort.
> >>
> >>
> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >>
> >>
> >>
> >> ---
> >> Anastasios Stefos
> >> ´αίέν άριστεύειν
> >>
> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna <
> robertocarn...@gmail.com>
> >> wrote:
> >>>
> >>> Dear Ivo and people, just three short questions:
> >>>
> >>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
> >>>
> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>>
> >>> 3) The only way to view the IPS blocking events is from into Pfsense
> >>> or can I use Snorby ???
> >>>
> >>> Thanks again,
> >>>
> >>> Roberto
> >>>
> >>> Thanks again,
> >>>
> >>> Roberto
> >>>
> >>>
> >>>
> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >>> > Use suricata
> >>> >
> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> >>> > wrote:
> >>> >>
> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >>> >> get an IPS (Intrusion Prevention System), and in this case what is
> the
> >>> >> graphical interface used to view events and dropped traffic.
> >>> >>
> >>> >> Thanks a lot,
> >>> >>
> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
in bridge mode with firewall rules enabled ???

Really thanks,

Roberto



2014-09-29 16:15 GMT-03:00 Espen Johansen :
> Depends on what you want. A split design is normally better and safer than an
> all in one box. If you want suricata +snorby and barnyard it's not
> recommended to run it all on pfsense. There are many deps. that will cause a
> security nightmare and you will probably run out of hw resources as well.
>
> OK, thanks, the last please:
>
> Do you recommend to install an IPS in a Virtual Machine like VMware
> ??? Because we have VMware for all our servers.
>
> Regards,
>
> 2014-09-29 15:39 GMT-03:00 Anastasios Stefos :
>> Roberto
>>
>> Here is a good place to start regarding Suricata or Snort.
>>
>>
>> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>>
>>
>>
>> ---
>> Anastasios Stefos
>> ´αίέν άριστεύειν
>>
>> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna 
>> wrote:
>>>
>>> Dear Ivo and people, just three short questions:
>>>
>>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>>>
>>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>>>
>>> 3) The only way to view the IPS blocking events is from into Pfsense
>>> or can I use Snorby ???
>>>
>>> Thanks again,
>>>
>>> Roberto
>>>
>>> Thanks again,
>>>
>>> Roberto
>>>
>>>
>>>
>>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>>> > Use suricata
>>> >
>>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
>>> > wrote:
>>> >>
>>> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
>>> >> get an IPS (Intrusion Prevention System), and in this case what is the
>>> >> graphical interface used to view events and dropped traffic.
>>> >>
>>> >> Thanks a lot,
>>> >>
>>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
I agree completely with Espen. All your eggs in one basket is a terribly
bad idea and a troubleshooting nightmare.

Security Onion in back of pfsense is one idea. You can run Snorby, Snort
and additional tools and not overtax pfsense.



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:15 PM, Espen Johansen  wrote:

> Depends on what you want. A split design is normally better and safer than
> an all in one box. If you want suricata +snorby and barnyard it's not
> recommended to run it all on pfsense. There are many deps. that will cause
> a security nightmare and you will probably run out of hw resources as well.
> OK, thanks, the last please:
>
> Do you recommend to install an IPS in a Virtual Machine like VMware
> ??? Because we have VMware for all our servers.
>
> Regards,
>
> 2014-09-29 15:39 GMT-03:00 Anastasios Stefos  >:
> > Roberto
> >
> > Here is a good place to start regarding Suricata or Snort.
> >
> >
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >
> >
> >
> > ---
> > Anastasios Stefos
> > ´αίέν άριστεύειν
> >
> > On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna  >
> > wrote:
> >>
> >> Dear Ivo and people, just three short questions:
> >>
> >> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
> >>
> >> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>
> >> 3) The only way to view the IPS blocking events is from into Pfsense
> >> or can I use Snorby ???
> >>
> >> Thanks again,
> >>
> >> Roberto
> >>
> >> Thanks again,
> >>
> >> Roberto
> >>
> >>
> >>
> >> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >> > Use suricata
> >> >
> >> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> >> > wrote:
> >> >>
> >> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> >> get an IPS (Intrusion Prevention System), and in this case what is
> the
> >> >> graphical interface used to view events and dropped traffic.
> >> >>
> >> >> Thanks a lot,
> >> >>
> >> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Depends on what you want. A split design is normally better and safer than
an all in one box. If you want suricata +snorby and barnyard it's not
recommended to run it all on pfsense. There are many deps. that will cause
a security nightmare and you will probably run out of hw resources as well.
OK, thanks, the last please:

Do you recommend to install an IPS in a Virtual Machine like VMware
??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos :
> Roberto
>
> Here is a good place to start regarding Suricata or Snort.
>
>
http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>
>
>
> ---
> Anastasios Stefos
> ´αίέν άριστεύειν
>
> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna 
> wrote:
>>
>> Dear Ivo and people, just three short questions:
>>
>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>>
>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>>
>> 3) The only way to view the IPS blocking events is from into Pfsense
>> or can I use Snorby ???
>>
>> Thanks again,
>>
>> Roberto
>>
>> Thanks again,
>>
>> Roberto
>>
>>
>>
>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> > Use suricata
>> >
>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
>> > wrote:
>> >>
>> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
>> >> get an IPS (Intrusion Prevention System), and in this case what is the
>> >> graphical interface used to view events and dropped traffic.
>> >>
>> >> Thanks a lot,
>> >>
>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
If you have access to VMware Workstation installed or ESXi, it is
worthwhile to install and experiment in an isolated environment prior to
going live with either. If not, a couple of PCs.



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:07 PM, Roberto Carna 
wrote:

> OK, thanks, the last please:
>
> Do you recommend to install an IPS in a Virtual Machine like VMware
> ??? Because we have VMware for all our servers.
>
> Regards,
>
> 2014-09-29 15:39 GMT-03:00 Anastasios Stefos :
> > Roberto
> >
> > Here is a good place to start regarding Suricata or Snort.
> >
> >
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >
> >
> >
> > ---
> > Anastasios Stefos
> > ´αίέν άριστεύειν
> >
> > On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
> > wrote:
> >>
> >> Dear Ivo and people, just three short questions:
> >>
> >> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
> >>
> >> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>
> >> 3) The only way to view the IPS blocking events is from into Pfsense
> >> or can I use Snorby ???
> >>
> >> Thanks again,
> >>
> >> Roberto
> >>
> >> Thanks again,
> >>
> >> Roberto
> >>
> >>
> >>
> >> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >> > Use suricata
> >> >
> >> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> >> > wrote:
> >> >>
> >> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> >> get an IPS (Intrusion Prevention System), and in this case what is the
> >> >> graphical interface used to view events and dropped traffic.
> >> >>
> >> >> Thanks a lot,
> >> >>
> >> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
OK, thanks, the last please:

Do you recommend to install an IPS in a Virtual Machine like VMware
??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos :
> Roberto
>
> Here is a good place to start regarding Suricata or Snort.
>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>
>
>
> ---
> Anastasios Stefos
> ´αίέν άριστεύειν
>
> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna 
> wrote:
>>
>> Dear Ivo and people, just three short questions:
>>
>> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>>
>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>>
>> 3) The only way to view the IPS blocking events is from into Pfsense
>> or can I use Snorby ???
>>
>> Thanks again,
>>
>> Roberto
>>
>> Thanks again,
>>
>> Roberto
>>
>>
>>
>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> > Use suricata
>> >
>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
>> > wrote:
>> >>
>> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
>> >> get an IPS (Intrusion Prevention System), and in this case what is the
>> >> graphical interface used to view events and dropped traffic.
>> >>
>> >> Thanks a lot,
>> >>
>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Anastasios Stefos
Roberto

Here is a good place to start regarding Suricata or Snort.

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna 
wrote:

> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from into Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
>
> Thanks again,
>
> Roberto
>
>
>
> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> > Use suricata
> >
> > On Sep 29, 2014 2:27 PM, "Roberto Carna" wrote:
> >>
> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> get an IPS (Intrusion Prevention System), and in this case what is the
> >> graphical interface used to view events and dropped traffic.
> >>
> >> Thanks a lot,
> >>
> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
You might want to use Google instead of relying on others. Maybe try to do
your own homework?

https://www.google.no/url?sa=t&source=web&rct=j&ei=faYpVJXTH6XGygP554LYBQ&url=https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide&cd=1&ved=0CBwQFjAA&usg=AFQjCNFUY-LZh__z8odZ4G5SwA3s1vGGIA&sig2=HKTMIqME00rmj7mj-CHBrQ
On 29 Sep 2014 at 20:34, "Roberto Carna" wrote:

> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from into Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
>
> Thanks again,
>
> Roberto
>
>
>
> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> > Use suricata
> >
> > On Sep 29, 2014 2:27 PM, "Roberto Carna" wrote:
> >>
> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> get an IPS (Intrusion Prevention System), and in this case what is the
> >> graphical interface used to view events and dropped traffic.
> >>
> >> Thanks a lot,
> >>
> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort ???

2) In IPS mode, do I have to have 3 interfaces in my server ???

3) The only way to view the IPS blocking events is from within pfSense
or can I use Snorby ???

Thanks again,

Roberto

Thanks again,

Roberto



2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> Use suricata
>
> On Sep 29, 2014 2:27 PM, "Roberto Carna"  wrote:
>>
>> Dear, I need to know if it's possible to setup Pfsense with Snort to
>> get an IPS (Intrusion Prevention System), and in this case what is the
>> graphical interface used to view events and dropped traffic.
>>
>> Thanks a lot,
>>
>> Roberto


Re: [pfSense] bogon networks

2014-09-29 Thread Andrew Mitchell
Indeed it did. 

Thanks, 

Drew 

- Original Message -

From: "Jeremy Porter"  
To: list@lists.pfsense.org 
Sent: Monday, September 29, 2014 1:55:42 PM 
Subject: Re: [pfSense] bogon networks 


I've forced an update on the firewalls for the bogon list, that protect
files/updates.pfsense.org. This should resolve your issue.

On 9/29/2014 6:37 AM, Andrew Mitchell wrote: 



Thanks for the info. 

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or updates.pfsense.org
block bogon networks and if so, can I ask the update schedule? I ask because 
the bogon list on a pfSense box connected to our 192.40.140.0/23 block 
currently does contain our block and we can't connect from source 192.40.140.2 
to download updates. 

Drew 

- Original Message -

From: "Moshe Katz"  
To: "pfSense support and discussion"  
Sent: Sunday, September 28, 2014 12:04:25 PM 
Subject: Re: [pfSense] bogon networks 


The pfSense bogon list is at 
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current version 
there also doesn't have your block. Make sure that your pfSense has the newest 
list. (This should usually be done automatically, but you should be able to do 
it from the console/SSH by running /etc/rc.update_bogons). 
Moshe 
Sent from mobile device; sorry for top-posting. 
On Sep 28, 2014 10:26 AM, "Chris Bagnall" < pfse...@lists.minotaur.cc > wrote: 


On 28 Sep 2014, at 12:19, Andrew Mitchell < andrew.k.mitch...@att.net > wrote: 
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my reference has 
usually been: 
http://www.team-cymru.org/Services/Bogons/http.html 

Your IP block isn't in there, from what I can see... 

Kind regards, 

Chris 
-- 
This email is made from 100% recycled electrons 


Re: [pfSense] bogon networks

2014-09-29 Thread Jeremy Porter
I've forced an update on the firewalls for the bogon list, that protect
files/updates.pfsense.org.  This should resolve your issue.

On 9/29/2014 6:37 AM, Andrew Mitchell wrote:
> Thanks for the info.
>
> I've been working on this all night on and off.
>
> My question to you guys is, does files.pfsense.org and/or
> updates.pfsense.org block bogon networks and if so, can I ask the
> update schedule? I ask because the bogon list on a pfSense box
> connected to our 192.40.140.0/23 block currently does contain our
> block and we can't connect from source 192.40.140.2 to download updates.
>
> Drew
>
> 
> *From: *"Moshe Katz" 
> *To: *"pfSense support and discussion" 
> *Sent: *Sunday, September 28, 2014 12:04:25 PM
> *Subject: *Re: [pfSense] bogon networks
>
> The pfSense bogon list is at
> https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current
> version there also doesn't have your block.  Make sure that your
> pfSense has the newest list. (This should usually be done
> automatically, but you should be able to do it from the console/SSH by
> running /etc/rc.update_bogons).
>
> Moshe
>
> Sent from mobile device; sorry for top-posting.
>
> On Sep 28, 2014 10:26 AM, "Chris Bagnall" wrote:
>
> On 28 Sep 2014, at 12:19, Andrew Mitchell
> <andrew.k.mitch...@att.net> wrote:
> > My apologies. 192.40.140.0/23 
>
> I'm not sure what pfSense uses as its Bogons source, but my
> reference has usually been:
> http://www.team-cymru.org/Services/Bogons/http.html
>
> Your IP block isn't in there, from what I can see...
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
>

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Why Suricata in place of Snort?

Please can you tell me briefly the advantages of Suricata over Snort?

Really thanks

Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> Use suricata
>
> On Sep 29, 2014 2:27 PM, "Roberto Carna"  wrote:
>>
>> Dear, I need to know if it's possible to setup Pfsense with Snort to
>> get an IPS (Intrusion Prevention System), and in this case what is the
>> graphical interface used to view events and dropped traffic.
>>
>> Thanks a lot,
>>
>> Roberto


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
Use suricata
On Sep 29, 2014 2:27 PM, "Roberto Carna"  wrote:

> Dear, I need to know if it's possible to setup Pfsense with Snort to
> get an IPS (Intrusion Prevention System), and in this case what is the
> graphical interface used to view events and dropped traffic.
>
> Thanks a lot,
>
> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Josh Bitto
Of course you can. It's an add-on.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
Sent: Monday, September 29, 2014 10:28 AM
To: list@lists.pfsense.org
Subject: [pfSense] Snort as IPS in Pfsense

Dear, I need to know if it's possible to setup Pfsense with Snort to get an IPS 
(Intrusion Prevention System), and in this case what is the graphical interface 
used to view events and dropped traffic.

Thanks a lot,

Roberto


[pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Roberto Carna
Dear, I need to know if it's possible to setup Pfsense with Snort to
get an IPS (Intrusion Prevention System), and in this case what is the
graphical interface used to view events and dropped traffic.

Thanks a lot,

Roberto


Re: [pfSense] bogon networks

2014-09-29 Thread Andrew Mitchell
I thought the same until I did a traceroute... 

traceroute to files.pfsense.org (208.123.73.81), 64 hops max, 52 byte packets 
1 dcna01.kc.voipster.org (192.40.140.1) 0.472 ms 5.143 ms 0.472 ms 
2 204.27.61.17 (204.27.61.17) 0.488 ms 0.426 ms 0.356 ms 
3 96.43.134.169 (96.43.134.169) 0.238 ms 0.273 ms 0.241 ms 
4 10ge1-4.core1.mci2.he.net (184.105.19.133) 0.487 ms 0.294 ms 0.371 ms 
5 10ge3-1.core1.mci3.he.net (184.105.213.38) 0.356 ms 10.794 ms 0.610 ms 
6 10ge1-4.core1.chi1.he.net (184.105.222.117) 11.741 ms 28.609 ms 41.591 ms 
7 184.105.255.30 (184.105.255.30) 12.728 ms 15.516 ms 12.731 ms 
8 107.14.17.195 (107.14.17.195) 24.224 ms 
107.14.17.193 (107.14.17.193) 28.177 ms 
66.109.1.67 (66.109.1.67) 23.161 ms 
9 ae-0-0.cr0.chi30.tbone.rr.com (66.109.6.21) 26.144 ms 27.774 ms 25.215 ms 
10 ae15.120.pr0.dfw10.tbone.rr.com (66.109.9.41) 26.087 ms 
ae-2-0.cr0.dfw10.tbone.rr.com (66.109.6.22) 26.233 ms 
ae15.120.pr0.dfw10.tbone.rr.com (66.109.9.41) 26.401 ms 
11 66.109.6.89 (66.109.6.89) 26.751 ms 
agg4.dllatxl301r.texas.rr.com (107.14.19.93) 24.349 ms 
66.109.6.89 (66.109.6.89) 28.612 ms 
12 agg1.ausutxla01r.texas.rr.com (24.175.41.47) 37.165 ms 34.775 ms 34.578 ms 
13 tge8-6.ausutxla02h.texas.rr.com (24.175.43.119) 32.588 ms 
tge8-1.ausutxla02h.texas.rr.com (24.175.43.113) 31.116 ms 
tge9-6.ausutxla02h.texas.rr.com (24.175.42.235) 32.465 ms 
14 RTR97-77-1-251.sw.twcbiz.com (97.77.1.251) 36.773 ms 33.846 ms 33.984 ms 
15 66.219.34.173 (66.219.34.173) 29.573 ms 32.223 ms 29.473 ms 
16 * * * 
17 * * * 

Which didn't mean anything until I tried from another SRC IP and when I did, I 
reached the final two hops: 

15 fw2.pfmechanics.com.0-255.73.123.208.in-addr.arpa (208.123.73.4) 62.182 ms 
64.389 ms 63.775 ms 
16 files.atx.pfmechanics.com (208.123.73.81) 65.813 ms 61.700 ms 63.936 ms 

A guess but it looks like 208.123.73.4 doesn't like our block. 

Drew 

- Original Message -

From: "Ryan Coleman"  
To: "pfSense Support and Discussion Mailing List"  
Sent: Monday, September 29, 2014 9:57:19 AM 
Subject: Re: [pfSense] bogon networks 

Then I suspect that the issue is not in your network but a problem on the 
software side. 



On 9/29/2014 8:53 AM, Andrew Mitchell wrote: 



Yeah. Connects to both files.pfsense.org and updates.pfsense.org servers fine. 

Drew 

- Original Message -

From: "Ryan Coleman"  
To: "pfSense Support and Discussion Mailing List"  
Sent: Monday, September 29, 2014 9:46:13 AM 
Subject: Re: [pfSense] bogon networks 

Have you tried pinging the IP from another machine not being routed through 
your subnet? 

On 9/29/2014 6:37 AM, Andrew Mitchell wrote: 



Thanks for the info. 

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or updates.pfsense.org
block bogon networks and if so, can I ask the update schedule? I ask because 
the bogon list on a pfSense box connected to our 192.40.140.0/23 block 
currently does contain our block and we can't connect from source 192.40.140.2 
to download updates. 

Drew 

- Original Message -

From: "Moshe Katz"  
To: "pfSense support and discussion"  
Sent: Sunday, September 28, 2014 12:04:25 PM 
Subject: Re: [pfSense] bogon networks 


The pfSense bogon list is at 
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current version 
there also doesn't have your block. Make sure that your pfSense has the newest 
list. (This should usually be done automatically, but you should be able to do 
it from the console/SSH by running /etc/rc.update_bogons). 
Moshe 
Sent from mobile device; sorry for top-posting. 
On Sep 28, 2014 10:26 AM, "Chris Bagnall" < pfse...@lists.minotaur.cc > wrote: 


On 28 Sep 2014, at 12:19, Andrew Mitchell < andrew.k.mitch...@att.net > wrote: 
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my reference has 
usually been: 
http://www.team-cymru.org/Services/Bogons/http.html 

Your IP block isn't in there, from what I can see... 

Kind regards, 

Chris 
-- 
This email is made from 100% recycled electrons 


Re: [pfSense] bogon networks

2014-09-29 Thread Ryan Coleman
Then I suspect that the issue is not in your network but a problem on 
the software side.



On 9/29/2014 8:53 AM, Andrew Mitchell wrote:
Yeah. Connects to both files.pfsense.org and updates.pfsense.org 
servers fine.


Drew


*From: *"Ryan Coleman" 
*To: *"pfSense Support and Discussion Mailing List" 


*Sent: *Monday, September 29, 2014 9:46:13 AM
*Subject: *Re: [pfSense] bogon networks

Have you tried pinging the IP from another machine not being routed 
through your subnet?

On 9/29/2014 6:37 AM, Andrew Mitchell wrote:

Thanks for the info.

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or
updates.pfsense.org block bogon networks and if so, can I ask the
update schedule? I ask because the bogon list on a pfSense box
connected to our 192.40.140.0/23 block currently does contain our
block and we can't connect from source 192.40.140.2 to download
updates.

Drew


*From: *"Moshe Katz" 
*To: *"pfSense support and discussion" 
*Sent: *Sunday, September 28, 2014 12:04:25 PM
*Subject: *Re: [pfSense] bogon networks

The pfSense bogon list is at
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the
current version there also doesn't have your block.  Make sure
that your pfSense has the newest list. (This should usually be
done automatically, but you should be able to do it from the
console/SSH by running /etc/rc.update_bogons).

Moshe

Sent from mobile device; sorry for top-posting.

On Sep 28, 2014 10:26 AM, "Chris Bagnall"
<pfse...@lists.minotaur.cc> wrote:

On 28 Sep 2014, at 12:19, Andrew Mitchell
<andrew.k.mitch...@att.net>
wrote:
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my
reference has usually been:
http://www.team-cymru.org/Services/Bogons/http.html

Your IP block isn't in there, from what I can see...

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] bogon networks

2014-09-29 Thread Andrew Mitchell
Yeah. Connects to both files.pfsense.org and updates.pfsense.org servers fine. 

Drew 

- Original Message -

From: "Ryan Coleman"  
To: "pfSense Support and Discussion Mailing List"  
Sent: Monday, September 29, 2014 9:46:13 AM 
Subject: Re: [pfSense] bogon networks 

Have you tried pinging the IP from another machine not being routed through 
your subnet? 

On 9/29/2014 6:37 AM, Andrew Mitchell wrote: 



Thanks for the info. 

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or updates.pfsense.org
block bogon networks and if so, can I ask the update schedule? I ask because 
the bogon list on a pfSense box connected to our 192.40.140.0/23 block 
currently does contain our block and we can't connect from source 192.40.140.2 
to download updates. 

Drew 

- Original Message -

From: "Moshe Katz"  
To: "pfSense support and discussion"  
Sent: Sunday, September 28, 2014 12:04:25 PM 
Subject: Re: [pfSense] bogon networks 


The pfSense bogon list is at 
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current version 
there also doesn't have your block. Make sure that your pfSense has the newest 
list. (This should usually be done automatically, but you should be able to do 
it from the console/SSH by running /etc/rc.update_bogons). 
Moshe 
Sent from mobile device; sorry for top-posting. 
On Sep 28, 2014 10:26 AM, "Chris Bagnall" < pfse...@lists.minotaur.cc > wrote: 


On 28 Sep 2014, at 12:19, Andrew Mitchell < andrew.k.mitch...@att.net > wrote: 
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my reference has 
usually been: 
http://www.team-cymru.org/Services/Bogons/http.html 

Your IP block isn't in there, from what I can see... 

Kind regards, 

Chris 
-- 
This email is made from 100% recycled electrons 


Re: [pfSense] bogon networks

2014-09-29 Thread Ryan Coleman
Have you tried pinging the IP from another machine not being routed 
through your subnet?

On 9/29/2014 6:37 AM, Andrew Mitchell wrote:

Thanks for the info.

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or
updates.pfsense.org block bogon networks and if so, can I ask the 
update schedule? I ask because the bogon list on a pfSense box 
connected to our 192.40.140.0/23 block currently does contain our 
block and we can't connect from source 192.40.140.2 to download updates.


Drew


*From: *"Moshe Katz" 
*To: *"pfSense support and discussion" 
*Sent: *Sunday, September 28, 2014 12:04:25 PM
*Subject: *Re: [pfSense] bogon networks

The pfSense bogon list is at 
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current 
version there also doesn't have your block. Make sure that your 
pfSense has the newest list. (This should usually be done 
automatically, but you should be able to do it from the console/SSH by 
running /etc/rc.update_bogons).


Moshe

Sent from mobile device; sorry for top-posting.

On Sep 28, 2014 10:26 AM, "Chris Bagnall" wrote:


On 28 Sep 2014, at 12:19, Andrew Mitchell
<andrew.k.mitch...@att.net> wrote:
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my
reference has usually been:
http://www.team-cymru.org/Services/Bogons/http.html

Your IP block isn't in there, from what I can see...

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] bogon networks

2014-09-29 Thread Andrew Mitchell
Thanks for the info. 

I've been working on this all night on and off.

My question to you guys is, does files.pfsense.org and/or updates.pfsense.org
block bogon networks and if so, can I ask the update schedule? I ask because 
the bogon list on a pfSense box connected to our 192.40.140.0/23 block 
currently does contain our block and we can't connect from source 192.40.140.2 
to download updates. 

Drew 

- Original Message -

From: "Moshe Katz"  
To: "pfSense support and discussion"  
Sent: Sunday, September 28, 2014 12:04:25 PM 
Subject: Re: [pfSense] bogon networks 


The pfSense bogon list is at 
https://files.pfsense.org/lists/fullbogons-ipv4.txt and the current version 
there also doesn't have your block. Make sure that your pfSense has the newest 
list. (This should usually be done automatically, but you should be able to do 
it from the console/SSH by running /etc/rc.update_bogons). 
Moshe 
Sent from mobile device; sorry for top-posting. 
On Sep 28, 2014 10:26 AM, "Chris Bagnall" < pfse...@lists.minotaur.cc > wrote: 


On 28 Sep 2014, at 12:19, Andrew Mitchell < andrew.k.mitch...@att.net > wrote: 
> My apologies. 192.40.140.0/23 

I'm not sure what pfSense uses as its Bogons source, but my reference has 
usually been: 
http://www.team-cymru.org/Services/Bogons/http.html 

Your IP block isn't in there, from what I can see... 

Kind regards, 

Chris 
-- 
This email is made from 100% recycled electrons 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
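
The check discussed in the message above (is 192.40.140.0/23 covered by a bogon list, and does an out-of-date copy differ from the current one), as an added Python example that is not part of the thread or of pfSense. The function names are hypothetical and both lists are constructed samples; the 192.40.136.0/21 entry is an assumption, chosen to show that a block can be covered by a shorter prefix and so be missed by a plain text search for the /23.

```python
import ipaddress

# Constructed sample data in the one-prefix-per-line text format ('#' starts a
# comment). These are NOT real list contents. STALE_LIST models an out-of-date
# copy; its 192.40.136.0/21 entry is an assumption chosen so that the thread's
# 192.40.140.0/23 is covered by a shorter prefix rather than listed verbatim.
STALE_LIST = """\
# constructed sample: stale copy
0.0.0.0/8
10.0.0.0/8
192.40.136.0/21
192.168.0.0/16
"""

FRESH_LIST = """\
# constructed sample: current copy
0.0.0.0/8
10.0.0.0/8
192.168.0.0/16
"""


def parse_bogons(text):
    """Parse list text into ip_network objects, rejecting malformed lines."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True refuses prefixes with host bits set (e.g. 10.0.0.1/8),
            # which usually indicates a corrupted or hand-edited list.
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
    return nets


def matching_entries(target, nets):
    """Return the list entries that overlap `target` (an address or a prefix)."""
    t = ipaddress.ip_network(target, strict=False)
    return [n for n in nets if n.version == t.version and n.overlaps(t)]


def explain(target, stale_text, fresh_text):
    """Classify `target` against a stale and a current copy of the list.

    "listed"     -> still a bogon in the current copy
    "stale-only" -> only an out-of-date copy would filter it
    "clear"      -> in neither copy
    """
    stale_hits = matching_entries(target, parse_bogons(stale_text))
    fresh_hits = matching_entries(target, parse_bogons(fresh_text))
    if fresh_hits:
        return "listed", fresh_hits
    if stale_hits:
        return "stale-only", stale_hits
    return "clear", []


if __name__ == "__main__":
    for target in ("192.40.140.2", "192.40.140.0/23", "10.1.2.3", "8.8.8.8"):
        verdict, hits = explain(target, STALE_LIST, FRESH_LIST)
        print(f"{target:18} {verdict:10} {', '.join(map(str, hits))}")
```

A "stale-only" result is the situation in this thread: the block is fine in the current list, so the fix belongs on whichever firewall still holds the old copy (on pfSense, /etc/rc.update_bogons as quoted above).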