Re: [pfSense] Snort as IPS in Pfsense
Ivo, thank you very much!

Regards,
JeLo

On Tue, Sep 30, 2014 at 3:53 PM, Ivo Tonev wrote:
> The bridge interface does not need an IP.
> It runs in promisc mode and only forwards packages from one side to another.
>
> On Tue, Sep 30, 2014 at 3:26 PM, Jeronimo L. Cabral wrote:
>> But the bridging interface must have a public IP or do I have to set it
>> up as IP-Less ???
Re: [pfSense] Snort as IPS in Pfsense
The bridge interface does not need an IP.
It runs in promisc mode and only forwards packages from one side to another.

On Tue, Sep 30, 2014 at 3:26 PM, Jeronimo L. Cabral wrote:
> But the bridging interface must have a public IP or do I have to set it up
> as IP-Less ???
>
> On Tue, Sep 30, 2014 at 3:17 PM, Ivo Tonev wrote:
>> The bridge is necessary; without it there is no forwarding between interfaces.
Re: [pfSense] Snort as IPS in Pfsense
But the bridging interface must have a public IP or do I have to set it up as IP-Less ???

On Tue, Sep 30, 2014 at 3:17 PM, Ivo Tonev wrote:
> The bridge is necessary; without it there is no forwarding between interfaces.
>
> On Tue, Sep 30, 2014 at 3:11 PM, Jeronimo L. Cabral wrote:
>> OK Ivo, that's great data. I really appreciate this...
>>
>> But please tell me this at last:
>>
>> So WAN and LAN interfaces have no IP assigned ???
>> Do I have to create a bridging interface with WAN and LAN interfaces, and
>> in this case is it possible to have an IP-Less bridging interface ??? Or
>> is the bridge not necessary and it's enough with WAN and LAN IP-Less in
>> promiscuous mode ???
>>
>> Thanks a lot again !!!
Re: [pfSense] Snort as IPS in Pfsense
The bridge is necessary; without it there is no forwarding between interfaces.

On Tue, Sep 30, 2014 at 3:11 PM, Jeronimo L. Cabral wrote:
> OK Ivo, that's great data. I really appreciate this...
>
> But please tell me this at last:
>
> So WAN and LAN interfaces have no IP assigned ???
> Do I have to create a bridging interface with WAN and LAN interfaces, and
> in this case is it possible to have an IP-Less bridging interface ??? Or
> is the bridge not necessary and it's enough with WAN and LAN IP-Less in
> promiscuous mode ???
>
> Thanks a lot again !!!
>
> On Tue, Sep 30, 2014 at 3:04 PM, Ivo Tonev wrote:
>> You need to use the management network to download.
Re: [pfSense] Snort as IPS in Pfsense
OK Ivo, that's great data. I really appreciate this...

But please tell me this at last:

So WAN and LAN interfaces have no IP assigned ???
Do I have to create a bridging interface with WAN and LAN interfaces, and in
this case is it possible to have an IP-Less bridging interface ??? Or is the
bridge not necessary and it's enough with WAN and LAN IP-Less in promiscuous
mode ???

Thanks a lot again !!!

On Tue, Sep 30, 2014 at 3:04 PM, Ivo Tonev wrote:
> You need to use the management network to download.
Re: [pfSense] Snort as IPS in Pfsense
You need to use the management network to download.

On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral wrote:
> Dear, I can't understand at all... please be patient with me :(
>
> I'll use pfSense with Snort as an IPS because I see it is easier than the
> manual configuration of Snort.
>
> I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2
> and the condition is that I MUST LET THIS CONFIGURATION AS IT IS NOW.
>
> So, I have to locate the pfSense server between the router and the
> firewall, in "inline" mode.
>
> My pfSense server has 3 network interfaces, let's say: WAN connected to
> router, LAN connected to corporate firewall and OPT1 for management with IP
> 192.168.1.1.
>
> Now I have the question:
>
> How should I have to configure the WAN and LAN interfaces, with IP,
> IP-less, creating a bridging interface IP-less or with IP... Because if I
> create a bridge with WAN and LAN and I don't assign an IP, the IPS won't
> download the signs from Internet...I'm a bit confused.
>
> Thanks a lot, regards.
>
> JeLo
Re: [pfSense] Snort as IPS in Pfsense
Dear, I can't understand at all... please be patient with me :(

I'll use pfSense with Snort as an IPS because I see it is easier than the
manual configuration of Snort.

I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2 and
the condition is that I MUST LET THIS CONFIGURATION AS IT IS NOW.

So, I have to locate the pfSense server between the router and the firewall,
in "inline" mode.

My pfSense server has 3 network interfaces, let's say: WAN connected to
router, LAN connected to corporate firewall and OPT1 for management with IP
192.168.1.1.

Now I have the question:

How should I have to configure the WAN and LAN interfaces, with IP, IP-less,
creating a bridging interface IP-less or with IP... Because if I create a
bridge with WAN and LAN and I don't assign an IP, the IPS won't download the
signs from Internet...I'm a bit confused.

Thanks a lot, regards.

JeLo

On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev wrote:
> Yes. Always use out of band management.
>
> On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna wrote:
>> Ivo, that's a good idea... but please tell me if I'm correct or not:
>>
>> WAN, LAN, Bridge interfaces: IP-Less
>> OPT1: IP for management in a management network
>>
>> Thanks again,
Re: [pfSense] Snort as IPS in Pfsense
Yes. Always use out of band management.

On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna wrote:
> Ivo, that's a good idea... but please tell me if I'm correct or not:
>
> WAN, LAN, Bridge interfaces: IP-Less
> OPT1: IP for management in a management network
>
> Thanks again,

--
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
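The layout confirmed in the reply above (WAN, LAN and bridge IP-less, management on OPT1 in its own network with a private address) can be checked from the firewall's `ifconfig` output. This is an added example, not part of the thread: the interface names (em0, em1, em2, bridge0), the sample output and the function names are constructed assumptions, and the parser reads only the FreeBSD-style fields shown.

```python
import ipaddress
import re

# Constructed sample of FreeBSD-style `ifconfig` output (not taken from the thread).
# Assumed mapping: em0 = WAN, em1 = LAN, em2 = OPT1 (management), bridge0 = WAN + LAN.
SAMPLE_IFCONFIG = (
    "em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 00:00:5e:00:53:01\n"
    "em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 00:00:5e:00:53:02\n"
    "em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 00:00:5e:00:53:03\n"
    "\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255\n"
    "bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 02:00:5e:00:53:04\n"
    "\tmember: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>\n"
    "\tmember: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>\n"
)

# An interface block starts at column 0 with "name: flags=<hex><FLAG,FLAG,...>".
HEADER = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {name: {"flags": set, "inet": [addresses], "members": [names]}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            flags = {f for f in match.group(2).split(",") if f}
            current = {"flags": flags, "inet": [], "members": []}
            interfaces[match.group(1)] = current
            continue
        fields = line.split()
        if current is None or len(fields) < 2:
            continue
        if fields[0] in ("inet", "inet6"):
            # Drop a "%scope" suffix such as fe80::1%em0 before parsing.
            current["inet"].append(ipaddress.ip_address(fields[1].split("%")[0]))
        elif fields[0] == "member:":
            current["members"].append(fields[1])
    return interfaces


def audit_inline_layout(interfaces, bridge, mgmt):
    """Return findings; an empty list means the layout matches the plan."""
    bridge_if = interfaces.get(bridge)
    if bridge_if is None:
        return [f"{bridge}: bridge interface not found"]
    findings = []
    if len(bridge_if["members"]) < 2:
        findings.append(f"{bridge}: fewer than two members, nothing is forwarded")

    # The bridge and both of its members must carry no address at all.
    for name in [bridge] + bridge_if["members"]:
        iface = interfaces.get(name)
        if iface is None:
            findings.append(f"{name}: bridge member is missing from the output")
            continue
        if "UP" not in iface["flags"]:
            findings.append(f"{name}: interface is down")
        if iface["inet"]:
            findings.append(f"{name}: has address {iface['inet'][0]}, expected IP-less")
        if name != bridge and "PROMISC" not in iface["flags"]:
            findings.append(f"{name}: bridge member is not in promiscuous mode")

    # Management must be out of band: outside the bridge, on a private address.
    mgmt_if = interfaces.get(mgmt)
    if mgmt_if is None:
        findings.append(f"{mgmt}: management interface not found")
        return findings
    if mgmt in bridge_if["members"]:
        findings.append(f"{mgmt}: management interface is a bridge member")
    if not mgmt_if["inet"]:
        findings.append(f"{mgmt}: management interface has no address")
    for addr in mgmt_if["inet"]:
        if not addr.is_private:
            findings.append(f"{mgmt}: management address {addr} is not private")
    return findings


if __name__ == "__main__":
    result = audit_inline_layout(parse_ifconfig(SAMPLE_IFCONFIG), "bridge0", "em2")
    print("\n".join(result) if result else "layout matches the plan")
```

Run against output where OPT1 carries 200.0.0.2, as in the earlier proposal, the audit reports the management address as not private.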
Re: [pfSense] Snort as IPS in Pfsense
Ivo, that's a good idea... but please tell me if I'm correct or not:

WAN, LAN, Bridge interfaces: IP-Less
OPT1: IP for management in a management network

Thanks again,

2014-09-30 9:27 GMT-03:00 Ivo Tonev :
> I recommend you create a management network for OPT1 with private IP.
Re: [pfSense] Snort as IPS in Pfsense
I recommend you create a management network for OPT1 with private IP.

On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna wrote:
> I think this is good for us:
>
> - Router ISP with IP 200.0.0.1
>
> - pFsense with the following interfaces:
>
> a) WAN IP-Less
> b) LAN IP-Less
> c) OPT1 with IP 200.0.0.2 (management)
> d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
>
> - Corporate firewall with IP 200.0.0.3
>
> - Snort runs in Bridge interface
>
> Do you think this is correct ???
>
> Good night !!!
>
> Roberto

--
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
Re: [pfSense] Snort as IPS in Pfsense
I see no keyword match for "Bro IDS" nor "Cymru" from the previous 34 messages.

https://github.com/sethhall/bro-scripts/wiki/The-Malware-Hash-Registry-and-Bro-IDS
https://www.bro.org/

2c

--
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478 x100
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec
Re: [pfSense] Snort as IPS in Pfsense
I think this is good for us:

- Router ISP with IP 200.0.0.1

- pFsense with the following interfaces:

a) WAN IP-Less
b) LAN IP-Less
c) OPT1 with IP 200.0.0.2 (management)
d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

- Corporate firewall with IP 200.0.0.3

- Snort runs in Bridge interface

Do you think this is correct ???

Good night !!!

Roberto

2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
> I can say that I imagine this addresses space:
>
> Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
>                                         OPT1 / IP 200.1.1.3 (management)
>
> So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode),
> and the OPT1 interface from pFsense has a public IP as router and firewall.
>
> Can I do this in pfsense ???
Re: [pfSense] Snort as IPS in Pfsense
I can say that I imagine this addresses space:

Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                        OPT1 / IP 200.1.1.3 (management)

So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous mode), and the OPT1 interface from pFsense has a public IP as router and firewall.

Can I do this in pfsense ???

On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral wrote:
> OK Ivo, this is very helpful to me... Suppose I have:
>
> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
>
> I have to maintain invariable the addressing of this scenario, so what IP
> addresses do I have to assign to WAN and LAN pFsense interfaces ???
>
> Thanks a lot,
>
> JeLo
Re: [pfSense] Snort as IPS in Pfsense
OK Ivo, this is very helpful to me... Suppose I have:

Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2

I have to maintain invariable the addressing of this scenario, so what IP addresses do I have to assign to WAN and LAN pFsense interfaces ???

Thanks a lot,

JeLo

On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev wrote:
> In production environment you need 3 interfaces - one for WAN, one for LAN
> and one for management.
>
> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
Re: [pfSense] Snort as IPS in Pfsense
Correct, as you said:

www - ISP router - pfSense - corporate firewall - Lan

I have one public IP in the router interface, another public IP in the corporate firewall interface, and I can't change these parameters at all, I need to put the IPS in the middle... so I think I have to use the bridge mode, because if I setup routing mode I alter the address schema.

Can you help me???

On Mon, Sep 29, 2014 at 9:19 PM, compdoc wrote:
> > The Pfsense firewall has to be setup as BRIDGE if want to put it
> > between the router and the corporate firewall ???
>
> Connect like this?
>
> www - isp router - pfSense - corporate firewall - lan
>
> Don’t think you have to use bridge mode. Can Snort work in bridge mode?
Re: [pfSense] Snort as IPS in Pfsense
In production environment you need 3 interfaces - one for WAN, one for LAN and one for management.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html

On Mon, Sep 29, 2014 at 9:24 PM, compdoc wrote:
> > But you say: one interface for WAN, a second for
> > LAN...and which interface is for managing ???
>
> You manage with a browser from LAN, and optional also from the WAN port.
> And with ssh from the LAN.

--
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
Re: [pfSense] Snort as IPS in Pfsense
> But you say: one interface for WAN, a second for
> LAN...and which interface is for managing ???

You manage with a browser from LAN, and optional also from the WAN port. And with ssh from the LAN.
Re: [pfSense] Snort as IPS in Pfsense
> do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS?

With Snort, just need one for wan, one for lan. That’s all.

I use a 3rd for wifi at home. The office is a virtual machine with two wan ports, one lan, one wifi, and one connection for the host.
Re: [pfSense] Snort as IPS in Pfsense
> The Pfsense firewall has to be setup as BRIDGE if want to put it between the
> router and the corporate firewall ???

Connect like this?

www - isp router - pfSense - corporate firewall - lan

Don’t think you have to use bridge mode. Can Snort work in bridge mode?
Re: [pfSense] Snort as IPS in Pfsense
Kickstarter had/has a campaign by iguardian to create a snort appliance. It looks like something you are trying to do. Instead of pf, it is based on openwrt. Check it out.

Yudhvir

> On Sep 29, 2014, at 4:22 PM, Ivo Tonev wrote:
>
> I don't like the bridge approach because if you have many vlans it becomes
> very complicated.
>
> I always use the router approach because I can configure the IDS for one
> interface and IPS for another.
>
> If you don't have enough IP addresses, you can use invalid IP on firewall WAN
> and create a route on your router to reach your range.
Re: [pfSense] Snort as IPS in Pfsense
I don't like the bridge approach because if you have many vlans it becomes very complicated.

I always use the router approach because I can configure the IDS for one interface and IPS for another.

If you don't have enough IP addresses, you can use invalid IP on firewall WAN and create a route on your router to reach your range.

On Sep 29, 2014 7:31 PM, "Jeronimo L. Cabral" wrote:
> Dear, do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1
> promiscuous LAN and 1 management.
>
> The Pfsense firewall has to be setup as BRIDGE if want to put it between
> the router and the corporate firewall ???
>
> Special thanks,
>
> JeLo
Re: [pfSense] Snort as IPS in Pfsense
Dear, do I have to have 3 network interfaces or 2 interfaces are enough to implement the IPS??? Because I think I'll have 1 promiscuous WAN, 1 promiscuous LAN and 1 management.

The Pfsense firewall has to be setup as BRIDGE if want to put it between the router and the corporate firewall ???

Special thanks,

JeLo
Re: [pfSense] Snort as IPS in Pfsense
> Here is a good place to start regarding Suricata or Snort.
>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Is the free to use version of Snort going away? I scanned the page mentioned above but it seems unclear.

Suricata sounds like an excellent replacement given the advanced features, but I have to say Snort is doing a fine job for us.

I use the free Registered User rules and the free Emerging Threats rules, and Snort is busy blocking port scans and all kinds of activity, while not bothering/blocking our user's activity.

Not that we rely solely on Snort - no unnecessary ports are listening to the web. No management ports like 22 are open.

Anyway, Snort doesn’t use much cpu time for our 30 user office, and pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think it's fine.

By the way, if you have a decent speed quad-core server with at least 8GB ram, you can easily run pfSense, Suricata, and whatever else side by side in virtual machines.
Re: [pfSense] Snort as IPS in Pfsense
Dear, this topic is very interesting to me...I have the same scenario:

Internet Router --- PFsense Corporate Firewall

1) Is it possible to have just 2 interfaces in Pfsense in order to setup an IPS ???

2) Isn't it the best way to setup a bridged firewall as Roberto said ??? Because I need to maintain the corporate firewall, and I want Pfsense just for my IPS solution.

Thanking in advance.

JeLo

On Mon, Sep 29, 2014 at 5:07 PM, Roberto Carna wrote:
> Ok, thanks
Re: [pfSense] Snort as IPS in Pfsense
Ok, thanks

2014-09-29 16:58 GMT-03:00 Ivo Tonev :
> On pfsense is click&go. No need to install everything. :)
Re: [pfSense] Snort as IPS in Pfsense
On pfsense is click&go. No need to install everything. :)

On Sep 29, 2014 4:46 PM, "Espen Johansen" wrote:
> If all you want is an IPS then I don't understand what you need pfS for?
> There are tons of setup guides for a linux flavour of choice to get this
> setup done. You can even build a hogwash like setup if you like.
Re: [pfSense] Snort as IPS in Pfsense
If all you want is an IPS then I don't understand what you need pfS for? There are tons of setup guides for a linux flavour of choice to get this setup done. You can even build a hogwash like setup if you like.

On 29 Sep 2014 21:38, "Roberto Carna" wrote:
> Ivo, I want to locate the IPS between the router and the corporative
> firewall, so I think to use bridge mode is correct???
Re: [pfSense] Snort as IPS in Pfsense
You can use invalid IP on wan interface. This way is no way to avoid the firewall.

On Sep 29, 2014 4:37 PM, "Roberto Carna" wrote:
> Mainly bridge to hide the IPS server from Internet, and also if I
> don't use the bridge mode I have to put a public IP in the WAN
> interface connected to the router and I have not much more available
> public IP's.
Re: [pfSense] Snort as IPS in Pfsense
Ivo, I want to locate the IPS between the router and the corporative firewall, so I think to use bridge mode is correct???

2014-09-29 16:34 GMT-03:00 Ivo Tonev :
> I recommend to use in "router mode".
Re: [pfSense] Snort as IPS in Pfsense
You can use as many interfaces as you want. You can use the web gui or tail -f the file on /var/log/suricata/(interface)/* :)

On Sep 29, 2014 3:34 PM, "Roberto Carna" wrote:
> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from into Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
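The `tail -f` suggestion in the message above can be extended into a per-signature count of what was only alerted on and what was dropped. This is an added example, not part of the original message; it assumes the log holds lines in Suricata's fast alert layout with a `[Drop]` marker on blocked traffic, and the sample lines, addresses and signature IDs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count alert and drop events per signature.
# Assumption: input lines use Suricata's "fast" alert layout:
#   timestamp  [Drop] [**] [gid:sid:rev] message [**] [Classification: ...] ...
# where "[Drop]" appears only on traffic blocked in inline (IPS) mode.

# Constructed sample lines: documentation addresses, made-up signature IDs.
sample_alerts() {
cat <<'EOF'
09/29/2014-16:58:01.000001  [Drop] [**] [1:1000001:1] EXAMPLE inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:40000 -> 198.51.100.2:22
09/29/2014-16:58:02.000002  [**] [1:1000002:3] EXAMPLE policy violation [**] [Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 198.51.100.2:53 -> 203.0.113.10:5353
09/29/2014-16:58:03.000003  [Drop] [**] [1:1000001:1] EXAMPLE inbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.11:40001 -> 198.51.100.2:22
this line is not an alert and must be skipped
EOF
}

# Read alert lines on stdin; print "ACTION COUNT gid:sid:rev message", sorted.
summarize_alerts() {
    awk '
    {
        # Find the [gid:sid:rev] token; anything without one is not an alert.
        if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
        sigpos = RSTART
        sig  = substr($0, RSTART + 1, RLENGTH - 2)
        rest = substr($0, RSTART + RLENGTH)

        # The message sits between the signature token and the closing [**].
        stop = index(rest, " [**]")
        msg  = (stop > 2) ? substr(rest, 2, stop - 2) : "(no message)"

        # Count as a drop only if the marker precedes the signature token,
        # so a rule message that happens to contain "[Drop]" is not miscounted.
        droppos = index($0, "[Drop]")
        action  = (droppos > 0 && droppos < sigpos) ? "DROP" : "ALERT"

        count[action SUBSEP sig " " msg]++
    }
    END {
        for (k in count) {
            split(k, part, SUBSEP)
            printf "%s %d %s\n", part[1], count[k], part[2]
        }
    }' | sort
}

# When called with a log file path, summarise that file.
if [ "$#" -gt 0 ]; then
    summarize_alerts < "$1"
fi
```

Run it with the path of one log file under the per-interface directory as its only argument; with no argument it only defines the functions.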
Re: [pfSense] Snort as IPS in Pfsense
Mainly bridge to hide the IPS server from Internet, and also if I don't use the bridge mode I have to put a public IP in the WAN interface connected to the router and I have not much more available public IP's.

2014-09-29 16:31 GMT-03:00 Espen Johansen :
> Why bridge? Do you want to hide everything? It's not that hard to fingerprint
> a pfS bridge. If you have practical reasons, sure go ahead.
Re: [pfSense] Snort as IPS in Pfsense
I recommend to use in "router mode".

On Sep 29, 2014 4:29 PM, "Roberto Carna" wrote:
> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> in bridge mode with firewall rules enabled ???
>
> Really thanks,
>
> Roberto
Re: [pfSense] Snort as IPS in Pfsense
Why bridge? Do you want to hide everything? It's not that hard to fingerprint a pfS bridge. If you have practical reasons, sure go ahead.

On 29 Sep 2014 21:28, "Roberto Carna" wrote:
> Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
> in bridge mode with firewall rules enabled ???
>
> Really thanks,
>
> Roberto
Re: [pfSense] Snort as IPS in Pfsense
Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces in bridge mode with firewall rules enabled ???

Really thanks,

Roberto

2014-09-29 16:15 GMT-03:00 Espen Johansen :
> Depends on what you want. A split design is normally better and safer than an
> all in one box. If you want suricata +snorby and barnyard it's not
> recommended to run it all on pfsense. There are many deps. that will cause a
> security nightmare and you will probably run out of hw resources as well.
Re: [pfSense] Snort as IPS in Pfsense
I agree completely with Espen. All your eggs in one basket is a terribly bad idea and a troubleshooting nightmare. Security Onion in back of pfsense is one idea. You can run Snorby, Snort and additional tools and not overtax pfsense.

---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:15 PM, Espen Johansen wrote:
> Depends on what you want. A split design is normally better and safer than
> an all in one box. If you want suricata + snorby and barnyard it's not
> recommended to run it all on pfsense. There are many deps. that will cause
> a security nightmare and you will probably run out of hw resources as well.
Re: [pfSense] Snort as IPS in Pfsense
Depends on what you want. A split design is normally better and safer than an all in one box. If you want suricata + snorby and barnyard it's not recommended to run it all on pfsense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well.

> OK, thanks, the last please:
>
> Do you recommend to install an IPS in a Virtual Machine like VMware ???
> Because we have VMware for all our servers.
>
> Regards,
Re: [pfSense] Snort as IPS in Pfsense
If you have access to VMWare workstation installed or ESXi, it is worthwhile to install and experiment in an isolated environment prior to going live with either. If not, a couple of PCs.

---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 3:07 PM, Roberto Carna wrote:
> OK, thanks, the last please:
>
> Do you recommend to install an IPS in a Virtual Machine like VMware ???
> Because we have VMware for all our servers.
>
> Regards,
Re: [pfSense] Snort as IPS in Pfsense
OK, thanks, the last please:

Do you recommend to install an IPS in a Virtual Machine like VMware ??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos:
> Roberto
>
> Here is a good place to start regarding Suricata or Snort.
>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>
> ---
> Anastasios Stefos
> ´αίέν άριστεύειν
Re: [pfSense] Snort as IPS in Pfsense
Roberto

Here is a good place to start regarding Suricata or Snort.

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

---
Anastasios Stefos
*´αίέν άριστεύειν*

On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna wrote:
> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from within Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
Re: [pfSense] Snort as IPS in Pfsense
You might want to use google instead of relying on others. Maybe try to do your own homework?

https://www.google.no/url?sa=t&source=web&rct=j&ei=faYpVJXTH6XGygP554LYBQ&url=https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide&cd=1&ved=0CBwQFjAA&usg=AFQjCNFUY-LZh__z8odZ4G5SwA3s1vGGIA&sig2=HKTMIqME00rmj7mj-CHBrQ

On 29 Sep 2014 20:34, "Roberto Carna" wrote:
> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable the IPS mode as I can using Snort ???
>
> 2) In IPS mode, do I have to have 3 interfaces in my server ???
>
> 3) The only way to view the IPS blocking events is from within Pfsense
> or can I use Snorby ???
>
> Thanks again,
>
> Roberto
Re: [pfSense] Snort as IPS in Pfsense
Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort ???

2) In IPS mode, do I have to have 3 interfaces in my server ???

3) The only way to view the IPS blocking events is from within Pfsense or can I use Snorby ???

Thanks again,

Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev:
> Use suricata
Re: [pfSense] Snort as IPS in Pfsense
Why Suricata in place of Snort? Please can you tell me shortly the advantages of Suricata over Snort?

Really thanks

Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev:
> Use suricata
Re: [pfSense] Snort as IPS in Pfsense
Use suricata

On Sep 29, 2014 2:27 PM, "Roberto Carna" wrote:
> Dear, I need to know if it's possible to set up Pfsense with Snort to
> get an IPS (Intrusion Prevention System), and in this case what is the
> graphical interface used to view events and dropped traffic.
>
> Thanks a lot,
>
> Roberto
Re: [pfSense] Snort as IPS in Pfsense
Of course you can. It's an add-on.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
Sent: Monday, September 29, 2014 10:28 AM
To: list@lists.pfsense.org
Subject: [pfSense] Snort as IPS in Pfsense

Dear, I need to know if it's possible to set up Pfsense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.

Thanks a lot,

Roberto
[pfSense] Snort as IPS in Pfsense
Dear, I need to know if it's possible to set up Pfsense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.

Thanks a lot,

Roberto