[Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense

Frank Knobbe frank at snortsam.net
Sun Jun 14 15:27:34 EDT 2009


On Thu, 2009-06-04 at 20:44 -0500, Paul Tatarsky wrote:
> I have hacked together a basic way to use Snortsam with PfSense 
> firewalls. Now I would like to see if I'm an idiot on a couple of topics 
> and if I've re-invented the wheel or missed something easier in the 
> module or somebody else doing this better.

Well, since PFsense is built on PF, use the existing PF plugin.

> It's not all pretty and wrapped yet, but not being a PF expert I had a 
> question about "anchors" and the PF2 snortsam plugin. Can anyone more PF 
> literate than me validate my plan here?

You can set the anchor and table names in the PF plugins as far as I
recall.

FYI: I was dealing with a FreeBSD box running PF a couple months back,
but the PF2 plugin didn't work for me. I had to modify the PF plugin a
bit. I'll post diffs for comments on that.

> # snort2c
> table <snort2c> persist
> block quick from <snort2c> to any label "Block snort2c hosts"
> block quick from any to <snort2c> label "Block snort2c hosts"

The current PF plugins use three tables. One for inbound-only blocks,
one for outbound-only blocks, and one for inbound and outbound (full)
blocks.

> But I like issuing snortsam "blocks" from a set of correlation sensors 
> to other devices...

Could you clarify please?

> Then I used the pf2 module to do the following with this config:
> 
> /etc/snortsam.conf:
> pf2 anchor=none table=snort2c

As far as I recall, the PF plugin will then use three tables, snort2cin,
snort2cout and snort2cinout... but it sounds like you discovered that
already :)

> Questions:
> 
> Should I change Pfsense to use an anchor?

I think anchors exist to make rule management easier. It's up to you if
you want to use them or not. 

> Should I alter the defaulting of the anchor and just detect a NULL 
> string for the anchor? (Compared to my silly "none" = skip anchor)

Any reason you are fixated on the snort2c thingy and didn't create the
anchor and tables as listed in the PF plugin documentation? Would save
you time to "fix" the PF code :)

Cheers,
Frank
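As an added illustration of the three-table layout Frank describes above (this is not part of the original message, and not the snortsam plugin's own documentation), here is a pf.conf fragment that a firewall admin could drop in beside the existing snort2c rules. The table names snort2cin, snort2cout and snort2cinout are the ones named in the thread; the rule labels and the direction keywords are my own assumptions about how one would wire them so that an inbound-only block, an outbound-only block and a full block each take effect only in the intended direction.

```pf
# Added example: one table per block direction, all "persist" so PF keeps
# them (and their contents) even when a rule set is reloaded.
table <snort2cin>    persist
table <snort2cout>   persist
table <snort2cinout> persist

# Inbound-only block: traffic arriving FROM a blocked host is dropped,
# but the host may still be reached from inside.
block in  quick from <snort2cin> to any label "snortsam inbound block"

# Outbound-only block: local hosts may not reach the blocked address,
# but traffic from it is still evaluated by the rest of the rule set.
block out quick from any to <snort2cout> label "snortsam outbound block"

# Full block: both directions, in either role (source or destination).
block quick from <snort2cinout> to any label "snortsam full block"
block quick from any to <snort2cinout> label "snortsam full block"
```

Because the tables are declared with persist, they exist and can be populated before any rule references them, which is what lets an external process add and expire addresses without reloading the rule set. To confirm that a block actually landed in the expected table rather than silently in another one, list the table contents with `pfctl -t snort2cinout -T show` (substituting the other two table names as needed); an address that shows up in snort2cin when a full block was requested points to a direction mismatch in the plugin configuration rather than in pf.conf.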
