1

I've got pfSense V 2.0-RC1 (i386) and I've got the latest version of Snort installed.

I've loaded up a bunch of rules from Oinkmaster, I've enabled all of the preprocessors, and I've ensured the service is started.

When I let it sit for a while and then check my Alerts and Block list, there are no entries. Even when I test it by logging into Skype (Skype is listed as a Rule from P2P), I don't get any entries in the logs.

If you need any further information, please let me know... I simply can't figure this one out.

Chase Florell

2 Answers

1

Check the logs for errors regarding Snort, and verify the interface is "started" in the Snort Interfaces tab. There should be a red "X" next to the interface ("WAN" for example). Also be sure to click the "Update Rules" button on the Update tab. You could also try updating pfSense to RELEASE.

Systemic
0

This is an old question but as this same issue comes back occasionally I'll relay what I learned. In my case it was on a Smoothwall box but Snort is Snort.

After recently upgrading to the latest version of Snort I discovered that although it had been working perfectly before it was no longer doing its job. Checks of the Smoothwall configs didn't reveal anything out of the ordinary. Snort was definitely running, it just wasn't detecting anything.

The problem turned out to be that the latest snort.conf (in /etc) had a couple of critical lines commented out. Specifically,

include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

This meant that Snort simply wouldn't process the packets as they passed through. Uncommenting those lines (located near the end of the file) and restarting Snort returned the system to full functionality.

John Gardeniers
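A quick way to test a snort.conf for the condition described in the second answer, written as an added example that is not part of the original question or answers. The function names and the sample configuration are constructed for illustration; pass the path of your own snort.conf as the first argument.

```shell
#!/bin/sh
# Added example: report whether the two include directives named in the
# answer above are active, commented out, or missing from a snort.conf.

# Constructed sample config (not taken from a real system).
sample_conf() {
    cat <<'EOF'
var PREPROC_RULE_PATH ../preproc_rules
include $RULE_PATH/p2p.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
EOF
}

# Prints "<state> <rules file>" for each directive.
# Returns 0 only when both directives are active.
check_snort_includes() {
    conf=$1
    rc=0
    for rules in preprocessor.rules decoder.rules; do
        # Escape the dots so they match literally in the regex.
        pat=$(printf '%s' "$rules" | sed 's/\./\\./g')
        if grep -Eq "^[[:space:]]*include[[:space:]]+[^#]*$pat([[:space:]]|\$)" "$conf"; then
            state=active
        elif grep -Eq "^[[:space:]]*#+[[:space:]]*include[[:space:]]+.*$pat" "$conf"; then
            state=commented
        else
            state=missing
        fi
        [ "$state" = active ] || rc=1
        printf '%s %s\n' "$state" "$rules"
    done
    return $rc
}

if [ $# -gt 0 ]; then
    # Check the file given on the command line.
    check_snort_includes "$1"
else
    # No argument: run against the constructed sample.
    tmp=$(mktemp) && sample_conf > "$tmp"
    check_snort_includes "$tmp" || echo "uncomment the lines above, then restart Snort"
    rm -f "$tmp"
fi
```

A non-zero exit status means at least one of the two directives is not active, so the check can be run after a Snort upgrade replaces the configuration file.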