Firewall IDS Explained: What Threats Can It Stop? [YouTube Release]

Additional Resources:

How to Configure Snort on pfsense

Snort Manual

Bleeping computer article

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 Lawrence Systems

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: Lawrence Systems's Amazon Page

UniFi Affiliate Link
:shopping_cart: Ubiquiti Store

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: Partners We Love – Lawrence Systems

Gear we use on Kit
:shopping_cart: Kit

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: Tech Supply Direct - Premium Refurbished Servers & Workstations at Unbeatable Prices

Digital Ocean Offer Code
:shopping_cart: DigitalOcean | Cloud Infrastructure for Developers

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - Launch UniFi, UISP and Omada in the Cloud

Protect your privacy with a VPN from Private Internet Access
:shopping_cart: https://www.privateinternetaccess.com/pages/buy-vpn/LRNSYS

Patreon
:moneybag: https://www.patreon.com/lawrencesystems

Chapters
00:00:00 Intro to IDS/IPS
00:00:32 IDS Pattern Matching Basics
00:02:17 Snort Rule Triggers and Why
00:05:42 Encryption TLS SNI Detection Limits
00:07:13 Effectiveness Against Modern Threats

Tom is opening a can of worms on this one. Let me go make some popcorn and watch the flood of highly opinionated comments come in.

I agree with Tom; the value proposition lately has been diminishing. Snort does have some “helpers” that know about behaviors of HTTP servers, port scanning, etc., that can be leveraged in rules to make them a bit more robust in detecting various attacks on the network.

Myself, I run in “Inline” mode and have the rules updated by the IDS configuration in pfSense to update alerts into drops for the categories I am comfortable with. Also, I selected the pre-defined policy selection of “Security”, which will select the category of “Snort” rules that are least likely to generate false positives while still providing some good IDS/IPS support for my server VLAN.

As for the script kiddies out there, I created two aliases and WAN block rules for the persistent subnets or addresses that seem to be pests that aren’t in any of the ET-emerging or SNORT lists. By analyzing the firewall logs quickly each morning with my Graylog dashboard (thanks Tom) I am able to see anything captured by those additional firewall rules or the ones that escaped and were captured by SNORT. There is one IP range in Australia that every two to three days floods my server network with port scans. By putting their address into the firewall alias and the rule to always block on the WAN port I save some firewall/Snort CPU and my state tables.

From my perspective it still takes a bit of time each day or weekly to make sure the system is operating correctly, and I still see value here to continue to use SNORT as my IDS/IPS. Heck, I am even getting my son involved with it and I assume one day he would also become a network guru on these types of systems.
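The daily "which sources keep coming back and scanning many ports" review described in the comment above is easy to automate. The following is an added example (not code from the thread, from Lawrence Systems, or from pfSense) that parses pfSense `filterlog` syslog lines, tallies blocked events per source address by distinct day and destination port, and emits network prefixes that could be pasted into a firewall alias. The CSV field order is an assumption taken from the documented filterlog layout, only IPv4 events are handled, and the log lines and addresses (TEST-NET ranges) are constructed for the example.

```python
"""Summarise pfSense firewall block logs to spot persistent port scanners.

Added example, not from the forum thread. Parses constructed syslog lines in
the pfSense filterlog CSV layout (field order assumed from the documentation)
and reports sources blocked on several distinct days across several ports,
i.e. the "persistent pests" worth a firewall alias instead of per-hit blocks.
"""
import re
from collections import defaultdict
import ipaddress

# Constructed sample lines using documentation address ranges (198.51.100.0/24,
# 192.0.2.0/24, 203.0.113.0/24). One source scans five ports over three days,
# two others appear once each, and one "pass" line must be ignored.
SAMPLE_LOG = """\
Mar  3 06:12:01 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1234,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,44321,22,0,S,1,,65535,,mss
Mar  3 06:12:02 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1235,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,44322,23,0,S,1,,65535,,mss
Mar  3 06:12:03 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1236,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,44323,3389,0,S,1,,65535,,mss
Mar  5 02:40:11 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,2201,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,50110,445,0,S,1,,65535,,mss
Mar  6 03:01:44 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,2202,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,50111,8080,0,S,1,,65535,,mss
Mar  3 09:00:00 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,7,0,DF,6,tcp,60,192.0.2.55,203.0.113.10,61000,443,0,S,1,,65535,,mss
Mar  3 09:00:05 pfsense filterlog[41230]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,8,0,DF,17,udp,60,192.0.2.99,203.0.113.10,61001,53,40
Mar  4 10:15:22 pfsense filterlog[41230]: 99,,,1000000200,igb0,match,pass,in,4,0x0,,52,9,0,DF,6,tcp,60,192.0.2.55,203.0.113.10,61002,443,0,S,1,,65535,,mss
"""

# syslog prefix ("Mon DD HH:MM:SS host filterlog[pid]: ") followed by the CSV body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.*)$")


def parse_filterlog(text):
    """Yield one dict per blocked IPv4 event; pass events and IPv6 are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        f = m.group("csv").split(",")
        # Assumed field order: 4 interface, 6 action, 7 direction, 8 ip-version,
        # 16 protocol text, 18 source, 19 destination, 20 sport, 21 dport.
        if len(f) < 20 or f[8] != "4" or f[6] != "block":
            continue
        proto = f[16]
        dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
        day = " ".join(m.group("ts").split()[:2])  # e.g. "Mar 3"
        yield {"day": day, "iface": f[4], "dir": f[7], "proto": proto,
               "src": f[18], "dst": f[19], "dport": dport}


def summarize_sources(events):
    """Per source address: blocked event count, distinct days, distinct dest ports."""
    stats = defaultdict(lambda: {"events": 0, "days": set(), "ports": set()})
    for e in events:
        s = stats[e["src"]]
        s["events"] += 1
        s["days"].add(e["day"])
        if e["dport"] is not None:
            s["ports"].add(e["dport"])
    return stats


def persistent_scanners(stats, min_days=2, min_ports=3):
    """Sources blocked on several days AND probing several ports.

    A one-off hit on a single port stays out, so the alias does not fill up
    with noise that the normal default-deny rule already handles."""
    return sorted(src for src, s in stats.items()
                  if len(s["days"]) >= min_days and len(s["ports"]) >= min_ports)


def collapse_to_prefix(sources, prefix_len=24):
    """Collapse candidate hosts into deduplicated network prefixes, covering the
    case in the post where a whole range (not one host) keeps returning."""
    nets = {ipaddress.ip_network(f"{s}/{prefix_len}", strict=False) for s in sources}
    return [str(n) for n in sorted(nets)]


def alias_lines(text, **kw):
    """End-to-end: raw log text in, one alias entry per line out."""
    stats = summarize_sources(parse_filterlog(text))
    return collapse_to_prefix(persistent_scanners(stats, **kw))


if __name__ == "__main__":
    stats = summarize_sources(parse_filterlog(SAMPLE_LOG))
    for src, s in sorted(stats.items()):
        print(f"{src:16} blocks={s['events']:3} days={len(s['days'])} "
              f"ports={sorted(s['ports'])}")
    print("alias candidates:", alias_lines(SAMPLE_LOG))
```

Tuning `min_days` and `min_ports` is the judgement call the comment describes: too low and the alias grows with every stray probe the default-deny rule was already dropping; too high and the recurring scanner keeps consuming Snort CPU and state-table entries until it crosses the threshold.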