How To Secure pfsense with Snort: From Tuning Rules To Understanding CPU Performance [YouTube Release]

Additional Resources:

Suricata VS Snort
https://www.netgate.com/blog/suricata-vs-snort

Cisco Small Business Switch Review

Connecting With Us

• Hire Us For A Project: Hire Us – Lawrence Systems
• Tom Twitter https://twitter.com/TomLawrenceTech
• Our Web Site https://www.lawrencesystems.com/
• Our Forums https://staging-forum.lawrencesystems.com/
• Instagram https://www.instagram.com/lawrencesystems/
• Facebook https://www.facebook.com/Lawrencesystems/
• GitHub lawrencesystems (Lawrence Systems) · GitHub
• Discord Lawrence Systems

Lawrence Systems Shirts and Swag

►👕 Lawrence Systems

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
Lawrence Systems's Amazon Page

All Of Our Affiliates that help us out and can get you discounts!
https://www.lawrencesystems.com/partners-and-affiliates/

Gear we use on Kit
Kit

Use OfferCode LTSERVICES to get 10% off your order at
Tech Supply Direct - Premium Refurbished Servers & Workstations at Unbeatable Prices

Digital Ocean Offer Code
DigitalOcean: AI-Powered Unified Inference Cloud Infrastructure

HostiFi UniFi Cloud Hosting Service
HostiFi - Fast and Reliable UniFi in the Cloud

Protect you privacy with a VPN from Private Internet Access
https://www.privateinternetaccess.com/pages/buy-vpn/LRNSYS

Patreon
https://www.patreon.com/lawrencesystems

Time Stamps
00:00 - How To Setup Snort on pfsense
00:37 - Install and basic setup
03:32 - Snort on WAN interface
04:47 - Creating Interfaces to Snort
06:24 - Examining Alerts and How They Are Triggered
09:36 - How Encryption Blinds Intrusion Detection
10:53 - Security Investigations and Tuning Rules
12:46 - Rule Suppression
15:53 - Snort CPU Requirements and Performance
19:55 - Some final notes on processors and rules

Snort (single threaded) v. Suricata (multi-threaded) which one is better? I’m running Suricata to get the multi-threaded performance but not sure if I really needed to be concerned about that aspect.

Snort and Suricata can inspect encrypted traffic. It might have been out of scope for this video.You can install the squid proxy and I already know argument will be that it’s a headache and there are certificates involved and have to be installed on every PC. Well you are correct if you are using the proxy as a transparent proxy. You bypass all that mess and just setup the proxy settings on your PC to point to the interface IP and port number from pfsense. And like magic you don’t need certificates or anything complicated or special.

I have been testing both on FW4C Protectli boxes and I would say they are neck and neck on impact of CPU when properly set up. It all depends on how many rules you want to include in your configuration that really makes the difference. I still fall back to Suricata but from my perspective both products do precisely what they state.

I just wanted to attach a chart of what normal rules on the Wan interface catches and then what what Suricata picks up with it own rules. You will see the default rules for PF Blocker is the #1 and default blocking rules of the firewall are #2. Suricata is #5 in the order of connections rejected: