How To Secure pfsense with Snort: From Tuning Rules To Understanding CPU Performance [YouTube Release]

Additional Resources:

Suricata VS Snort

Cisco Small Business Switch Review

Connecting With Us

Lawrence Systems Shirts and Swag



Amazon Affiliate Store
:shopping_cart: Lawrence Systems's Amazon Page

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: Affiliates We Love - Lawrence Technology Services

Gear we use on Kit
:shopping_cart: Kit

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: Tech Supply Direct - Refurbished Tech at Unbeatable Prices

Digital Ocean Offer Code
:shopping_cart: DigitalOcean | Cloud Hosting for Builders

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi Cloud Hosting

Protect you privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access


Time Stamps
00:00 - How To Setup Snort on pfsense
00:37 - Install and basic setup
03:32 - Snort on WAN interface
04:47 - Creating Interfaces to Snort
06:24 - Examining Alerts and How They Are Triggered
09:36 - How Encryption Blinds Intrusion Detection
10:53 - Security Investigations and Tuning Rules
12:46 - Rule Suppression
15:53 - Snort CPU Requirements and Performance
19:55 - Some final notes on processors and rules

Snort (single threaded) v. Suricata (multi-threaded) which one is better? I’m running Suricata to get the multi-threaded performance but not sure if I really needed to be concerned about that aspect.

Snort and Suricata can inspect encrypted traffic. It might have been out of scope for this video.You can install the squid proxy and I already know argument will be that it’s a headache and there are certificates involved and have to be installed on every PC. Well you are correct if you are using the proxy as a transparent proxy. You bypass all that mess and just setup the proxy settings on your PC to point to the interface IP and port number from pfsense. And like magic you don’t need certificates or anything complicated or special.

I have been testing both on FW4C Protectli boxes and I would say they are neck and neck on impact of CPU when properly set up. It all depends on how many rules you want to include in your configuration that really makes the difference. I still fall back to Suricata but from my perspective both products do precisely what they state.

I just wanted to attach a chart of what normal rules on the Wan interface catches and then what what Suricata picks up with it own rules. You will see the default rules for PF Blocker is the #1 and default blocking rules of the firewall are #2. Suricata is #5 in the order of connections rejected: