
I use pfSense for my firewall at home. I log all of my events to my Splunk system so I can visualize them and see what is really going on with my network. I constantly watch my IDS logs (Snort), as I am interested in seeing what attacks are being attempted against my home network on a regular basis. As a note, it is interesting to me that one of the most common attacks is SIP proxy attacks. Of course, the attackers have no idea whether I am a business that might be running SIP, but it is interesting that I am hit so often with those attacks. I also like to keep an eye on what attackers who belong to my ISP are doing. That way I can correspond with the ISP and get them to clean up their own network.

I have discovered lately that, regardless of which Snort rules I configure, at some point all rules, or many more rules than I selected, appear to be enabled. This is frustrating: I can restart the service, but the rules get enabled again later by default.
I posted this situation to the pfSense forums this morning and discovered that this is an issue with the way ET rule sets are written: when certain flowbits are required by a rule set, all rules using those flowbits are enabled. I think this is ridiculous, and it appears that Snort rules are written in a way that this does not occur. So, since I am not interested in all of the policy rules that keep getting enabled by ET, I will have to disable all ET rule sets and stick with Snort rule sets only. That is frustrating, because I want to capture what might not be caught by Snort rules alone. Regardless, I do not want a bunch of rules getting enabled that I have purposely disabled. I thought I would bring this up since it was an issue for me. I have included links to my post and to the other post where I actually found my answer on the forums.
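To make the flowbit dependency described above concrete: a rule that carries `flowbits:isset,NAME` can only fire if some other rule with `flowbits:set,NAME` has already matched on the same flow, so an engine that resolves flowbits has to pull those setter rules back in even if the administrator disabled them. The script below is an added example, not code from this post or from the pfSense Snort package; it models that resolution as I read the description above (iterating until no more setters are needed), and does not claim to reproduce pfSense's actual implementation. The rule lines are constructed for the example, with placeholder SIDs in the 9000000 range and made-up `example.*` flowbit names, not real ET or Snort rules.

```python
"""Show which disabled Snort rules a flowbit-resolution pass would re-enable.

Added example: parses a constructed set of rules, records which flowbits each
rule sets or checks, then walks the dependency chain from the enabled rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rule file. SIDs and flowbit names are placeholders,
# not real ET/Snort identifiers. Lines starting with '#' are disabled rules.
SAMPLE_RULES = """
# alert tcp any any -> any 5060 (msg:"EXAMPLE SIP INVITE seen"; content:"INVITE"; flowbits:isset,example.sip_register; flowbits:set,example.sip_invite; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any 5060 (msg:"EXAMPLE SIP auth failure after INVITE"; content:"401 Unauthorized"; flowbits:isset,example.sip_invite; sid:9000002; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE policy rule, deliberately disabled"; content:"GET"; flowbits:set,example.http_get; flowbits:noalert; sid:9000003; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule with no flowbits"; content:"POST"; sid:9000004; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled checker"; flowbits:isset,example.http_get; sid:9000005; rev:1;)
# alert tcp any any -> any 5060 (msg:"EXAMPLE SIP REGISTER seen"; content:"REGISTER"; flowbits:set,example.sip_register; flowbits:noalert; sid:9000006; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE checker with no setter anywhere"; flowbits:isset,example.smtp_helo; sid:9000007; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*([^;]+);")


@dataclass
class Rule:
    sid: int
    enabled: bool
    sets: set = field(default_factory=set)      # flowbits this rule sets
    requires: set = field(default_factory=set)  # flowbits it checks with isset


def parse_rules(text):
    """Map SID -> Rule. A leading '#' marks a disabled rule."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "sid:" not in line:
            continue  # blank line or a plain comment, not a rule
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m:
            continue
        rule = Rule(sid=int(m.group(1)), enabled=enabled)
        for opt in FLOWBITS_RE.findall(body):
            parts = [p.strip() for p in opt.split(",")]
            op = parts[0].lower()
            if op in ("set", "setx") and len(parts) > 1:
                rule.sets.add(parts[1])
            elif op == "isset" and len(parts) > 1:
                # isset may combine names with '&' (all) or '|' (any); both
                # create a dependency on every named bit for this purpose.
                names = re.split(r"[&|]", parts[1])
                rule.requires.update(n.strip() for n in names if n.strip())
            # noalert, unset, isnotset, toggle create no setter dependency here
        rules[rule.sid] = rule
    return rules


def resolve_flowbits(rules):
    """SIDs of disabled rules that set a flowbit some enabled rule requires.

    Runs to a fixed point: a setter that gets re-enabled may itself carry an
    isset on another bit, which drags in yet another disabled setter.
    """
    enabled = {sid for sid, r in rules.items() if r.enabled}
    auto_enabled = set()
    while True:
        needed = set().union(*(rules[sid].requires for sid in enabled))
        newly = {sid for sid, r in rules.items()
                 if sid not in enabled and r.sets & needed}
        if not newly:
            return auto_enabled
        enabled |= newly
        auto_enabled |= newly


def missing_setters(rules):
    """Flowbits required by an enabled rule that no rule in the set ever sets.

    Rules depending on these can never fire, whatever the resolver does.
    """
    enabled = {sid for sid, r in rules.items() if r.enabled} | resolve_flowbits(rules)
    needed = set().union(*(rules[sid].requires for sid in enabled))
    set_anywhere = set().union(*(r.sets for r in rules.values()))
    return needed - set_anywhere


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for sid in sorted(resolve_flowbits(parsed)):
        print(f"sid {sid} would be re-enabled (sets {sorted(parsed[sid].sets)})")
    for name in sorted(missing_setters(parsed)):
        print(f"flowbit {name} is required but nothing sets it")
```

Run against the constructed rules, the script reports that the two SIP setters (9000001 and 9000006) come back even though both are commented out, because enabled rule 9000002 needs `example.sip_invite` and 9000001 in turn needs `example.sip_register`; the disabled HTTP policy setter 9000003 stays off because the only rule that needs its bit (9000005) is disabled too. Pointing `parse_rules` at a real `.rules` file shows which of your disabled rules a resolver of this kind would insist on keeping.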
References:
My post – https://forum.pfsense.org/index.php?topic=130189.0
Post that helped – https://forum.pfsense.org/index.php?topic=129486.0