pfSense Emerging Threat Rule Issues

I use pfSense for my firewall at home. I log all of my events to my Splunk system, so I can visualize them and see what is really going on with my network. I constantly watch my IDS logs (Snort), as I am interested in seeing what attacks are being attempted on my home network on a regular basis. As a note, it is interesting to me that one of the most common attacks is the SIP proxy attack. Of course, the attackers have no idea whether or not I am a business which might be running SIP, but it is interesting that I am hit so often with those attacks. I also like to keep an eye on what attackers who belong to my ISP are doing. That way I can correspond with the ISP and get them to clean up their own network. I have discovered lately that, regardless of which Snort rules I configure, it appears that at some point in time all rules, or many more rules, are enabled. This is frustrating, as I can restart the service, but the rules are enabled again later by default.

I posted this situation to the pfSense forums this morning and discovered that this is an issue with the way ET rule sets are written. When certain flowbits are required by a rule set, all rules that set those flowbits are enabled as well. I think this is ridiculous, and it appears that the Snort rules are written in a way that this does not occur. So, since I am not interested in all of the policy rules that keep getting enabled by ET, I will have to disable all ET rule sets and stick with Snort rule sets only. That is frustrating, because I want to capture what might not be caught by Snort rules alone. Regardless, I do not want a bunch of rules getting enabled that I have purposely disabled. I thought I would bring this up since it was an issue for me. I have included links to my post and to another post where I actually found my answer on the forums.
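To make the flowbits dependency behaviour concrete, here is an added example (my own code, not from the post, the pfSense package, or Snort) that parses a handful of constructed Snort-style rules, builds the "checks bit X" to "sets bit X" dependency, and reports which rules a dependency pass would turn back on even though you left them disabled. The sids, flowbit names and rule text are invented for the demonstration.

```python
import re

# Constructed sample rules (not from the post); sids and flowbit names are invented.
SAMPLE_RULES = """\
alert tcp any any -> any 5060 (msg:"SIP INVITE seen"; flowbits:set,sip.invite; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 5060 (msg:"SIP follow-up"; flowbits:isset,sip.invite; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP policy marker"; flowbits:set,http.policy; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP policy follow-up"; flowbits:isset,http.policy; sid:1000004; rev:1;)
alert tcp any any -> any 22 (msg:"SSH rule with no flowbits"; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# op is set/isset/noalert/...; arg is the bit name(s), optional for noalert/reset
FLOWBITS_RE = re.compile(r"\bflowbits:\s*(\w+)\s*(?:,\s*([^;]+))?;")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def parse_rules(text):
    """Return {sid: (bits_set, bits_checked)} for every rule line with a sid."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        sid_match = SID_RE.search(line)
        if not line or line.startswith("#") or not sid_match:
            continue
        bits_set, bits_checked = set(), set()
        for op, arg in FLOWBITS_RE.findall(line):
            if not arg:
                continue  # noalert / reset carry no bit name
            # strip an optional group suffix, then split "a&b" / "a|b" forms
            names = {n.strip() for n in re.split(r"[&|]", arg.split(",")[0])}
            if op in SETTERS:
                bits_set |= names
            elif op in CHECKERS:
                bits_checked |= names
        rules[int(sid_match.group(1))] = (bits_set, bits_checked)
    return rules


def forced_enables(rules, enabled):
    """Sids that a flowbits dependency pass adds to the user's enabled set:
    every rule that sets a bit some enabled rule checks, applied transitively."""
    active, frontier = set(enabled), set(enabled)
    while frontier:
        needed = set().union(*(rules.get(sid, (set(), set()))[1] for sid in frontier))
        newly = {sid for sid, (sets, _) in rules.items() if sets & needed} - active
        active |= newly
        frontier = newly
    return sorted(active - set(enabled))
```

Run `forced_enables(parse_rules(SAMPLE_RULES), {1000004})` to see the disabled setter rule 1000003 come back; a rule set with no flowbits checks (sid 1000005 alone) drags nothing in.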

References:

My post – https://forum.pfsense.org/index.php?topic=130189.0

Post that helped – https://forum.pfsense.org/index.php?topic=129486.0

Author: Phil

Phil Williams is an engineer with around 20 years of information technology industry experience with past focus areas in security, performance, and compliance monitoring and reporting. Phil is a husband, father of 6 children, and an avid geek who loves building computers, gaming, and gadgets. He has an undergraduate degree in general IT sciences and has worked with the US Government as a contractor for over 20 years. He is now in a security solutions advisory role for a large vendor supporting commercial and enterprise customers.
