# IPS/IDS Software for FreeBSD



## bryn1u (Mar 1, 2018)

Hello guys,

I'm looking for some IPS/IDS software able to block packets or IPs from bad guys. I'm using PF but it's not enough. I tried Snort/Suricata but it's a pain in the ass to configure properly. It is hard to find any solutions.

Thanks.


----------



## Lamia (Mar 1, 2018)

You actually need bruteforceblocker.

And you can still get Snort running. The same goes for BRO.
Interestingly, you can install both Snort & BRO on the same machine, in addition to the bruteforceblocker. I bet they would do a fantastic job. Check NSM-hunter for BRO & Snort installation. There is a simple guide on the website.


----------



## bryn1u (Mar 1, 2018)

lamia said:


> You actually need bruteforceblocker.
> 
> And you can still get Snort running. The same goes for BRO.
> Interestingly, you can install both Snort & BRO on the same machine, in addition to the bruteforceblocker. I bet they would do a fantastic job. Check NSM-hunter for BRO & Snort installation. There is a simple guide on the website.



Ooo, thank you! I will check it!


----------



## Lamia (Mar 2, 2018)

bryn1u said:


> Ooo, thank you! I will check it!


You are welcome bryn1u.

For the thank you, may I ask that you give me a thumbs up by clicking the thanks (thumbs-up) button adjacent to the reply?


----------



## bryn1u (Mar 5, 2018)

lamia said:


> You are welcome bryn1u.
> 
> For the thank you, may I ask that you give me a thumbs up by clicking the thanks (thumbs-up) button adjacent to the reply?


Hey,

Could you tell me, did you install Bro or Snort using this script?


----------



## Lamia (Mar 5, 2018)

bryn1u said:


> Could you tell me, did you install Bro or Snort using this script?


The script works, though it looks old. I have used it in the past for the installation of both Bro & Snort. They serve different purposes. One is an IDS and the other is an IPS.


----------



## bryn1u (Mar 8, 2018)

Lamia said:


> The script works, though it looks old. I have used it in the past for the installation of both Bro & Snort. They serve different purposes. One is an IDS and the other is an IPS.



I'm guessing Bro is an IDS and Snort an IPS. Could you tell me, when you were using it, how does Snort block packages? Does Snort use IPFW or PF?


----------



## Lamia (Mar 8, 2018)

bryn1u said:


> I'm guessing Bro is an IDS and Snort an IPS.


You should be right.


bryn1u said:


> how does Snort block packages?


Snort uses snort rules, which will be downloaded during installation from https://www.snort.org/downloads#rules.


bryn1u said:


> Does Snort use IPFW or PF?


I can't remember making changes in the PF.conf for Snort to work. The script (NSM-hunter) must have catered for any need to change the PF.conf.


----------



## bryn1u (Mar 8, 2018)

Lamia said:


> You should be right.
> 
> Snort uses snort rules, which will be downloaded during installation from https://www.snort.org/downloads#rules.
> 
> I can't remember making changes in the PF.conf for Snort to work. The script (NSM-hunter) must have catered for any need to change the PF.conf.


I'm asking about these things because I'm using HardenedBSD-11 stable. I think there shouldn't be any differences between FreeBSD and HardenedBSD, but when I try to install it I'm getting so many issues related to this script.


----------



## Lamia (Mar 8, 2018)

bryn1u said:


> I think there shouldn't be any differences between FreeBSD and HardenedBSD, but when I try to install it I'm getting so many issues related to this script.


HardenedBSD would have a feature, in FreeBSD, called kern_securelevel set to something like "3" by default. That would prevent many packages from being installed. I reckon that is the problem you are encountering.


----------



## gkontos (Mar 8, 2018)

bryn1u said:


> Hello guys,
> 
> I'm looking for some IPS/IDS software able to block packets or IPs from bad guys. I'm using PF but it's not enough. I tried Snort/Suricata but it's a pain in the ass to configure properly. It is hard to find any solutions.
> 
> Thanks.



Keep in mind that a proper IPS will require a lot of resources. It really depends on what application you want to secure. Running an IPS just to block ssh brute force is overkill. Just change your ssh port, use key authentication and/or limit access to certain networks.

If you want to secure a web server, you might want to have a look at www/mod_security3.


----------
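Added example (not part of any post in this thread, and not taken from any project): a `pf.conf` fragment expressing the suggestion above to limit SSH to certain networks, with PF's own per-source connection limits moving repeat offenders into a block table. The interface name, port number and network ranges are assumed placeholders.

```conf
# Constructed example: interface, port and networks are placeholders (assumptions).
ext_if   = "em0"
ssh_port = "2222"    # must match "Port" in /etc/ssh/sshd_config

# Networks allowed to reach sshd (RFC 5737 documentation ranges as placeholders).
table <mgmt_nets> const { 192.0.2.0/24, 198.51.100.0/24 }

# Sources that trip the limits on the pass rule below are added here by PF.
table <bruteforce> persist

# Drop anything from a listed source before other rules are evaluated.
block in quick on $ext_if from <bruteforce>

# SSH only from the management networks. Per source address: at most
# 5 concurrent connections and 3 new connections per 30 seconds. A source
# that exceeds either limit goes into <bruteforce> and has its existing
# states flushed.
pass in on $ext_if proto tcp from <mgmt_nets> to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Key-only login is configured in /etc/ssh/sshd_config, not in PF:
#   PasswordAuthentication no
#   ChallengeResponseAuthentication no
#
# Check syntax before loading:       pfctl -nf /etc/pf.conf
# List blocked sources:              pfctl -t bruteforce -T show
# Expire entries older than a day:   pfctl -t bruteforce -T expire 86400
```

The fragment assumes the surrounding ruleset blocks inbound traffic by default; without a default block, the pass rule restricts nothing.
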

