Wednesday, September 18, 2013

Hello little NAS why are you trying to talk to Russia?

In a recent post I talked about securing your home network, so of course I want to make sure I practice what I preach.  My main server recently suffered some hardware failure; there was nothing critical on it so I am in no hurry to get it back up and running.  I took the opportunity to find something more dedicated to run the file sharing on the network, so I picked up a QNAP TS series device.  I figured yeah, this should do what I need.  Well, I didn't realize that it was able to replace most of the services that my bulky Dell server was hosting.  After getting it up and running I found it to have a slew of useful services like VPN, media server (DLNA) services, and of course file storage/sharing.  So I got the thing running, connected up the big USB HDD and restored all the shared paths and such.  Eventually I got the VPN working and made sure managing it was only done through SSL.

So I had it going for a couple of weeks without any issues, until the morning I decided to check out my network traffic.  I saw some odd stuff in my firewall logs that didn't make sense, and it was coming from the QNAP system.  It started because I saw a good deal of inbound UDP traffic being blocked.  UDP is basically TCP's connectionless cousin: there is no handshake, so a single packet from anywhere on the Internet can probe a port.  Plenty of legitimate services use it (DNS, NTP, DHCP, VoIP), but unsolicited inbound UDP from the Internet to a home network is almost always scanning.  So I checked out some IP addresses and they were coming from the usual overseas locations.  No big thing, most likely internet scanning on UDP to see if anyone's firewall will let it through.  So I continue through the log and notice outbound UDP traffic.  I panic a little and then notice it is going out over UDP port 6881.  Now my lovely firewall allows me to do an on-demand packet capture, which is handy as it sits between my LAN and the Internet, so it can see everything.  So I ran the capture and then filtered the results in Wireshark:
Notice the many different non-US destinations?  Yeah that didn't sit right with me.  Did some digging as I have not memorized all my TCP/UDP port numbers and found that this is typical of BitTorrent listeners.  I did some additional searching and found that the QNAP has a Download Manager service that comes turned on by default.  This download manager runs like a Torrent listener so this is beacon traffic to the torrent network.  I took a look at some of the packets and found it to be random garbage, nothing malicious.  But still, that is traffic I don't want going out without my permission, least of all to overseas locations.  I made some changes on the firewall that would automatically block traffic based on country of origin and found a nifty forum post about disabling the feature and hardening the device further.

  • Disable Download Station - unless you can find a good use for it.  This can be done from "My Apps." Just slide the bar to the left.
  • Now we need some clean-up.  We will need to make sure only authorized networks can access the QNAP.  Go to the Security Settings in the QNAP control panel.

  • In the Security Settings, you will want to select "Allow connections from the list only."  Then add the internal IP address/ranges you wish to allow to access the device.  This is handy if you happen to have a guest wireless network that may touch your main network.  Again who would have that, it is just silly.  Refer to the image below, IP addresses are obfuscated, but those would change based on the network anyway.  I did have to add my VPN IP Pool in as it is different from the internal LAN.
So that is it, piece of cake!  Once you make the changes it will restart the network services, so you may lose access to the shares for a minute or two.  After I made those changes the traffic pretty much stopped.  I am still getting a bunch of inbound UDP getting blocked but that should decline as well.  Anyway, hope this is helpful to some folks.  The device is pretty useful but again, don't always trust the default settings or apps.  Take the time to understand what you plugged into your network!  Any questions, feel free to leave a comment below!
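The pattern that gave the Download Station away, one LAN host sending UDP to a long list of different Internet addresses on a port nothing on my network should need, is easy to pick out of a firewall log automatically rather than by eyeballing it on a weekend morning.  The PowerShell below is an added example and not part of the original post: the log lines are constructed in a simplified format (timestamp, action, direction, protocol, src:port -> dst:port) using documentation addresses, the list of "expected" outbound UDP ports (53 for DNS, 123 for NTP) and the threshold of three distinct peers are assumptions, and the function names are mine.  You would swap the regex in ConvertFrom-FwLogLine for one that matches your firewall's real log format.

```powershell
# Added example (not the original post's code). Flags LAN hosts that send UDP to
# several distinct Internet hosts on ports you did not expect, which is the
# beaconing pattern of the QNAP Download Station. The log format below is
# constructed and simplified; adjust the regex for your firewall's real format.

# Constructed sample log (RFC 5737 documentation addresses stand in for real ones).
$sampleLog = @'
2013-09-18T06:41:02 block in  udp 198.51.100.23:41200 -> 203.0.113.10:1900
2013-09-18T06:41:09 pass  out udp 192.168.1.50:6881 -> 198.51.100.77:6881
2013-09-18T06:41:10 pass  out udp 192.168.1.50:6881 -> 203.0.113.45:51413
2013-09-18T06:41:11 pass  out udp 192.168.1.50:6881 -> 192.0.2.200:6881
2013-09-18T06:41:12 pass  out udp 192.168.1.50:6881 -> 198.51.100.9:6881
2013-09-18T06:41:15 pass  out udp 192.168.1.20:53412 -> 192.0.2.53:53
2013-09-18T06:41:16 pass  out udp 192.168.1.20:123 -> 198.51.100.123:123
2013-09-18T06:41:20 pass  out tcp 192.168.1.20:49211 -> 203.0.113.80:443
2013-09-18T06:41:22 pass  out udp 192.168.1.50:6881 -> 192.168.1.20:6881
'@ -split '\r?\n'

function Test-PrivateIPv4 {
    # RFC 1918 check so traffic to other LAN hosts is not counted as Internet egress.
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function ConvertFrom-FwLogLine {
    # Parses one line of the simplified format into an object. Lines that do not
    # match return nothing and simply drop out of the pipeline.
    param([string]$Line)
    $pattern = '^(?<ts>\S+)\s+(?<action>\w+)\s+(?<dir>in|out)\s+(?<proto>\w+)\s+' +
               '(?<src>[\d.]+):(?<sport>\d+)\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)\s*$'
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Timestamp       = $Matches.ts
            Action          = $Matches.action
            Direction       = $Matches.dir
            Protocol        = $Matches.proto
            Source          = $Matches.src
            SourcePort      = [int]$Matches.sport
            Destination     = $Matches.dst
            DestinationPort = [int]$Matches.dport
        }
    }
}

function Find-NoisyEgress {
    param(
        [string[]]$Lines,
        # Assumptions: DNS and NTP are the only outbound UDP a NAS should need,
        # and talking to three or more distinct Internet peers is worth a look.
        [int[]]$ExpectedUdpPorts = @(53, 123),
        [int]$MinDistinctPeers = 3
    )
    # Keep only outbound UDP that leaves the LAN on a port we did not expect.
    $egress = $Lines | ForEach-Object { ConvertFrom-FwLogLine $_ } | Where-Object {
        ($_.Direction -eq 'out' -and $_.Protocol -eq 'udp' -and
         -not (Test-PrivateIPv4 $_.Destination) -and
         $ExpectedUdpPorts -notcontains $_.DestinationPort)
    }
    # One row per chatty source host, with how many different peers it reached.
    foreach ($group in ($egress | Group-Object Source)) {
        $peers = @($group.Group | Select-Object -ExpandProperty Destination -Unique)
        if ($peers.Count -lt $MinDistinctPeers) { continue }
        $ports = @($group.Group | Select-Object -ExpandProperty DestinationPort -Unique | Sort-Object)
        [pscustomobject]@{
            Source           = $group.Name
            DistinctPeers    = $peers.Count
            DestinationPorts = ($ports -join ',')
            FirstSeen        = ($group.Group | Select-Object -First 1).Timestamp
            Peers            = ($peers -join ' ')
        }
    }
}

# Usage: anything returned here is a LAN host whose traffic you should be able to explain.
Find-NoisyEgress -Lines $sampleLog | Format-Table -AutoSize
```

On the sample log this reports only 192.168.1.50 (four distinct Internet peers on UDP 6881 and 51413); the blocked inbound scan, the DNS and NTP from 192.168.1.20, the TCP 443 session and the NAS talking to another LAN host are all ignored.  The private-address check matters because a torrent client will happily talk to local peers too, and those are not the destinations you care about.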

So, quick update on the network security... as I sit here waiting for my plane to Louisville for DerbyCon 2013, I decided to test my VPN to the home office.  It wouldn't connect, so through other magical means I remoted in a different way to check the systems.  Firewall check!  It was passing traffic nicely.  So I logged into the QNAP where the service is hosted and immediately saw the warning indicator for an unauthorized network attempting to connect on my VPN port.  Nifty, that made fixing the issue pretty easy.  Made the necessary changes and all is working now.  So if you lock your QNAP down and use the VPN service, you may need to open some ranges or just not use the block networks piece.  The VPN is only temporary until I can bring up a new full-time server.

Sunday, September 15, 2013

Securing Your Home Network

Every now and again I try to take some time out of my weekend mornings to take a look at my network traffic.  I should certainly do it more often or enable some form of weekly report to be sent to me; maybe that will be a winter project this year.  In any event, with all the new tech we add to our home networks every year, it makes more sense to know just what exactly is going on in the network.  Big enterprises have numerous tools (not so much personnel) to monitor both outbound and inbound traffic; unfortunately the typical home user does not.  In fact many believe that if they slap in their Linksys/Netgear home router, they are good to go and everything will behave.  But with stories such as the "hacked" baby monitor in Texas, we know this is not true.  Just some corrections to that story: it wasn't an actual baby monitor, you know, the two-way radio sort of monitor.  It was a Foscam IP video camera, most likely of the wireless sort.  It sounded like the father took the appropriate steps in configuring it, but again, just doing what the manual tells you to does not make it securely configured.

But I digress, the point of today's post is to help educate my not so tech savvy readers and make them aware that many of these consumer brand companies really don't put too much effort into securing their product.  They have some basics covered like changing the default password or enabling secure wireless, but something such as allowing access to the device over the internet, well, that opens a door and invites trouble into your network.  Researchers and the bad guys are constantly scanning the internet for open ports to determine what services might be running on them.  You have your typical ones such as web based TCP 80 (http) and 443 (https), as well as email (SMTP/TCP25), FTP (TCP21), and SSH/SFTP (TCP22).  There are also standard services running on non-standard ports; for example, http running on TCP 8080.  This is typically done to either obscure a web server from the untrained script kiddie or run more than one web server from a single host.  In my case it would be to get web traffic through my cable company's routing rules, as residential internet typically filters popular traffic such as SMTP and HTTP on standard ports.  We can go into details another time on that.  With tools such as Shodan (See previous post) being used much more frequently and internet scanning software becoming more efficient (Check out the post from Robert Graham), it is getting much easier to find out what is running on people's networks.

So what does all this mean?  Well as consumers we need to start getting smart about what we are connecting to our home networks.  In the past the average home probably had 1-2 computers and possibly both wired and wireless networking.  Now a majority of homes have any number of smart phones, tablets, game consoles, laptops, and (maybe) a desktop all connected up.  They may also include network printers, Smart TVs, Smart Blu-ray players, and other media devices such as Apple TV or Roku.  All of these are now nodes on your home network and they all require internet access to function.  

Now of course we have all created a network diagram that we keep handy for reference... right?? Anyone?  Anyone besides the crickets?  OK I'm joking, only folks like myself who do this for a living will probably go the extra length and document the home network.  At least I can rest easy knowing that if I am ever hit by a truck, my wife will know what device to unplug to reset the cable modem.  I only partially joke about this, but it is not a bad idea to know what is connected to your home network; just draw it out on paper or make a simple list.  You don't need to make high end enterprise architecture diagrams, I mean that would be silly!  The first part of securing something is knowing what it consists of.  You know how many doors and windows you have in your home, right?  Well, think of your network in a similar way.  The fewer devices you expose to the internet, the better.  Exposed meaning you allow inbound access to them.  If you absolutely must have access to something while you are away from your home, then look into setting up a VPN.  It is not all that hard and there are a number of both hosted and local solutions out there.  I will be doing a write up on one such device coming up.  The VPN allows you to make a secure connection to your home network from outside.  The tunnel is encrypted so it is difficult to play man-in-the-middle on.  Is it foolproof?  Absolutely not, but it is another layer to make it so the novice cannot get in.  In security we like to say, if someone wants something bad enough, they will get it, it is just a matter of time.  Your best defense is to make it as hard as possible for them to do it.  Think about it this way: putting frosted glass on windows, using thick curtains, and even placing warning signs on your property for dogs or an alarm system.  Granted these may throw up flags that you have valuable stuff, but it will keep the curious passers-by from snooping around.
A determined criminal may risk it and smash in a window still but he may not be willing to tangle with a big dog.  

So this one went on long enough, I will end with this... don't assume the product manufacturers have your back; they want to make money, and adding extra steps to secure something may take from their bottom line.  So go out and do some research on that next new gadget you want to add.  Know that you may need to do some extra work to harden it!  If you ever want more education on the matter, swing by your local Hackerspace; there are always folks willing to educate people on these sorts of things.  If you are local to CT, you can come by  We are usually around in the evenings during the week and random times on the weekends.  The weekly schedule is posted on Sundays.

Tuesday, September 3, 2013

Edumacation and Training: Who's responsible? You or your employer?

If you consciously decide to take a career in information technology, then you should have realized that school and training doesn't stop after you receive your degree.  The same goes for you if you decide to move into an information security position.  This realm is constantly evolving and you need to be willing to evolve with it, or find a new career.

Your goals may not align with your employer's...

If you are lucky enough to land a job with a company that will pay for training, then take advantage of it.  Just be ready to accept that what they are willing to train you on may not be in line with your personal career goals.  For example, if you work for a consulting company, they may want you certified with their primary vendors' products.  If it is a Microsoft Gold partner shop, then they need to maintain a certain number of MCSE/MCSA certified individuals to keep that partnership.  If you sell Cisco or Juniper products, the company may need those certificates as well.  They may not want to send you to SANS or Blackhat for training on the latest security topics.  Unless, of course, they are a security consulting company and they would rather your pen testing skills be honed.  If you are in a large enterprise, the training may be more open, as long as it fits in with your development plan, then it can be justified.  In any event take whatever training you can get, it will never be wasted and you might learn something interesting.

It may not be in the budget....

Be ready to hear that if you want an employer to pick up the bill for a conference.  Although it may benefit them that you receive some cutting edge knowledge, they may prefer you attend online webinars or local events, rather than sending you to San Francisco for RSA or Vegas for DEFCON and Blackhat.  If that is the case, don't be afraid to spend some of your own cash and use your personal time to hit up some of the smaller cons like DerbyCon (Louisville), ShmooCon (Washington D.C.), Thotcon (Chicago), and of course any of the many Security BSides events happening all over the world.  Most of these are pretty affordable, and all you need to do is come up with the means to get there.  If you can't afford a room, there is usually someone willing to split one.

Don't pass up excellent networking opportunities...

Back to the topic of the conferences, not only do you get exposed to some excellent talks, but these are also great opportunities to meet some interesting people.  Again, your goals may not align with your company's, but that doesn't mean you should ignore them.  Invest in yourself a little and get out to these cons.  Who knows, you might have a conversation with someone who may want you to come out the next year and speak at the con.  If it is a vendor, they may even pay for it.  Also, when at the conference, don't worry about getting to every talk on the schedule.  Take the time to participate in the "HallwayCon", grab coffee with some attendees, and don't be afraid to join a public dinner invite.  You never know who you will meet out there, they could lead you to the next stage of your career.

"I'm going as long as work approves..."

So something along those lines was said to me when talking about a BSides event that was in the next state.  The person was hoping work would pay for the single night at the hotel.  Since BSides are relatively cheap, and usually within driving distance, I will cough up the 100-200 bucks for a single night at the hotel.  Again, back to the networking opportunities and the education factor of these events, it is worth spending some of your own cash for it.  In some cases, you can claim these trips as a business expense, but check with your tax guy first.


Ultimately you are responsible for your own training and education.  If you want to succeed in your career, you will make it happen.  Whether you get work to pay for it, or not, you should still do it.  If work wants to get you trained on something not necessarily related to your goals, take it!  It is knowledge you did not have before.  So good luck out there and keep up the learning!  Maybe we will bump into each other at the next HallwayCon.  Otherwise see you at DerbyCon 2013 in Louisville this year!

Saturday, May 25, 2013

Communicating with Execs on InfoSec

As I sit here, drinking my coffee and worrying about the troubles of the world, I came across this DarkReading post on security pros failing at business lingo.  It is an interesting read but nothing ground breaking.  The argument has been around for a while now that much of senior management rarely has any idea of what we are talking about.  We are finally seeing more of us making their way to that table.  Those that do are usually well versed in business speak.  I would agree that all security pros should be familiar with how to explain why technical vulnerabilities affect the business.  In smaller shops you may not have that C-level representation, so you would need to double as both the highly skilled security engineer and the CISO/CSO.  But in larger environments, there really need to be some tiers in place.  Your skilled staff should worry about the job/mission while their management translates their activities/needs to the execs.

An engineer is an engineer regardless if they are building a new jet propulsion system or developing a new architecture to store that system's critical data.  People like your incident responders, security architects, penetration testers and such are (hopefully) highly skilled individuals who know their craft inside and out.  They spend their days learning about the newest attack methods and how to detect/defend against them.  They are engineers and scientists of the IT world.  They are not that different from your network/systems engineers who build the infrastructure.  I'm not saying they can't be bothered with talking to execs, but they really shouldn't be focusing on that.  They should be able to provide data to their management so they can communicate it up the chain.  Let them do what they are good at and everyone will be happy.  At times though, the engineers may need to step up and speak directly to management.  At that point, the security execs/managers should be supportive and help get the right "Lingo" into that presentation.

As a consultant, it is a different story.  You need to be able to play both sides as you are typically selling your service to non-technical people.  You need to understand what keeps them up at night and address that.  If you cater to SMBs, you will most likely be talking to the President/CEO of the company.  They will most likely not know about things like "firewalls" or "SQL injection" and what types of risk they pose to their company.  So things like "getting shell on your webserver" will need to be explained in different terms; for example, "Your web server that hosts <insert app name here> is vulnerable to a number of attacks that will lead to a compromise of your customers' data.  This data can then be downloaded and used to carry out a number of computer fraud crimes.  Since this data contains SSNs and other Personally Identifiable Information, you can be held accountable and possibly fined a significant amount by the federal government."  Make sure you include numbers on the possible fines because in some cases, if the business is small enough, that one fine can end them.  I would cite similar numbers if I found a prospect that was out of compliance with Microsoft licenses.  That was something like $100K per incident.  Tell that to a company who doesn't want to "waste" money on a $1500 license pack and they change their tune.

So I guess to wrap this up...  This is going to be ever-present as you will always need highly skilled individuals who know how to figure out the problems and fix them.  The types that you throw a Rubik's cube in front of and they will relentlessly work it until they achieve their goal.  You will have the researchers who continually take apart hardware/software to see how it ticks.  These guys are the scientists of technology and they need to spend their days doing this type of work.  Eventually one will rise out of the lab, and that person will realize they are better suited to help the cause from a managerial post.  They will work to attain the skills to better work with the executives, but will retain the knowledge to continue communicating with the engineers and architects.

As always feel free to leave your comments, do you agree or disagree?

Monday, April 22, 2013

Quick fun code with Powershell

So one of my areas of improvement this year is in my coding ability.  Just finished the Python course from (I highly recommend checking them out), but I also enjoy Powershell, as I primarily work on Microsoft systems.  I follow the MS Scripting Guy's blog -, he always has some great material to check out and try.  Right now is the start of the 2013 Scripting Games so to honor it, he posted a great tip for pulling down the latest blog posts for the games.  You can check out the code here: Use PowerShell to Keep Up-to-Date with the 2013 Scripting Games.

So the initial code is pretty simple.  When you run the script it will dump to your Powershell console.  But what if I don't want to review it just yet and save it for later?  I could dump the results to a file with a number of methods, but I really want to make sure I check it out.  So why not generate a web page with the results?  That would be perfect!!  Powershell has a number of ConvertTo-* commands, and they happen to have one for HTML: ConvertTo-Html.  Here is the modified code:

# $sg2013 holds the feed URL; it is set in the Scripting Guy's original script linked above
Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |
ConvertTo-Html | Out-File E:\Code\Powershell\rss_reader.html

Notice I also added the link to the select statement.  The last half of the code sends the information to the designated out-file.  But I am not fond of the results.
See?  Very boring.  Believe it or not, there is quite a bit of code present in the page.  Since the Conversion occurs with the original output in a table format, it actually created it as such in the html.  Unfortunately no color.  Lets see if we can spruce things up a bit.  With a bit more research into ConvertTo-Html, I found that it has options for the various sections of an HTML file: HEAD, BODY, and TITLE.  For this example we will stick with working in the HEAD section.  In the HEAD section we could call various STYLE configurations that will apply to the whole page.  A new variable will need to be created that will contain the content for the HEAD section:

$style = "<style>BODY{background-color:black;}</style>"

Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |
ConvertTo-Html -head $style | Out-File E:\Code\Powershell\rss_reader.html

We are almost there, unfortunately this creates a page with a black background, not good since the default font color is also black.  The style variable can be built up over several lines; "$style += ..." appends to the existing string, which is the same as writing "$style = $style + ...".

$style = "<style>"
$style += "BODY{background-color:black;}"   # page background
$style += "BODY{color:lime;}"               # default text color, so the text shows on black
$style += "</style>"

This essentially builds out the style tag for the page.  You can add additional code to format the table colors as well.  But lets keep it simple, here is how the new page looks:
That is much better, you can experiment with the colors if black and lime green are not your thing.  We will add one more option to the ConvertTo-Html function using the -body option:

Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |
ConvertTo-Html -head $style -body "<H2>2013 Scripting Games Feed</H2>" | Out-File E:\Code\Powershell\rss_reader.html

This adds a nice heading to the page.  So this is great, I have a nicely formatted list of items from the Scripting Guy's blog, but how do I remember to go back and check???  Well, you can call the following command in the script to open the file with its default handler.  Invoke-Item is the right cmdlet for this; Invoke-Expression would also launch the file on Windows Powershell, but it does so by evaluating the path as Powershell code, which you don't want for a path with spaces or special characters in it:

Invoke-Item E:\Code\Powershell\rss_reader.html

This will open the HTML file up in your default browser.  So if you want to get really crazy, add this as a scheduled task to run every couple hours/days/weeks etc.  A couple things I will be trying to add are some conditions so that I don't just keep getting a full list of items.  I may only want to view the latest posts and I may want the list to convert the links to hyper-links.  Well I hope you enjoyed, now go out and code!  
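Both of the to-do items at the end, showing only the latest posts and turning the links into hyperlinks, need the HTML built a little more carefully than ConvertTo-Html does it, because ConvertTo-Html HTML-encodes every cell (which is exactly why a pre-built "<a href>" string in a property would show up as literal text).  Building the table by hand gets you clickable links, but it also moves the job of encoding onto you: feed titles and links are untrusted input from somebody else's server.  The script below is an added example, not code from the original post or from the Scripting Guy's script: the feed XML is constructed to stand in for the items Invoke-RestMethod returns, the seven-day default cutoff is an assumption, and the function name ConvertTo-FeedReport is mine.

```powershell
# Added example, not the original post's code. Builds the same black-and-lime
# report, but keeps only items newer than -Since and renders each link as a
# hyperlink. Titles and links are HTML-encoded, and only http/https links are
# made clickable, so a hostile feed cannot inject markup or a javascript: URL.

# Constructed stand-in for the items that Invoke-RestMethod -Uri $sg2013 returns.
$sampleFeed = [xml]@'
<rss version="2.0"><channel><title>sample</title>
<item><title>Post one</title><pubDate>Mon, 22 Apr 2013 09:00:00 GMT</pubDate><link>http://example.invalid/one</link></item>
<item><title>Post &lt;two&gt; with "quotes"</title><pubDate>Wed, 17 Apr 2013 09:00:00 GMT</pubDate><link>http://example.invalid/two?a=1&amp;b=2</link></item>
<item><title>Sneaky</title><pubDate>Thu, 18 Apr 2013 09:00:00 GMT</pubDate><link>javascript:alert(1)</link></item>
<item><title>Old post</title><pubDate>Fri, 01 Mar 2013 09:00:00 GMT</pubDate><link>http://example.invalid/old</link></item>
</channel></rss>
'@

function ConvertTo-FeedReport {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Items,
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumption: a week counts as "latest"
        [string]$Heading = '2013 Scripting Games Feed'
    )
    # Same look as the post, plus a visible link colour and table borders on black.
    $style = '<style>BODY{background-color:black;color:lime;} A{color:cyan;} ' +
             'TABLE,TH,TD{border:1px solid lime;border-collapse:collapse;padding:4px;}</style>'

    # pubDate is RFC 822 style ("Mon, 22 Apr 2013 09:00:00 GMT"); parse it once per item.
    $parsed = foreach ($item in $Items) {
        [pscustomobject]@{
            Title     = [string]$item.title
            Published = [datetime]::Parse($item.pubDate, [cultureinfo]::InvariantCulture)
            Link      = [string]$item.link
        }
    }

    $rows = foreach ($p in ($parsed | Where-Object { $_.Published -ge $Since } |
                            Sort-Object Published -Descending)) {
        $title = [System.Net.WebUtility]::HtmlEncode($p.Title)
        $uri = $null
        # Only well-formed absolute http/https URLs become hyperlinks; anything else
        # (javascript:, data:, garbage) is shown as plain encoded text.
        $clickable = ([System.Uri]::TryCreate($p.Link, [System.UriKind]::Absolute, [ref]$uri) -and
                      (@('http', 'https') -contains $uri.Scheme))
        $link = if ($clickable) {
            '<a href="{0}">{0}</a>' -f [System.Net.WebUtility]::HtmlEncode($uri.AbsoluteUri)
        } else {
            [System.Net.WebUtility]::HtmlEncode($p.Link)
        }
        '<tr><td>{0}</td><td>{1:yyyy-MM-dd HH:mm}</td><td>{2}</td></tr>' -f $title, $p.Published, $link
    }

    $safeHeading = [System.Net.WebUtility]::HtmlEncode($Heading)
    @"
<html><head><title>$safeHeading</title>$style</head>
<body><h2>$safeHeading</h2>
<table><tr><th>title</th><th>pubDate</th><th>link</th></tr>
$($rows -join "`n")
</table></body></html>
"@
}

# Usage: same output file and same "open it in the browser" step as the post.
$report = ConvertTo-FeedReport -Items $sampleFeed.rss.channel.item -Since ([datetime]'2013-04-01')
$report | Out-File -Encoding utf8 E:\Code\Powershell\rss_reader.html
Invoke-Item E:\Code\Powershell\rss_reader.html
```

With the constructed feed and the April 1 cutoff, the page lists three items newest first; "Old post" is dropped, the "<two>" title renders literally instead of as a tag, and the javascript: link is printed as text rather than becoming something clickable.  Swap $sampleFeed.rss.channel.item for the output of Invoke-RestMethod -Uri $sg2013 and drop -Since to get the default week-long window.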

Friday, March 22, 2013

You Just Won A MEGA DISCOUNT!!!! (no you didn't)

You are an infosec geek when you receive a call that you know is a scam but you pick it up anyway to hear the recording. You then do some internet recon on the domain they tell you to go to and find that it was registered very recently. Next you pull up your sandbox system, load up BurpSuite and proceed to visit the very obvious phishing site to see what happens.
Fake AT&T Phishing Site

So random pre-recorded call from a bogus 800 number.
"You just won the AT&T Mega Discount for $555 dollars off your next AT&T bill. You just need to visit to claim your discount."
So you go to this site and say "Hey this looks legit, all the logos are there and such. Let me just log in and get my reward!"

Real AT&T Account Site
And now you just gave some guy in Germany your AT&T Account creds and your last 4 digits of your Social. Notice the attached images? The first is the phishing site, it has all the logos and looks very similar to the real AT&T Account site (next image). But, the bogus site has an extra field for "Last 4 of SSN." In most cases AT&T will never require this unless you forgot your password or they need to verify your account when you call them.

With BurpSuite running in intercept mode, you can watch the activity as you throw fake information into the site. It took whatever I submitted with no validation (another sign it is a bogus site). When I hit "log in", a ton of stuff happens in the background. It sends the data you entered to a web address in Germany:
This happens in clear text as well, with no SSL anywhere to be seen.  This is just one more thing to add to the list of suspicious activity.  If the phisher were more creative, they would have at least used a bogus SSL cert to add more realism to the ruse.

So moral of the story, think before you click! Be aware of your surroundings. If something is too good to be true... it probably is.

Tuesday, January 1, 2013

Open Source Firewall project... Day 3, Time for Splunk!

So I scrapped the full UTM solution seeing that Snort has some serious memory requirements.  I did not want to add any other packages to this device.  If you are curious as to what would have been done you can check out SmallNetBuilder's UTM Guide.  If I can obtain some better hardware I may move to a beefier solution, but for now, I will be happy just seeing more detailed firewall and IDS/IPS data.

So if you have worked with pfSense at all, you will notice that it has limited internal logging capacity.  You can adjust but eventually logs will be overwritten.  With the addition of Snort, you now have another important log to look at.  There is an option for each of the managed interfaces in Snort to send data to the System logs, but remember, you will now overwrite those with more data.  So best solution is to send all this information to a Syslog server.  There are a couple solutions out there such as KiwiSyslog, but I sent the information to my Windows 2008 server running Splunk.  There is a decent guide on SeattleIT.Net.  That one includes using the Google Maps app in splunk to track the geo-IP location of external hosts.  The guide does contain two important config files needed, which is why I referenced it.  You will need those so Splunk knows how to parse the information it receives from pfSense.  On the pfSense box you will need to enable logging to a Syslog server.  This is done from Status-->System Logs-->Settings (see fig 3.1).
Fig 3.1 - Log Settings pfSense
From here you can add the server and the logs you want to send.  Unfortunately, pfSense only supports UDP port 514 for Syslog data.  This is the default configuration; there are some guides out there that instruct you how to change this setting but that is beyond the scope of this discussion.  One more thing needs to be done here before we head over to Splunk.  I want to make sure I capture the Snort logs as well.  I haven't found an individual setting for Snort in pfSense to send logs to an external source, but there is an option to send them to the System Log for pfSense.  This will work out seeing that I already set the System logs up to go to a Syslog server.  Head over to Services-->Snort and edit each interface you want the logs for.  You will want to check off the option "Send alerts to the main System logs" (see fig 3.2).
Fig 3.2 Sending snort alerts to System Logs
Now that we have logs to collect, it is time to turn on the feed in Splunk.  This was tricky at first then I realized I made a dumb mistake and it worked perfectly.  If you are using a Windows server with the firewall enabled, you may have to allow the UDP 514 traffic from the pfSense box.  The easiest way to add the information to Splunk is to go under the Search section and "Add more data" (See fig 3.3).
Fig 3.3 Add Data to Splunk Search
From the next section you will be able to choose the type of data you want to add.  For this we will choose "Syslog" (See fig 3.4).
Fig 3.4
Choose the type of Syslog you want, for this I used "Consume syslog over UDP" (See Fig 3.5).
Fig 3.5
This brings you to the configuration screen.  Set the port to 514 since that is the default used by pfSense.  Then configure the remaining settings and check off "More Settings" for additional options (See Fig 3.6-7). 
Fig 3.6

Fig 3.7
Use the manual option for Source Type so you can set the correct name that coincides with the props.conf and transforms.conf files from the SeattleIT.Net post referenced above.

Also notice in Fig 3.7 the "Restrict to Host" option.  This locks down which host Splunk will accept syslog from on that port; data from any other sender will be ignored.

Once the Splunk server has been rebooted, you should start seeing information flow in from pfSense.  At this point you can start searching for specific events from Snort or the Firewall logs.  Right now the logs from Snort are mixed up with the System log activity of pfSense.  If you choose the SourceType="pfsense-firewall" you will see only the firewall logs.  For now I created an event type based off a simple search string 'source="udp:514" snort'.  I will most likely move to pulling out the Snort logs as a separate feed but for now this will work just fine.

At this point I have called it a day and the initial project is done.  I will most likely tweak the configuration and try to pull out some more useful information that will assist in setting up some decent block rules in Snort.  But that is enough work on my vacation and the Xbox is calling!  If you have any questions, feel free to leave a comment or hit me up on Twitter.  I hope you all kick the new year off right!

Open Source Firewall project... Day 2ish

OK so this is a couple days combined.  We left off with getting access to the WebGUI and making sure everything was good to go for connectivity.  I put a hold on configuring additional firewall rules for OpenVPN but will look to getting that up in the next day.  I spent some time checking out the new data I was logging for external access attempts.  Eventually this information will be sent to a log management solution for better data gathering, more on that later.

Over the last couple days I worked on getting Snort installed and configured as well as setting up the Dynamic DNS service I use.  DynDNS ( is a nifty service that allows you to have a dynamic public facing IP address (typical for residential ISP customers) but you can assign a static DNS record to that interface.  The service utilizes an agent based, manual, and/or account based method to update the host information.  Most broadband routers and SOHO style firewall services have the ability to communicate with Dynamic DNS services.  The typical free solutions give you some pre-defined domains to use, but if you want to get fancy, you can just create a CNAME with your current DNS host and point it to the DynDNS domain for example: -->

Now that all that is settled, we can proceed to getting the IDS/IPS up and running.  For that we add the snort package.  If you are following the guide from SmallNetBuilder, then you see it is pretty simple.  Always remember when configuring your IDS/IPS, only turn up the rules/Categories related to your network.  For example, if you do not have Oracle Servers, then don't turn on the Oracle rules.  This cuts down on the amount of alerts you will receive from the IPS.  If this is your first IPS solution on your network, you may also just want to enable the IDS portion first just to see what is going on.  If you see immediate activity that you know should not be occurring, then enable the IPS portion for that specific activity.  Upper management tends to frown on bringing the business to a screeching halt because your custom application looked like bad network activity to Snort.  For a home network straight Snort is good enough, but for business you may want to consider the SourceFire appliance.  It is much easier to call support to fix something ASAP rather than scouring Google.

I initially turned up the block rules for the WAN and left them off for LAN.  I had some issues though with the blocking on the WAN since it was blocking the pfSense package management traffic.  I am currently just in IDS mode on both interfaces since my main goal here was to see what is happening on the home network.  Later I may build up some suppression/whitelist rules.

The final part of the guide instructs you to install IP-Blocklist.  The application is basically a managed blackhole solution for the firewall side of pfsense.  You configure it to look at some blacklists and it will drop packets for IP addresses on those lists.  This is great if you want to block traffic from specific countries.  The IP-Blocklist is no longer fully supported by pfsense, they offer pfblocker which works much the same way and is added to your Firewall controls.  I did not do much to configure this yet.  Again I want to see where traffic is coming from then I will look at initiating some blocks.

Once Snort was running I did notice some errors popping up repeatedly on the console.  Many were due to ACPI errors.  I found some discussions pointing to a variety of items for FreeBSD and hardware issues.  The one the issue seemed related to was the onboard Realtek NIC.  Disabling the NIC in the BIOS and rebooting seemed to stop the errors.  Of course that angered pfSense and forced me through the config prompts.  After fixing all that, I re-enabled the onboard NIC and received the ACPI errors again.  Rebooted using Safe Mode and a number of errors were auto-corrected.  Unlike a Windows Safe Mode reboot, no services were disabled.

This is where I pretty much called it a day.  Next up is adding this new found information to Splunk.