Extending pfSense with SNORT for Intrusion detection & prevention.

The SNORT package, available in pfSense, provides a much needed intrusion detection and/or prevention system alongside the existing PF stateful firewall within pfSense. These directions show how to get SNORT running with pfSense and some of the common problems which may be encountered.

Contents
  Extending pfSense with SNORT for Intrusion detection & prevention
  Quick overview of SNORT on pfSense
    Introduction
    Rules & subscriptions
    Rulesets and detection
    White lists & suppression rules
      White lists
      Suppression rules
  Installing SNORT
  Initial configuration of SNORT
    General configuration
    Assigning interfaces to SNORT instances
  Selecting the SNORT rules you need and testing them
    Common rulesets
  Whitelist definition
  Alerts, suppression rules & lists
    Alert alert alert!
    Unblocking a host
    Preventing it happening again (suppression or disabling a rule)
      Disabling rules
      Suppressing rules
Source: users.ox.ac.uk/...pfSense-with-SNORT-for-Intrusion-detection.pdf
Example 3: You can change the rule to match by source instead:
suppress gen_id 141, sig_id 1, track by_src, ip xxx.xxx.xxx.xxx
Is it bad traffic or not?
Determining what is bad traffic is tricky. I usually try:
- If it is blocked by the "Dshield Block" or "ET COMPROMISED" list it is almost certainly bad. These are IP blacklists.
- Can you resolve the IP address to a DNS name? If not, it is probably not good.
- Does the rule mention 'possible' or 'unknown traffic'? If so, it may be harmless.
- Try to track the IP to identify, if possible, the user; this may help identify the traffic.
- The rule description goes a long way here; google it to find more info.
- Some rule sets have comments for rules as well (not many!).
- Put the IP into a reputation search (there are many online, and some show the registered address block owner and geo-location).
- Is it from China? Some locations are more fishy.
Keeping an eye on your server's resources (swap, swap, swap)
The more you load onto SNORT, the more likely you are to eat RAM and CPU cycles. If your firewall slows down, you are likely running into swap, which is bad news! You can easily see swap usage on the dashboard.
Each time SNORT reloads (usually due to config changes or scheduled rule updates) there is a chance the old instances of SNORT did not stop running before the new ones started. Check Diagnostics, then the System Activity tab, to see how many SNORT instances you have running. If you have too many, either reboot or use a terminal to kill all instances of SNORT.
If you want to kill SNORT (least disruptive), you can log on via SSH [1] (if SSH is enabled) and use the following command:
pkill -9 snort
Then you can start your SNORT instances up at the SNORT Interfaces screen by clicking on the red 'X' icons, which should turn to green chevrons.
[1] Enable via the System menu, then Advanced; scroll down to Secure Shell and tick Enable. You'll need an allow rule in the firewall rules for your LAN as well.
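A scripted version of the "how many SNORT instances are running" check, added here as an example and not part of the original guide: it counts snort processes per interface from ps output and flags any interface with more than one. The ps lines are a constructed sample, and the function names snort_counts and snort_dupes are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: count running snort processes per
# interface from ps-style output and flag any interface with more than one, which
# is the "old instance did not stop before the new one started" condition above.
# The interface is taken from snort's "-i <iface>" argument. Function names
# snort_counts and snort_dupes are this example's own choice.

# Constructed sample in the shape of `ps ax -o pid,command | grep '[s]nort'`
# on pfSense: em0 has a stale duplicate, em1 is healthy.
SAMPLE_PS='1001 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_1001_em0/snort.conf -i em0
1002 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_1002_em0/snort.conf -i em0
1003 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_1003_em1/snort.conf -i em1'

# Read ps lines on stdin, print "<iface> <count>" per interface, sorted.
snort_counts() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "-i") n[$(i + 1)]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# Read "<iface> <count>" lines on stdin; report interfaces with more than one
# instance. Returns 0 when every interface has exactly one snort, 1 otherwise.
snort_dupes() {
  status=0
  while read -r iface count; do
    if [ "$count" -gt 1 ]; then
      echo "$iface has $count snort instances (expected 1)"
      status=1
    fi
  done
  return $status
}

# Stand-alone run over the constructed sample. On a real box replace the
# printf with: ps ax -o pid,command | grep '[s]nort'
if printf '%s\n' "$SAMPLE_PS" | snort_counts | snort_dupes; then
  echo "one snort per interface, nothing to kill"
else
  echo "duplicates found: pkill -9 snort, then restart from the Snort Interfaces screen"
fi
```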