pfSense – Snort ids/ips basic setup and configuration

Snort is one of the best open source IDS/IPS (intrusion detection/prevention system) there is. Actually, Snort entered the open source hall of fame in 2009 as the best open source software of all time! Snort has the ability to do real-time traffic monitoring. It has three functions: sniffer, packet logger, and network intrusion detection, and it is therefore ideal to use with pfSense.

Snort is a must if you are running a server at home or in a company. It is a very complicated program with a lot of information! It has many useful and very powerful functions. You will probably get a headache in the start, but when you have been using Snort for a little while you will quickly learn the functions and understand the information output.

In this guide I will show you how to install Snort and make a basic configuration with a free set of Snort rules.


Go to System > Packages > Available Packages > Security and find Snort.

Click on the icon to the right to install, then click on Confirm to install. It is always a good idea to check if there are any errors in the installation.

To get the free rules for Snort you will need an Oinkcode, so jump to Snort's website. You will need to create an account to get the rules: first create an account and then log in. Click on Oinkcode in the menu to the left.

Copy your private Oinkcode and return to the pfSense web GUI. You can find Snort under Services > Snort. Click on Global Settings in the top bar. Check the box under Install Snort VRT rules and paste your Oinkcode there.
Make sure there are no blank spaces after the Oinkcode.
Check the next two boxes.

By default auto update isn't enabled. When you are using the free Snort rules you don't have to update multiple times each day, because they aren't sending updates that often unless you have a paid subscription. And don't forget to Save.

Scroll to the top bar, click Updates and update the rules. Check if there are any errors!

Go to Snort Interfaces and click on the box to the right to add an interface. Select WAN and leave everything else as default.
And again, don't forget to Save ;)

Click on the red X to start Snort (it will be green afterwards), and after that click on the icon to the right with an e (edit). Go into WAN Categories.
Check Snort GPLv2 Community Rules (VRT CERTIFIED) to enable the Snort rules,
and remember to Save!
You can try to surf around on the internet and then take a look at Alerts in the tabs. You will probably see 50+ alerts and you might not know what half of them mean; I certainly didn't!

In most cases these alerts are what we would call false positives and are not a real threat to you. So what we would do to remove all of these false-positive alerts is to create a suppress list under Suppress. In my case I am not finished with my own suppress list yet; it is a complicated process to finish and you will probably bang your head against the desk over and over again like me, but it is definitely worth it.
Take a look here: it is a link to the pfSense user community, where they are forking a "master" suppression list.
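As an added example (not part of the original guide or the pfSense Snort package), here is a small Python script that reads Snort alerts in the "fast" log format and proposes entries in the suppress-list syntax the Suppress tab accepts. The alert lines, signature IDs and addresses are constructed for the example, and the noise heuristic (low-priority signatures that fire repeatedly) is an assumption of mine, so treat the output as a review list rather than a finished suppress list.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format (not from the page): SIDs are
# in the local-rule range 1000001+, messages and addresses are made up.
SAMPLE_ALERTS = """\
04/12-10:15:01.123456  [**] [1:1000001:2] CONSTRUCTED noise A [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:443
04/12-10:15:07.223456  [**] [1:1000001:2] CONSTRUCTED noise A [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51240 -> 203.0.113.5:443
04/12-10:16:30.323456  [**] [1:1000001:2] CONSTRUCTED noise A [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51299 -> 203.0.113.9:443
04/12-10:17:00.423456  [**] [1:1000002:1] CONSTRUCTED noise B [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
04/12-10:17:02.523456  [**] [1:1000002:1] CONSTRUCTED noise B [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.6:5353 -> 224.0.0.251:5353
04/12-10:17:05.623456  [**] [1:1000002:1] CONSTRUCTED noise B [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
04/12-10:20:00.723456  [**] [1:1000003:4] CONSTRUCTED severe event [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.168.1.20:22
04/12-10:20:01.823456  [**] [1:1000003:4] CONSTRUCTED severe event [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 192.168.1.20:22
04/12-10:20:02.923456  [**] [1:1000003:4] CONSTRUCTED severe event [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40002 -> 192.168.1.20:22
04/12-10:25:00.123456  [**] [1:1000004:1] CONSTRUCTED one-off [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
"""
# Fast format: "[**] [gid:sid:rev] msg [**] ... [Priority: N] {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            alerts.append({**m.groupdict(), "prio": int(m.group("prio"))})
    return alerts

def suppress_candidates(alerts, min_hits=3, min_priority=3):
    """Suggest Snort suppress-list lines for signatures that look like noise.
    Priority 1 is the most severe, so only priority >= min_priority with at
    least min_hits hits qualify; a single source gets 'track by_src', several
    sources get a per-signature suppression. The result is a list to review."""
    hits = defaultdict(list)
    for a in alerts:
        hits[(int(a["gid"]), int(a["sid"]), a["prio"])].append(a["src"])
    lines = []
    for (gid, sid, prio), sources in sorted(hits.items()):
        if prio < min_priority or len(sources) < min_hits:
            continue  # too severe or too rare to suppress on this evidence
        if len(set(sources)) == 1:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {sources[0]}")
        else:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines
```

Each emitted line can be pasted into a suppress list on the Suppress tab; the by_src form keeps the signature active for every host except the one named.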

Snort should be running by now, and you can configure it to fit your needs.