pfSense – Snort IDS/IPS basic setup and configuration
Snort is one of the best open source IDS/IPS (intrusion detection/prevention systems) there is. In fact, Snort entered the open source hall of fame in 2009 as the best open source software of all time! Snort monitors traffic in real time and has three modes of operation: sniffer, packet logger, and network intrusion detection. That makes it ideal to use with pfSense.
Snort is a must if you are running a server at home or in a company. It is a very complex program that produces a lot of information! It has many useful and very powerful functions. You will probably get a headache at the start, but once you have been using Snort for a little while you will quickly learn the functions and understand the information it outputs.
In this guide I will show you how to install it and make a basic configuration with a free set of Snort rules.
Go to System > Packages > Available Packages > Security and find Snort.
Click on the icon to the right to install, then click Confirm. It is always a good idea to check whether there were any errors during the installation. To get the free rules for Snort you will need an Oinkcode, so jump over to Snort's website.
You will need an account to get the rules, so first create an account and then log in. Click on Oinkcode in the menu on the left.
Copy your private Oinkcode and return to the pfSense web GUI.
You can find Snort under Services > Snort. Click on Global Settings in the top bar. Check the box under Install Snort VRT rules and paste your Oinkcode there.
Make sure there are no blank spaces after the Oinkcode.
Check the next two boxes.
By default, auto update isn't enabled. When you are using the free Snort rules you don't have to update multiple times each day, because updates aren't released that often unless you have a paid subscription. And don't forget to Save.
Go to the top bar, click Updates and update the rules. Check whether there were any errors!
Go to Snort Interfaces and click on the box to the right to add an interface. Select WAN and leave everything else at its default.
And again, don't forget to save.
Click on the red X to start Snort (it will turn green afterwards), then click on the icon to the right with an e (edit) and go into WAN Categories.
Check Snort GPLv2 Community Rules (VRT CERTIFIED) to enable the Snort rules.
And remember to save!
Try surfing around on the internet for a while and then take a look at the Alerts tab. You will probably see 50+ alerts, and you might not know what half of them mean. I certainly didn't!
In most cases these alerts are what we would call false positives and are not a real threat to you. The way to get rid of all of these false-positive alerts is to create a suppress list under Suppress. In my case I am not finished with my own suppress list yet; it is a complicated process to finish and you will probably bang your head into the desk over and over again like me, but it is definitely worth it.
Take a look here: it is a link to the pfSense user community, where they are working on a "master" suppression list.
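As an added example (not part of the original post or of the pfSense/Snort packages), here is a small Python script that turns a batch of Snort alerts into candidate suppress-list entries in Snort's threshold.conf syntax. It assumes the alerts are in Snort's alert_fast log format and works on a few constructed sample lines; the point is that a signature firing repeatedly from one source gets a suppress entry scoped to that source rather than a blanket one.

```python
import re
from collections import Counter

# Snort "alert_fast" line format (assumption: that is the log style being
# parsed; pfSense's Alerts tab shows the same fields in a table).
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

# Constructed sample alerts (documentation IP ranges, not captured traffic).
SAMPLE_LOG = """\
02/12-10:01:03.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.10:50112
02/12-10:01:09.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.10:50113
02/12-10:02:15.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.0.2.10:50120
02/12-10:03:40.000004  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.4:41022 -> 192.0.2.10:3306
"""


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(FAST_RE.search, text.splitlines()) if m]


def suppress_candidates(alerts, min_hits=2):
    """Build suppress-list lines for signatures that fire repeatedly.

    Entries are scoped with 'track by_src, ip <src>' so only the noisy source
    is silenced; a bare 'suppress gen_id X, sig_id Y' would blind the sensor to
    that signature from every host, which is rarely what you want.
    """
    by_sig = Counter((a["gid"], a["sid"]) for a in alerts)
    by_sig_src = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    names = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    out = []
    for (gid, sid), hits in by_sig.most_common():
        if hits < min_hits:
            break  # most_common() is sorted descending, nothing more qualifies
        out.append(f"# {names[(gid, sid)]} ({hits} hits)")
        for (g, s, src), k in sorted(by_sig_src.items()):
            if (g, s) == (gid, sid) and k >= min_hits:
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out


if __name__ == "__main__":
    print("\n".join(suppress_candidates(parse_alerts(SAMPLE_LOG))))
```

Review each generated line before pasting it into the Suppress tab: the script only tells you which signatures are noisy, not whether they are false positives.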
Snort should be running by now, and you can configure it to fit your needs.